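<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title>Planning for ATO at CMS</title>
  <!-- Retirement redirect. The destination is a fixed, first-party https URL written
       into the page (not taken from any request parameter), so this is not an open
       redirect. The 10 s delay lets the site alert below be read first; a timed
       refresh is still discouraged by WCAG (F41), so the alert also links to the
       new site for users who want to leave immediately. -->
  <meta http-equiv="refresh" content="10;url=https://security.cms.gov/learn/authorization-operate-ato">
  <!-- USWDS assets are served from this origin, so no SRI/crossorigin is needed.
       uswds-init is kept blocking in <head>, as the original had it. -->
  <script src="assets/uswds-2.11.1/js/uswds-init.min.js"></script>
  <link rel="stylesheet" href="assets/uswds-2.11.1/css/uswds.min.css">
</head>
<body>
  <script src="assets/uswds-2.11.1/js/uswds.min.js"></script>
  <!-- Skip link target: the single <main> below. The page previously nested two
       <main> elements that both carried id="main-content", which is invalid HTML
       and made the skip link ambiguous. -->
  <a class="usa-skipnav" href="#main-content">Skip to main content</a>
  <!-- Official government banner, intentionally disabled; kept for restoration. -->
  <!--
  <section class="usa-banner" aria-label="Official government website">
    <div class="usa-accordion">
      <header class="usa-banner__header">
        <div class="usa-banner__inner">
          <div class="grid-col-auto">
            <img class="usa-banner__header-flag" src="assets/img/uswds-2.11.1/us_flag_small.png" alt="U.S. flag">
          </div>
          <div class="grid-col-fill tablet:grid-col-auto">
            <p class="usa-banner__header-text">An official website of the United States government</p>
            <p class="usa-banner__header-action" aria-hidden="true">Here’s how you know</p>
          </div>
          <button class="usa-accordion__button usa-banner__button" type="button"
            aria-expanded="false" aria-controls="gov-banner">
            <span class="usa-banner__button-text">Here’s how you know</span>
          </button>
        </div>
      </header>
      <div class="usa-banner__content usa-accordion__content" id="gov-banner">
        <div class="grid-row grid-gap-lg">
          <div class="usa-banner__guidance tablet:grid-col-6">
            <img class="usa-banner__icon usa-media-block__img" src="assets/img/uswds-2.11.1/icon-dot-gov.svg" alt="" aria-hidden="true">
            <div class="usa-media-block__body">
              <p>
                <strong>Official websites use .gov</strong>
                <br>
                A <strong>.gov</strong> website belongs to an official government organization in the United States.
              </p>
            </div>
          </div>
          <div class="usa-banner__guidance tablet:grid-col-6">
            <img class="usa-banner__icon usa-media-block__img" src="assets/img/uswds-2.11.1/icon-https.svg" alt="" aria-hidden="true">
            <div class="usa-media-block__body">
              <p>
                <strong>Secure .gov websites use HTTPS</strong>
                <br>
                A <strong>lock</strong> (
                <span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-title banner-lock-description" focusable="false"><title id="banner-lock-title">Lock</title><desc id="banner-lock-description">A locked padlock</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"/></svg></span>
                ) or <strong>https://</strong> means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
              </p>
            </div>
          </div>
        </div>
      </div>
    </div>
  </section>
  -->
  <div class="usa-overlay"></div>
  <header class="usa-header usa-header--extended">
    <div class="usa-navbar">
      <div class="usa-logo" id="extended-logo">
        <!-- The visible text is the accessible name; the former aria-label="Home"
             overrode it with a different string (label-in-name mismatch). -->
        <em class="usa-logo__text"><a href="index.html">CMS Security &amp; Compliance Planning</a></em>
      </div>
      <button class="usa-menu-btn" type="button">Menu</button>
    </div>
    <!-- Redirection Notice -->
    <section class="usa-site-alert usa-site-alert--emergency" aria-label="Site alert">
      <div class="usa-alert">
        <div class="usa-alert__body">
          <h3 class="usa-alert__heading">CMS ATO Notice</h3>
          <p class="usa-alert__text">
            CMS ATO information can now be found at <a class="usa-link" href="https://security.cms.gov">security.cms.gov</a>, along with other security and privacy resources.
          </p>
          <p class="usa-alert__text">
            This website will be retired. You will be redirected in a moment.
          </p>
        </div>
      </div>
    </section>
    <!-- End Redirection Notice -->
    <nav aria-label="Primary navigation" class="usa-nav">
      <div class="usa-nav__inner">
        <button class="usa-nav__close" type="button"><img src="assets/img/uswds-2.11.1/usa-icons/close.svg" alt="Close"></button>
        <!-- Only the section containing this page (rato.html) is marked usa-current;
             the original also flagged "Resources" as current. -->
        <ul class="usa-nav__primary usa-accordion">
          <li class="usa-nav__primary-item">
            <button class="usa-accordion__button usa-nav__link usa-current" type="button" aria-expanded="false" aria-controls="extended-nav-section-one"><span>CMS Rapid ATO</span></button>
            <ul id="extended-nav-section-one" class="usa-nav__submenu">
              <li class="usa-nav__submenu-item">
                <a href="rato.html" aria-current="page">What is CMS Rapid ATO</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="overview.html">Background</a>
              </li>
            </ul>
          </li>
          <li class="usa-nav__primary-item">
            <button class="usa-accordion__button usa-nav__link" type="button" aria-expanded="false" aria-controls="extended-nav-section-two"><span>ATO Phases</span></button>
            <ul id="extended-nav-section-two" class="usa-nav__submenu">
              <li class="usa-nav__submenu-item">
                <a href="overview-phases.html">Overview</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="initiate.html">Initiate</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="develop.html">Develop and Assess</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="operate.html">Operate</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="retire.html">Retire</a>
              </li>
            </ul>
          </li>
          <li class="usa-nav__primary-item">
            <button class="usa-accordion__button usa-nav__link" type="button" aria-expanded="false" aria-controls="extended-nav-section-three"><span>Resources</span></button>
            <ul id="extended-nav-section-three" class="usa-nav__submenu">
              <li class="usa-nav__submenu-item">
                <a href="types.html">Authorizations &amp; Agreements</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="roles.html">Key Roles &amp; Stakeholders</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="tools.html">Tools &amp; Services</a>
              </li>
            </ul>
          </li>
        </ul>
      </div>
    </nav>
  </header>
  <div class="usa-section">
    <div class="grid-container">
      <div class="grid-row grid-gap">
        <div class="usa-layout-docs__sidenav desktop:grid-col-3">
          <nav aria-label="Secondary navigation">
            <ul class="usa-sidenav">
              <li class="usa-sidenav__item">
                <!-- The "current" entry points at this page; it previously linked to
                     types.html, which the primary nav lists under Resources. -->
                <a href="rato.html" class="usa-current" aria-current="page">CMS Rapid ATO</a>
                <ul class="usa-sidenav__sublist">
                  <li class="usa-sidenav__item">
                    <a href="#plan">Iterative security planning</a>
                  </li>
                  <li class="usa-sidenav__item">
                    <a href="#blue">Blueprint Digital Service</a>
                  </li>
                  <li class="usa-sidenav__item">
                    <a href="#cms">CMS Compliance Library</a>
                  </li>
                </ul>
              </li>
            </ul>
          </nav>
        </div>
        <main class="usa-layout-docs__main desktop:grid-col-9 usa-prose usa-layout-docs" id="main-content">
          <h1>What is CMS Rapid ATO?</h1>
          <p>Every information system that integrates with CMS (or any Federal IT) must be authorized. For most, this means getting an <strong>Authority to Operate (ATO)</strong>. In addition to meeting compliance requirements, this helps CMS manage risk and safeguard vital information. <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/CMS-Information-Security-Requirements.pdf">Read more about the ATO process</a>.</p>
          <p>The goal of <strong>CMS Rapid ATO</strong> is to move from burdensome, manual compliance to Compliance Automatization. Leveraging new tools and practices, we will speed up the process, reduce cost and encourage innovation for Business Owners, and improve compliance and risk management for CMS.</p>
          <p>In addition to automating the building and maintenance of compliance documentation, Rapid ATO will provide the CMS Security and Privacy community with the information and tools to plan, launch and maintain secure, compliant software. The cost of updating and addressing compliance issues after implementation is typically greater than integrating security and privacy requirements during development. This site is intended to help teams prepare and shift compliance left in their development process.</p>
          <p>This website is a <strong>high-level resource</strong> intended to give an approachable understanding of security planning at CMS, not to include every detail. We link to additional information and resources, when appropriate. Specifically, this information is intended for Business Owners, Information System Security Officers (ISSOs), Developers—but we hope it is useful for anyone planning to build and innovate at CMS.</p>
          <p><strong>Rapid ATO</strong> aims to simplify and streamline the ATO process in three initiatives:</p>
          <!-- Section headings follow the h1 directly, so they are h2 (the original
               skipped to h3 and wrapped each in a redundant <strong>). -->
          <h2 id="plan">Iterative security planning</h2>
          <p>We don’t build software using waterfall methodologies any more. We build it iteratively so we can anticipate changes and adjust accordingly. This allows us to build better products cheaper. Why do we still do waterfall compliance?</p>
          <p>By clarifying the ATO process and empowering product teams to plan for and address compliance requirements as they build their system, we can eliminate the cost and disruption of late surprises.</p>
          <p>Instead of building a product and then completing compliance documentation after (waterfall), the Rapid ATO initiative integrates security planning into product development so as you build and iterate the product you can do the same for your security plan. Say goodbye to waterfall compliance. Say hello to iterative security planning.</p>
          <h2 id="blue">Blueprint Digital Service for CMS</h2>
          <p>Security planning accounts for about 80 percent of the work needed to get an ATO. Additionally, anyone who’s worked through an ATO knows that writing security control implementation statements is one of the biggest challenges (see Develop and Assess phase).</p>
          <p>The Rapid ATO shared responsibility model helps product teams manage risk and meet compliance requirements. By allowing the CMS hosting environment to take on certain responsibilities, you fully inherit some control narratives. This means you don’t have to write them. There are also shared controls, where the host is responsible for part of the narrative and the product team provides supplemental information to complete it.</p>
          <p>To lessen the load and streamline the process, we’re introducing the <strong>Blueprint Digital Service</strong> platform. Blueprint guides you through security planning and simplifies the process by providing reusable compliance components that include draft control implementation statements.</p>
          <!-- <caption> is only valid inside <table>; screenshots and their captions
               are now <figure>/<figcaption>. Alt text describes each screenshot rather
               than repeating the product name. -->
          <figure>
            <img src="imgs/bp-1.png" alt="Blueprint system home screen" style="border: 1px solid rgb(189, 187, 187);">
            <figcaption><i>From the system home, you can start a new SSP, continue an existing project, find helpful information, and directly access components.</i></figcaption>
          </figure>
          <p>Components match your system technologies and policies to recommended, pre-approved control narratives that satisfy requirements. In doing so, they enhance the creation, maintenance and understanding of System Security Plans (SSPs). They’ll also support gap analysis, automated verification and ongoing assessments and authorization.</p>
          <figure>
            <img src="imgs/bp-2.png" alt="Blueprint project home screen" style="border: 1px solid rgb(189, 187, 187);">
            <figcaption><i>From the project home, you can access components that Blueprint assigns based on the technology you’re using.</i></figcaption>
          </figure>
          <p>Rather than writing hundreds of lengthy statements, Blueprint empowers you to add components that apply to your system, review and update the included control statements, and build an exportable SSP to upload to the CMS FISMA Controls Tracking System (CFACTS).</p>
          <figure>
            <img src="imgs/bp-3.png" alt="Blueprint component page" style="border: 1px solid rgb(189, 187, 187);">
            <figcaption><i>The component page includes standards, guidance and draft narratives for control implementation statements for every control. It also clearly calls out the system’s responsibility for each. You can edit each statement directly on the page and track your progress as you work.</i></figcaption>
          </figure>
          <p>For example, if your system is using Splunk to track audit logs and Confluence to manage information, you can select the Splunk and Confluence components and Blueprint will suggest control implementation narratives for your system. Rather than writing the statements from scratch, you can simply review and edit/augment the statements as needed. This also allows you to build your SSP as you build your system.</p>
          <figure>
            <img src="imgs/bp-4.png" alt="Blueprint SSP download options" style="border: 1px solid rgb(189, 187, 187);">
            <figcaption><i>Users can download their SSP from Blueprint as a CFACTS CSV, a Word Document and in Open Security Controls Assessment Language (OSCAL).</i></figcaption>
          </figure>
          <p>ISPG along with a team of experts are building Blueprint specifically for CMS to make compliance smarter, not harder.</p>
          <h2 id="cms">CMS Compliance Library</h2>
          <p>Reusable system components and compliance as code will modernize the ATO process and integrate security and compliance into the System Development Life Cycle (SDLC). That’s why we’re making components available to all in our CMS Compliance Library. By welcoming users across CMS to access and contribute to the Compliance Library, the Rapid ATO initiative will scale iterative security planning throughout the agency.</p>
          <p>Security and compliance checks will still need to be verified at the system level, but an accessible Compliance Library will prevent each project team from reinventing the components wheel. Additionally, the library will include applicable statutes, incident response plans, configuration management plans, points of contact, and other helpful information.</p>
          <p>This will help developers build compliance into the development process, and create initial SSPs with vetted, managed, component-based control implementation statements. It will also ease system audits with continuous monitoring and authorization. Time to renew the library card.</p>
        </main>
      </div>
    </div>
  </div>
  <footer class="usa-footer usa-footer--slim">
    <div class="grid-container usa-footer__return-to-top">
    </div>
    <div class="usa-footer__primary-section">
      <div class="usa-footer__primary-container grid-row">
        <div class="mobile-lg:grid-col-8">
        </div>
        <div class="mobile-lg:grid-col-4">
          <!-- The template's contact links (a placeholder tel: number and an empty
               mailto:) had no link text, so they were unusable by assistive tech;
               re-add real contact details here as <address> content when known. -->
        </div>
      </div>
    </div>
    <div class="usa-footer__secondary-section">
      <div class="grid-container">
        <div class="usa-footer__logo grid-row grid-gap-2">
          <div class="grid-col-auto">
            <img class="usa-footer__logo-img" src="assets/img/uswds-2.11.1/logo-img.png" alt="">
          </div>
        </div>
      </div>
    </div>
  </footer>
</body>
</html>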