TYPE AND FACILITY AUTHORIZATIONS

A type authorization¹⁵⁹ is an official authorization decision that allows for a single authorization package to be developed for an archetype (i.e., common) version of a system. This includes, for example hardware, software, or firmware components that are deployed to multiple locations for use in specified environments of operation (e.g., system installation and configuration requirements or operational security and privacy needs provided by the host organization at a specific location). A type authorization is appropriate when the system is deployed in a defined environment and is comprised of identical instances of system architecture, software, identical information types, functionally identical hardware, information that is processed in the same way, identical control implementations, or identical configurations. A type authorization is used in conjunction with authorized site-specific controls¹⁶⁰ or with a facility authorization as described below. A type authorization is issued by the authorizing official responsible for the development of the system¹⁶¹ and represents an authorization to operate. At the site or facility where the system is deployed, the authorizing official who is responsible for the system at the site or facility accepts the risk of deploying the system and issues an authorization to use. The authorization to use leverages the information in the authorization packages for the archetype system and the facility common controls.

A facility authorization is an official authorization decision that is focused on specific controls implemented in a defined environment of operation to support one or more systems residing within that environment. A facility authorization addresses common controls within a facility and allows systems residing in the defined environment to inherit the common controls and the affected system security and privacy plans to reference the authorization package for the facility. The common controls are provided at a specified impact level to facilitate risk decisions on whether it is appropriate to locate a given system in a particular facility.¹⁶² Physical and environmental controls are addressed in a facility authorization but other controls may also be included, for example, boundary protections; contingency plan and incident response plan for the facility; or training and awareness and personnel screening for facility staff. The facility authorizing official issues a common control authorization to describe the common controls available for inheritance by systems residing within the facility.

¹⁵⁹ Examples of type authorizations include: an authorization of the hardware and software applications for a standard financial system deployed in multiple locations; or an authorization of a common workstation or operating environment (i.e., hardware, operating system, and applications) deployed to all operating units within an organization.

¹⁶⁰ Site-specific controls are typically implemented by an organization as common controls. Examples include physical and environmental protection controls and personnel security controls.

¹⁶¹ Typically, type authorizations are issued by organizations that are responsible for developing standardized hardware and software capabilities for customers and delivered to the recipient organizations as “turn key” solutions. The senior leaders issuing such authorizations may be referred to as developmental authorizing officials.

¹⁶² For example, if the facility is categorized as moderate impact, it may not be appropriate to locate high-impact systems or system elements in that environment of operation.