Generate ATO artifacts for an authorization package

  • Release version: Washingtondc
  • Updated August 1, 2024
  • 2 minutes to read

    • Generate ATO artifacts such as System Security Plan (SSP), Security Assessment Report (SAR), and Plan of Actions and Milestones (POA&Ms) from an authorization package in Microsoft Word format.

    Before you begin

    Role required: sn_irm_cont_auth.admin, sn_irm_cont_auth.authorization_official, sn_irm_cont_auth.info_system_sec_manager, sn_irm_cont_auth.info_system_sec_officer, sn_irm_cont_auth.system_owner

    About this task

    Authorization to Operate (ATO) artifacts are documents and evidence produced while authorizing a system that support the compliance of a package with the security standards.

    SSP, SAR, and POA&Ms are reports that you can generate for an authorization package. Each report is a collection of documents attached to the authorization package that gives you a consolidated, detailed report about the effectiveness of the system security.
    SSP
    A document that provides an overview of security requirements for an information system. It describes how a system adheres to the security requirements or how it plans to meet the requirements.
    SAR
    A structured document that provides the assessment results and recommended guidelines of an assessor in remediating the vulnerabilities found in the security controls.
    POA&Ms
    A document that gives details as to how to accomplish the elements of the plan, milestones to achieve the tasks, and time line to complete the milestones.
    Note:
    You can generate SSP, SAR, POA&Ms reports in Microsoft Word where you can update the content in CAM Workspace. Whereas, in classic UI you can generate the SSP report in PDF format using the Generate Report(s) button in the Authorization package form.

    Procedure

    1. Navigate to All > CAM Workspace.
    2. To navigate to the Lists page, select the lists icon (Lists icon.).
    3. From the Authorization packages in the RMF list on the left pane, select an authorization package record for which you wish to generate the reports.
      Important:
      • To generate an SSP report, the package must be in the Implement, Assess, Authorize, or Monitor state.
      • To generate an SAR report, the package must either be in the Authorize or Monitor state.
      • To generate a POA&M report, the package must be in the Assess, Authorize, or Monitor state.
    4. To generate an SSP report for the package, select the Generate SSP button.
    5. To generate an SAR report for the package, select the more actions (More actions icon) list next to Generate SSP UI action.

      Generate ATO artifact UI actions.

    6. To generate a POA&M report for the package, select the More actions icon list next to Generate SSP UI action.
      A message appears asking you to confirm that your action triggers the generation of the document for the authorization package, and that the report that is currently being generated will replace any existing report.
    7. Select Proceed.
      After the Microsoft Word file is generated, a banner message states that the report has been generated successfully.
    8. Close the message and select the attachment icon (Attachment icon) in the sidebar.
      The Microsoft Word document is also attached to the Authorization section of the package in the Details related list. You can also select the download icon next to the report to download the file.
    9. Select the More actions icon icon next to the file with a docx extension and click the Download option.
      The downloaded file opens in a Microsoft Word format with all the details. The report is also attached in the Activity section of the package with the timestamp and the user who generated it.

      To use the functionality of Generate ATO artifacts for an authorization package, see the Configurations Required to Enable Report Generation for Authorization Package in CAM Workspace [KB1649486] article in the Now Support Knowledge Base.