Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk.
Potential Inputs: Authorization decision.
Expected Outputs: A report indicating the authorization decision for a system or set of common controls; annotation of authorization status in the organizational system registry.
Primary Responsibility: Authorizing Official or Authorizing Official Designated Representative.
Supporting Roles: System Owner or Common Control Provider; Information Owner or Steward; System Security Officer; System Privacy Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy.
System Development Life Cycle Phase: New – Implementation/Assessment. Existing – Operations/Maintenance.
Discussion: Authorizing officials report authorization decisions for systems and common controls to designated organizational officials so the individual risk decisions can be viewed in the context of organization-wide security and privacy risk to organizational operations and assets, individuals, other organizations, and the Nation. Reporting occurs only in situations where organizations have delegated the authorization functions to levels of the organization below the head of agency. Authorizing officials also report exploitable deficiencies (i.e., vulnerabilities) in the system or controls noted during the assessment and continuous monitoring that represent significant security or privacy risk. Organizations determine, and the organizational policy reflects, what constitutes a significant security or privacy risk for reporting. Deficiencies that represent significant vulnerabilities and risk can be reported using the Subcategories, Categories, and Functions in the [NIST CSF]. Authorization decisions may be tracked and reflected as part of the organization-wide system registration process at the organization’s discretion (see Task P-18).
References: [SP 800-39] (Organization, Mission/Business Process, and System Levels); [SP 800-160 v1] (Decision Management and Project Assessment and Control Processes); [NIST CSF] (Core [Identify, Protect, Detect, Respond, Recover Functions]).