Appendix A - ATO Readiness Task List

| Phase | Task | Min Days | Max Days |
|---|---|---|---|
| Security Control Baseline Selection | Determine Applicable Authorization Regime (RMF, FedRAMP, or CMMC) | 1 | 3 |
| Security Control Baseline Selection | Define Preliminary Authorization Boundary | 2 | 5 |
| Security Control Baseline Selection | Select Applicable Security Controls | 1 | 3 |
| Container Hardening | Containerize Custom Software Using Hardened Base Container Images (see note) | 8 | 12 |
| Container Hardening | Implement Application Security and Development (ASD) STIG Requirements for Containers | 8 | 12 |
| Container Hardening | Implement Container Security Requirements Guide (SRG) | 3 | 5 |
| Container Hardening | Remediate Container Vulnerabilities Identified by Static Scanning | 1 | 3 |
| Container Hardening | Address Runtime Security Findings | 1 | 3 |
| Container Hardening | Address Policy Enforcement Findings | 1 | 3 |
| DevSecOps Platform Setup | Set Up Internal DevSecOps Platform | 8 | 12 |
| DevSecOps Platform Setup | Package and Deploy Custom Software to Internal DevSecOps Platform | 9 | 14 |
| DevSecOps Platform Setup | Integrate Custom Software with Platform-Provided Services | 6 | 8 |
| DevSecOps Baseline Evidence Automation | Implement Automated Container Build and Deployment Pipeline | 5 | 7 |
| DevSecOps Baseline Evidence Automation | Integrate Automated SBOM Generation in the Pipeline | 7 | 11 |
| DevSecOps Baseline Evidence Automation | Integrate Automated Vulnerability Scanning in the Pipeline | 3 | 5 |
| DevSecOps Baseline Evidence Automation | Integrate Automated OpenSCAP Container Scanning in the Pipeline | 3 | 5 |
| DevSecOps Baseline Evidence Automation | Integrate Static Application Security and Secret Scanning | 2 | 4 |
| DevSecOps Baseline Evidence Automation | Leverage OSCAL/Compliance-as-Code for Control Tracking | 3 | 5 |
| DevSecOps Extra Supporting Automation | Implement Container Image Signing | 1 | 3 |
| DevSecOps Extra Supporting Automation | Implement Anti-Virus Scanning with ClamAV | 1 | 3 |
| DevSecOps Extra Supporting Automation | Implement Penetration Testing with ZAP | 2 | 5 |
| Preliminary ATO Documentation Generation | Determine Final Authorization Boundary | 1 | 3 |
| Preliminary ATO Documentation Generation | Create Custom Software Architecture Diagram | 1 | 3 |
| Preliminary ATO Documentation Generation | Create Ports, Protocols, and Services (PPS) Documentation | 1 | 3 |
| Preliminary ATO Documentation Generation | Create Security Control Compliance Narratives | 2 | 5 |
| Preliminary ATO Documentation Generation | Create System Security Plan (SSP) | 1 | 3 |
| Preliminary ATO Documentation Generation | Create SRG/STIG Compliance Documentation | 1 | 3 |
| Preliminary ATO Documentation Generation | Create Continuous Monitoring Plan Documentation | 1 | 3 |
| Preliminary ATO Documentation Generation | Create Plan of Action & Milestones (POA&M) | 1 | 3 |
| Preliminary ATO Documentation Generation | Create Privacy Documents | 1 | 3 |
| Preliminary ATO Documentation Generation | Compile Initial ATO Package | 1 | 3 |

Note: the timeline for containerizing custom software depends heavily on how many applications need to be containerized and how many hidden dependencies must be untangled.
