r/NISTControls 4d ago

800-53 Rev5 Question on 3rd Party ATOs.

Hi, I work in a federal office as an ISSO. Over the last few years the ops teams have been requesting a lot of SaaS-based products from third parties. They are usually hosted in Azure or AWS GovCloud alongside our systems, and also usually FedRAMPed.

I’m having a hard time figuring out how to establish an ATO submission requirement for the ops teams. They keep asking for things like ServiceNow, Jira, Confluence, blah blah, all kinds of random SaaS apps, but it always ends up with me trying to figure out how to make it work. Usually I’m telling the teams to document the configs and submit a CR, but it just always ends up with me doing all the work.

My question: Should I be in more meetings with ops, helping them figure out deployment and technical details before the process starts? Or should they be providing me all of that and I just assemble the CRM and the rest of the ATO package? I was under the impression it was the latter, but I’m pretty inexperienced when it comes to incorporating these little systems under my FISMA umbrella.

Thanks!

6 Upvotes


u/shawndwells 4d ago

Uhhhh if it’s some random cloud app, could you defer to FedRAMP and push them that way?