By Lon Berman, CISSP of BAI Information Security
If you ask most system owners about the desired outcome of their RMF efforts, they will readily tell you “we are
expecting the Authorizing Official (AO) to sign an Authorization to Operate (ATO) for our system.” But how much do they really know about what goes into that decision? Do they understand that ATO is not the only possible outcome of
the authorization process? What are the other possible authorization decisions and what do they mean to the system
To truly understand authorization decisions, you need to understand the decision process itself. In Step 5 of the RMF process, the AO is presented with an Authorization Package that contains, at a minimum, a System Security Plan (SSP), a Security Assessment Report (SAR) and a Plan of Action & Milestones (POA&M).
- The SSP includes a comprehensive system description, documentation of roles and responsibilities, system categorization, and complete documentation of the implementation and status of each applicable security control in the system baseline.
- The SAR is provided by the Security Controls Assessor (SCA) and contains the results of the independent assessment of the system; each control is assessed as being Compliant (C), Non-compliant (NC), or Not Applicable (NA).
- The POA&M contains the system owner’s “response” to the findings of the independent assessment (planned mitigation/remediation steps, resources and schedule).
Additionally, the AO may be provided with a Risk Assessment Report (RAR) that assigns a Risk Level (Very Low,Low, Moderate, High, Very High) to each finding, along with an overall recommendation from the SCA. The AO will then analyze the risk posture of the system, as indicated by these documents.
Some of the questions the AO will ask him/herself are:
- Is the system capable of operating at an acceptable level of risk today?
- Does the system owner, as evidenced by the POA&M, have a credible plan to address risks identified in the independent assessment?
Based on this analysis, the AO needs to decide if the overall system risk is acceptable. The very nature of the word
“acceptable” indicates this will be a subjective decision on the part of the AO.
If the AO feels the overall risk is acceptable and there are no Very High or High risk findings, he/she will issue an
ATO. Each ATO includes an Authorization Termination Date (ATD). The overall term of the ATO cannot exceed three
years. During the term of the ATO, the system owner is required to maintain and report on the security posture of the
system. At a minimum, this entails providing an updated POA&M to the AO on a quarterly basis. A new ATO must be
obtained on or before the ATD (see Note below).
If there are Very High or High risk findings, but the AO deems the risk acceptable due to a compelling need to put the system into operation, an ATO with Conditions can be issued. Typically, an ATO with Conditions is given for a time period of six months or less, and highlights the specific high risk items that need the system owner’s attention. In order to issue an ATO with Conditions, the AO must obtain approval from the DoD Component CIO. Note that the ATO with Conditions is similar in some respects to the Interim Authorization to Operate (IATO) that was given under DIACAP.
If the AO feels the system risk is unacceptable for any reason, a Denial of Authorization to Operate is issued. DATO will prevent a new system from going into operation. For an existing system, DATO requires operation to be halted.
In the special case where a system requires certain testing to be done in an operational environment, an Interim Authorization to Test (IATT) can be sought. IATTs are typically given for a short period of time to permit functional testing in a “live” environment. Most DoD components have some sort of expedited process for obtaining IATT. Such a process will include, at a minimum, a comprehensive test plan provided by the System Owner, along with evidence of testing to ensure other systems or networks will not be at undue risk during the “live” testing period.
The AO is expected to “publish” the authorization decision in the form of a signed document or e-mail message. If
an enterprise tool such as eMASS is being used, the authorization decision document will be uploaded to the system’s artifacts repository and the authorization status updated accordingly.
NOTE: In the future, DoD is expected to support the concept of Ongoing Authorization, in which the AO is given the flexibility to “extend” a system’s ATO based on the success of the System Owner’s Continuous Monitoring program. DoD is expected to publish a Continuous Monitoring Policy and SOP in the near future that will lay out the guidelines for this approach. Needless to say, many System Owners are anxiously awaiting the publication of this policy, with the hope that it can reduce or eliminate the cost and disruption of re-authorization activities. Stay tuned…
IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here.
Here is a link to a great book on RMF that we highly recommend.
A ton of other information can be found on the NIST web site.