ATO Certification

IATT, IATO, ATO Certification

Effective October 2016, all new DoD programs are required to be accredited under the Risk Management Framework (RMF) Assessment and Authorization (A&A) process.

All existing DoD programs that fall under the Defense Information Assurance Certification and Accreditation Process (DIACAP) Certification and Accreditation (C&A) process are required to begin, if they haven’t already, the transition to RMF. The transition to RMF is a vast improvement over DIACAP and will better align the DoD systems with Federal systems, saving money and time and improving reciprocity and interconnectivity. SecureStrux is intimately familiar with both accreditation packages and can provide exceptional assistance in supporting both packages and the transition process.

With the DIACAP C&A process, agencies would go through the process to achieve an Interim Authorization to Test (IATT), Interim Authorization to Operate (IATO), and ultimately an ATO. We helped many companies achieve their ATOs. With the RMF A&A process, IATTs and IATOs are no longer applicable. Now, we help companies achieve an ATO with conditions, and ultimately an ATO. If your organization is struggling with getting through the process of obtaining an ATO with conditions or just needs direction on how to get started, SecureStrux can help. We are intimately familiar with both DIACAP C&A and RMF A&A processes and procedures and the associated laws, regulations, and procedures that mandate that a formal process for compliance be implemented and followed. All too often, different government agencies have their own processes for C&A, requiring specific documentation and guidelines. This undertaking can be complicated and often takes months to complete. We have assisted companies and Federal agencies through this complex process, and we can work through any applicable framework to ensure the C&A / A&A process and procedures are completed thoroughly, efficiently, and on time.


  • Articulating and designating security controls in a System Security Plan (SSP)
  • Defining system boundaries
  • Establishing security categorizations according to FIPS PUB 199
  • Assessing the effectiveness of the security controls in place with a Security Test and Evaluation (ST&E) and Security Assessment Report (SAR)
  • Managing and remediating weaknesses uncovered as a result of an assessment through continuous monitoring and creating Plan of Action and Milestones (POA&Ms) when required
  • Document Preparation – RMF requires a great deal of documentation, such as, but not limited to:
    • System Security Plan (SSP)
    • Systems Administrator Guide (SAG)
    • Contingency and Business Continuity Plan (CBCP)
    • Continuity of Operation Plan (COOP)
    • Concept of Operations (CONOPS)
    • Incident Response Plan (IRP)
    • Configuration Management Plan (CMP)
    • Other policies, procedures, and/or plans as needed


  • General Consulting
  • Control Assessments
  • Gap Analysis
  • System Hardening
  • We can support your entire RMF A&A lifecycle process. Our complete package includes all of the above services and more. Let us help you meet and exceed your C&A / A&A requirements, so you can focus on your mission and what you do best.

Contact us for a free consultation.