AWS Select Tier Partner
Risk Management Framework & ATO

Authority to Operate, earned and maintained.

The Risk Management Framework (RMF) is how a federal system earns its Authority to Operate. D9Tech supplies the cleared RMF engineers who support the AWS Professional Services team through it: authoring the body of evidence, advising the authorizing official, and sustaining continuous monitoring, so the mission gets authorized and stays that way.

Risk Management Framework · NIST SP 800-37 · run end to end to an Authority to Operate

ATO maintained on a DoD high-performance network

U.S. Navy / DoD HPCMP (DREN) · Prime

Authority to Connect granted, ~250 users onboarded

Defense Microelectronics Activity · Prime

Body of evidence authored, AO advised to a cloud ATO

Cleared federal program · via AWS ProServe

Evidence catalog that moved a migrated environment to ATO

Federal / U.S. Navy · via AWS ProServe

Our engineers author the body of evidence

The cleared engineers we provide in support of the AWS Professional Services team write the System Security Plans, security assessment reports, POA&Ms, and risk assessments, and assemble the package an authorizing official can act on. They have built the evidence catalogs and taxonomies that carry a system through submission.

They advise the AO and ISSM

In support of the AWS Professional Services delivery, our engineers engage the authorizing official and ISSM on NIST 800-53, DoD, DISA, and cybersecurity service provider policy, review the architecture against the RMF package, and help steer the program to an authorization decision.

And keep the authorization alive

After the ATO, the engineers we field sustain continuous monitoring, STIG compliance, and POA&M burn-down, and turn manual patching into policy-mapped Infrastructure as Code so the security baseline holds.

The body of evidence

The package that earns the signature.

Built to NIST SP 800-53 Revision 5 and DoD policy, in the tools your authorizing official already uses.

  • System Security Plan: The control implementation narrative, assessor-ready.
  • Security Assessment Report: ST&E and IV&V results that stand up to scrutiny.
  • POA&M management: Findings tracked and burned down, never left to drift.
  • STIG & 800-53 mapping: Checklists mapped to controls, applied as code.
  • Continuous monitoring: ConMon, logging, and drift control that hold the line.
  • eMASS & Xacta packages: Submission-ready in the tools the AO already uses.

Proven on the hardest authorizations.

Cleared federal program · via AWS Professional Services

Authoring the body of evidence for a cloud ATO.

On a cleared federal program inside a cloud environment, D9Tech engineers supporting the AWS Professional Services team produce the System Security Plans, security assessment reports, POA&Ms, and risk assessments, review the architecture against the RMF package, and assemble the body of evidence the authorizing official needs to grant an ATO. They advise the program's AO and ISSM on NIST 800-53, DoD, DISA, and cybersecurity service provider policy.

  • Body of evidence authored
  • AO and ISSM advised
  • NIST 800-53 / DoD / DISA
  • In support of AWS ProServe

Stuck short of ATO? We get you there.

Put cleared D9Tech RMF engineers behind your AWS Professional Services engagement, at kickoff or at the eleventh hour, ready to drive the authorization.
