Link Search Menu Expand Document
NIST SP 800-37

TRADITIONAL AND JOINT AUTHORIZATIONS

Organizations can choose from two distinct approaches when planning for and conducting authorizations. These include an authorization with a single authorizing official or an authorization with multiple authorizing officials.163 The first approach is the traditional authorization process defined in this appendix where a single organizational official in a senior leadership position is responsible and accountable for a system or for common controls. The organizational official accepts the security and privacy risks that may adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation.

The second approach, joint authorization, is employed when multiple organizational officials either from the same organization or different organizations, have a shared interest in authorizing a system. The organizational officials collectively are responsible and accountable for the system and jointly accept the security and privacy risks that may adversely impact organizational operations and assets, individuals, other organizations, and the Nation. A similar authorization process is followed as in the single authorizing official approach with the essential difference being the addition of multiple authorizing officials. Organizations choosing a joint authorization approach are expected to work together on the planning and the execution of RMF tasks and to document their agreement and progress in implementing the tasks.

Collaboration on security categorization, control selection and tailoring, a plan for assessing controls to determine effectiveness, a plan of action and milestones, and a system-level continuous monitoring strategy is necessary for a successful joint authorization. The terms and conditions of the joint authorization are established by the participating parties in the joint authorization including the process for ongoing determination and acceptance of risk. The joint authorization remains in effect only while there is agreement among authorizing officials and the authorization meets the specific requirements established by federal and organizational policies. [SP 800-53] controls CA-6(1), Joint Authorization – Same Organization and CA-6(2) Joint Authorization – Different Organizations, describe the requirements for joint authorizations.

163 Authorization approaches can be applied to systems and to common controls inherited by organizational systems.