Authority to Operate (ATO) available government systems

All,

Looking if there is an ATO for RHEV before I go down this path of installing a new backend in my office. I need to see that when this goes through the Risk Management Framework (RMF) process, it is approved. If this is true, what are the steps required to secure it? I see the RHEL7 STIGs, but they don't pertain to RHEV for the most part (or do they?)

Thanks in advance

Dave

Responses

There's really not a government-wide ATO. You're really at the whim of your agency's IA people and processes. In general, while the idea of "reciprocity" is great, its usability in practice has proven to be pretty much utterly lacking.

All I can say is "good luck". I know that one of the agencies I consult to really only just recently gave a generic ATO for EL 7.x (I know you were asking after RHEV, but RHEL 7 is illustrative of the overarching issue). Even so, specific implementations still require individual accreditation (and many accreditors are freaked by process-engines that are a lot harder to subject to a validation-scan than a basic OS). The primary benefit of the agency-level ATO is that things like standardized builds and processes can act as common control providers (CCPs) for the RMF process-hurdles you need to clear.