In this course we discussed the Authorize step of the Risk Management Framework. The Authorize step is supported by NIST Special Publication 800-37, Risk Management Framework for Information Systems and Organizations. It has five tasks: authorization package, risk analysis and determination, risk response, authorization decision and authorization reporting. The objective is to determine the risk and, if it has been mitigated to an acceptable level, authorize the system. In the Authorize step we provide organizational accountability by requiring a senior management official to determine whether the security and privacy risk (including supply chain risk) to the organization's operations and assets, individuals, other organizations or the nation, arising from the operation of a system or the use of common controls, is acceptable. The residual risks identified during the security control assessment are evaluated and a decision is made to authorize the system to operate, deny its operation or remediate the deficiencies. The associated documentation is prepared and updated depending on the authorization decision.

There are five key areas in the authorization process: developing the plan of action and milestones (the POA&M), assembling the security authorization package, determining the risk, determining the acceptability of that risk and obtaining the security authorization decision. The accreditation package should contain the system security plan, which is an overview of the security requirements, the agreed-upon security controls and the supporting security-related documents such as risk assessments, test results, interview results and application scans; the security assessment report, which contains the security control assessment results and recommended corrective actions; and the plan of action and milestones, which lists the measures implemented or planned.
Those measures correct the deficiencies found during the security assessment and reduce or eliminate any known vulnerabilities. In addition to the SSP, the security assessment report (SAR) and the POA&M, you may also include additional artifacts that support the authorization decision. The authorization objectives are to make a risk-based decision and to obtain the authorization to operate.

The authorization decision documents include the security accreditation decision letter, which contains the security accreditation decision, the supporting rationale for that decision and the terms and conditions for the authorization set by the authorizing official. The authorization decision document may be prepared by the authorizing official's designated representative. The security accreditation decision provides the formal decision; the supporting rationale normally highlights the reasons for that decision. For an approval to operate (ATO) the rationale is normally a general statement; however, this section is critical for systems receiving interim approvals or denials to operate. The terms and conditions section is provided so the authorizing official can document additional conditions. This section can be quite complex and is always significant for systems receiving interim approvals to operate. Listed on the screen are some of the authorization tasks.

The authorization package includes the security and privacy plans, the security and privacy assessment reports, the plans of action and milestones and an executive summary. Additional information can be included in the authorization package at the request of the authorizing official, such as scan results, business impact analyses, risk assessments and policy documents. Organizations maintain version and change control as the information in the authorization package is updated, providing timely updates to the plans.
Timely updates to the plans, assessment reports and POA&Ms support the concept of near-real-time risk management and ongoing authorization; the same information can also be used for reauthorization actions if required.

The security assessment report may identify vulnerabilities that need to be remediated but cannot be remediated on the spot. The plan of action and milestones describes the planned and implemented security measures for correcting those deficiencies and reducing or eliminating those vulnerabilities. It is prepared by the information system owner and is critical to the decision-making process. The POA&M process was defined in OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones; that memorandum is now obsolete, but its format is still viable as a reference. On the screen you see a template of the columns that could be used to create your POA&M. The layout can be adjusted by the organization; which columns are created is at its discretion. At a minimum you should have the weakness, a point of contact, the resources required, the scheduled completion date, milestones with completion dates, changes to milestones and the status. Here we have what a POA&M may look like with those columns filled in; this is just an example.

The POA&M captures non-compliant weaknesses, weaknesses that may be inherited and controls that may not be applicable. It pinpoints the weakness, the resources needed, the tasks needed to fix the problem, when it will be fixed or how long it will take, what was actually done to fix the problem and how the risk can be reduced to an acceptable level so the system can remain operational until the fix is in place. That last item is mitigating a weakness: mitigation identifies how you will reduce the risk of a vulnerability to an acceptable level for operation.
This is just an example of filling out a plan of action and milestones, in this case for a government system. It is a little dated, but it gives some insight into what should or might be collected and tracked in a POA&M. We start with the POA&M header, focusing on the items that usually cause confusion.

Date initiated is the date the POA&M is opened and the Information Systems Security Manager (ISSM) accepts it to support the authorization decision. While the issues are still being worked this date carries little weight, but once the POA&M has been finalized it will not change until the system is decommissioned; at that point the document has officially become a live document. Date last updated changes for a variety of reasons: when the security posture changes during inspections, vulnerability tests or annual reviews, and when fixes are applied. Component name is the organization that owns the system seeking accreditation. System or project name is the system name and acronym under which the system was registered or is known, in this case the DoD identifier. Registration number is the identifier from the authoritative registry for the IT investment, IT capability or IT system, such as the Army Portfolio Management Solution in an Army organization; for a civilian government system it might be the CPIC tracking number. Note that a system cannot receive an authorization to operate without this registration number. The POC information should contain the name, phone number and email, and it should identify whether the contact is the person responsible for the authorization to operate or for fixing the security weaknesses, such as the system owner or the ISSM. For some government systems, OMB requires an Exhibit 300 for further information.
If the Exhibit 300 is not applicable, enter N/A in that field. Security costs are covered in the OMB Exhibit 53 IT investments; if not applicable, enter N/A there as well.

These are the POA&M columns again. This is just an example based on a government assessment, but we will go over the columns, which are really the meat of the POA&M. Column 1, the weakness, is what was found as a result of testing and validation. The information entered here covers non-compliant controls, controls that are not applicable and controls that are inherited. Column 2 is the category level, the severity category of the weakness. It indicates the urgency or importance with which the weakness must be fixed. Category levels are expressed as 1, 2 or 3, with 1 being the highest and 3 the lowest. NIST SP 800-53 provides recommended control baselines based on the impact level of the system from the FIPS 199 categorization. All Category 1 weaknesses have to be remediated before Category 2, and Category 2 weaknesses should be remediated before Category 3. Column 3, the IA controls and impact codes, is copied from the scorecard if it was a government system, or from the SP 800-53 impact codes if you are using the NIST SP 800-53 controls. Column 4, the POC, is the person responsible to the authorizing official for fixing the security weakness. Column 5, resources required, can be cost components, people, man-hours, anything it would take to fix the weakness; once the POA&M is prepared and the costs are determined, the total figure is entered into the security costs field in the header. Column 6, scheduled completion date, is the date the weakness is expected to be fixed. It is important to plan a realistic completion date rather than pulling a date from the air. The cybersecurity Risk Management Framework is finally being taken seriously: some authorizing officials require a personal briefing when the scheduled completion date has not been met.
The same applies when an installation or system has run out of time. Column 7, milestones with completion dates, holds the high-level plans with their expected completion dates; ideally, once all milestones and dates have been calculated, the last of them is the scheduled completion date. This should be a date by which the weakness can be fixed, not the length of the accreditation period. Column 8, milestone changes, is used when previously scheduled milestones and completion dates have not been met, and for any additional plans needed to fix the problem. Column 9, the source identifying the weakness, is whoever performed the testing or validation; once the POA&M has been accepted by the ISSM this field will not change. The correct entry for column 10, status, is Ongoing or Completed with the date completed. As improvements and fixes are applied, they are entered into column 11, comments, which contains the detail of what it took to actually fix the problem; mitigations that have been applied, or are in place, that will allow the information system to remain operational; any problems that keep a weakness from being fixed; the reason a control is not applicable; and, for inherited controls, the name of the system providing the service.

In the final POA&M, that is, once the ISSM has accepted it for the authorizing official's decision, the columns for the weakness (including its category level), the controls and impact codes, the scheduled completion date, the milestones with completion dates and the source identifying the weakness cannot be changed. Remember that it is a live POA&M: at that point you can only add to it; you cannot remove or delete anything from it.

Remember also that the authorization package provides a record of the results of the control assessment.
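As an added example, not from the course or from any official POA&M tool, here is a small Python model of a POA&M that enforces the rules just described: the severity ordering (Category 1 before 2 before 3), the columns that freeze once the ISSM accepts the plan, the append-only rule after acceptance, the rolled-up security cost in the header, and an overdue check against the scheduled completion date. Column names follow the transcript; the class names, method names and the three sample rows are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Columns the lecture says are frozen once the ISSM accepts the POA&M.
LOCKED_AFTER_ACCEPTANCE = frozenset({
    "weakness", "category", "controls", "scheduled_completion",
    "milestones", "source",
})


@dataclass
class Weakness:
    """One POA&M row; attribute names mirror the lecture's columns."""
    weakness: str                        # col 1: finding from testing/validation
    category: int                        # col 2: 1 (highest urgency) .. 3 (lowest)
    controls: str                        # col 3: control and impact code
    poc: str                             # col 4: person responsible to the AO for the fix
    resources_required: str              # col 5: people, man-hours, cost components
    estimated_cost: float                # col 5: rolled up into the header's security costs
    scheduled_completion: date           # col 6: realistic date the weakness will be fixed
    milestones: list                     # col 7: [(description, target date), ...]
    source: str                          # col 9: who performed the testing/validation
    milestone_changes: list = field(default_factory=list)   # col 8: revised plans
    status: str = "Ongoing"              # col 10: "Ongoing" or "Completed"
    completed_on: Optional[date] = None  # col 10: date completed
    comments: list = field(default_factory=list)            # col 11: fixes, mitigations

    def __post_init__(self):
        if self.category not in (1, 2, 3):
            raise ValueError("category level must be 1, 2 or 3")


class POAM:
    """Append-only POA&M: rows may be added at any time, never removed once accepted."""

    def __init__(self, system_name: str, date_initiated: date):
        self.system_name = system_name
        self.date_initiated = date_initiated      # fixed once the POA&M is finalized
        self.date_last_updated = date_initiated   # moves with every change
        self.accepted = False                     # set when the ISSM accepts the POA&M
        self.entries: list[Weakness] = []

    def add(self, w: Weakness, today: date) -> None:
        self.entries.append(w)                    # allowed before and after acceptance
        self.date_last_updated = today

    def accept(self) -> None:
        self.accepted = True

    def remove(self, idx: int) -> None:
        if self.accepted:
            raise PermissionError("an accepted POA&M is live: rows may only be added")
        del self.entries[idx]

    def update(self, idx: int, today: date, **changes) -> None:
        """Edit unlocked columns (e.g. POC); locked columns are rejected after acceptance."""
        if self.accepted:
            locked = LOCKED_AFTER_ACCEPTANCE.intersection(changes)
            if locked:
                raise PermissionError(f"locked after ISSM acceptance: {sorted(locked)}")
        w = self.entries[idx]
        for name, value in changes.items():
            if not hasattr(w, name):
                raise AttributeError(f"no such POA&M column: {name}")
            setattr(w, name, value)
        self.date_last_updated = today

    def record_milestone_change(self, idx: int, today: date, note: str, new_date: date) -> None:
        """Col 8: a missed milestone gets a documented revision; cols 6 and 7 stay as recorded."""
        self.entries[idx].milestone_changes.append((today, note, new_date))
        self.date_last_updated = today

    def complete(self, idx: int, today: date, what_was_done: str) -> None:
        w = self.entries[idx]
        w.status, w.completed_on = "Completed", today
        w.comments.append((today, what_was_done))     # col 11 records the actual fix
        self.date_last_updated = today

    def remediation_order(self) -> list[Weakness]:
        """Open rows, Category 1 before 2 before 3, earliest scheduled date first within a level."""
        return sorted((w for w in self.entries if w.status != "Completed"),
                      key=lambda w: (w.category, w.scheduled_completion))

    def overdue(self, as_of: date) -> list[Weakness]:
        """Open rows whose scheduled completion date has passed: briefing material for the AO."""
        return [w for w in self.entries
                if w.status != "Completed" and w.scheduled_completion < as_of]

    def security_costs(self) -> float:
        """Header field: total of the column 5 cost estimates."""
        return sum(w.estimated_cost for w in self.entries)


def example_poam() -> POAM:
    """Constructed sample rows (not taken from any real assessment)."""
    p = POAM("Example Payroll System", date(2024, 1, 10))
    p.add(Weakness("Unpatched web server", 1, "SI-2 (High)", "J. Doe", "40 hours", 5000.0,
                   date(2024, 3, 1), [("apply vendor patch", date(2024, 2, 15))],
                   "vulnerability scan"), date(2024, 1, 10))
    p.add(Weakness("Audit logs not reviewed", 2, "AU-6 (Moderate)", "A. Roe", "8 hours", 800.0,
                   date(2024, 2, 1), [("assign reviewer", date(2024, 1, 20))],
                   "control assessment"), date(2024, 1, 10))
    p.add(Weakness("Login banner outdated", 3, "AC-8 (Low)", "A. Roe", "1 hour", 50.0,
                   date(2024, 1, 25), [("update banner text", date(2024, 1, 25))],
                   "control assessment"), date(2024, 1, 10))
    return p
```

After `accept()`, an attempt to move the scheduled completion date or delete a row raises `PermissionError`, while changing the POC, appending a milestone change or marking a row completed still works, which is the behaviour the column walkthrough describes for a live POA&M.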
It also provides the authorizing official with the information needed to make a risk-based decision on whether to authorize the operation of a system or common controls. The system owner or common control provider is responsible for the development, completion and submission of the authorization package. The package consists of an executive summary, the security and privacy plan, the security and privacy assessment reports and the plan of action and milestones. The executive summary gives the authorizing official an abbreviated version of the assessment report, focusing on the highlights of the assessment, a synopsis of the findings and recommendations for addressing deficiencies in the security and privacy controls. The security and privacy plan, also known as the system security plan (SSP), provides an overview of the security and privacy requirements and describes the controls in place or planned for meeting those requirements; the information system security plan and the privacy plan may be integrated into one consolidated document. The security and privacy assessment reports provide the findings and results for the implemented controls, that is, the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting the security and privacy requirements; the assessment reports may also contain recommended corrective actions for the deficiencies identified in the controls. The plan of action and milestones, which we have been discussing, describes the measures planned to correct the deficiencies identified in the controls during the assessment and to address known vulnerabilities or system security and privacy risks. It is a prioritized approach to risk mitigation that is consistent across the organization and is based on the security categorization of the system; the security, privacy and supply chain risk assessments; the specific deficiencies in the controls; and the criticality of those deficiencies.
It also reflects the organization's risk mitigation approach for addressing the identified deficiencies and the rationale for accepting certain deficiencies in the controls.

Authorization decisions are based on the content of the authorization package. There are four types of authorization decision that can be rendered by the authorizing official: authorization to operate (ATO), common control authorization, authorization to use and denial of authorization to operate. We will discuss these in a few minutes. Here I have placed an example of an authorization letter. The authorization decision document includes the authorization decision, the terms and conditions for the authorization, an authorization termination date if applicable and risk executive input if provided.

Risk assessments provide information that may influence the risk analysis and the determination of the risk to the organization. When making a risk determination, the authorizing official analyzes the information provided by the senior accountable official for risk management or the risk executive (function), together with the information provided by the system owner or common control provider in the authorization package. The authorizing official is ultimately responsible, so the analysis needs to be thorough. When a system is operating under ongoing authorization with a continuous monitoring program, the risk determination task is effectively unchanged: the authorizing official analyzes the relevant security and privacy information provided by the automated security and privacy management and reporting tools to determine the current security and privacy posture of the system. As long as the implemented controls are working effectively, the authorization remains in place.

Senior management addresses risk from an organization-wide risk management perspective. That perspective includes the techniques and methodologies the organization plans to employ to assess information system-related security risks.
It also covers other types of risk that concern the organization, such as supply chain risk; the methods and procedures the organization plans to use to evaluate the significance of the risks identified during the risk assessment; the types and extent of the risk mitigation measures the organization plans to employ to address the identified risks; the level of risk the organization plans to accept, in other words its risk tolerance or risk appetite; how the organization plans to monitor risk on an ongoing basis; and the degree and type of oversight the organization plans to use to ensure that the risk management strategy is being carried out effectively.

The explicit acceptance of risk is the responsibility of the authorizing official; it cannot be delegated to the designated representative. Factors to consider include mission and operational needs, security requirements, reputation and unit or agency image, cost and risk guidance. A reciprocity agreement is an agreement among participating organizations to accept each other's security assessments, to reuse system resources and to accept each other's assessed security posture in order to share information.

When determining the risk to organizational operations (including mission, functions, image and reputation), organizational assets, individuals, other organizations and the nation, the authorizing official or the authorizing official's designated representative reviews the documents in collaboration with the chief information security officer or the system information security officer, supported by the system owner, the common control provider and the risk executives for the specific functions. The review is conducted with the risk management strategy and the risk assessment in mind.

Here we have the types of authorization decision. An authorization to operate is the one we have been discussing so far.
The authorization to operate is granted by the authorizing official for an information system to process, store or transmit information. The authorization is based on the acceptability of the risk to the agency, the system architecture and the implementation of the assigned security controls. A common control authorization is similar to an authorization to operate: if the authorizing official, after reviewing the authorization package, determines that the risk to organizational operations and assets, individuals, other organizations and the nation is acceptable, a common control authorization may be issued. An authorization to use is employed when an organization chooses to accept the information in an existing authorization package produced by another organization for an information system that is authorized to operate by a federal entity. The authorization to use is a mechanism to promote reciprocity for systems under the purview of a different authorizing official; it is issued by an authorizing official from the customer organization instead of an authorization to operate. A denial of authorization to operate is the authorizing official's determination that an information system cannot operate because of an inadequate security design, a failure to adequately implement the assigned security controls or some other lack of adequate security; if the system is already operational, its operation is halted.

For DoD (Department of Defense) authorizations you may also see an interim authorization to operate, which is a temporary authorization to operate an information system, sometimes under limited conditions, in a specified operational environment, within a specified time frame and under the conditions or constraints enumerated in the accreditation decision, or an interim authorization to test.
An interim authorization to test is a temporary authorization to test a DoD information system in a specified operational environment, within a specified time frame and under the conditions or constraints enumerated in the accreditation decision. The kinds of authorization you may see are a system authorization, for a major application or general support system; a site authorization, which evaluates the applications and systems at a specific self-contained location; and a type authorization, which evaluates an application or system that is distributed to a number of different locations.

Reauthorization actions occur at the discretion of the authorizing official in accordance with federal or organizational policy. If a reauthorization action is required, organizations maximize the use of the security and privacy risk information produced by the continuous monitoring process currently in effect. Reauthorization actions can be either time-driven or event-driven. A time-driven reauthorization occurs when the authorization termination date is reached, if one is specified in the authorization to operate letter. If the system is under ongoing authorization, a time-driven reauthorization may not be necessary; however, if the continuous monitoring program is not sufficiently comprehensive to fully support ongoing authorization, a maximum authorization period can be specified by the authorizing official. An event-driven reauthorization may be necessary under ongoing authorization if an event occurs that produces risk above the organization's risk tolerance, for example a breach, an incident, the failure of a control or a significant problem with the continuous monitoring program. A reauthorization action may necessitate a review of, and changes to, the continuous monitoring strategy, which may in turn affect the ongoing authorization and require a reauthorization of the system.
Keep in mind that once a system is authorized to operate, the authorization remains in place unless there is a specific reason why a reauthorization is needed. If a major change occurs to a system that has already been authorized, or if a new threat or a new risk has been introduced to the system, a reauthorization may be warranted.

In summary, in this course we have discussed the Authorize step in the Risk Management Framework process, the plan of action and milestones (POA&M), the security authorization package and obtaining security authorization decisions.