Authority To Operate
Managing Risk and Proving Trust
By Stephanie Crabtree
Managing risk associated with information systems has been at the core of good governance for decades. In the Australian Government context, this is handled through a structured process known as an Authority to Operate. This article equips you with key information related to an Authority to Operate, including how and why it is used.
What is an Authority to Operate (ATO)?
An Authority to Operate (ATO) is a formal risk acceptance process used by Australian Government entities to assess, approve, and continuously monitor whether an information system is secured to a standard deemed operable within their environment.
The Authorising Officer (AO) must sign off on any residual risk, ensuring that a system meets security requirements proportionate to its criticality. The ATO process has become essential for securing IT and OT systems against emerging cyber threats.
Cyconsol has significant experience developing system specific security documentation in support of attaining an ATO, or supporting clients in understanding what else might be required.
Why is it important for Australian Government entities?
Non-corporate Commonwealth entities are subject to the Public Governance, Performance and Accountability (PGPA) Act 2013, which in part requires that organisations manage risks to their operation. As part of this, the Australian Government requires entities to use the Protective Security Policy Framework (PSPF). The PSPF covers a broad range of topics and includes minimum security requirements for designing, deploying and authorising the use of information technology solutions.
The PSPF was updated in 2025 to include additional guidance under Section 13.3 Technology System Authorisation, including using the Information Security Manual (ISM) to assess systems. The guidance emphasises the effective implementation of the ISM to support risk management, alongside the importance of ongoing authorisation activities. Together, these elements form the authorisation process.
Who is the Authorising Officer (AO)?
This person authorises each system to operate based on the acceptance of the residual security risks associated with its operation. The AO is often the organisation’s CISO or senior executive with delegated authority to accept risk on behalf of the entity, although this can be dependent on the level of risk associated with the operation of a given system.
Why is ATO so important for decision making?
Essentially, an ATO is a decision to accept or not accept risk. The authorisation decision permits a system to operate once the residual risk is deemed acceptable.
Generally, business critical systems require a higher degree of scrutiny and stronger security assurance. Each new application or system is assessed against the organisation’s risk tolerance and the factors that could present risk.
A risk-based approach ensures security investment and assurance activities are aligned to business impact, enabling the most critical systems to receive the highest level of protection and confidence in their continued secure operation.
More importantly, many government organisations are continually adjusting their cyber security environment, adapting configurations for the changing threat landscape and adding both new defensive technologies and new applications and systems to their environment. What was once a trusted piece of code can lapse into a risk over time. Inherited controls can be impacted. It’s critically important that systems are regularly re-assessed.
Organisations are also required to identify major suppliers in their supply chain, map dependencies, and demonstrate that they can minimise or eliminate risks arising from those dependencies. When controls are inherited from cloud providers or managed service partners, the system owner must validate their effectiveness.
How do I implement an ATO process?
You should have both an overarching framework and a process in place to identify risks. It is essential to understand all your high impact systems and systems containing critical data, defining a repeatable process to ensure the risks for these environments are adequately assessed.
A well-structured ATO framework provides an overarching approach for how security risk is understood and managed including defined principles such as system classification, risk tolerance, and the expectation that systems must be assessed according to their sensitivity and criticality. This is important to ensure appropriate controls and resources are applied to systems based on business risk.
Within this structure sits the risk management process, which enables authorisation to be achieved. This process involves compiling security artefacts which collectively support an evidence-based decision proportionate to the system’s level of impact.
Core deliverables often needed as part of an ATO include the Cloud Security Controls Matrix, System Security Plan, Security Risk Management Plan, Continuous Monitoring Plan and Incident Response Plan, to name a few. Depending on the requirements of each organisation, or the complexity of the system, fewer or additional documents may be required, including, for example, a Supply Chain Risk Assessment.
What is continuous Authority to Operate (cATO)?
A continuous Authority to Operate (cATO) replaces periodic assessments with real-time monitoring and automated evidence-collection workflows. The shift to continuous authorisation treats security assessment as an ‘always‑on’ capability rather than a periodic checkpoint or tick-box exercise. This is especially critical for regulated industries and government‑facing organisations, where authorisation delays can halt entire programs.
How can Cyconsol help you?
Cyconsol can step in at any stage of your ATO journey - from design to implementation of the framework, developing security documentation, and continuously supporting improvement through remediation planning. Our team includes both current and former government security practitioners who’ve lived the ATO process end-to-end, so we understand both the regulatory expectations and the day-to-day realities of sustaining continuous assurance.
We can help you make a cultural shift, from treating security assessments as a one-off activity to embedding it as an ongoing, integrated practice throughout the system lifecycle.
If your organisation requires assistance with the transition to ATO, our CISOaaS can deliver both high-level strategic advice and guide the necessary assessments to deliver a program of work to help you achieve your desired level of risk management.
Perhaps your policies require maintenance – try our uplift services.
Many organisations are still using a system of spreadsheets or home-grown applications to record and track assessments. We have solutions for automated monitoring, establishing real‑time control validation, and building the operational processes that let you maintain authorisation without drowning in paperwork. Read more about our Continuous Compliance Management Services using Telos Xacta here.