Link Search Menu Expand Document
NIST SP 800-37

AUTHORIZATION PACKAGE

The authorization package provides a record of the results of the control assessments and provides the authorizing official with the information needed to make a risk-based decision on whether to authorize the operation of a system or common controls.127 The system owner or common control provider is responsible for the development, compilation, and submission of the authorization package. This includes information available from reports generated by an automated security/privacy management and reporting tool. The system owner or common control provider receives inputs from many sources during the preparation of the authorization package (e.g., senior agency information security officer; senior agency official for privacy, senior accountable official for risk management or risk executive [function]; control assessors; system security or privacy officer; and the continuous monitoring program). The authorization package128 includes the following:

  • Executive summary;
  • Security and privacy plans;129 130
  • Security and privacy assessment reports;131 and
  • Plans of action and milestones. The executive summary provides a consolidated view of the security and privacy information in the authorization package. The executive summary identifies and highlights risk management issues associated with protecting information systems and the environments in which the systems operate. The summary provides the essential information needed by the authorizing official to understand the security and privacy risks to the organization’s operations and assets, individuals, other organizations, and the Nation. The executive summary information can be used by the authorizing official to make informed, risk-based decisions regarding the operation and use of the system or the provision of common controls that can be inherited by organizational systems.

The security and privacy plans provide an overview of the security and privacy requirements and describe the controls in place or planned for meeting those requirements.132 The plans provide sufficient information to understand the intended or actual implementation of the controls implemented within the system and indicate the controls that are implemented via inherited common controls. Additionally, privacy plans describe the methodologies and metrics that will be used to assess the controls. The security and privacy plans may also include as supporting appendices or as references, additional documents such as a privacy impact assessment, interconnection security agreements, security and privacy configurations, contingency plan, configuration management plan, supply chain risk management plan, incident response plan, and system-level continuous monitoring strategy. The security and privacy plans are updated whenever events dictate changes to the controls implemented within or inherited by the system.

The security and privacy assessment reports, prepared by the control assessor or generated by automated security/privacy management and reporting tools, provide the findings and results of assessing the implementation of the controls identified in the security and privacy plans to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security and privacy requirements. The assessment reports may contain recommended corrective actions for deficiencies identified in the controls.133 The authorizing official reviews the reports and determines the appropriate risk response [Task R-3].

Supporting the near real-time risk management objectives of the authorization process, the assessment reports are updated on an ongoing basis whenever changes are made to the controls implemented within or inherited by the system.134 Updates to the assessment reports ensure that system owners, common control providers, and authorizing officials maintain an awareness of control effectiveness. The effectiveness of the controls directly affects the security and privacy posture of the system and decisions regarding explicit acceptance of risk.

The plan of action and milestones describes the measures planned to correct deficiencies identified in the controls during the assessment; and to address known vulnerabilities or security and privacy risks.135 The content and structure of plans of action and milestones are informed by the risk management strategy developed as part of the risk executive (function) and are consistent with the plans of action and milestones process established by the organization which include any requirements defined in federal laws, executive orders, policies, directives, or standards. If the systems and the environments in which those systems operate have more vulnerabilities than available resources can realistically address, organizations develop and implement plans of action and milestones that facilitate a prioritized approach to risk mitigation and that is consistent across the organization. A prioritized and consistent approach to risk mitigation ensures that plans of action and milestones are based on:

  • The security categorization of the system and security, privacy, and supply chain risk assessments;
  • The specific deficiencies in the controls;
  • The criticality of the control deficiencies (i.e., the direct or indirect effect the deficiencies may have on the security and privacy posture of the system and the risk exposure of the organization);136
  • The risk mitigation approach of the organization to address the identified deficiencies in the controls; and
  • The rationale for accepting certain deficiencies in the controls. Organizational strategies for plans of action and milestones are guided and informed by the security categorization of the systems affected by the risk mitigation activities. Organizations may decide, for example, to allocate their risk mitigation resources initially to the highest-impact systems or other high value assets because a failure to correct the known deficiencies in those systems or assets could potentially have the most significant adverse effects on their missions or business functions. Organizations prioritize deficiencies using information from risk assessments and the risk management strategy developed as part of the risk executive (function). Therefore, a high-impact system would have a prioritized list of deficiencies for that system, and similarly for moderate-impact and low-impact systems.

127 Authorization packages for common controls that are not system-based may not include a security or privacy plan, but do include a record of common control implementation details.

128 The authorizing official determines what additional supporting information, artifacts, or references may be required in the authorization package. The additional documentation may include, for example, risk assessments, contingency plans, or SCRM plans.

129 [SP 800-18] provides guidance on system security plans. Guidance on privacy plans will be addressed in a planned publication specific to privacy plans.

130 In accordance with [OMB A-130], the information system security plan and the privacy plan may be integrated into one consolidated document.

131 [SP 800-53A] provides guidance on security assessment reports. Guidance on privacy assessment reports will be addressed in future publications.

132 The information system security plan and the privacy plan may be integrated into one consolidated document.

133 An executive summary provides an authorizing official with an abbreviated version of the security and privacy assessment reports focusing on the highlights of the assessment, synopsis of findings, and recommendations for addressing deficiencies in the security and privacy controls.

134 Because the desired outcome of ongoing tracking and response to assessment findings to facilitate risk management decisions is the focus (rather than the specific process used), organizations can manage and update security assessment report information using any format or method consistent with internal organizational processes.

135 If changes are made as a result of mitigation actions from plans of actions and milestones, system security plans are updated accordingly.

136 In general, risk exposure is the degree to which an organization is threatened by the potential adverse effects on organizational operations and assets, individuals, other organizations, or the Nation.