NIST SP 800-37 describes the ATO and ATU as very similar: both are mechanisms for documenting and accepting the risk of information systems and for approving the agency's use of the system. ATUs are intended for shared systems, but they still document the acceptance of risk and the approval of use (based on an external security assessment). Although FedRAMP accepts both ATOs and ATUs, at least one ATO must be on file for the cloud service offering (CSO) before FedRAMP will accept an ATU.