
ONGOING AUTHORIZATION

TASK M-6

Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable.
Potential Inputs: Risk tolerance; security and privacy posture reports; plans of action and milestones; organization- and system-level risk assessment results; security and privacy plans.
Expected Outputs: A determination of risk; ongoing authorization to operate, ongoing authorization to use, ongoing common control authorization; denial of ongoing authorization to operate, denial of ongoing authorization to use, denial of ongoing common control authorization.
Primary Responsibility: Authorizing Official.
Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Chief Information Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy; Authorizing Official Designated Representative.
System Development Life Cycle Phase: New – Operations/Maintenance. Existing – Operations/Maintenance.
Discussion: To employ an ongoing authorization approach, organizations have in place an organization-level and system-level continuous monitoring process to assess implemented controls on an ongoing basis.[111] The findings or results from the continuous monitoring process provide useful information to authorizing officials to support near real-time risk-based decision making. In accordance with the guidance in Task R-4, the authorizing official or designated representative reviews the security and privacy posture of the system (including the effectiveness of the implemented controls) on an ongoing basis to determine the current risk to organizational operations and assets, individuals, other organizations, and the Nation. The authorizing official determines whether the current risk is acceptable and provides appropriate direction to the system owner or common control provider. The authorizing official may determine that the risk remains at an acceptable level for continued operation or that the risk is no longer at an acceptable level for continued operation, and may issue a denial of authorization to operate, authorization to use, or common control authorization.

The risks may change based on the information provided in the security and privacy posture reports because the reports may indicate changes to the security or privacy risk factors. Determining how changing conditions affect organizational and individual risk is essential for managing privacy risk and maintaining adequate security. By carrying out ongoing risk determination and risk acceptance, authorizing officials can maintain system and common control authorizations over time and transition to ongoing authorization. Reauthorization actions occur only in accordance with federal or organizational policies. The authorizing official conveys updated risk determination and acceptance results to the senior accountable official for risk management or the risk executive (function).

The use of automated support tools to capture, organize, quantify, visually display, and maintain security and privacy posture information promotes near real-time risk management regarding the risk posture of the organization. The use of metrics and dashboards increases an organization’s capability to make risk-based decisions by consolidating data in an automated fashion and providing the data to decision makers at different levels within the organization in an easy-to-understand format.

References: [SP 800-30]; [SP 800-39] (Organization, Mission/Business Process, and System Levels); [SP 800-55]; [SP 800-160 v1] (Risk Management Process); [IR 8011 v1]; [IR 8062].


[111] See Appendix F for additional information on ongoing authorization and continuous monitoring.