U.S. Department of Health and Human Services
Authorization is required before a system may process, store, or transmit agency data. An authorizing official or authorizing official designated representative reviews the security authorization package. The authorizing official or authorizing official designated representative will then give a system either an ATO or a Denial of Authorization to Operate.
An ATO signifies completion of an objective third-party system evaluation and acceptance of any residual risk of the system to the agency. This means that the DAA takes responsibility if a security incident related to a known risk occurs.
Denial of Authorization to Operate: System is not granted an authorization to operate. The information system is not authorized to operate and is not placed into operation. If the system is currently in operation, all activity is halted. Failure to receive an authorization to operate indicates that there are major weaknesses or deficiencies in the security controls employed within or inherited by the information system. The authorizing official or designated representative works with the information system owner or common control provider to revise the plan of action and milestones to ensure that appropriate measures are taken to correct the identified weaknesses or deficiencies.
System Security Authorization