Closed MichaelSides closed 2 months ago
Immediate Response Required - Needed by 12pm September 6, 2024
We are currently working on a short suspense tasking that will be followed by an ATO retrospective, and we need your input to gather the necessary information.
Independent assessments and ISSO support are shared service functions provided by the Office of the Chief Information Security Officer, in GSA IT. Please identify which programs are paying for associated ATO assessment cost and ISSO support.
In general, we have been asked to gather the following details:
What are you paying for GSA OCISO ATO Support?
Where is the payment coming from? WCF?
How is the payment documented?
Long story short: How much money are you spending on ATOs for your systems?
Action Items:
Review and update columns C-F ATO Assessment link
If necessary, provide additional information to help answer the questions above
Please submit your response by 12pm Friday
Thank you for your cooperation and timely response.
Awaiting input.
9/6/24: Sent in response to tasking:
Hi LaKeisha -
The data call is now closed and the responses are linked here.
Below is a summary of the responses: BLUF:
Let me know if you want me to set up a call to discuss?
9/9/24 LaKeisha responded with:
Thank you so much for your help and support!
Closing for now.
Tasking From LaKeisha:
I need your help with completing an ATO data call while I am out on leave this week. Can you send an email to the Program Leads today and request a response by 12pm ET on Friday? We need to know which programs are paying for ISSO support and the associated ATO assessment cost. Please reference section 3.2 of the OCISO MOU for a list of TTS Systems.
Original request:
Purpose: After Ann discussed the SoCAAS memo with the broader leadership team it raised a lot of questions about ATOs and how some TTS teams are paying and some are not. We are trying to make sure we understand the status quo and whether there is an issue based on the memo. We know you know a lot more about a lot of this so would appreciate your expertise.
Here are the questions we wrote in our agenda doc. We will not answer these all tomorrow, but instead we want to make sure we are asking the right questions.
WCF / GSA IT one-off charges - what is the impact of the recent SoCAAS memo on ATOs and other activity?
Link to email and document
https://mail.google.com/mail/u/0/#search/mukunda/WhctKLbFbDSSmJcNvXqhJnwdLzlFzbDhQgrtNKScJggwNkWCDkVLBQDKrcxlHmprHGZrZjL?projector=1&messagePartId=0.1
Seems like some “new programs” are being required to pay for ATOs or FedRAMP authorization sponsorship now while other TTS programs are not - this is unfair and seems not in line with the memo. This also may defeat the purpose of the WCF. But also some programs need extra speed they get from paying for the ATO.
We can raise Q and concerns with CFO on this but need to be strategic and collect information like:
Re: WCF and GSA IT Services
Which TTS organizations receive existing services from GSA IT
Confirm - which TTS organizations receive a WCF bill that includes charges for services from GSA IT
Fit-gap on WCF charges vs. range of services
(Explicit examination of whether or not ATO services are already included in the WCF bill)
ATOs
Which TTS organizations pay for ATO services from GSA IT
Of those that pay for ATO services from GSA IT - what are they paying for and is the payment documented, and for how many ATOs?
How much money is being spent on ATOs across TTS?
As a general matter - How long does it take to get an ATO completed? Do we have metrics for paid vs not paid?
How well can we forecast ATOs? What % of our portfolio can we forecast on an 18-month timeline?