AUTHORIZATION DECISION
TASK R-4
Determine if the risk from the operation or use of the information system or the provision or use of common controls is acceptable.
Potential Inputs: Risk responses for determined risks.
Expected Outputs: Authorization to operate, authorization to use, common control authorization; denial of authorization to operate, denial of authorization to use, denial of common control authorization.
Primary Responsibility: Authorizing Official.
Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Chief Information Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy; Authorizing Official Designated Representative.
System Development Life Cycle Phase: New – Implementation/Assessment. Existing – Operations/Maintenance.
Discussion: The explicit acceptance of risk is the responsibility of the authorizing official and cannot be delegated to other officials within the organization. The authorizing official considers many factors when deciding if the risk to the organization’s operations (including mission, functions, image, and reputation) and assets, individuals, other organizations, or the Nation, is acceptable. Balancing security and privacy considerations with mission and business needs is paramount to achieving an acceptable risk-based authorization decision.102 The authorizing official issues an authorization decision for the system or for organization-designated common controls after reviewing the information in the authorization package, input from other organizational officials (see Task R-2), and other relevant information that may affect the authorization decision. The authorization package provides the most current information on the security and privacy posture of the system or the common controls.
The authorizing official consults with the Senior Accountable Official for Risk Management or the Risk Executive (Function) prior to making the final authorization decision for the information system or the common controls. Because there are potentially significant dependencies among organizational systems and with external systems, the authorization decisions for individual systems consider the current residual risk, organizational plans of action and milestones, and the risk tolerance of the organization.
The authorization decision is conveyed by the authorizing official to the system owner or common control provider, and other organizational officials, as appropriate.103 The authorization decision also conveys the terms and conditions for the authorization to operate; the authorization termination date or time-driven authorization frequency; input from the senior accountable official for risk management or risk executive (function), if provided; and for common control authorizations, the system impact level supported by the common controls.
For systems, the authorization decision indicates to the system owner whether the system is authorized to operate or authorized to use, or not authorized to operate or not authorized to use. For common controls, the authorization decision indicates to the common control provider and to the system owners of inheriting systems, whether the common controls are authorized to be provided or not authorized to be provided. The terms and conditions for the common control authorization provide a description of any specific limitations or restrictions placed on the operation of the system or the controls that must be followed by the system owner or common control provider.
The authorization termination date is established by the authorizing official and indicates when the authorization expires. Organizations may eliminate the authorization termination date if the system is operating under an ongoing authorization—that is, the continuous monitoring program is sufficiently robust and mature to provide the authorizing official with the needed information to conduct ongoing risk determination and risk acceptance activities regarding the security and privacy posture of the system and the ongoing effectiveness of the controls employed within and inherited by the system.
The authorization decision is included with the authorization package and is transmitted to the system owner or common control provider. Upon receipt of the authorization decision and the authorization package, the system owner or common control provider acknowledges and implements the terms and conditions of the authorization. The organization ensures that the authorization package, including the authorization decision for systems and common controls, is made available to organizational officials (e.g., system owners inheriting common controls; chief information officers; senior accountable officials for risk management or risk executive [function]; senior agency information security officers; senior agency officials for privacy; and system security and privacy officers). The authorizing official verifies on an ongoing basis as part of continuous monitoring (see Task M-2) that the established terms and conditions for authorization are being followed by the system owner or common control provider.
When the system is operating under ongoing authorization, the authorizing official continues to be responsible and accountable for explicitly understanding and accepting the risk of continuing to operate or use the system or continuing to provide common controls for inheritance. For ongoing authorization, the authorization frequency is specified in lieu of an authorization termination date. The authorizing official reviews the information with the specific time-driven authorization frequency defined by the organization as part of the continuous monitoring strategy and determines if the risk of continued system operation or the provision of common controls remains acceptable. If the risk remains acceptable, the authorizing official acknowledges the acceptance in accordance with organizational processes. If not, the authorizing official indicates that the risk is no longer acceptable and requires further risk response or a full denial of the authorization.
The organization determines the level of formality for the process of communicating and acknowledging continued risk acceptance by the authorizing official. The authorizing official may continue to establish and convey the specific terms and conditions to be followed by the system owner or common control provider for continued authorization to operate, continued common control authorization, or continued authorization to use. The terms and conditions of the authorization may be conveyed through an automated management and reporting tool as part of an automated authorization decision.
If control assessments are conducted by qualified assessors with the level of independence104 required, the assessment results support ongoing authorization and may be applied to a reauthorization. Organizational policies regarding ongoing authorization and reauthorization are consistent with laws, executive orders, directives, regulations, and policies.
Appendix F provides additional guidance on authorization decisions, the types of authorizations, and the preparation of the authorization packages.
References: [SP 800-39] (Organization, Mission/Business Process, and System Levels); [SP 800-160 v1] (Risk Management Process).
102 While balancing security and privacy considerations with mission and business needs is paramount to achieving an acceptable risk-based authorization decision, there may be instances when the authorizing official and senior agency official for privacy cannot reach a final resolution regarding the appropriate protection for PII and the information systems that process PII. [OMB A-130] provides guidance on how to resolve such instances.
103 Organizations are encouraged to employ automated security/privacy management and reporting tools whenever feasible, to develop the authorization packages for systems and common controls and to maintain those packages during ongoing authorization. Automated tools can significantly reduce documentation costs, provide increased speed and efficiency in generating important information for decision makers, and provide more effective means for updating critical risk management information. It is recognized that certain controls are not conducive to the use of automated tools and therefore, manual methods are acceptable in those situations.
104 In accordance with [OMB A-130], an independent evaluation of privacy program and practices is not required. However, an organization may choose to employ independent privacy assessments at the organization’s discretion.