In 2013, I wrote a post that traced the definitions in DoD policy on what things need an ATO (then Approval-To-Operate, now known as Authorization-to-Operate). Since that time, much policy has been reissued, so here’s an update:
DoD Instruction 8510.01 (Change 2, July 28, 2017) “Risk Management Framework (RMF) for DoD Information Technology (IT)”, says “Each DoD IS, DoD partnered system, and PIT system must have an authorizing official (AO) responsible for authorizing the system’s operation based on achieving and maintaining an acceptable risk posture.”
“DoD IS”, above, is a DoD “Information System”. The glossary section of 8510.01 says “Information System” is defined in CNSS Instruction 4009, “Committee on National Security Systems (CNSS) Glossary”: “Set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information.”
This doesn’t help, in terms of determining what doesn’t need an ATO. However, DoD Instruction 8500.01, “Cybersecurity”, says this:
(a) DoD ISs are typically organized in one of two forms:
1. Enclave
2. Major Application (Formerly Automated Information System Application)
a. Certain applications, because of the information in them, require special management oversight due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application and should be treated as major applications. A major application may be a single software application (e.g., integrated consumable items support); multiple software applications that are related to a single mission (e.g., payroll or personnel); or a combination of software and hardware performing a specific support function across a range of missions (e.g., Global Command and Control System, Defense Enrollment Eligibility Reporting System).
b. Major applications include any application that is a product or deliverable of an Acquisition Category I through III program as defined in Enclosure 3 of Reference (av). When operationally feasible all new major applications will be hosted in a Defense Enterprise Computing Center. c. All applications, regardless of whether they rise to the level of major application or not, require an appropriate level of protection. Adequate security for other than major applications may be provided by security of the environment in which they operate. d. When possible, capabilities should be developed as applications hosted in existing authorized computing environments (i.e., enclaves) rather than designated as major applications requiring new and separate authorizations. e. DoD Component CIOs will resolve disputes regarding whether an application rises to the level of a major application.
c. All applications, regardless of whether they rise to the level of major application or not, require an appropriate level of protection. Adequate security for other than major applications may be provided by security of the environment in which they operate.
d. When possible, capabilities should be developed as applications hosted in existing authorized computing environments (i.e., enclaves) rather than designated as major applications requiring new and separate authorizations.
e. DoD Component CIOs will resolve disputes regarding whether an application rises to the level of a major application.