Plan of Action and Milestone (POA&M)-Identifies vulnerability, resources, impact, recommendation and time needed to resolve identified vulnerabilities during the assessment phase. This is prepared by the C&A analyst and the system Owner.
Security Authorization Package is reviewed by the AO tissue
ATO Authorize to Operate (ATO) letter-AO accept all risks associated with the system
Interim Authorize to Operate letter-AO issue a conditional ATO pending System Owner solving all POAM items within a specific period of time, usually 6 months
Denial Authorization to Operate-AO do not issue ATO pending system owner solving all POAM items identified
Security Authorization Package includes
SSP
SAR
POAM
PHASE
DEVILEVABLES
PUBLICATIONS
LIFE CYCLE
AUTHORIZING
System Security Plan (SSP) Plan Of Acton and Milestone (POA&M) Security Assessment Report (SAR) Authorization To Operate (ATO)