The Authority to Operate (ATO) is the formal security sign-off required before BenefitConnect can go live in production. It has no real equivalent in commercial healthcare PM work — a HIPAA risk assessment is closer, but an ATO is a harder, non-negotiable gate: without it, the system simply does not launch, regardless of schedule pressure.
Owned by T. Abernathy (ISSO), reviewed by M. Whitcombe (COR), and formally granted by the agency's Authorizing Official — not by anyone on the contractor team or FOPBA program staff.
System Security Plan (SSP) — Summary
| System Categorization | Moderate (FIPS 199) — handles applicant PII but not classified data |
| Security Control Baseline | NIST SP 800-53 Moderate baseline |
| Assessment Method | Independent Security Control Assessment (SCA) by third-party assessor |
| Target ATO Date | Month 7 (Milestone Gate 1) |
POA&M — Plan of Action & Milestones (open findings)
| Finding | Severity | Remediation Owner | Target Close | Status |
|---|---|---|---|---|
| Session timeout exceeds moderate-baseline threshold | High | K. Lindqvist | Month 6 | Open |
| Audit logging gap on legacy data import path | Moderate | K. Lindqvist | Month 6 | Open |
| MFA not yet enforced for admin console | High | T. Abernathy | Month 5 | Closed |
Why This Gate Matters for the Schedule
Every open High-severity POA&M finding is a direct risk to Milestone Gate 1 (see the IMS and RAIDD Log, R-01). A federal PM's job here isn't to do the security work itself — it's to actively track POA&M burn-down against the schedule and escalate early if remediation is slipping, since an ATO delay is a hard go-live blocker, not a negotiable one.