Summary

  • Plan of Action and Milestone (POA&M): identifies the vulnerabilities found during the assessment phase, along with the resources, impact, recommendation and time needed to resolve them. It is prepared by the C&A analyst and the System Owner.
  • Security Authorization Package is reviewed by the AO tissue
  • Authorize to Operate (ATO) letter: the AO accepts all risks associated with the system
  • Interim Authorize to Operate letter: the AO issues a conditional ATO pending the System Owner resolving all POAM items within a specific period of time, usually 6 months
  • Denial of Authorization to Operate: the AO does not issue an ATO pending the System Owner resolving all POAM items identified
  • Security Authorization Package includes
    • SSP
    • SAR
    • POAM

| PHASE | DELIVERABLES | PUBLICATIONS | LIFE CYCLE |
|---|---|---|---|
| AUTHORIZING | System Security Plan (SSP) | SP 800-18/53 | Implementation |
| | Plan Of Action and Milestone (POA&M) | SP 800-39/37 | |
| | Security Assessment Report (SAR) | SP 800-53A | |
| | Authorization To Operate (ATO) | SP 800-39/37 | |