
The authorization decision is transmitted from the authorizing official to system owners, common control providers, and other key organizational officials. The authorization decision includes the following information:

  • Authorization decision;
  • Terms and conditions for the authorization;
  • Time-driven authorization frequency or authorization termination date;
  • Events that may trigger a review of the authorization decision (if any); and
  • For common controls, the [FIPS 199] impact level supported by those controls.

The authorization decision indicates if the system is authorized to operate or authorized to be used; or if the common controls are authorized to be provided to system owners and inherited by organizational systems. The terms and conditions for the authorization provide any limitations or restrictions placed on the operation of the system that must be followed by the system owner or alternatively, limitations or restrictions placed on the implementation of common controls that must be followed by the common control provider. If the system or common controls are not under ongoing authorization, the termination date for the authorization established by the authorizing official indicates when the authorization expires and reauthorization is required. The authorization decision document is transmitted with the original authorization package to the system owner or common control provider.146

Upon receipt of the authorization decision and authorization package, the system owner and common control provider acknowledge, implement, and comply with the terms and conditions of the authorization. The system owner and common control provider retain the authorization decision and authorization package.147 The organization ensures that authorization documents are available to organizational officials when requested. The contents of authorization packages, including sensitive information regarding system vulnerabilities, privacy risks, and control deficiencies, are marked and protected in accordance with federal and organizational policy. Authorization decision information is retained in accordance with the organization’s record retention policy. The authorizing official verifies, on an ongoing basis, that the terms and conditions established as part of the authorization are being followed by the system owner and common control provider.

Authorization to Use Decision

The authorization to use is a streamlined version of the authorization to operate and includes:

  • A risk acceptance statement; and
  • Time- or event-driven triggers for review of the security and privacy posture of the provider organization shared cloud or system, application, or service (if any).

An authorization to use is issued by an authorizing official from a customer organization in lieu of an authorization to operate. The authorizing official has the same level of risk management responsibility and authority as an authorizing official issuing an authorization to operate or a common control authorization. The risk acceptance statement indicates the explicit acceptance of the security and privacy risk incurred from the use of a shared system, service, or application with respect to the customer organization information processed, stored, or transmitted by or through the shared or cloud system, service, or application.

146 Authorization decision documents may be digitally signed to ensure authenticity.

147 Organizations may choose to employ automated tools to support the development, distribution, and archiving of risk management information to include artifacts associated with the authorization process.