Continuous ATO: Going from Authority to Operate (ATO) to Ability to Respond
This white paper explores best practices designed to help reduce the time and cost of ATOs while improving access to risk data using process automation.
The Change Healthcare security breach has impacted over 94% of hospitals, as reported by the American Hospital Association (AHA). A cascading set of events was unleashed starting with the Feb 21, 2024 announcement of the data breach at Change Healthcare, requiring nearly $2B in advance payments and severely impacting nearly 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories. The attack is reported to have been caused by a security vulnerability in software provided by ConnectWise and used by Change Healthcare. Security and cybersecurity incidents in healthcare are not new. However, what makes the Change Healthcare breach stand out is its widespread impact and the need for a forceful government response that included the White House. In many ways this cyberattack mirrors the Colonial Pipeline incident a few years ago, where citizens faced gas shortages, serving as a wakeup call to policy makers that cybersecurity incidents can be disruptive to the
General Services Administration (GSA), Office of Small and Disadvantaged Business Utilization (OSDBU) and the FedRAMP PMO are hosting a webinar on March 21, 2024 to provide guidance to small business CSPs on becoming FedRAMP authorized. Small businesses are encouraged to register for and attend this free event. Topics to be covered include: gaining insight into the benefits of partnering with FedRAMP; understanding the FedRAMP authorization process; and identifying FedRAMP resources for CSPs. Time: Thursday, March 21, 2024 at 1:00 PM Eastern Time (US and Canada). The registration link is available here. Small businesses with innovative SaaS or PaaS cloud service offerings that cater to federal agencies should seek FedRAMP authorization. What is FedRAMP? The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment for commercial cloud service providers (CSPs). Any cloud system hosting federal must be
The US Government is continuing to move rapidly to ensure US competitiveness in the area of Artificial Intelligence (AI). The FedRAMP Program Management Office (PMO) published the Emerging Technology Prioritization Framework (ETPF) in January 2024. The ETPF is designed to help accelerate the availability of FedRAMP authorized Gen AI cloud solutions for federal agencies and users. The FedRAMP PMO is soliciting feedback and comments on the proposed prioritization framework, due by March 11, 2024. Please read our blog to learn more about FedRAMP. US Government agencies, including DOD and Federal Civilian agencies, spent nearly $3B on AI solutions based on a 2023 report from Stanford University. This spending is expected to grow rapidly as agencies and public sector organizations start production deployments in the near future. To ensure the safe and secure deployment of AI technologies and to drive the development of standards, the Department of Commerce announced the creation
**stackArmor will be part of the leading AI stakeholders to help advance the development and deployment of safe, trustworthy AI under new U.S. Government safety institute** MCLEAN, Va.–February 8, 2024–Today, stackArmor announced that it has been selected by the Department of Commerce to join the nation’s leading artificial intelligence (AI) stakeholders to participate in a Department of Commerce initiative to support the development and deployment of trustworthy and safe AI. Established by the Department of Commerce’s National Institute of Standards and Technology (NIST), the U.S. AI Safety Institute Consortium (AISIC) will bring together AI creators and users, academics, government and industry researchers, and civil society organizations to meet this mission. “Understanding that adopting AI in a safe and secure manner is a challenge for public sector agencies due to evolving guidance, standards for risk, and a shortage of resources, it’s of the utmost importance to offer proven solutions to the
Solution enables underrepresented communities greater access to AI/ML research capabilities MCLEAN, Va.–(BUSINESS WIRE)–stackArmor, a leading provider of cloud, security and compliance acceleration solutions for meeting FedRAMP, FISMA and CMMC 2.0, today announced it has been supporting Dr. Paul Avillach, one of the Multiple Principal Investigators of the National Institutes of Health (NIH)’s Artificial Intelligence/Machine Learning Consortium to Advance Health Equity and Researcher Diversity (AIM-AHEAD) program. The AIM-AHEAD program mission is to enhance the participation of underrepresented communities in the development of AI/ML models. The program improves the capabilities of this emerging technology, beginning with electronic health records (EHR) and extending to other diverse data to address health disparities and inequities. A lack of diversity of data and researchers in the AI/ML field runs the risk of creating and perpetuating harmful biases in its practice, algorithms and outcomes. “We have been privileged to support Dr. Avillach’s vision to reduce the cost
The US Government Accountability Office (GAO) released a report on The Federal Risk and Authorization Management Program (FedRAMP®). The 37 page report provides highly relevant insights to both agencies and commercial organizations pursuing FedRAMP authorizations or ATOs. Highlights from the report are presented below. Key Challenges Faced by Agencies and Cloud Service Providers (CSP): Receiving timely responses from stakeholders: Agencies and CSPs reported that they had issues with receiving timely responses from stakeholders throughout the authorization process. Sponsoring CSPs that were not fully prepared: Agencies reported that CSPs did not fully understand the FedRAMP process and lacked complete documentation. Lacking sufficient resources: Agencies reported that they lacked the resources (e.g., funding and staffing) needed to sponsor an authorization. Meeting FedRAMP technical and process requirements: CSPs reported that they had to update their infrastructure to meet federal security requirements. Finding an agency sponsor: CSPs reported that finding an agency sponsor was difficult. Engaging
Welcome back to the era of GenAI, where the world remains captivated by the boundless potential of artificial intelligence. However, the proliferation of AI does not preclude us from considering the new risks it poses. As you may recall, I have been supporting numerous initiatives around AI Risk Management as part of our ATO for AI offering and recently explored the ethical risks surrounding AI using the IEEE CertifAIEd framework. As part of the NIST AI RMF, we need to continue to adopt new and emerging risk management practices unique to AI systems. Today, we’re going to be exploring the other type of risks: the security vulnerability vectors that are unique to AI systems. Today we will be examining the most common of those vectors, called the OWASP LLM Top 10 and how to protect yourself while building solutions using AWS Native AI services. What is the OWASP LLM Top 10?
Updated on 5/24/2025 with new developments related to this topic. On May 22, 2025, NIST published a blog stating their intent to leverage existing control frameworks to protect AI systems as opposed to creating new frameworks. stackArmor’s position, published in 2023, to use AI Overlays to develop guardrails for AI systems has been accepted as an approach that will be implemented by NIST. Ms. Clare Martorana, U.S. Federal Chief Information Officer, Office of the Federal Chief Information Officer, Office of Management and Budget. Subject: Request for Comments on Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Draft Memorandum. Ms. Martorana, We appreciate the opportunity to comment on the proposed Memo on Agency Use of Artificial Intelligence. As the CEO and founder of a small and innovative solutions provider, stackArmor, Inc., headquartered in Tysons VA, I applaud your efforts to foster transparency and solicit ideas and comments. We
TYSONS CORNER, Va., Dec. 15, 2023 — stackArmor, Inc., a leading provider of FedRAMP, FISMA, CMMC 2.0, NIST AI RMF and StateRAMP compliance acceleration solutions, and Carahsoft Technology Corp., the Trusted Government IT Solutions Provider®, today announced that they have assisted the University of Utah School of Medicine in successfully obtaining a FISMA Moderate ATO for the National Emergency Medical Services Information System (NEMSIS). NEMSIS is a collaborative system hosted on Amazon Web Services (AWS) to improve prehospital patient care through the standardization, aggregation, and utilization of point of care EMS data at a local, state, and national level. NEMSIS is a program of the US Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) Office of EMS and is hosted by the University of Utah’s Data Coordinating Center, housed within the School of Medicine. “FISMA is one of the most important regulations regarding Federal data security standards and guidelines. An ATO (Authority To Operate) forms the
A blog post by Matthew Venne, Sr. Solutions Director, stackArmor It’s no secret that Cloud 2.0 will be driven by Artificial Intelligence (AI). The rate at which the world is adopting AI-based solutions is nothing short of staggering; what was once viewed as science fiction, is quickly becoming science fact. With each AI system that gets deployed into the world, another machine takes ownership of decisions previously made by a human. We are currently seeing AI being adopted across all sectors of life: self-driving cars, college admissions, housing applications, the defense industry and more.  This presents unique challenges and risks that require new thought leadership to properly assess and mitigate. What happens if: An Autonomous Intelligence System (AIS) used for college admissions incorporates a bias against any demographic? An AI-powered smartwatch discovers its owner has a condition they wanted to keep private? An AIS escalates its own privileges to access
AI is so much more than a buzz term these days. It is a full blown technological revolution commanding the attention of industries and sectors across the board. Its surging role is particularly evident in the public sector where government and federal agencies are flocking to capture the benefits of the emerging tech. Take the Department of State for example. In order to automate the time-consuming task of documentation processing and declassification, the department has instituted an AI-driven pilot project that helps to streamline reviews. AI Initiatives from The White House and Public Sector But as AI gains traction, there is also a rush to get ahead of its challenges. In a talk hosted by the Information Technology Industry Council, Arati Prabhakar, the director of the White House’s Office of Science and Technology Policy, discussed an expected executive order that focuses on balancing opportunity with risk. Of course, that became
October was a busy month for FedRAMP. From Federal Secure Cloud Advisory Committee (FSCAC) meetings to an automation overhaul, there were a slew of activities aiming to further prepare the program for the future it faces and will need to serve. Developing the Next Generation of FedRAMP The push to really explore FedRAMP’s upcoming chapter began with the first FSCAC meeting of the month on October 19. The focus of this particular gathering was to delve further into the Cloud Solution Provider (CSP) Authorization Path and offer an opportunity to present insights on how to enhance this process. The following convening on October 26 was centered around the growing role of Continuous Monitoring (ConMon), also offering an opening of the floor to discuss input that would lead to draft recommendations. But the key theme that keeps recurring is automation. While the forthcoming November meetings will tune more deeply into equipping
On a new episode of stackCast (powered by stackArmor), host Martin Rieger, Chief Solutions Officer & CISO at stackArmor, welcomes the SVP and CISO at Lineaje, Nick Mistry. The two discuss: The importance of software supply chain security and why it has been mandated by some government programs such as FedRAMP and FISMA The overview of a Software Bill of Materials (SBOM) and breakdown of transitive dependencies vs. dependencies Why Lineaje developed an SBOM exchange platform (SBOM360 Hub) and how it works How SBOM360 Hub impacts the overall security posture of a company To learn more about Lineaje and how they solve critical Software Supply Chain security problems faced by every organization that builds, uses, or sells software, please visit: https://www.lineaje.dev/. – About stackCast: Welcome to stackCast, powered by stackArmor, your go-to source for all things related to cloud security and cybersecurity compliance. Hosted by Martin Rieger, Chief Solutions Officer
The Office of Management and Budget (OMB) released a Draft Memorandum for Modernizing the Federal Risk and Authorization Management Program (FedRAMP) on Friday, Oct 27, 2023. FedRAMP was codified in 2022 when Congress passed the FedRAMP Authorization Act (“Act”). The Act established FedRAMP within the General Services Administration (GSA) and created a FedRAMP Board to provide input and recommendations to the Administrator of GSA. Prior to the Act, FedRAMP had been in place through an Office of Management and Budget (OMB) memorandum issued in December 2011. The DRAFT Memorandum released by OMB has a number of highlights. Salient elements of the proposed changes are summarized below from our perspective, having supported over 200 system migrations and ATOs since 2009, including the first Government-wide Cloud Authorization To Operate (ATO) in May 2010 for Recovery.gov and then the first Cabinet Agency Cloud ATO in Dec 2010 for Treasury.gov. SaaS focus: OMB has a
By: Gaurav “GP” Pal, Founder and CEO, stackArmor Last month at stackArmor, we announced the establishment of our AI Risk Management Center of Excellence (CoE), comprised of executives with strong operational backgrounds and experience driving large-scale modernization efforts in Federal agencies. We’re pleased to share that Suzette Kent, former Federal Chief Information Officer for the United States, is joining the stackArmor CoE to advise and provide ongoing counsel to stackArmor and its stakeholders. “Harnessing the power of AI for delivery of government mission and services will be transformational,” said Suzette Kent. “But, it is complicated to align all the emerging policy, risk frameworks, approval processes and existing policy and law. I am thrilled to be included in the COE because I have seen the work of the stackArmor team to drill down to details and find a path to connect all the pieces. We can only get to use of
It’s been a few weeks now since Carahsoft’s FedRAMP Headliner Summit, but there is no shortage of moments to recall from it. For instance, Robert Costello commemorated his two-year anniversary as CIO at the Cybersecurity and Infrastructure Security Agency (CISA) during the event. While speaking on his role, he explained the difference that has unfolded, including a greater emphasis on having technically savvy federal employees. As quoted by MeriTalk, he stated, “We’re now doing cutting-edge technology solutions, providing services to the agencies that we weren’t before…” Growing Demand for Cloud Services It’s an important point that agencies such as CISA are enhancing tech skills. With growing risk, expanding innovations, and rising regulations, the demand is higher than ever. This is seen in funding initiatives as well. According to Government Technology, the federal government is preparing to distribute $1 billion to states and cities in order to support their cybersecurity plans.
By: Matthew Venne, Senior Solutions Director In an increasingly interconnected world, securing digital assets and sensitive information has never been more critical. In a never-ending game of “cat and mouse,” malicious actors and cyber security professionals go back and forth trying to one-up each other. As a result, the security required to protect digital assets has outgrown the “traditional” perimeter-based security model, where processes and identities are typically only authenticated once and then implicitly trusted. To adapt to the new network complexity, a new model, the “Zero Trust” security model, has gained prominence as a more robust and effective approach to safeguarding data and systems. Okta, a leading identity and access management (IAM) solution provider, has recently introduced its Identity Engine to implement Zero Trust principles. In this blog post, we will delve into how Okta’s Identity Engine implements Zero Trust and the benefits it offers for modern organizations. Understanding
Solution receives industry backing with newly established AI Risk Management Center of Excellence (CoE) MCLEAN, Va., September 27, 2023 – stackArmor, the leader in security and compliance acceleration for government organizations, today announced its Approval To Operate (ATO) for AI™ accelerator, that helps public sector and government organizations rapidly implement security and governance controls to manage risks associated with Generative AI and General AI Systems. ATO for AI™ builds on the decades of experience in managing digital and information systems risk using open NIST standards like NIST RMF, NIST SP 800-53 and NIST SP 800-171 and integrates them with emerging frameworks like NIST AI RMF specifically tailored to manage AI risk. As organizations across the globe reap the benefits of AI for automated decision-making and data analysis, the Biden administration recently issued a fact sheet announcing commitments from eight AI companies to manage the risks posed by AI. The document notes the
On a new episode of stackCast (powered by stackArmor), host Martin Rieger, Chief Solutions Officer & CISO at stackArmor, welcomes the CEO at IriusRisk, Stephen de Vries. The two discuss: What threat modeling is, and why it’s crucial in today’s digital landscape How IriusRisk automates the threat modeling process How IriusRisk breaks down silos between Security and Development The guide to how companies can invest in security Compliance and how working with G-SIBs comes with a unique challenge To learn more about IriusRisk and how they automate the threat modeling process, please visit: https://www.iriusrisk.com/. —- About stackCast: Welcome to stackCast, powered by stackArmor, your go-to source for all things related to cloud security and cybersecurity compliance. Hosted by Martin Rieger, Chief Solutions Officer & CISO at stackArmor, the series focuses on navigating the ever-changing landscape of cloud technology and cybersecurity. In a world where our reliance on digital technology is
What’s the cloud hanging over cloud service providers’ heads? The rapidly evolving threat landscape. It’s challenging to keep up with the pace and scale of risk, which is especially true when you are working with clients as essential as federal government agencies. Therefore, it’s critical to not only maintain cyber hygiene, but to anticipate what’s lurking. One key way to help reach those goals is to band together with other cybersecurity experts to exchange ideas, discuss the topics impacting everyday tasks, explore solutions, and brainstorm on what’s ahead. Cue the GovForward FedRAMP Headliner Summit presented by GovExec. GovForward FedRAMP Headliner Summit On August 23, leaders across the cybersecurity, cloud technology, government, and military fields will descend on the Waldorf Astoria in Washington, D.C. for conversations ranging from the need to better protect critical infrastructure to the state of cloud adoption. The main overarching theme, though, will be examining the impact
If federal cybersecurity were a play, regulatory programs such as FedRAMP would be like the directors helping all of the participating actors properly execute their parts and bring the vision to life. And with the spotlight growing brighter due to the mass digital migration, evolving tech landscape, and expanding threat environment, they recently brought in some new stage managers to help. 2nd Meeting of the Federal Secure Cloud Advisory Committee (FSCAC) In compliance with the FedRAMP Authorization Act of 2022, the General Services Administration (GSA) established the Federal Secure Cloud Advisory Committee (FSCAC), an alliance of 14 private and public sector representatives stemming from companies such as Google to agencies such as the Defense Information Systems Agency. According to the Federal Register, FSCAC’s purpose is to “provide advice and recommendations to the Administrator of GSA, the FedRAMP Board, and agencies on technical, financial, programmatic, and operational matters regarding
https://youtu.be/nRqtoTR68_w On a new episode of stackCast (powered by stackArmor), host Martin Rieger, Chief Solutions Officer & CISO at stackArmor, welcomes the CEO at SafeLogic, Evgeny Gervis. The two discuss: The important aspect of cybersecurity for business, especially those dealing with the United States government and any other entity that requires cryptographic software validation How SafeLogic is revolutionizing the approach to achieving FIPS 140 validation How SafeLogic supports customers who are dependent upon someone else’s cryptography and what that process looks like To learn more about SafeLogic and how their FIPS 140 validation-as-a-service streamlines the process of achieving and maintaining FIPS 140 validation for encryption, please visit www.safelogic.com. You can also listen to the episode here. About stackCast: Welcome to stackCast, powered by stackArmor, your go-to source for all things related to cloud security and cybersecurity compliance. Hosted by Martin Rieger, Chief Solutions Officer & CISO at stackArmor, the series
https://youtu.be/iF8JDGpzTHs Welcome to stackCast, powered by stackArmor, your go-to source for all things related to cloud security and cybersecurity compliance. Host Martin Rieger, Chief Solutions Officer & CISO at stackArmor, kicks off the series with Gaurav Pal (GP), CEO and Founder of stackArmor, who shares: The vision behind stackArmor and the challenges they faced early on; How they put the NIST security controls at the center of their universe; The importance of cloud security and compliance; The evolving security framework and future of the federal cloud security industry. To learn more about stackArmor and how they can help you with your compliance needs or anything cloud related, please visit www.stackarmor.com. You can also find stackArmor on: LinkedIn: https://www.linkedin.com/company/stackarmor/ YouTube: https://www.youtube.com/channel/UCS2dl2kpZ5PBA6BzBtiJu3g You can also listen to the podcast here.