The PEO is the lifecycle manager of a program even after the program is transitioned to sustainment. Once the program has been transitioned to sustainment who is responsible as the Authorization Official (AO) for the Authorization to Operate (ATO)? Is it the new sustainment command or is it the PEO as the lifecycle manager?
Thanks for your question. When a program transitions to sustainment, the Authorizing Official (AO) responsible for cybersecurity should not change. When a determination package is submitted early on in the Risk Management Framework (RMF) process, or if the program is entered into in EMass, the AO that accepts the program/project (or is assigned) should remain with the program/project through the acquisition lifecycle. The AO is the only one authorized to sign/approve the Interim Authority to Test (IATT), Authorization to Operate (ATO) or ATO with Conditions. This responsibility should not transferred to the lifecycle manager or the Program executive Officer (PEO) - they do not have this authority. When Service AOs were established they were to be set apart from the program office, working under the Service Chief Information Officer (Service or DoD CIO), to handle cybersecurity authorizations (IATTs, ATOs and ATO with Conditions). The AO and PEO, however, should coordinate and work together on the ATO with Conditions to make sure the "conditions" (risk mitigation steps) are met at a future agreed to point prior to the next ATO. Hope this helps. Please contact me if you have any further questions.