2.5 AUTHORIZATION BOUNDARIES
The authorization boundary establishes the scope of protection for an information system (i.e., what the organization agrees to protect under its direct management or within the scope of its responsibilities).[41] The authorization boundary includes the people, processes, and information technologies (i.e., system elements) that are part of each system supporting the organization’s missions and business functions. Authorization boundaries that are too expansive (i.e., include too many system elements or components) make the risk management process unnecessarily complex. Conversely, authorization boundaries that are too limited (i.e., include too few system elements or components) increase the number of systems that must be separately managed and may therefore unnecessarily inflate the information security and privacy costs for the organization.
The authorization boundary for a system is established during the RMF Prepare Task – System level, Task P-11. Organizations have flexibility in determining what constitutes the authorization boundary for a system. The set of system elements included within an authorization boundary defines the system (i.e., the scope of the authorization). When a set of system elements is identified as an authorization boundary for a system, the elements are generally under the same direct management.[42] Other considerations for determining the authorization boundary include identifying system elements that:
- Support the same mission or business functions;
- Have similar operating characteristics and security and privacy requirements;
- Process, store, and transmit similar types of information (e.g., categorized at the same impact level);[43] or
- Reside in the same environment of operation (or in the case of a distributed system, reside in various locations with similar operating environments).
The scope of the authorization boundary is revisited periodically as part of the continuous monitoring process carried out by the organization. While the above considerations may be useful to organizations in determining authorization boundaries for purposes of managing risk, the considerations are not intended to limit the organization’s flexibility in establishing authorization boundaries that promote effective security and privacy with the available resources of the organization.
The process of establishing authorization boundaries carries significant risk management implications and is therefore an organization-wide activity that requires coordination among key participants. The process considers mission and business requirements, security and privacy requirements, and the costs to the organization. Appendix G provides additional information and considerations for determining authorization boundaries, including boundaries for complex systems and software applications.
[41] Information systems are discrete sets of information resources organized for the collection, processing, use, sharing, maintenance, dissemination, or disposition of information, whether such information is in digital or non-digital form. Information resources include information and related resources, such as personnel, equipment, funds, and information technology. Information systems may or may not include hardware, firmware, and software.
[42] For information systems, direct management control involves budgetary, programmatic, or operational authority and associated responsibility and accountability. Direct management control does not necessarily imply that there is no intervening management.
[43] If a system contains information at multiple impact levels, the system is categorized at the highest impact level. See [FIPS 199] and [FIPS 200].
EFFECTIVE AUTHORIZATION BOUNDARIES
Establishing meaningful authorization boundaries for systems and common controls is one of the most important risk management activities carried out by an organization. The authorization boundary defines the specific scope of an authorizing official’s responsibility and accountability for protecting information resources and individuals’ privacy—including the use of systems, components, and services from external providers. Establishment of meaningful authorization boundaries is a foundation for assuring mission and business success for the organization.