OIT OIS Word ATO Cloud Guide 2018 11

• Department of Veterans Affairs Cloud Authority to Operate (ATO) Process
  • Revision History
  • Table of Contents
    • VA Cloud Authority to Operate Process Summary
    • 1 Background
    • 2 Purpose
    • 3 Scope
    • 4 VA Cloud ATO Process – VA Cloud-Leveraged System
    • 5 Authorization Prerequisites
      • 5.1 Information Security Officer (ISO) Designation
      • 5.2 Veteran – Focused Integration Process Request (VIPR) Identification (ID)
      • 5.3 RiskVision Entry for Application or System
      • 5.4 Application Registration
      • 5.5 Secure Design Review
      • 5.6 Privacy Threshold Analysis (PTA) / Privacy Impact Analysis (PIA)
    • 6 Assessment & Authorization (A&A) Requirements
      • 6.1 Security Documentation
        • 6.1.1 System Security Plan (SSP)
        • 6.1.2 Incident Response Plan (IRP)
        • 6.1.3 Disaster Recovery Plan (DRP)
        • 6.1.4 Information Security Contingency Plan (ISCP)
        • 6.1.5 Privacy Threshold Analysis (PTA) / Privacy Impact Assessment (PIA)
        • 6.1.6 Interconnection Security Agreement (ISA) / Memorandum of Understanding (MOU)
        • 6.1.7 Configuration Management Plan (CMP)
        • 6.1.8 Signatory Authority
        • 6.1.9 Control Implementation Evidence
        • 6.1.10 Risk Assessment (RA)
      • 6.2 Scanning and Testing
        • 6.2.1 Nessus Scan
        • 6.2.2 Database Scan
        • 6.2.3 Verification & Validation (V&V) Quality Code Review
        • 6.2.4 Secure Code Review
        • 6.2.5 Penetration Test / Web Application Security Assessment (WASA)
        • 6.2.6 Security Compliance Configuration Data (SCCD)
      • 6.3 Plan of Action and Milestone (POA&M) Remediation
      • 6.4 Authorizing Official System Brief (AOSB)
    • Appendix A Cloud ATO Checklist
    • APPENDIX B VA Cloud ATO Report and Dashboard (Sample Mockup)
    • Appendix C System Owner Policy Mandated Responsibilities
    • Appendix D References and Supporting Documentation
    • Appendix E Acronyms