Question

So my question is: can an AIS go to IOC with an IATO? Thank you so much for your time and assistance.


The answer is YES, for now (under the current policy on IATOs, DODI 8510.01, 28 November 2007). However, with the new Cybersecurity (replaces the term Information Assurance (IA)) Risk Management Framework, the current DODI 8510.01 will be replaced (soon), and in essence under the new policy there will be no IATO, just an ATO that is in a constant state of managing non-critical risks while operating; the focus is capability to the war-fighter FIRST. Critical security risks will not be allowed on any DoD network.

The current definition of Interim Authorization to Operate (IATO) is "a temporary authorization to operate a DoD Information System (IS) under the conditions or constraints enumerated in the accreditation decision by the Designated Approval Authority (DAA)." The current IATO rules force us to get fixes done ASAP but have no continuous monitoring procedure. The exact wording is: "An IATO accreditation decision must specify an Authorization Termination Date (ATD) that is within 180 days of the authorization date. A DAA may not grant consecutive IATOs totaling more than 360 days." In other words, you are in an operational (IOC) status if you have fixable, non-critical security issues/risks, and you have a maximum of 360 days before you are forced into a Denial of Authority To Operate (DATO); at that time you are taken off the network! Under the current policy, risks could be realized while a fix is still being worked on, putting the war-fighter in danger of security breaches.

Under the new rules the Authorizing Official (AO) will replace the DAA in approving the ATO. There are no IATOs, but the AO may place conditions upon ATO status, such as risk mitigations through security controls within a specified timeframe. The new process will have a greater link to configuration management and solution architectures. Systems with critical security issues will not be allowed to operate. The continuous monitoring policy is designed to make sure that systems are shut down immediately if major security flaws are uncovered.