- Conditions for Implementation of Ongoing Authorization
- Information Generation, Collection, and Independence Requirements
- Ongoing Authorization Frequency
- Transitioning from Static Authorization to Ongoing Authorization
Continuous monitoring strategies[148] promote effective and efficient risk management on an ongoing basis. Risk management can become near real-time by using automation and state-of-the-practice tools, techniques, and procedures for the ongoing monitoring of controls and of changes to systems and the environments in which those systems operate. Continuous monitoring, based on the needs of the authorizing official, produces the information necessary to determine the security and privacy posture of the system[149] and highlights the risks to organizational operations and assets, individuals, other organizations, and the Nation. Ultimately, continuous monitoring guides and informs the authorizing official's decision whether to authorize the continued operation of the system or the continued use of the common controls inherited by organizational systems.
Continuous monitoring helps to achieve a state of ongoing authorization where the authorizing official maintains sufficient knowledge of the current security and privacy posture of the system to determine whether continued operation is acceptable based on ongoing risk determinations—and if not, which steps in the RMF need to be revisited to effectively respond to the additional risk. Reauthorizations are unnecessary in situations where the continuous monitoring program provides authorizing officials with the information necessary to manage the risk arising from changes to the system or the environment in which the system operates. If a reauthorization is required, organizations maximize the use of status reports and relevant information about the security and privacy posture of the system that is produced during the continuous monitoring process to improve efficiency.
When a system or common controls are under ongoing authorization, the system or common controls may be authorized on a time-driven and/or event-driven basis, leveraging the security and privacy information generated by the continuous monitoring program. The system and common controls are authorized on a time-driven basis in accordance with the authorization frequency determined as part of the organization- and system-level continuous monitoring strategies. The system and common controls are authorized on an event-driven basis until organization-defined trigger events occur. Whether the authorization is time-driven or event-driven, the authorizing official acknowledges the ongoing acceptance of identified risks. The organization determines the level of formality required for such acknowledgement by the authorizing official.
Conditions for Implementation of Ongoing Authorization
When the RMF has been effectively applied across the organization and the organization has implemented a robust continuous monitoring program, systems may transition from a static, point-in-time authorization process to a dynamic, near real-time ongoing authorization process. To do so, the following conditions must be satisfied:
- The system or common control being considered for ongoing authorization has received an initial authorization based on a complete, zero-based review of the system or the common controls.[150]
- An organizational continuous monitoring program is in place that monitors implemented controls with the appropriate degree of rigor and at the required frequencies specified by the organization in accordance with the continuous monitoring strategy and NIST standards and guidelines.[151]
The organization establishes and implements a process to designate that the two conditions are satisfied and that the system or the common controls are transitioning to ongoing authorization. The process includes the authorizing official acknowledging that the system or common control is now being managed by an ongoing authorization process and accepting the responsibility for performing all activities associated with that process. The transition to ongoing authorization is documented by the authorizing official by issuing a new authorization decision.[152]
The security and privacy information generated through the continuous monitoring process is provided to the authorizing officials and other organizational officials in a timely manner through security and privacy management and reporting tools. Such tools facilitate risk-based decision making for the ongoing authorization of systems and common controls.
Information Generation, Collection, and Independence Requirements
To support ongoing authorization, security and privacy information for controls is generated and collected at the frequency specified in the organization’s continuous monitoring strategy. Security and privacy information may be collected using automated tools or other methods of assessment depending on the type and purpose of the control and desired rigor of the assessment. Automated tools may not generate security and privacy information that is sufficient to support the authorizing official in making risk determinations. Automated tools may not provide sufficient support for various reasons (e.g., the tools do not generate information for every control or every part of a control, additional assurance is needed, or the tools do not generate information on specific technologies or platforms). In such cases, manual control assessments are conducted at organizationally-determined frequencies to cover any gaps in automated security and privacy information generation. The manually-generated assessment results are provided to the authorizing official in the manner deemed appropriate by the organization.
To support ongoing authorizations for moderate- and high-impact systems, the security and privacy information provided to the authorizing official, whether generated manually or in an automated fashion, is produced and analyzed by an entity that meets the independence requirements established by the organization. The senior agency official for privacy is responsible for assessing privacy controls and for providing privacy information to the authorizing official. At the discretion of the organization, privacy controls may be assessed by an independent assessor. The independent assessor is impartial and free from any perceived or actual conflicts of interest regarding the development, implementation, assessment, operation, or management of the organizational systems and common controls being monitored.
Ongoing Authorization Frequency
[SP 800-53] security control CA-6, Part c. specifies that the authorization for a system and any common controls inherited by the system be updated at an organization-established frequency. This part of the control reinforces the concept of ongoing authorization. In accordance with CA-6 (along with the security and privacy assessment and monitoring frequency determinations established as part of the continuous monitoring strategy), organizations determine a frequency with which authorizing officials review security and privacy information via the security or privacy management and reporting tool or manual process.[153] The near real-time information from the reporting tool or manual process is used to determine whether the mission or business risk of operating the system or providing the common controls continues to be acceptable. [SP 800-137] provides criteria for determining assessment and monitoring frequencies.
Under ongoing authorization, time-driven authorization triggers refer to the frequency with which the organization determines that authorizing officials are to review security and privacy information and authorize the system (or common controls) for continued operation as described above. Time-driven authorization triggers can be based on a variety of organization-defined factors including the impact level of the system. When a time-driven trigger occurs, authorizing officials review security and privacy information on the systems for which they are responsible and accountable to determine the ongoing organizational mission or business risk, the acceptability of such risk in accordance with organizational risk tolerance, and whether the approval for continued operation is justified. The organizational continuous monitoring process, supported by the organization's security and privacy management and reporting tools, provides the appropriate functionality to notify the responsible and accountable authorizing official that it is time to review the security and privacy information to support ongoing authorization.
In contrast to time-driven authorization triggers, event-driven triggers necessitate an immediate review of security and privacy information by the authorizing official. Organizations may define event-driven triggers (i.e., indicators or prompts that cause an organization to react in a predefined manner) for ongoing authorization and reauthorization. When an event-driven trigger occurs under ongoing authorization, the authorizing official is either notified by organizational personnel (e.g., senior agency information security officer, senior agency official for privacy, system owner, common control provider, or system security or privacy officer) or via automated tools that defined trigger events have occurred requiring an immediate review of the system or the common controls. The authorizing official may also determine independently that an immediate review is required. The event-driven trigger review is conducted in addition to the time-driven frequency review defined in the organizational continuous monitoring strategy and occurs during ongoing authorization when the residual risk remains within the acceptable limits of organizational risk tolerance.[154]
Transitioning from Static Authorization to Ongoing Authorization
The intent of continuous monitoring is to monitor controls at a frequency that is sufficient to provide authorizing officials with the information necessary to make effective, risk-based decisions, whether by automated or manual means.[155] However, if a substantial portion of monitoring is not accomplished via automation, it will not be feasible or practical to move from the current static authorization approach to an effective and efficient ongoing authorization approach. A phased approach for the generation of security and privacy information may be necessary during the transition as automated tools become available and a greater number of controls are monitored by automated techniques. Organizations may begin by generating security and privacy information from automated tools and fill in gaps by generating additional information from manual assessments. As additional automated monitoring functionality is added, processes can be adjusted.
Transitioning from a static authorization process to a dynamic, ongoing authorization process requires considerable thought and planning. One methodology that organizations may consider is to take a phased approach to the migration based on the security categorization of the system. Because risk tolerance levels for low-impact systems are likely to be greater than for moderate-impact or high-impact systems, implementing continuous monitoring and ongoing authorization for low-impact systems first may ease the transition. The phased approach starting with low-impact systems allows organizations to incorporate lessons learned as continuous monitoring and ongoing authorization processes are implemented for moderate-impact and high-impact systems. Incorporating lessons learned facilitates the consistent progression of the continuous monitoring and ongoing authorization implementation from the lowest to the highest impact levels for the systems within the organization. Organizations may also consider employing the phased implementation approach by partitioning systems into subsystems or system elements and subsequently transitioning those subsystems or system elements to ongoing authorization one segment at a time until the entire system is ready for the full transition (at which time the authorizing official acknowledges that the system is now being managed by an ongoing authorization process).
[148] [SP 800-137] provides additional guidance on information security continuous monitoring. Guidance on privacy continuous monitoring will be provided in future publications.
[149] For greater efficiency, the information security continuous monitoring (ISCM) and privacy continuous monitoring (PCM) strategies may be consolidated into a single unified continuous monitoring strategy. Similarly, the ISCM and PCM programs may also be consolidated into a single unified continuous monitoring program.
[150] System owners and authorizing officials leverage security and privacy information about inherited common controls from assessments conducted by common control providers.
[151] [SP 800-53] and [SP 800-53A] provide guidance regarding the appropriate degree of rigor for security assessments and monitoring. Future publications will address privacy assessments.
[152] Prior to transitioning to ongoing authorization, organizations have authorization decision documents that include an authorization termination date. By requiring a new authorization decision document, it is made clear that the system or the common controls are no longer bound to the termination date specified in the initial authorization document because the system and the common controls are now under ongoing authorization.
[153] Ongoing authorization and ongoing assessment are different but closely related concepts. To employ an ongoing authorization approach (which implies an ongoing understanding and acceptance of risk), organizations must have in place an organization-level and system-level continuous monitoring process to assess implemented controls on an ongoing basis. The findings or results from the continuous monitoring process provide information to authorizing officials to support near real-time risk-based decision making.
[154] The immediate reviews initiated by specific trigger events may occur simultaneously (i.e., in conjunction) with time-driven monitoring activities based on the monitoring frequencies established by the organization and how the reviews are structured within the organization. The same reporting structure may be used for event- and time-driven reviews to achieve efficiencies.
[155] Privacy continuous monitoring means maintaining ongoing awareness of privacy risks and assessing privacy controls at a frequency sufficient to ensure compliance with applicable privacy requirements and to manage privacy risks.