← Federal Suite 03 · Security & Accessibility

ATO Package — System Security Plan & POA&M

Download Word

The Authority to Operate (ATO) is the formal security sign-off required before BenefitConnect can go live in production. It has no real equivalent in commercial healthcare PM work — a HIPAA risk assessment is closer, but an ATO is a harder, non-negotiable gate: without it, the system simply does not launch, regardless of schedule pressure.

Owned by T. Abernathy (ISSO), reviewed by M. Whitcombe (COR), and formally granted by the agency's Authorizing Official — not by anyone on the contractor team or FOPBA program staff.

System Security Plan (SSP) — Summary

System CategorizationModerate (FIPS 199) — handles applicant PII but not classified data
Security Control BaselineNIST SP 800-53 Moderate baseline
Assessment MethodIndependent Security Control Assessment (SCA) by third-party assessor
Target ATO DateMonth 7 (Milestone Gate 1)

POA&M — Plan of Action & Milestones (open findings)

FindingSeverityRemediation OwnerTarget CloseStatus
Session timeout exceeds moderate-baseline thresholdHighK. LindqvistMonth 6Open
Audit logging gap on legacy data import pathModerateK. LindqvistMonth 6Open
MFA not yet enforced for admin consoleHighT. AbernathyMonth 5Closed

Why This Gate Matters for the Schedule

Every open High-severity POA&M finding is a direct risk to Milestone Gate 1 (see the IMS and RAIDD Log, R-01). A federal PM's job here isn't to do the security work itself — it's to actively track POA&M burn-down against the schedule and escalate early if remediation is slipping, since an ATO delay is a hard go-live blocker, not a negotiable one.