executing-nist-rmf-authorization-to-operate
Installation
SKILL.md
Executing the NIST RMF to an Authorization to Operate (ATO)
When to Use
- When a federal or federally-aligned system (or a FedRAMP cloud service) needs an Authorization to Operate, a re-authorization, or has fallen out of authorization.
- When you must produce or review the core authorization artifacts: System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M).
- When categorizing a system's impact level (Low / Moderate / High) under FIPS 199.
- When selecting, tailoring, or implementing a NIST SP 800-53 Rev 5 control baseline.
- When standing up continuous monitoring (ConMon) or pursuing ongoing authorization / cATO after an initial ATO.
Prerequisites
- A defined system and authorization boundary (what's in, what's inherited, what's a leveraged service).
- An identified Authorizing Official (AO), System Owner, and ISSO.
- The information types the system handles (use SP 800-60 to map them to impact levels).
- For cloud: the provider's Customer Responsibility Matrix (CRM) and any inherited/leveraged ATO.
- Access to assessment evidence sources (config, scans, policies) for the Assess step.