Assemble the authorization package and submit the package to the authorizing official for an authorization decision.
Potential Inputs: Security and privacy plans; security and privacy assessment reports; plan of action and milestones; supporting assessment evidence or other documentation, as required.
Expected Outputs: Authorization package (with an executive summary), which may be generated from a security or privacy management tool⁹⁴ for submission to the authorizing official.
Primary Responsibility: System Owner; Common Control Provider; Senior Agency Official for Privacy.⁹⁵ Supporting Roles: System Security Officer; System Privacy Officer; Senior Agency Information Security Officer; Control Assessor.
System Development Life Cycle Phase: New – Implementation/Assessment. Existing – Operations/Maintenance.
Discussion: Authorization packages⁹⁶ include security and privacy plans, security and privacy assessment reports, plans of action and milestones, and an executive summary. Additional information can be included in the authorization package at the request of the authorizing official. Organizations maintain version and change control as the information in the authorization package is updated. Providing timely updates to the plans, assessment reports, and plans of action and milestones on an ongoing basis supports the concept of near real-time risk management and ongoing authorization, and can be used for reauthorization actions, if required.
For systems that process PII, the senior agency official for privacy reviews the authorization package to ensure compliance with applicable privacy requirements and to manage privacy risks before authorizing officials make risk determination and acceptance decisions.
The information in the authorization package is used by authorizing officials to make informed, risk-based decisions. When controls are implemented by an external provider through contracts, interagency agreements, lines of business arrangements, licensing agreements, or supply chain arrangements, the organization ensures that the information needed to make risk-based decisions is made available by the provider.
The authorization package may be provided to the authorizing official in hard copy or electronically or may be generated using an automated security/privacy management and reporting tool. Organizations can use automated support tools in preparing and managing the content of the authorization package. Automated support tools provide an effective vehicle for maintaining and updating information for authorizing officials regarding the ongoing security and privacy posture of information systems within the organization.
When an information system is under ongoing authorization, the authorization package is presented to the authorizing official via automated reports to provide information in the most efficient and timely manner possible.⁹⁷ Information to be presented to the authorizing official in assessment reports is generated in the format and with the frequency determined by the organization using information from the information security and privacy continuous monitoring programs.
The assessment reports presented to the authorizing official include information about deficiencies in system-specific, hybrid, and common controls (i.e., other than satisfied findings determined by assessors). The authorizing official uses automated security/privacy management and reporting tools or other automated methods, whenever practicable, to access the security and privacy plans and the plans of action and milestones. The authorization documents are updated at an organization-defined frequency using automated or manual processes in accordance with the risk management objectives of the organization.⁹⁸
References: [OMB A-130]; [SP 800-18]; [SP 800-160 v1] (Risk Management Process); [SP 800-161] (SCRM Plans).
⁹⁴ Organizations are encouraged to maximize the use of automated tools in the preparation, assembly, and transmission of authorization packages and security and privacy information supporting the authorization process. Many commercially available governance, risk, and compliance (GRC) tools can be employed to reduce or eliminate hard copy documentation.
⁹⁵ The senior agency official for privacy is active for information systems processing PII.
⁹⁶ If a comparable report meets the requirements of what is to be included in an authorization package, then the comparable report would itself constitute the authorization package.
⁹⁷ While the objective is to fully automate all components of the authorization package, organizations may be in various states of transition to a fully automated state, that is, with certain sections of the authorization package available via automated means and other sections available only through manual means.
⁹⁸ Organizations decide on the level of detail and the presentation format of security and privacy information that is made available to authorizing officials through automation. Decisions about level of detail and format are based on organizational needs, with the automated presentation of security and privacy information tailored to the decision-making needs of the authorizing officials. For example, detailed security and privacy information may be generated and collected at the operational level of the organization, with the information subsequently analyzed, distilled, and presented to authorizing officials in a summarized or highlighted format using automation.