Ongoing Authorization

Work hard to meet the conditions for ongoing authorization agreed to by your Authorizing Official, and remediate issues along the way. You can do this!

Granting ongoing authorization

Leverage a memorandum signed by the AO to grant ongoing authorization. Per NIST SP 800-37, Revision 2, in lieu of an authorization termination date, specify an authorization frequency:

“The authorizing official reviews the information with the specific time-driven authorization frequency defined by the organization as part of the continuous monitoring strategy and determines if the risk of continued system operation or the provision of common controls remains acceptable. If the risk remains acceptable, the authorizing official acknowledges the acceptance in accordance with organizational processes. If not, the authorizing official indicates that the risk is no longer acceptable and requires further risk response or a full denial of the authorization.”

Authorization Frequency

We recommend quarterly authorization frequency as a starting point, with a meeting for risk reporting to stakeholders (AO, SCA, etc.)

• This again emphasizes more, not less
• Manual reporting to start–slides are ok but move towards automation and a dashboard as you mature
• Identify and accept risk
• Make necessary corrections
• Formally document renewal

The quarterly reporting should include things like:

• New applications shipped onto the platform
  • % security requirements (e.g. SD Elements) approved by assessor
  • Compliance with ongoing authorization and cATO playbook policy’s
  • Penetration test results
  • Control traceability metrics
• Platform
  • Control compliance
  • Penetration test results
• Organization
  • Risk
  • Roles & Responsibilities
  • Policy
  • Staffing

Congratulations! You’ve got an ongoing authorization that allows you to continuously deliver applications and services, provided that teams shift left on security and privacy risk.