Onboarding - Data Security

This section provides information on data security for the BioSense Platform, including details on CDC's Authorization to Operate (ATO) and overall approach for ensuring data security of the BioSense Platform.

CDC Authorization to Operate

All CDC IT systems must obtain a signed Authorization to Operate (ATO) before connecting to the BioSense Platform. The ATO represents management's approval to place a system into operation at CDC. An ATO is granted after an IT system fully complies with the Certification and Accreditation (C&A) process. An IT system must comply with the following regulations specified in the C&A process:

  • Security Certification
  • Security Accreditation
  • E-Authentication
  • Business Continuity Planning

For IT systems required to complete a full C&A, the designated approving authority (DAA) is typically a senior management official, division level or above, within a center, institute, or office. There are two different ATO forms: the Non-reportable System/Application ATO and the Reportable System/Application ATO.

The certifying authority (CA) must sign within the C&A process, depending on the system's impact level under Federal Information Processing Standard Publication (FIPS PUB) 199, Standards for Security Categorization of Federal Information and Information Systems. CAs are typically the application sponsor, business steward, system owner, chief information security officer, or designated approving authority.

FIPS PUB 199 is an important component of a suite of standards and guidelines that the National Institute of Standards and Technology (NIST) is developing to improve the security of federal information systems, including those systems that are part of the nation's critical infrastructure. FIPS PUB 199 enables agencies to meet the requirements of the Federal Information Security Management Act (FISMA) and improves the security of federal information systems.

The CA must use the reportable ATO form if the system has a high FIPS PUB 199 impact level or has critical inventory systems.

The CA must use the non-reportable ATO form if the system has a low or moderate FIPS PUB 199 impact level.

Note: The Office of the Chief Information Security Officer (OCISO) will not grant an ATO to a Web-based system if the application scan contains high vulnerabilities. The CA must collaborate with OCISO to lower system vulnerabilities to an acceptable level before an ATO will be granted. The project officer must submit a self-signed ATO, in PDF format, as part of the C&A package. The CA will sign the ATO upon approval of the accepted package.

For more information about full compliance, refer to the C&A process guides on CDC's Unified Process website:
http://www2.cdc.gov/cdcup/library/process_guides/default.htm.

Authorization to Operate for BioSense

The figure below shows the ATO for the syndromic surveillance system on the BioSense Platform (1/7/2015 to 11/12/2017).