Ongoing Authorization In Summary

  • Under OA, ATO is not set to expire after 3 years but only expire base on the occurrence of a predefined event. Example: New threat/vulnerability, increase in number of weaknesses, change in Authorizing Official (AO), new business mission/requirement or significant operational or inventory change
  • OA is event driven and time driven
    • Time Driven security report are reviewed frequently (for example: Weekly for High system, Bi Weekly for Moderate system and monthly for Low system)
    • Event Driven: the following events might require a comprehensive SCA to be conducted and a new ATO issued: New threat/vulnerability, increase in number of weaknesses, change in Authorizing Official (AO), new business mission/requirement or significant operational or inventory change
    • OA is dynamic, near real-time ongoing authorization process as oppose to a static, point in time authorization process
  • OA is fundamentally related to the ongoing understanding and ongoing acceptance of information security risk
  • OA is affected by the ISCM strategy defined under Phase Six of the RMF (Continuous Monitoring)

Condition to implement OA

  • Initial authorization needs to be completed
  • The organization need to develop an Information Security Continuous Monitoring (ISCM) strategy
  • The AO needs to be documented by the       AO
  • Creation of the SA&A package (SSP, SAR, and POAM) need to be automated although the data feed can be manual or procedural but this information needs to be available to the AO via an automated manner
  • POAM items/weaknesses are near real time (event and time driven)
  • Frequency of assessment and reporting are defined in the ISCM strategy and program
PHASEDEVILEVABLESPUBLICATIONSLIFE CYCLERESPONSIBLE
CATEGORIZATIONSystem Of Records Notice (SORN), E-Authentication, FIPS199, Risk Assessment Report, Privacy Threshold Analysis (PTA), Privacy Impact Analyst(PIA), PTWA, OMB NumberFIPS200, FIPS199, SP-800-60, SP-800-30, SP800-37, SP 800-39, SP800-63InitiationISSO, C&A Analyst, Information owner, System Owner
CONTROL SELECTONSystem Security Baseline ControlSP 800-53, FIPS 200Initiation / Development / AcquisitionISSO, C&A Analyst, System Owner
IMPLEMENTATON OF CONTROLSystem Security Plan(SSP), Configuration Management Plan(CMP), Contingency Plan (CP),Contingency Plan TestSP 800-18, SP 800- 53, SP 800-128, FIPS 200, SP 800-70, SP 800-34, SP 800-84Development Acquisition/ ImplementationISSO, System Owner
ASSESSING CONTROLSecurity Test Plan , System Security Plan(SSP), Security Assessment Report (SAR), Security Test Evaluation (ST&E) ReportSP 800-53, SP 800– 53A, SP 800-18Development/ AcquisitionC&A Analyst
AUTHORIZINGSystem Security Plan(SSP), PlanOf Acton and Milestone (POA&M), Security Assessment Report(SAR), Authorization To Operate(ATO)SP 800-53, SP 800- 53A, SP 800-18, SP-800-30, SP 800-37, SP800-39ImplementationAO, ISSO, C&A Analyst, System Owner
CONTINUOUS MONITORINGSystem Security Plan(SSP), Plan Of Acton and Milestone (POA&M), Security Assessment Report (SAR), Annual Assessment  LetterSP 800-53, SP 800- 53A, SP 800-18, SP800-30, SP 800-137Maintenance/ OperationAO, ISSO, C&A Analyst, System Owner
error: Content is protected !!