Ongoing Authorization In Summary

  • OA is event driven
    • Examples of events: a new threat or vulnerability, an increased number of weaknesses, a change in Authorizing Official (AO), a new business mission/requirement, or a significant operational or inventory change
  • OA is a dynamic, near real-time ongoing authorization process, as opposed to a static, point-in-time authorization process
  • OA is fundamentally related to the ongoing understanding and ongoing acceptance of information security risk
  • OA is affected by the ISCM strategy defined under Phase six of the RMF (Continuous Monitoring)
  • Conditions to implement OA
    • The initial authorization needs to be completed
    • The organization needs to develop an Information Security Continuous Monitoring (ISCM) strategy (this document contains the events)
    • The ongoing authorization decision for a system needs to be formally documented by the Authorizing Official (for example, within the ATO)