EVENT-DRIVEN TRIGGERS AND SIGNIFICANT CHANGES
Organizations define event-driven triggers (i.e., indicators or prompts that cause a predefined organizational reaction) for both ongoing authorization and reauthorization. Event-driven triggers may include, but are not limited to:
- New threat, vulnerability, privacy risk, or impact information;
- An increased number of findings or deficiencies from the continuous monitoring program;
- New missions/business requirements;
- Change in the authorizing official;
- Significant change in risk assessment findings;
- Significant changes to the system, common controls, or the environments of operation;
- Changes in the supply chain affecting security or privacy risks to operational systems; or
- Exceeding organizational thresholds.

When there is a change in authorizing officials, the new authorizing official reviews the current authorization decision document, authorization package, any updated documents from ongoing monitoring activities, or a report from automated security/privacy management and reporting tools. If the new authorizing official finds the current risk to be acceptable, the official signs a new or updated authorization decision document, formally transferring responsibility and accountability for the system or the common controls. In doing so, the new authorizing official explicitly accepts the risk to organizational operations and assets, individuals, other organizations, and the Nation. If the new authorizing official finds the current risk to be unacceptable, an authorization action (i.e., ongoing authorization or reauthorization) can be initiated. Alternatively, the new authorizing official may instead establish new terms and conditions for continuing the original authorization, but not extend the original authorization termination date (if not under ongoing authorization).
A significant change is defined as a change that is likely to substantively affect the security or privacy posture of a system. Significant changes to a system that may trigger an event-driven authorization action may include, but are not limited to:
- Installation of a new or upgraded operating system, middleware component, or application;
- Modifications to system ports, protocols, or services;
- Installation of a new or upgraded hardware platform;
- Modifications to how information, including PII, is processed;
- Modifications to cryptographic modules or services;
- Changes in information types processed, stored, or transmitted by the system; or
- Modifications to security and privacy controls.

Significant changes to the environment of operation that may trigger an event-driven authorization action may include, but are not limited to:
- Moving to a new facility;
- Adding new core missions or business functions;
- Acquiring specific and credible threat information that the organization is being targeted by a threat source; or
- Establishing new/modified laws, directives, policies, or regulations.

The examples of changes listed above are only significant when they represent a change that is likely to affect the security and privacy posture of the system. Organizations establish criteria for what constitutes significant change based on a variety of factors (e.g., mission and business needs; threat and vulnerability information; environments of operation for systems; privacy risks; and security categorization).
Risk assessment results or the results from an impact analysis may be used to determine if changes to systems or common controls are significant and trigger an authorization action. If an authorization action is initiated, the organization targets only the specific controls affected by the changes and reuses previous assessment results wherever possible. An effective monitoring program can significantly reduce the overall cost and level of effort of authorization actions. Most changes to a system or its environment of operation can be handled through the continuous monitoring program and ongoing authorization.