Plan of Action and Milestone (POA&M)-Identifies vulnerability, resources, impact, recommendation and time needed to resolve identified vulnerabilities during the assessment phase. This is prepared by the C&A analyst and the system Owner.
Security Authorization Package is reviewed by the AO tissue
ATO Authorize to Operate (ATO) letter-AO accept all risks associated with the system
Interim Authorize to Operate letter-AO issue a conditional ATO pending System Owner solving all POAM items within a specific period of time, usually 6 months
Denial Authorization to Operate-AO do not issue ATO pending system owner solving all POAM items identified
Security Authorization Package includes
System Security Plan (SSP) Plan Of Acton and Milestone (POA&M) Security Assessment Report (SAR) Authorization To Operate (ATO)