Introduction
Welcome to the OpenATO Guide.
Technology platforms are continuously evolving, the number of CVEs is growing at 20% a year, and threats are probably increasing even faster. No single group (contractor or agency) is up to the task of staying abreast of all the changes, yet we must. A path forward is to open the process up to community collaboration so that all can benefit from the updates made at the edges by other parties.
The platform needs to be open to encourage sharing. Catalog baselines, agency Profiles and system Components often contain little or no sensitive information and can easily be shared. Even SSPs and Assessment Plans can, for the most part, be open and shared. (Of course, the Assessment Results containing system vulnerabilities and POA&Ms may be sensitive.) The goal is to slowly trim-tab the ship toward a fluid, evolving ecosystem of assertions and tests (covering the inventory of hardware, software, policy and processes) and away from static “paper” SSPs/ATOs.