So I just started at a small government bureau/agency as an ISSO and began to review their ATO packages. Outside of two large database servers, the other five are home-grown or third-party applications residing on VMs within the larger department data center. I've never dealt with software applications having ATOs as they are not information systems. It is a tool within the infrastructure. No one has "admin" rights to the actual servers, though there are accounts within the application and they do control that. Am I wrong? Shouldn't the ATO be with the datacenter for these five applications? How can I be responsible for the system it resides on if no one other than them can modify it?