14 · Onboarding · Authorities

Onboarding Authorities

Andi Lamprecht ·2026-05-11· 9 min read· Draft

Lifecycle event. Authorities are the orgs that issue endorsements on Authorization Packages and that perform field verification. This page covers how those orgs are credentialed, how individual field verifiers are credentialed within them, and how one authority federates with another. Substrate model is in Disconnected Operations §2.1.

1. Authority Org Onboarding

Authority orgs onboard the same way operators do — corporate identity, regulatory standing, agreed scope of jurisdiction — and receive an Authority Org Certificate under the Authority Credentialing CA.

Authority Type	Examples	Typical Scope
Civil aviation regulator	FAA Eastern, state aviation office	Airspace authorization within a delegated region
Law enforcement	State police, federal LE	Field verification, incident response
Public safety	Fire, EMS, emergency management	Field verification during incidents
Airspace manager	Federal facility, special-use airspace operator	Jurisdiction definition, multi-authority approvals

The org cert is annual. Within the authority, individual users are credentialed separately — see §2.

2. Field Verifier Credentialing

A user inside an authority org with the field-verification permission can perform offline disclosure on a managed device. A field-verification action requires three independent factors at every offline reveal:

Factor	Purpose	Examples
Person-bound credential	Proves who is asking	PIV / CAC for federal users; agency SSO + biometric for state and local
Managed device credential	Proves what device is asking	Device enrolled in agency MDM, reporting attested OS state
Purpose code	Proves why	Verifier picks one option from a short, plain-language list (active incident, safety concern, infrastructure protection); code is logged for after-action review

These are bound together at credential issuance. The person-bound credential is short-lived (typically hours to days of offline validity) and geographically scoped by default. The authority org holds a long-lived org cert; person and device credentials are issued under it and rotate frequently.

3. Field Device Setup

The device is enrolled by the authority org through its MDM (Mobile Device Management) system and registered with ATOMx. Enrollment installs:

ATOMx Root public key (trust anchor)
Current Manufacturer CA list and revocation snapshots
Authority Org Certificate
Per-device managed-device certificate
Per-person credential template (issued at login)
Capsule cache (pre-synced for the jurisdiction)
One-tap purpose codes scoped to the user’s role within the authority

Person-bound credentials require live authentication at the start of each shift and re-authentication at policy intervals. The credential carries geographic and time scope; verification outside that scope requires break-glass — see Disconnected Operations §6.5.

4. Slack-Connect Federation

Authorities connect to peer authorities through a Slack-Connect-style federation model rather than schema-level merging. Each authority chooses what to share with each peer:

Jurisdiction boundaries (or specific sub-zones)
User lists (for cross-agency operations)
No-fly geometries
Endorsement signing privileges within a peer’s airspace

Cross-agency coordination becomes opt-in selective sharing, not centralized identity federation. See Origins and Decisions §7.2.

5. Form Builder per Authority

Each authority defines its own intake form for flight-authorization requests in its airspace. Fields, validation rules, and required attachments are authority-specific. Versioning of forms across authorities is an open question — see Origins and Decisions §9.

6. Selective NFZ

A no-fly zone may be configured to be invisible to authorized pilots (their map does not show it) while still being enforced for unauthorized aircraft. The geometry exists; disclosure of it is policy-gated. See Origins and Decisions §7.3.

7. Regulatory Anchoring and Inter-Agency Agreements

7.1 What Makes an Org an Authority

Authority status is not self-asserted. An org is admitted as an Authority only on the basis of an explicit regulatory or delegated authority claim, anchored in:

Anchor	Examples
Federal aviation statute	49 USC; 14 CFR Part 91 / 107 / 108 (FAA)
Federal protection authority	DHS, USSS, DoD installation airspace authorities
State delegation statute	State aviation offices operating under MOA with FAA
Local police-power statute	Tribal aviation authorities; municipal emergency-management orgs in delegated zones
Inter-agency agreement	Joint operating areas (e.g., NSSE coordination, federal facility ASA delegations)

ATOMx records the citation alongside the Authority Org Certificate so endorsements carry an auditable basis for jurisdiction.

7.2 MOU / IGSA Pattern

ATOMx does not act unilaterally to grant authority status. The standard pattern is:

ATOMx and the candidate authority sign an MOU (federal partner) or IGSA (intergovernmental services agreement, state/local) that establishes:
- Scope of jurisdiction (geographic + operational)
- Endorsement signing rights and authority key custody (ATOMx-held, see Authorization Package §4)
- Field-verification permission grant scope
- Evidentiary export terms (see §7.4)
- Incident notification and response commitments
- Termination and transition clauses
ATOMx provisions the Authority Org Certificate
Authority enrolls administrators, who in turn enroll field verifiers

7.3 Jurisdictional Boundary and Concurrent-Claim Disputes

Overlapping authority is the norm, not the exception (federal + state + local; aviation + protection; etc.). ATOMx does not resolve disputes — it surfaces them. When two authorities have overlapping jurisdiction over a flight:

Both must endorse before the Authorization Package issues (the approval invariant — see §7.1 Approval Invariant in Origins)
If one approves and the other denies, the package does not issue; the operator sees a denial without naming which authority denied
Pre-coordination between authorities (handoff at boundaries, NSSE-style joint operating cells) is supported via the federation model — see §4
Disputes over jurisdiction itself are out-of-band; ATOMx does not adjudicate which authority is correct

7.4 Evidentiary Export and Court Discovery

Authority operations against ATOMx may be the subject of court discovery, FOIA, IG inquiries, or after-action reviews. ATOMx supports:

Read-only audit console for authority-side review of their own org’s signing events, disclosure events, and field-verifier actions
Signed evidentiary export — a portable record of a specific incident or time window, signed by ATOMx, that a court or auditing party can verify independently
Chain-of-custody preservation — exports include hash-chain anchors so a recipient can confirm no events were dropped or altered between the live audit ledger and the export
Body-cam correlation hooks (where the authority captures body-cam during field verification, the disclosure receipt can carry a body-cam reference for joint correlation)

7.5 Classified-Jurisdiction Handling

Some federal facilities operate in airspace whose existence, geometry, or operations are classified at varying levels. ATOMx supports a classified jurisdiction mode:

Property	Behavior
Public visibility	Jurisdiction geometry is not exposed in any public surface; no-fly enforcement happens via the Selective NFZ mechanism
Operator visibility	Operators receive denial without seeing the jurisdiction; appeals are routed through cleared liaison
Authority-side access	Cleared personnel see the jurisdiction; uncleared personnel do not
Audit	Logs are partitioned; cleared audit-export channel is separate from standard channel

This requires a deployment posture aligned with the classification level (FedRAMP High, IL5/IL6 cloud, isolated tenancy as appropriate). It is a roadmap capability for the broadest ATOMx deployment; MVP does not include classified-jurisdiction handling.

7.6 Incident Command and Scene-Commander Override

For active incidents (active shooter, wildfire, hazmat, mass-casualty event), the senior on-scene commander may need temporary endorsement-signing authority that they do not normally hold. ATOMx supports an Incident Command override path:

Pre-authorized at MOU level for specific authority orgs (typically state/local emergency management)
Activated by a named scene commander with second-person witness
Limited to the geographic and time scope of the active incident
Logged distinctly so post-incident review can examine the override use

8. Cross-References

The endorsement signature flow that uses authority credentials: Authorization Package §3
Field verification in austere environments: Disconnected Operations §6
The org-type substrate: Disconnected Operations §2.1

Implementation Readiness — Open Questions

Each entry below identifies a decision not yet locked. Items marked (ADR) should be formalized as an Architecture Decision Record before implementation begins. Items marked (blocking) must be resolved before the relevant feature can be built.

#	Question	Owner	ADR?	Blocking?
1	MDM platform support matrix. Which MDM platforms (Intune, Jamf, AirWatch/Workspace ONE, Kandji, MaaS360) must we integrate for managed-device attestation, and what attestation surface (compliance API, certificate enrollment, attestation token) is acceptable for each? Authorities will not all standardize on one vendor.	Engineering + Product	Yes — ADR: Managed-Device Attestation Sources for Field-Verifier Devices	Yes
2	Purpose-code catalog ownership. Is the purpose-code vocabulary an ATOMx-standard taxonomy (with authority extensions), fully per-authority, or a hybrid (core codes globally defined, authority-local codes namespaced)? Drives schema, audit, and federation behavior.	Product + Legal	Yes — ADR: Purpose-Code Catalog Governance and Namespacing	Yes
3	Slack-Connect federation protocol mechanics. What is actually exchanged across a Slack-Connect-style federation channel — authority-cert metadata only, signed endorsement artifacts, full Authorization Package references, or live disclosure events? Need wire-level spec and trust boundary.	Engineering	Yes — ADR: Inter-Authority Federation Wire Protocol and Trust Surface	Yes
4	Form-builder version management. How are authority-defined form versions tracked, deprecated, migrated, and bound to historical authorizations? Does an in-flight authorization remain on its original form version through completion?	Engineering + Product	Yes — ADR: Authority Form Versioning, Migration, and Historical Binding	No
5	Classified-jurisdiction deployment posture. Do classified jurisdictions run on a partitioned ATOMx instance, a wholly separate air-gapped deployment, or a logical partition with cross-domain guard? Drives certificate-authority topology and disclosure model.	Engineering + Legal + External Agency	Yes — ADR: Classified-Jurisdiction Deployment Topology	Yes
6	Incident-command override approval workflow. What is the minimum quorum, time-bound expiry, and post-hoc review process for an incident-command override of normal authority scope? What audit format captures the override decision chain?	Product + Legal	Yes — ADR: Incident-Command Override Quorum and Audit Schema	Yes
7	Body-cam correlation protocol. How does field-verifier action data correlate to body-worn camera footage (timestamp sync, device-ID binding, evidentiary chain)? Is correlation pushed by ATOMx, pulled by the agency DEMS, or both?	Engineering + External Agency	Yes — ADR: Body-Cam / Field-Verifier Correlation Channel	No
8	Evidentiary-export schema and signing. What is the canonical export schema (JSON-LD, signed manifest, sealed bundle), which signing cert anchors it, and what is the verification toolchain provided to receiving agencies?	Engineering + Legal	Yes — ADR: Evidentiary Export Format, Signing, and Verification	Yes
9	MOU / IGSA template content. What baseline legal terms (data handling, jurisdictional scope, revocation, breach notice, term length) belong in the standard MOU/IGSA, and which are authority-negotiable? Drives the onboarding pipeline gating.	Legal + Product	No (legal artifact, not architecture)	Yes
10	Two-person rule trigger conditions. Which combinations of jurisdiction sensitivity, purpose code, and authorization class require a two-person disclosure? Is the rule a system-enforced policy or an authority-configurable toggle?	Product + Legal	Yes — ADR: Two-Person Disclosure Rule Policy Model	No
11	Audit-export retention period. How long are authority-side audit logs and disclosure records retained, where (ATOMx-side, authority-side, both), and what is the deletion / legal-hold workflow? Different government contracts impose different floors.	Legal + Engineering	Yes — ADR: Authority Audit Retention and Legal-Hold Model	Yes
12	Jurisdictional dispute resolution (out-of-band). When two authorities overlap and disagree on a disclosure or endorsement, what is the out-of-band escalation path? Is it documented contractually only, or surfaced in-product as a dispute case?	Product + Legal + External Agency	No (process, not architecture)	No
13	Role permissions matrix inside an authority org. What are the canonical roles inside an authority (admin, field-verifier, endorser, auditor, observer), and are they fixed by ATOMx or composable per authority? Drives RBAC schema.	Product + Engineering	Yes — ADR: Authority Org Internal RBAC Model	Yes

Last updated on May 11, 2026

13 · Onboarding · Operators & Pilots 15 · Origins & Decisions