Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

    Glossary
A  |  B  |  C  |  D  |  E  |  F  |  G  |  H  |  I  |  J  |  K  |  L  |  M  |  N  |  O  |  P  |  Q  |  R  |  S  |  T  |  U  |  V  |  W  |  X  |  Y  |  Z

authorization to operate

Abbreviations / Acronyms / Synonyms:

accreditation
approval to operate
ATO
Security Authorization (to Operate)
Security Authorization(to Operate)

Definitions:

  See authorization to operate (ATO).
Sources:
CNSSI 4009-2015 under security authorization (to operate)

  seeCertificationandAccreditation.
Sources:
NIST SP 800-16 under Approval to Operate

  See Authorization (to operate).
Sources:
NIST SP 800-30 Rev. 1 under Security Authorization (to Operate)
NIST SP 800-39 under Security Authorization(to Operate)

  Authorization to Operate; One of three possible decisions concerning an issuer made by a Designated Authorizing Official after all assessment activities have been performed stating that the issuer is authorized to perform specific PIV Card and/or Derived Credential issuance services.
Sources:
NIST SP 800-79-2 under ATO

  The official management decision given by a senior Federal official or officials to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security and privacy controls. Authorization also applies to common controls inherited by agency information systems.
Sources:
NIST SP 800-161r1 from NIST SP 800-53 Rev. 5
NIST SP 800-37 Rev. 2 from OMB Circular A-130 (2016)
NIST SP 800-53 Rev. 5 from OMB Circular A-130 (2016)
NIST SP 800-53A Rev. 5 from OMB Circular A-130 (2016)

  Formal declaration by a designated accrediting authority (DAA) or principal accrediting authority (PAA) that an information system is approved to operate at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards.
Sources:
CNSSI 4009-2015 under accreditation

  The official management decision issued by a designated accrediting authority (DAA) or principal accrediting authority (PAA) to authorize operation of an information system and to explicitly accept the residual risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals.
Sources:
CNSSI 4009-2015 under approval to operate

  The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
Sources:
CNSSI 4009-2015