Under OA, an ATO is not set to expire after 3 years; it expires only on the occurrence of a predefined event. Examples: a new threat or vulnerability, an increase in the number of weaknesses, a change in Authorizing Official (AO), a new business mission or requirement, or a significant operational or inventory change.
OA is both event driven and time driven.
Time driven: security reports are reviewed frequently (for example, weekly for High-impact systems, bi-weekly for Moderate-impact systems, and monthly for Low-impact systems).
Event driven: the following events might require a comprehensive SCA to be conducted and a new ATO issued: a new threat or vulnerability, an increase in the number of weaknesses, a change in Authorizing Official (AO), a new business mission or requirement, or a significant operational or inventory change.
OA is a dynamic, near-real-time ongoing authorization process, as opposed to a static, point-in-time authorization process.
OA is fundamentally tied to the ongoing understanding and ongoing acceptance of information security risk.
OA is shaped by the ISCM strategy defined under Phase Six of the RMF (Continuous Monitoring).
Conditions to implement OA
The initial authorization needs to be completed.
The organization needs to develop an Information Security Continuous Monitoring (ISCM) strategy.
The OA needs to be documented by the AO.
Creation of the SA&A package (SSP, SAR, and POAM) needs to be automated; the data feeds can be manual or procedural, but the information needs to be made available to the AO in an automated manner.
POAM items/weaknesses are tracked in near real time (event and time driven).
The frequency of assessment and reporting is defined in the ISCM strategy and program.
PHASE | DELIVERABLES | PUBLICATIONS | LIFECYCLE | RESPONSIBLE
CATEGORIZATION | System Of Records Notice (SORN), E-Authentication, FIPS 199, Risk Assessment Report, Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA), PTWA, OMB Number | | |