Security Control Authorization Phase 5

  • Plan of Action and Milestones (POA&M): Identifies the vulnerabilities found during the assessment phase, along with the resources, impact, recommendation and time needed to resolve them. It is prepared by the C&A analyst and the system owner.
  • The Security Authorization Package is reviewed by the AO, who issues one of the following:
    • Authorize to Operate (ATO) letter: the AO accepts all risks associated with the system
    • Interim Authorize to Operate letter: the AO issues a conditional ATO pending the system owner resolving all POA&M items within a specific period of time, usually 6 months
    • Denial of Authorization to Operate: the AO does not issue an ATO pending the system owner resolving all POA&M items identified
  • The Security Authorization Package includes:
    • SSP
    • SAR
    • POA&M