United States Department of Agriculture
Food, Nutrition, and Consumer Services
1320 Braddock Place
Alexandria, VA 22314
TO:
Joseph Shaw
System Owner
Food, Nutrition, and Consumer Services
FROM:
Renee Gore
Assistant Chief Information Officer, Authorizing Official
Food, Nutrition, and Consumer Services
SUBJECT: Authorization to Operate for FNS Salesforce
References:
a) NIST, SP 800-37, Revision 2, Risk Management Framework for Information
Systems and Organizations: A System Life Cycle Approach for Security and
Privacy, December 2018
b) NIST SP 800-53, Revision 5, Security and Privacy Controls for Information
Systems and Organizations, December 2020
c) USDA, DR 3540-003, Security Assessment and Authorization, August 12, 2014
The Information Security Division (ISD) has reviewed the request for an Authorization to
Operate (ATO) for the FNS Salesforce authorization boundary, associated subsystems,
components, and hosted applications, which are located in the Salesforce Government
Cloud and Salesforce Government Cloud Plus environments. To support this authorization,
the FNS Salesforce has a security authorization package that includes results of a security
control assessment and a Security Assessment Report (SAR). The FNS Salesforce has a
Moderate system security categorization level, with Moderate Confidentiality, Moderate
Integrity, and Low Availability sensitivity levels. This authorization does not extend to
Classified information.
In accordance with NIST SP 800-37, Revision 2, I am granting this ATO for a maximum
of three (3) years from the date of this memorandum. The authorization period for this
ATO will be from 11/20/2023 until 11/20/2026.
The information system is being accredited without any significant restrictions or
limitations. This memorandum serves as my formal declaration that adequate security
controls have been implemented and that a satisfactory level of security is present in the
information system.
Please note that this information system security accreditation will remain in effect as long
as:
(i) the system is not changed significantly from its current state,
(ii) the vulnerabilities reported during the continuous monitoring process do not
result in additional agency-level risk that is deemed unacceptable, and
(iii) the system has not exceeded the maximum allowable time period between
security accreditations, in accordance with Federal or Department policy.
The FNS Salesforce ATO boundary and its applications are subject to the Standard
Operating Procedures (SOPs) and Plans, as reviewed by the Application Teams and
approved by the appropriate authorizing personnel, including Division Director(s) and
System Owner(s). Attachment #1 of this ATO memo outlines the applicable SOPs and Plans
included in the ATO package that have been reviewed and signed by the appropriate
personnel.
A copy of this memorandum with all supporting security accreditation documentation will
be added to the Assessment and Authorization (A&A) package in the Cyber Security
Assessment and Management (CSAM) application as an artifact. All documentation will be
retained according to the records retention schedule.
The point of contact for this ATO is John Rosselot, Jr., Chief, Risk Management Branch
(RMB), (571) 563-5260 or by email at [email protected].
Digitally signed by QUVATOR GORE
Date: 2023.12.11 14:25:48 -05'00'
Renee Gore
Authorizing Official
Food, Nutrition, and Consumer Services
AN EQUAL OPPORTUNITY EMPLOYER
File Type | application/pdf |
Author | Dias, Andreia - FNS (Contractor) |
File Modified | 2023-12-11 |
File Created | 2023-11-21 |