Procedure: CMS Information Security (IS) Authorization To Operate Package Guide FINAL Version 3.0 December 1, 2011

Transcription

1 Office of the Chief Information Security Officer Centers for Medicare & Medicaid Services 7500 Security Boulevard Baltimore, Maryland Procedure: CMS Information Security (IS) Authorization To Operate Package Guide FINAL Version 3.0 December 1, 2011 Document Number: CMS-OCISO-PROC-ATO2011

2 CMS IS Authorization To Operate Package Guide CMS-OCISO-PROC-ATO2011 (This Page Intentionally Blank) ii December 1, Version 3.0

3 CMS-OCISO-PROC-ATO2011 CMS IS Authorization To Operate Package Guide SUMMARY OF CHANGES IN CMS INFORMATION SECURITY (IS) AUTHORIZATION TO OPERATE PACKAGE GUIDE VERSION This document replaces in its entirety the CMS Information Security (IS) Certification & Accreditation (C&A) Package Guide, v1.0, dated August 25, 2009 with the CMS Information Security (IS) Authorization To Operate Package Guide, v2.0, dated December 13, Instructions on creating and/or archiving Authorization To Operate package artifacts into CFACTS have been added. 3. Removal of IATO and other outdated artifacts. Update to the ATO package criteria. December 1, Version 3.0 iii

4 CMS IS Authorization To Operate Package Guide CMS-OCISO-PROC-ATO2011 (This Page Intentionally Blank) iv December 1, Version 3.0

5 CMS-OCISO-PROC-ATO2011 CMS IS Authorization To Operate Package Guide TABLE OF CONTENTS 1 INTRODUCTION Purpose Background Scope How To Use This Document OVERVIEW Authorization To Operate Package Artifacts Authorization To Operate Documents AUTHORIZATION TO OPERATE PACKAGE ARTIFACTS System Identification Information People And Inventory Information Security Control Assessment Information Authorization Tracking Information Annual Assessment ATO Status Information Information Security Risk Assessment System Security Plan Contingency Plan E-Authentication Information Privacy Impact Assessment Information Plan Of Actions And Milestones Security Certification Form Required Signatures Certification Cover Memo CFACTS ATO Documents Preparation and Submission Preparation Submission ATO PACKAGE CRITERIA APPROVED...20 December 1, Version 3.0 v

6 CMS IS Authorization To Operate Package Guide LIST OF TABLES CMS-OCISO-PROC-ATO2011 Table 1 ATO Package Artifacts... 8 Table 2 CMS ATO Package Artifact Procedures and Templates... 9 Table 3 Security Certification Form Required Signature Titles Table 4 ATO Package Criteria vi December 1, Version 3.0

7 CMS-OCISO-PROC-ATO2011 CMS IS Authorization To Operate Package Guide 1 INTRODUCTION 1.1 PURPOSE The Centers for Medicare & Medicaid Services (CMS) Information Security (IS) Authorization To Operate Package Guide hereinafter known as The Guide provides CMS Business Owners and System Developers/Maintainers with the necessary information and instructions for assembling and submitting a CMS Authorization To Operate (ATO) package to apply for a system Authorization to Operate. 1.2 BACKGROUND The CMS is responsible for implementing and administering an IS program to protect its information resources in compliance with applicable laws, regulations, and Executive Orders. CMS provides a high-level overview of this program and covers six (6) distinct phases to form a continuous security management practice for all CMS systems/applications. CMS depends heavily on Business Owners who have the responsibility to make certain that funding and resources are available for all information security requirements for the system and that the systems and the data within are adequately protected and fully compliant with all applicable laws, regulations, Executive Orders, and CMS information security requirements. Business Owners of systems that are already in production, or are currently under an ATO, may only need to address the final phases of the ATO process, which defines activities performed during maintenance of the system and for periodic re-authorization. The Guide supports the CMS IS ATO process and is provided to standardize the submission of ATO packages from CMS Business Owners and System Developers/Maintainers. 1.3 SCOPE The Guide applies to all CMS Business Owners and System Developers/Maintainers that own, develop, and/or maintain a CMS system or a system performing work on behalf of CMS. Business Owners are ultimately responsible for managing the ATO artifact requirements by identifying the responsible party between the Business Owner and System Developer/Maintainer for each of the ATO supporting artifacts or activities and holding the responsible party accountable. All personnel tasked with submitting an ATO package for obtaining an ATO should read this document to become familiar with CMS ATO package artifacts and the submission process. 1.4 HOW TO USE THIS DOCUMENT The Guide provides instruction on creating an ATO package in a.zip file format through the CMS FISMA Controls Tracking System (CFACTS). All ATO packages must be in electronic format in the CFACTS. Hard binders will no longer be accepted. The Certification Cover Memo and Security Certification Form are the only hard copy documents required for December 1, Version 3.0 7

8 CMS IS Authorization To Operate Package Guide CMS-OCISO-PROC-ATO2011 submission to the Chief Information Officer, through the Office of the Chief Information Security Officer (OCISO). 2 OVERVIEW The CMS IS ATO process is an essential part of the CMS enterprise-wide IS Program. Business Owners submit CMS IS ATO packages to the Chief Information Officer (CIO) through the Chief Information Security Officer (CISO) no less than 60 days prior to expiration of the current ATO (or 60 days prior to the desired implementation date for a new system) for use in making a risk determination decision for the operation of the subject system. When the level of risk to the CMS enterprise is deemed acceptable, the system is granted an ATO. The authorization, granted in writing by the CIO, is required for the operation of any information system, and must be attained prior to full implementation and whenever significant changes are made to the system. This is a key component of the CMS IS Investment Life Cycle and the CMS enterprise risk management process. This CMS IS Authorization To Operate Package Guide provides Business Owners and System Developer/Maintainers with a high-level overview for final steps necessary in preparing the documentation required to demonstrate and validate that appropriate security controls exist to safeguard the subject system, associated CMS information, and the CMS enterprise. 2.1 AUTHORIZATION TO OPERATE PACKAGE ARTIFACTS ATO packages submitted by Business Owners and System Developers/Maintainers are comprised of several distinct artifacts. Each ATO package submitted for acceptance and further submission for an authorization decision must contain the artifacts described in Table 1. Table 1 ATO Package Artifacts ATO Package Artifacts System Security Plan (SSP) (and all associated attachments) SSP Workbook (and all associated attachments) Information Security Risk Assessment (IS RA) (and all associated attachments) Contingency Plan (CP) (and all associated attachments) CP Test Plan CP Test After Action Report Security Control Assessment Plan (SCA Test Plan) Security Control Assessment Report (SCA Report) Plan of Action and Milestones (POA&M) Report Privacy Impact Assessment (PIA) (signed by the CMS Privacy Officer) Certification Cover Memo (hard copy, soft copy in CFACTS) Security Certification Form (hard copy, soft copy in CFACTS) 8 December 1, Version 3.0

9 CMS-OCISO-PROC-ATO2011 CMS IS Authorization To Operate Package Guide 2.2 AUTHORIZATION TO OPERATE DOCUMENTS To manage a risk-based IS Program; Business Owners are responsible for executing the processes defined in detail in the CMS IS ATO process, which can be found on the Info Security Library navigation link of the CMS IS Virtual Handbook website, Business Owners and System Developers/ Maintainers must follow relevant IS procedures and utilize approved templates prior to submitting ATO packages or may use CFACTS to generate the required SSP, CP and RA artifacts. The procedures and templates are provided below. Table 2 CMS ATO Package Artifact Procedures and Templates ATO Package Artifact IS Program Procedure IS Program Template SSP SSP Workbook IS RA CP CP Test Plan CP Test After Action Report Security Control Assessment Security Control Assessment Report POA&M Privacy Impact Assessment CMS System Security Plan (SSP) Procedure In CFACTS generated from the Security Controls tab. CMS Information Security Risk Assessment (IS RA) Procedure CMS Information Security (IS) Application Contingency Plan (CP) Procedure CMS Contingency Planning Tabletop Test Procedure CMS Contingency Planning Tabletop Test Procedure CMS Information Security (IS) Assessment Procedure CMS IS Assessment Reporting Procedure CMS Information Security (IS) Plan of Actions & Milestones (POA&M) Procedure Contact CMS Privacy Office CMS System Security Plan (SSP) Template There is no specific procedure today. However in CFACTS the SSP Workbook is derived from the specified information in the Security Controls tab. CMS Information Security Risk Assessment (IS RA) Template CMS Information Security (IS) Application Contingency (CP) Plan Template Appendix B CP Tabletop Test Plan Template Appendix C After Test Action Report Template CMS Information Security (IS) Assessment Plan Template Application Assessment Findings Report Template Infrastructure Data Center Assessment Findings Report Template Attachment A CAP Management Worksheet Attachment D CMS Information Security Policy/ Standard Risk Acceptance Template Privacy Impact Assessment Template December 1, Version 3.0 9

10 CMS IS Authorization To Operate Package Guide CMS-OCISO-PROC-ATO AUTHORIZATION TO OPERATE PACKAGE ARTIFACTS Instructions on creating and loading ATO package artifacts are described in the sections that follow. Prior to compiling the.zip file for the ATO package, users must input required system details into CFACTS, which include (but may not be limited to) system identification, system description, security categorization, system Point of Contacts (POCs), system interconnections, and system inventory. Business Owners and System Developer/Maintainers should follow the instructions for each artifact when assembling and submitting the ATO package for risk acceptance. Once logged on to CFACTS, the Home screen will display the systems assigned to the user. If this view is blank, contact CFACTS support at mailto:ciso@cms.hhs.gov for further assistance. Next, navigate to the applicable System, Site, or Program and click on the appropriate System, Site, or Program name. 3.1 SYSTEM IDENTIFICATION INFORMATION After selecting the system name, the system Identification tab is displayed. This tab allows the user to add or update system identification information. This tab in CFACTS includes General Information, System Description, and Security Categorization (FIPS 199) views which must be completed with the following details: General Information - The user is required to complete or update all applicable fields. Click Save when complete. System Description - Select the System Description view and enter the required information in the designated fields. Click Save when complete. Security Categorization (FIPS 199) - Select the FIPS 199 view and verify the security categorization details. If the data in the Security categorization field is incorrect, contact the OCISO at mailto:ciso@cms.hhs.gov for guidance. 3.2 PEOPLE AND INVENTORY INFORMATION Once the system has been identified, information must be gathered for the system inventory, and the people who are responsible for the system. Select the People and Inventory tab. The following items must be completed for the system: System Point of Contacts (POCS) - Select the POCs view and enter the necessary information for the responsible individuals. Several types of POCs can be identified. However, at a minimum, the following POCs must be identified: Business Owner - a CMS group director or higher CMS Information System Security Officer A CMS employee holding an appointment letter and typically within the same component as the Business Owner 10 December 1, Version 3.0

11 CMS-OCISO-PROC-ATO2011 CMS IS Authorization To Operate Package Guide System Developer/Maintainer - a CMS division director or higher System Interconnections - Select the Interconnections view to access and edit interconnections. To add a new interconnection select New in the List of Interconnections table and enter or select the required information. Click Save to enter and return to the Interconnections view on the People and Inventory tab. Note that ALL system interconnections must be identified. If a System Name for an interconnected system is not shown, select Not Applicable, and then specify the details in the remaining fields. All applicable fields should be completed. NOTE: All applicable SLA/MOU/ISA documents must be attached in the SSP section of the CFACTS tool. Inventory - Select the Inventory view to enter the major hardware and software inventory components that comprise the information system. To add new hardware or software inventory select New in the Hardware and Software Inventory table and enter the required information. Note that new software and hardware inventory types can also be added from the System Administration tab. Click Save to enter and return to the Inventory view on the People and Inventory tab. 3.3 SECURITY CONTROL ASSESSMENT INFORMATION The applicable control requirements associated with the subject system are determined based upon the security categorization that was previously selected. Only the controls that apply to your system will be listed in the CFACTS. The applicable Information System Security Officer (ISSO) is responsible for ensuring that compliance information for each of these controls is entered. Select the Security Controls tab. The General Information view is displayed starting with the first security control (with Tree View set to OFF). When the Tree View is set to ON (top right of screen), a window panel will be presented to the left of the window with a hyperlink list of each security control-by-control family. For each control requirement, enter the system s Compliance Description detailing how the subject security control is met. Each security control must have implementation detail. Utilize common controls and hybrid controls as appropriate. NOTE: Risk-based decisions for non-compliant control requirements must be documented with a signed and attached Risk Acceptance form in the Compliance Details section. Select the Security Control Assessment view to load your Security Control Assessment details for the system. Each Test Procedure must be maintained to the most current assessment result (Annual Assessment) in order for those tests to be used for re-authorization purposes. All associated Security Control Assessment Plans and Security Control Assessment Report documents are required to be loaded to the Security Control Assessment portion on the SA&A Tracking tab. For the Security Control Assessment, ensure that the following items are addressed: SCA Status Last SCA Date SCA Expiration (maximum of 3-years from last SCA date) December 1, Version

12 CMS IS Authorization To Operate Package Guide CMS-OCISO-PROC-ATO2011 Scheduled SCA Date. (Schedule for testing to be completed approximately 5 to 6-months prior to expiration of an existing ATO. For guidance on selection of acceptable testers, contact the OCISO at mailto:ciso@cms.hhs.gov.) SCA Due Date Attach: Upload applicable SCA Test Plan(s) Upload applicable Security Assessment Report(s) Other applicable supporting or reference documents and appendices 3.4 AUTHORIZATION TRACKING INFORMATION ANNUAL ASSESSMENT On the SA&A Tracking tab, scroll to the Annual Assessment section. Ensure that the following items are addressed: Annual Assessment Status Last Annual Assessment Date Next Annual Assessment Date (maximum of 1 year from the last assessment) Ensure that all Assessment Procedures for all past annual assessments are addressed in the Security Controls tab as described in Section 3.4 of this document Attach: All past Annual Assessment Reports (or other Assessment reports used to meet the Annual Assessment requirement) Other applicable supporting or reference documents and appendices ATO STATUS INFORMATION On the SA&A Tracking tab in CFACTS, scroll to the Security Assessment and Authorization section. Many of the fields in this section may be locked, and are not editable by users. If any of these fields have incorrect data, contact the OCISO at mailto:ciso@cms.hhs.gov for guidance. Ensure that the following items are addressed properly: SA&A Status Governing Policy (Must be set to PISP) SA&A Initiation Date Last SA&A Date (Date last ATO was granted) SA&A Expiration Date Next SA&A Date (should be set such that the SCA and ATO package can be submitted to the OCISO no less than 60 days from the expiration date of the current ATO) 12 December 1, Version 3.0

13 CMS-OCISO-PROC-ATO2011 CMS IS Authorization To Operate Package Guide Attach: ATO package (as described in Section 3.7 of this document) Other applicable supporting or reference documents and appendices INFORMATION SECURITY RISK ASSESSMENT The most reliable method today is to use the current risk assessment templates and procedures. These templates can be found at However, the CFACTS RA wizard is an option. To use the wizard, select the SA&A Tracking tab and scroll down to the Risk Assessment section. Select the RA Wizard button to begin generating the system IS RA. The RA Wizard allows the ISSO to enter information for each section of the system risk assessment. Be sure to include findings from the security control assessments. Each of the following sections of the CFACTS must be visited and updated in order to ensure that the system has a valid IS RA. Once complete, the Risk Assessment artifact can be generated for review and uploaded as an artifact into the system. Risk Acceptance documentation that has not been completed elsewhere, must also be uploaded to CFACTS. The IS Policy Risk Acceptance template can be found at For the Risk Assessment, ensure that the following items are addressed: Risk Assessment Status Last Risk Assessment Date Next Risk Assessment Review Date (maximum of 1-year from last review or update) Risk Assessment Expiration Date (maximum of 1-year from last review or update) Next Scheduled Risk Assessment Date (maximum of 1-year from last review or update) Attach: Latest version of the Risk Assessment All applicable Risk Acceptance Forms for the subject system Other applicable supporting or reference documents and appendices (including all documents referenced within the IS RA, if not available elsewhere within CFACTS) SYSTEM SECURITY PLAN Most required SSP information is generated from the Security Controls tab in CFACTS. This is the information for the SSP workbook. However, the CFACTS SSP wizard is an option. Information must be completed in the Security Controls tab prior to using the SSP wizard. After the specific security controls addressing and describing how the controls are implemented, then scroll to the System Security Plan section on the SA&A Tracking tab in CFACTS and select the SSP Wizard link. Select the SSP Wizard button to navigate and to begin generating the system SSP. The SSP Wizard allows the ISSO to enter information for each section of the SSP. December 1, Version

14 CMS IS Authorization To Operate Package Guide CMS-OCISO-PROC-ATO2011 Each of the following sections of the CFACTS must be visited and updated in order to ensure that the system has a valid SSP. Once complete the System Security Plan artifact can be generated for review and uploaded as an artifact into the system. For the SSP, ensure that the following items are addressed: SSP Status SSP Target completion date (maximum of 1-year from last SSP review) SSP Completion Date (Date SSP was last updated) SSP Reviewed This Year Date (date SSP was last reviewed by Business Owner management) SSP Revision Date (date SSP was last revised) Attach: Latest version of the SSP Latest version of the SSP Workbook (will be generated from the information in the Security Controls tab) All applicable configuration standards for hardware and software Other applicable supporting or reference documents and appendices (including all documents referenced within the SSP, if not available elsewhere within CFACTS) CONTINGENCY PLAN The most reliable method today is to use the current Contingency Plan (CP) templates and procedures. These templates can be found at Each of these sections must be visited and updated in order to ensure that the system has a valid CP. Once complete, the Contingency Plan artifact can be generated for review and uploaded as an artifact into the system. The CP Test Plan and the CP Test After Action Report must be uploaded into CFACTS to generate a complete ATO package. To add a new artifact, select New in the Contingency Plan Table and enter or select the required information. Click Save to enter the information. For the Contingency Plan, ensure that the following items are addressed: CP Status Last CP Completion Date Last CP Test Date Attach: Latest version of the Contingency Plan Latest Contingency Plan Test Plan Latest Contingency Plan Test Report Other applicable supporting or reference documents and appendices 14 December 1, Version 3.0

15 CMS-OCISO-PROC-ATO2011 CMS IS Authorization To Operate Package Guide E-AUTHENTICATION INFORMATION For the E-Authentication section, ensure that the following items are addressed and if applicable, upload the E-Authentication workbook: E-Authentication Status E-Authentication Level (in accordance with CMS System Security and e-authentication Assurance Levels by Information Type [available at E-Authentication Completion Date PRIVACY IMPACT ASSESSMENT INFORMATION A Privacy Impact Assessment (PIA) must be prepared for all CMS General Support Systems (GSSs) and Major Applications (MAs). A PIA template can be found on the CMS System Lifecycle Framework Templates website at o. The PIA for the current year, signed by the CMS Privacy Officer, must be uploaded in the SA&A Tracking tab in CFACTS. Click Save at the bottom of the page to save your updates. For the Privacy Impact Assessment section, ensure that the following items are addressed: PIA Status PIA Last Date Next PIA Review Date Next PIA Revision Date Attach: Most current version of the PIA (signed by the CMS Privacy Officer) 3.5 PLAN OF ACTIONS AND MILESTONES A Plan of Actions and Milestones (POA&M) with approved corrective actions must be submitted as part of the ATO package by entering weaknesses identified in security control assessments, self-assessments, attestations, and ATO Action Items. The applicable ISSOs are responsible for developing the planned corrective actions and entering this information as updates to the weaknesses in CFACTS. These updates must include point-ofcontact, resources required, scheduled completion dates, estimated completion dates, and milestones. Milestones must address a solution or process for developing a solution to each identified weakness. ISSOs must ensure that milestones address the weakness by reviewing the control requirements in which the weakness is linked. To find the control, select the Linked to Control Title radial button and locate the control requirements in the Security Control section of CFACTS. December 1, Version

16 CMS IS Authorization To Operate Package Guide CMS-OCISO-PROC-ATO2011 Scheduled completion dates must be reasonable and no dates greater than one year are acceptable. Weaknesses identified from ATO Action Items already have predetermined, scheduled completion dates. ISSOs must ensure completion within the prescribed timelines to ensure the ATO is not rescinded. The OCISO CFACTS Support Team is responsible for approving all planned corrective actions and milestones. Approval or failure s are sent out for all planned corrective actions submitted. Failure s include a POA&M Review Disposition (PRD) form. The PRD will detail the reasons for failing the CAP and explain what actions required are for approval. When all planned corrective actions have been approved, the POA&M reports can be generated. The POA&M is a vital document to be included in the ATO package for submission to the OCISO. To run the POA&M report, select the Reports tab. Select the Plan of Actions and Milestones for the corresponding year. Select from the presented window the level of ordering for the data, and select Run Report to receive the corresponding POA&M report. The POA&M report can be created at any time. The ISSO and the System Developer/Maintainer must review the POA&M report even though they may not have addressed all the weaknesses (e.g. ATO action items) prior to submitting the package. The POA&M report can also be exported into Excel as a worksheet. This action completes the POA&M deliverable for the ATO package. 3.6 SECURITY CERTIFICATION FORM After all of the artifacts have been added into CFACTS, the ISSO, System Developer/ Maintainer, and the Business Owner must complete the CMS Security Certification Form. The CMS Security Certification Form template is located at te.zip. The Security Certification Form should be completed as follows: 1. Select the reason(s) certification is required. 2. Indicate the name of the System. 3. Indicate the CMS Component. 4. Provide the printed Name, Date, and Signature of the CMS Component Information System Security Officer (ISSO). 5. Provide the printed Name, Date, and Signature of the CMS Business Owner. 6. Provide the printed Name, Date, and Signature of the CMS System Developer/Maintainer. 7. Complete the Security Certification Restrictions section and indicate any restrictions. 8. Complete the Security Certification Actions section and indicate any actions. 16 December 1, Version 3.0

17 CMS-OCISO-PROC-ATO2011 CMS IS Authorization To Operate Package Guide Once signed by the ISSO, System Developer/Maintainer, and the Business Owner, the form must be converted to a PDF and uploaded as an artifact within CFACTS. Once complete, please provide the hard copy to the OCISO. The copy to the OCISO serves as official notification that an ATO request is being submitted REQUIRED SIGNATURES The signature titles identified on the Security Certification Form shall not be altered. Only those titles listed in Table 3 shall be indicated on the Security Certification Form. Table 3 Required Signature Title Business Owner System Developer/ Maintainer CMS Component ISSO Security Certification Form Required Signature Titles Description CMS Group Director for the business function. CMS Division Director that does this activity whether through a contract or with CMS staff. CMS individual in the Business Owner s component CERTIFICATION COVER MEMO The Certification Cover Memo is completed by the Business Owner and submitted to the CMS CIO through the CMS CISO no less than 60 days prior to expiration of the current ATO (or 60 days prior to the desired implementation date for a new system). The Business Owner can obtain a clean version of the Certification Cover Memo from the Info Security Library navigation key of the CMS IS Virtual Handbook located at CFACTS ATO DOCUMENTS PREPARATION AND SUBMISSION PREPARATION To prepare the ATO package to submit to the OCISO, complete and final documents must be arranged in CFACTS for archiving. Select the SA&A Tracking tab. Verify that final versions of the documents have been uploaded. Upload each of the final documents for the SSP, RA, CP, CP Test Plan, CP Test After Action Report, Security Control Assessment Plan, Security Control Assessment Report, E- Authentication, PIA, SORN, and POA&M Report. Select Save at the bottom of the page to ensure that your changes have been applied. At this stage, the SA&A Archival Wizard must be run to aggregate all final authorization documents into a single ZIP file. The archival process can be initiated by selecting New from the Archival Wizard view. Several archival packages may be maintained. December 1, Version

18 CMS IS Authorization To Operate Package Guide SUBMISSION CMS-OCISO-PROC-ATO2011 Submit the signed hardcopy (originals) of the Security Certification Form and the cover letter to the OCISO no less than 60 days prior to expiration of the current ATO (or 60 days prior to the desired implementation date for a new system). Contact the OCISO team at mailto:ciso@cms.hhs.gov to determine the specific delivery point(s)-of-contact. 18 December 1, Version 3.0

19 CMS-OCISO-PROC-ATO2011 CMS IS Authorization To Operate Package Guide 4 ATO PACKAGE CRITERIA Table 4 provides the baseline criteria for CMS systems to receive an ATO. The CMS CISO will generally establish the ATO disposition according to the below criteria, but reserves the right to evaluate other risk factors, on a case-by-case basis, in order to establish overall enterprise risk when reviewing each ATO package and its artifacts. Table 4 ATO Package Criteria Full ATO (3 Years) No open high-risk findings. Any High-risk findings are either CLOSED, or are transferred (and accepted) to another system/entity. High-risk findings on inherited controls are assigned to and accepted by the Common Control Provider. Latest full security assessment is less than 1 year old. For systems where an annual (1/3) independent security assessment is being leveraged. All three assessments are provided, Latest annual assessment is less than 1 year old, and first assessment is no more than 3 years old), and All controls are tested (i.e., 3/3 = all baseline controls). The ATO package is complete (all artifacts are provided in their entirety). Limited ATO (less than 3 years) Latest full security assessment is greater than 1 year old, but less than 3 years old. Maximum allowable ATO expiration date will be 3 years from latest full Security assessment. ATOs that need a short turnaround time such as a congressional mandate. For systems where an annual (1/3) independent security assessment is being leveraged: All three assessments are provided If the first assessment is more than 3 years old or last assessment is more than one year old, the maximum allowable ATO expiration date will be determined by these criteria: If first annual assessment is more than three years old, then the maximum ATO expiration date is the first test date, + 6 months. If the latest annual assessment is more than one year old, then the maximum ATO expiration date is the latest test date, + 3 years. December 1, Version

20 CMS IS Authorization To Operate Package Guide CMS-OCISO-PROC-ATO2011 All controls are tested (i.e., 3/3 = all baseline controls). Will be retired within 1-year, provided documentation attesting to the fact is supplied. The CP is missing. (Maximum allowable ATO is 1 year.) A valid CP TEST was not performed within the past 365 days. (Maximum allowable ATO is 1 year.) A limited ATO (less than 3-years) is appropriate for: Security assessments that do not cover all of the security controls or Security assessments that do not cover the full scope (boundaries) of the system. Denial (or Revocation) 5 If any of the below is true: Cannot meet the (above) requirements to achieve an ATO. No ATO package is provided. The ATO package is missing the SSP, IS RA, or Security Assessment artifacts. OPEN high-risk findings. NEW system with OPEN high-risk findings. Legacy/existing system has any OPEN high findings attributed to the system. An unusually large number of OPEN medium findings (i.e., aggregate of findings effects a high risk). Has a known vulnerability that has been exploited. Unable to achieve the requirements for an ATO within the allotted time designated granted by a Limited ATO. APPROVED Teresa M. Fryer Digitally signed by Teresa M. Fryer DN: c=us, o=u.s. Government, ou=hhs, ou=cms, ou=people, cn=teresa M. Fryer, = Date: :57:03-05'00' Teresa Fryer CMS Chief Information Security Officer and Director, Office of the Chief Information Security Officer 20 December 1, Version 3.0