What is a Product Owner ATO Boundary Consolidation?

The Product Owner ATO boundary consolidation allows for a single ATO to cover multiple similar or related systems/applications in a common ATO boundary. The process will reduce artifact and work duplication and should speed the ATO process overall. To facilitate the process, a Product Team is assembled and a single system owner/stakeholder from the Team is nominated as the Product Owner.

The Product Owner acts on behalf of his/her constituent system owners and will serve as the designated System Owner for all ATO related activities on the team’s behalf (e.g., ensuring feedback is received from other stakeholders, attending continuous monitoring meetings, and signing documents on behalf of the other owner stakeholders). This team model will reduce the time required to develop and approve required ATO artifacts and make communication between the Product Team and the NCI Cybersecurity Office more efficient.

The Product Owner works with the Product Owner Team to review documentation and oversee the process and activity surrounding all seven phases of the Risk Management Framework (RMF). The Product Owner also possesses the signing authority for official FISMA artifacts.

The ATO Boundary Consolidation is also a flexible tool and is not limited to one Product Owner. Alternatively, there can be a single system owner when there are multiple stakeholders. In the foreseeable future this model will take many forms as needs change.

What criteria is used to determine which systems should be part of an ATO consolidated boundary?

• Share an identical risk categorization (FISMA Low and FISMA Moderate)
• Are maintained by a single technical program (e.g., CTOS, Octo, DCCPS)
• Are hosted on the same platform (Enterprise Services GSS, Cloud One, Cloud Two)
• Possess a common technology stack (software and infrastructure)
• Have a common federal system owner

How will being part of an ATO boundary consolidation benefit the system owner?

• Reduces the number of compliance packages to maintain
• Reduces the level of effort to scale compliance, which lessens schedule delays and resource investments
• Better positioned to standardize processes and technologies for control implementation
• There are well defined roles and points of contact to supplement standardized processes, reinforce accountability, and hone security focus in daily activities
• The system owner can streamline cross-team coordination for incident response, disaster recovery, change management, and response to changes in policy
• The system owner is aligned for continuous improvement to introduce new security capabilities (tools) and methodologies (progress toward continuous authorization) through cross-team collaboration

To inquire about including your existing system in a boundary consolidation, please contact your A&A ITSA at NCICBIITSA&Ateam@mail.nih.gov

To inquire about creating a new system ATO boundary, please contact NCICBIITSecurity-Governance@mail.nih.gov