When is a new Authority to Operate (ATO) required in eMASS?


A new Authority to Operate (ATO) is required in eMASS when there are significant changes to the system, its environment, or security controls. The ATO is a formal declaration by a senior official that a system is authorized to operate based on an acceptable level of risk to organizational operations and assets.

When significant alterations occur—such as the introduction of new functionalities, changes to the system architecture, updates to the technology stack, or adjustments to the environment in which the system operates—these can affect how vulnerabilities are managed and the overall security posture of the system. Consequently, a reassessment is essential to ensure that the risk associated with these changes is fully understood and managed appropriately, thereby warranting a new ATO.

In contrast, minor updates, user account creations, or network performance issues do not inherently necessitate a new ATO. Minor updates may be managed under existing risk assessments, and routine user account management typically does not alter the security controls or system environment significantly. Furthermore, while network performance is important, it does not directly correlate with security risk in a manner that would require resetting the ATO approval process. Thus, recognizing the need for a new ATO in the case of significant changes signifies a proactive approach to risk management and system
