Now that you have tested your information systems' security controls, validating that the controls have been effectively implemented and that they are operating as expected, it is now time to prepare for the system to be approved for production use.

This step in the process is referred to as system authorization. The purpose of this step is to allow an officially designated senior leader within the organization to decide whether an information system will be approved for production use, or whether a current operating system can continue to be used.

An authorizing official has options when it comes to deciding how they will treat a system that is requesting to operate on the production network.

The authorizing official can do the following:

• Authorize the system to operate:
  • In this case, the authorizing official approves the system based on the evidence provided, and allows the system to go to production
  • The system may have one or more Plan of Actions and Milestones (POAM) associated with it, which are deficiencies that need to be mitigated

This information allows the authorizing officials to make informed decisions about work that is still left to be completed on an IT system, and what the plan is to close out this work:

• In this case, the authorizing official has accepted the risk associated with the POAMs and their expected schedule for remediation
• Does not authorize the system to operate/remediate any deficiencies:
  • In this case, the authorizing official chooses not to immediately authorize the system
  • The IT team is instructed to go back and close out POAMs that are deemed to be high risk
  • Once those POAMs are closed out the IT team can return back to the authorizing official with a new request
  • An authorizing official may choose to require all POAMs to be remediated or a subset of the total POAMs
  • As this is a risk-based decision on the part of a senior leader it will depend on the decision of the specific authorizing official

The steps associated with achieving authorization are as follows:

1. Develop your plan of actions and millstones based on the security assessment report:
   • You do not need to include any remediated activities as part of the POAMs since you have already fixed any uncovered weaknesses
   • There is nothing wrong with letting your approving official know that you did uncover weaknesses and that they have been mitigated
2. Assemble the security authorization package for your authorizing official to review:
   1. You will need to work with your authorizing official to determine what they would like to see in their authorization package and how they would like to see it
   2. As mentioned earlier, this depends on the individual authorizing official
   3. Minimum items you should expect to include are as follows:
      • Failed tests from the security assessment report
      • Plan of actions and milestones
      • Statement of residual risk:
        • This document provides the authorization official with the recommendation from an information security perspective regarding risk to reputation, IT operations, and mission
   4. Authorization decision document

NIST Special Publication 800-37 Revision 1 provides additional guidance regarding authorizing information systems at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf