executing-nist-rmf-authorization-to-operate

Installation
SKILL.md

Executing the NIST RMF to an Authorization to Operate (ATO)

When to Use

  • When a federal or federally-aligned system (or a FedRAMP cloud service) needs an Authorization to Operate, a re-authorization, or has fallen out of authorization.
  • When you must produce or review the core authorization artifacts: System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Action & Milestones (POA&M).
  • When categorizing a system's impact level (Low / Moderate / High) under FIPS 199.
  • When selecting, tailoring, or implementing a NIST SP 800-53 Rev 5 control baseline.
  • When standing up continuous monitoring (ConMon) or pursuing ongoing authorization / cATO after an initial ATO.

Prerequisites

  • A defined system and authorization boundary (what's in, what's inherited, what's a leveraged service).
  • An identified Authorizing Official (AO), System Owner, and ISSO.
  • The information types the system handles (use SP 800-60 to map them to impact levels).
  • For cloud: the provider's Customer Responsibility Matrix (CRM) and any inherited/leveraged ATO.
  • Access to assessment evidence sources (config, scans, policies) for the Assess step.

Workflow

Installs
7
GitHub Stars
24.8K
First Seen
9 days ago
executing-nist-rmf-authorization-to-operate — mukul975/anthropic-cybersecurity-skills