Step 5: Authorize Information System

Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken.

The plan of action and milestones, prepared for the authorizing official by the information system owner or the common control provider, is one of three key documents in the security authorization package and describes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls noted during the assessment; and (ii) to address the residual vulnerabilities in the information system. The plan of action and milestones identifies: (i) the tasks to be accomplished with a recommendation for completion either before or after information system implementation; (ii) the resources required to accomplish the tasks; (iii) any milestones in meeting the tasks; and (iv) the scheduled completion dates for the milestones. The plan of action and milestones is used by the authorizing official to monitor progress in correcting weaknesses or deficiencies noted during the security control assessment. All security weaknesses and deficiencies identified during the security control assessment are documented in the security assessment report to maintain an effective audit trail. Organizations develop specific plans of action and milestones based on the results of the security control assessment and in accordance with applicable laws, Executive Orders, directives, policies, standards, guidance, or regulations. Plan of action and milestones entries are not required when weaknesses or deficiencies are remediated during the assessment or prior to the submission of the authorization package to the authorizing official.

Organizations define a strategy for developing plans of action and milestones that facilitates a prioritized approach to risk mitigation that is consistent across the organization. The strategy helps to ensure that organizational plans of action and milestones are based on: (i) the security categorization of the information system; (ii) the specific weaknesses or deficiencies in the security controls; (iii) the importance of the identified security control weaknesses or deficiencies (i.e., the direct or indirect effect the weaknesses or deficiencies may have on the overall security state of the information system, and hence on the risk exposure of the organization, or ability of the organization to perform its mission or business functions); and (iv) the organization’s proposed risk mitigation approach to address the identified weaknesses or deficiencies in the security controls (e.g., prioritization of risk mitigation actions, allocation of risk mitigation resources). A risk assessment guides the prioritization process for items included in the plan of action and milestones.

Assemble the security authorization package and submit the package to the authorizing official for adjudication.

The security authorization package contains: (i) thesecurityplan; (ii) the security assessment report; and (iii) the plan of action and milestones. The information in these key documents is used by authorizing officials to make risk-based authorization decisions. For information systems inheriting common controls for specific security capabilities, the security authorization package for the common controls or a reference to such documentation is also included in the authorization package. When security controls are provided to an organization by an external provider (e.g., through contracts, interagency agreements, lines of business arrangements, licensing agreements, and/or supply chain arrangements), the organization ensures that the information needed for authorizing officials to make risk- based decisions, is made available by the provider.

Additional information can be included in the security authorization package at the request of the authorizing official carrying out the authorization action. The contents of the security authorization package are protected appropriately in accordance with federal and organizational policies. Organizations are strongly encouraged to use automated support tools in preparing and managing the content of the security authorization package to help provide an effective vehicle for maintaining and updating information for authorizing officials regarding the ongoing security status of information systems within the organization. Providing orderly, disciplined, and timely updates to the security plan, security assessment report, and plan of action and milestones on an ongoing basis, supports the concept of near real-time risk management and ongoing authorization. It also facilitates more cost-effective and meaningful reauthorization actions, if required. Organizations maintain strict version control as key documents in the authorization package are updated. With the use of automated tools and supporting databases, authorizing officials and other senior leaders within the organization are able to maintain awareness with regard to the security state of the information system including the ongoing effectiveness of system-specific, hybrid, and common controls.

Security control documentation describes how system-specific,hybrid, and commoncontrols are implemented. The documentation formalizes plans and expectations regarding the overall functionality of the information system. The functional description of the security control implementation includes planned inputs, expected behavior, and expected outputs where appropriate, typically for those technical controls that are employed in the hardware, software, or firmware components of the information system. Documentation of security control implementation allows for traceability of decisions prior to and after deployment of the information system. The level of effort expended on documentation of the information system is commensurate with the purpose, scope, and impact of the system with respect to organizational missions, business functions, and operations. To the extent possible, organizations reference existing documentation (either by vendors or other organizations that have employed the same or similar information systems), use automated support tools, and maximize communications to increase the overall efficiency and cost effectiveness of security control implementation. The documentation also addresses platform dependencies and includes any additional information necessary to describe how the security capability required by the security control is achieved at the level of detail sufficient to support control assessment. Documentation for security control implementation follows best practices for hardware and software development as well as for system/security engineering disciplines and is consistent with established organizational policies and procedures for documenting system development life cycle activities. Whenever possible and practicable for technical security controls that are mechanism-based, organizations take maximum advantage of functional specifications provided by or obtainable from hardware and software vendors and/or systems integrators including security-relevant documentation that may assist the organization during the assessment and monitoring of the controls. Similarly, for management and operational controls, organizations obtain security control implementation information from appropriate organizational entities (e.g., facilities offices, human resource offices, physical security offices). Since the enterprise architecture and information security architecture established by the organization significantly influence the approach used to implement security controls, providing documentation of this process helps to ensure traceability with regard to meeting the organization’s information security requirements.

Common controls are security controls that are inherited by one or more organizational information systems. Common controls are identified by the chief information officer and/or senior information security officer in collaboration with the information security architect and assigned to specific organizational entities (designated as common control providers) for development, implementation, assessment, and monitoring. Common control providers may also be information system owners when the common controls are resident within an information system. The organization consults information system owners when identifying common controls to ensure that the security capability provided by the inherited controls is sufficient to deliver adequate protection. When the common controls provided by the organization are not sufficient for information systems inheriting the controls, the system owners supplement the common controls with system-specific or hybrid controls to achieve the required protection for the system and/or accept greater risk. Information system owners inheriting common controls can either document the implementation of the controls in their respective security plans or reference the controls contained in the security plans of the common control providers. Organizations may choose to defer common control identification and security control selection until a later phase in the system development life cycle. When common controls are not resident within an information system (e.g., physical and environmental protection controls, personnel security controls), the organization selects one or more senior organizational officials or executives to serve as authorizing officials for those controls. These authorizing officials are responsible for accepting the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the deployment of the security controls provided by common control providers and inherited by organizational information systems. Common control providers are responsible for: (i) documenting common controls in a security plan (or equivalent document prescribed by the organization); (ii) ensuring that common controls are developed, implemented, and assessed for effectiveness by qualified assessors with a level of independence required by the organization; (iii) documenting assessment findings in a security assessment report; (iv) producing a plan of action and milestones for all common controls deemed less than effective (i.e., having unacceptable weaknesses or deficiencies in the controls); (v) receiving authorization for the common controls from the designated authorizing official; and (vi) monitoring common control effectiveness on an ongoing basis.

Security plans, security assessment reports, and plans of action and milestones for common controls (or a summary of such information) are made available to information system owners (whose systems are inheriting the controls) after the information is reviewed and approved by the senior official or executive responsible and accountable for the controls. The organization ensures that common control providers keep this information current since the controls typically support multiple organizational information systems. Security plans, security assessment reports, and plans of action and milestones for common controls are used by authorizing officials within the organization to make risk-based decisions in the security authorization process for their information systems. The use of common controls is documented within the security plans for information systems inheriting those controls. Organizations ensure that common control providers have the capability to rapidly broadcast changes in the status of common controls that adversely affect the protections being provided by and expected of the common controls. Common control providers are able to quickly inform information system owners when problems arise in the inherited common controls (e.g., when an assessment or reassessment of a common control indicates the control is flawed in some manner, when a new threat or attack method arises that renders the common control less than effective in protecting against the new threat or attack method). Organizations are encouraged, when feasible, to employ automated management systems to maintain records of the specific common controls used in each organizational information system to enhance the ability of common control providers to rapidly communicate with information system owners. If common controls are provided to the organization (and its information systems) by entities external to the organization (e.g., shared and/or external service providers), arrangements are made with the external/shared service providers by the organization to obtain information on the effectiveness of the deployed controls. Information obtained from external organizations regarding the effectiveness of common controls is factored into authorization decisions.

Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.

The authorizing official or designated representative, in collaboration with the senior information security officer, assesses the information provided by the information system owner or common control provider regarding the current security state of the system or the common controls inherited by the system and the recommendations for addressing any residual risks. Risk assessments (either formal or informal) are employed at the discretion of the organization to provide needed information on threats, vulnerabilities, and potential impacts as well as the analyses for the risk mitigation recommendations. The risk executive (function) also provides information to the authorizing official that is considered in the final determination of risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation and use of the information system. Risk- related information includes the criticality of organizational missions and/or business functions supported by the information system and the risk management strategy for the organization. The risk management strategy typically describes: (i) how risk is assessed within the organization (i.e., tools, techniques, procedures, and methodologies); (ii) how assessed risks are evaluated with regard to severity or criticality; (iii) known existing aggregated risks from organizational information systems and other sources; (iv) risk mitigation approaches; (v) organizational risk tolerance; and (vi) how risk is monitored over time. When making the final risk determination, the authorizing official or designated representative considers information obtained from the risk executive (function) and the information provided by the information system owner or common control provider in the security authorization package (i.e., security plan, security assessment report, and plan of action and milestones). Conversely, information system-related security risk information derived from the execution of the RMF is available to the risk executive (function) for use in formulating and updating the organization-wide risk management strategy.

Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.

The explicit acceptance of risk is the responsibility of the authorizing official and cannot be delegated to other officials within the organization. The authorizing official considers many factors when deciding if the risk to organizational operations (including mission, function, image, or reputation), organizational assets, individuals, other organizations, and the Nation, is acceptable. Balancing security considerations with mission and operational needs is paramount to achieving an acceptable authorization decision. The authorizing official issues an authorization decision for the information system and the common controls inherited by the system after reviewing all of the relevant information and, where appropriate, consulting with other organizational officials, including the organization’s risk executive (function). Security authorization decisions are based on the content of the security authorization package and, where appropriate, any inputs received from key organizational officials, including the risk executive (function). The authorization package provides relevant information on the security state of the information system including the ongoing effectiveness of the security controls employed within or inherited by the system. Inputs from the risk executive (function), including previously established overarching risk guidance to authorizing officials, provide additional organization-wide information to the authorizing official that may be relevant and affect the authorization decision (e.g., organizational risk tolerance, specific mission and business requirements, dependencies among information systems, and other types of risks not directly associated with the information system). Risk executive (function) inputs are documented and become part of the security authorization decision. Security authorization decisions, including inputs from the risk executive (function), are conveyed to information system owners and common control providers and made available to interested parties within the organization (e.g., information system owners and authorizing officials for interconnected systems, chief information officers, information owners/stewards, senior managers).

The authorization decision document conveys the final security authorization decision from the authorizing official to the information system owner or common control provider, and other organizational officials, as appropriate. The authorization decision document contains the following information: (i) authorization decision; (ii) terms and conditions for the authorization; and (iii) authorization termination date. The security authorization decision indicates to the information system owner whether the system is: (i) authorized to operate; or (ii) not authorized to operate. The terms and conditions for the authorization provide a description of any specific limitations or restrictions placed on the operation of the information system or inherited controls that must be followed by the system owner or common control provider. The authorization termination date, established by the authorizing official, indicates when the security authorization expires. Organizations may choose to eliminate the authorization termination date if the continuous monitoring program is sufficiently robust to provide the authorizing official with the needed information to conduct ongoing risk determination and risk acceptance activities with regard to the security state of the information system and the ongoing effectiveness of security controls employed within and inherited by the system.

Authorization termination dates are influenced by federal and/or organizational policies which may establish maximum authorization periods. For example, if the maximum authorization period for an information system is three years, then an organization establishes a continuous monitoring strategy for assessing a subset of the security controls employed within and inherited by the system during the authorization period. This strategy allows all security controls designated in the respective security plans to be assessed at least one time by the end of the three-year period. This also includes any common controls deployed external to organizational information systems. If the security control assessments are conducted by qualified assessors with the required degree of independence based on federal/organizational policies, appropriate security standards and guidelines, and the needs of the authorizing official, the assessment results can be cumulatively applied to the reauthorization, thus supporting the concept of ongoing authorization. Organizational policies regarding ongoing authorization and formal reauthorization, if/when required, are consistent with federal directives, regulations, and/or policies.

The authorization decision document is attached to the original security authorization package containing the supporting documentation and transmitted to the information system owner or common control provider. Upon receipt of the authorization decision document and original authorization package, the information system owner or common control provider acknowledges and implements the terms and conditions of the authorization and notifies the authorizing official. The organization ensures that authorization documents for both information systems and for common controls are made available to appropriate organizational officials (e.g., information system owners inheriting common controls, risk executive (function), chief information officers, senior information security officers, information system security officers). Authorization documents, especially information dealing with information system vulnerabilities, are: (i) marked and appropriately protected in accordance with federal and organizational policies; and (ii) retained in accordance with the organization’s record retention policy. The authorizing official verifies, on an ongoing basis, that the terms and conditions established as part of the authorization are being followed by the information system owner or common control provider.