Link Search Menu Expand Document
NIST SP 800-37

AUTHORIZATION PACKAGE UPDATES

TASK M-4

Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process.
Potential Inputs: Security and privacy assessment reports; organization- and system-level risk assessment results; security and privacy plans; plans of action and milestones.
Expected Outputs: Updated security and privacy assessment reports;108 updated plans of action and milestones; updated risk assessment results; updated security and privacy plans.
Primary Responsibility: System Owner; Common Control Provider.
Supporting Roles: Information Owner or Steward; System Security Officer; System Privacy Officer; Senior Agency Official for Privacy; Senior Agency Information Security Officer.
System Development Life Cycle Phase: New – Operations/Maintenance. Existing – Operations/Maintenance.
Discussion: To achieve near real-time risk management, the organization updates security and privacy plans, security and privacy assessment reports, and plans of action and milestones on an ongoing basis. Updates to the plans reflect modifications to controls based on risk mitigation activities carried out by system owners or common control providers. Updates to control assessment reports reflect additional assessment activities carried out to determine control effectiveness based on implementation details in the plans. Plans of action and milestones are updated based on progress made on the current outstanding items; address security and privacy risks discovered as part of control effectiveness monitoring; and describe how the system owner or common control provider intends to address those risks. The updated information raises awareness of the security and privacy posture of the system and the common controls inherited by the system, thereby, supporting near real-time risk management and the ongoing authorization process.

The frequency of updates to risk management information is at the discretion of the system owner, common control provider, and authorizing officials in accordance with federal and organizational policies and is consistent with the organizational and system-level continuous monitoring strategies. The updates to information regarding the security and privacy posture of the system and the common controls inherited by the system are accurate and timely since the information provided influences ongoing actions and decisions by authorizing officials and other senior leaders within the organization. The use of automated support tools and organization-wide security and privacy program management practices ensure that authorizing officials can readily access the current security and privacy posture of the system. Ready access to the current security and privacy posture supports continuous monitoring and ongoing authorization and promotes the near real-time management of risk to organizational operations and assets, individuals, other organizations, and the Nation.

Organizations ensure that information needed for oversight, management, and auditing purposes is not modified or destroyed when updating security and privacy plans, assessment reports, and plans of action and milestones. Providing an effective method to track changes to systems through configuration management procedures is necessary to achieve transparency and traceability in the security and privacy activities of the organization; to obtain individual accountability for any security or privacy actions; and to understand emerging trends in the security and privacy programs of the organization.

References: [SP 800-30]; [SP 800-53A].

108 If a comparable report meets the requirements of what is to be included in an assessment report (e.g., a report generated from a security or privacy management and reporting tool), then the comparable report would constitute the assessment report.