
RMF Step 5: Authorize System

Final Risk Determination and Authorization Decision

Every system used by the Department must have an Authorizing Official (AO) who is empowered to authorize its operation and who is accountable for maintaining an acceptable risk posture. In making the final risk determination, the AO weighs the current security status of the system, as documented in the Security Assessment Report (SAR) risk assessment, against the operational necessity of the system. The AO must also consider any applicable risk-related guidance issued by the DoD SISO, the PAOs, the ISRMC, the DSAWG, or the Component SISO. The AO then determines whether the risk to DoD operations and assets, individuals, other organizations, and the Nation that would be incurred by operating and using the system is acceptable.


The AO's authorization decision takes one of four forms: an Authorization to Operate (ATO), an ATO with conditions, an Interim Authorization to Test (IATT), or a Denial of Authorization to Operate (DATO). A system is not considered authorized until an affirmative authorization decision has been made. The AO's signature on the authorization decision document indicates formal acceptance of the risks associated with operating the system.


The four authorization decisions, together with the risk determination and security control risk level that lead to each, are listed below from most to least favorable.


Option 1:

Risk Determination

Acceptable

Security Control Risk Level

There are no non-compliant (NC) controls with a risk level of "Very High" or "High."

Authorization Decision the AO will provide

ATO

Authorization Details

An authorization decision must specify an authorization termination date no more than 3 years after the authorization date, unless the system has a system-level continuous monitoring program that complies with DoD continuous monitoring policy once that policy is issued. Until such a policy is issued and the DoD judges the system's continuous monitoring to be mature and effective, authorization decisions must continue to specify the 3-year authorization termination date.


Option 2:

Risk Determination

Overall system risk is acceptable due to mission criticality

Security Control Risk Level

Non-compliant (NC) controls with a risk level of "Very High" or "High" exist and cannot be corrected or mitigated immediately.

Authorization Decision the AO will provide

ATO with conditions

(Only with the written concurrence of the responsible DoD Component CIO.)

Authorization Details

An ATO with conditions requires the concurrence of the DoD Component CIO. This authority may not be delegated.

The DoD Component CIO must concur in writing, or by DoD public key infrastructure (PKI)-certified digital signature, either that continued operation of the system is critical to the mission or that the degree of security risk associated with continued operation is acceptably low. The DoD Component CIO provides a copy of the decision and its supporting documentation to the ISRMC Secretariat and the SISO.

An ATO with conditions must be reviewed by the AO after 1 year. The supporting Plan of Action and Milestones (POA&M) must identify the outstanding vulnerabilities and describe how the corrective actions will be completed before that scheduled review. If, after 1 year, the system must still operate with "Very High" or "High" risk, the DoD Component CIO must again concur before operation may continue.


Option 3:

Risk Determination

The authorization is requested to permit testing of the system in an operational information environment or with live data, and the associated risk is acceptable.

Security Control Risk Level

(can vary by the situation)

Authorization Decision the AO will provide

IATT

Authorization Details

An IATT should be granted only when a specific operational environment or live data is required to meet particular test objectives (for example, when the relevant operating conditions cannot be replicated in a test environment), and it should expire at the end of testing (normally within 90 days).

  • No operational use of the system is permitted during an IATT; the system may be operated for testing purposes only.

  • In accordance with DoD Instruction 5000.02, "Operation of the Defense Acquisition System," a program's Test and Evaluation (T&E) plan must include any planned IATT, and the IATT must be planned, resourced, and documented within that T&E plan.

When operational test and evaluation is conducted in the operational environment or on deployed capabilities, an ATO (rather than an IATT) may be required. That ATO must be reviewed after operational test and evaluation and modified as warranted by the test results.

Security controls should be tested and satisfied before any testing in an operational environment or with live data, except for those controls that can only be tested in an operational environment. The AO, in consultation with the Information System Owner (ISO) or Program Manager/System Manager (PM/SM), determines which controls fall into that category.


Option 4:

Risk Determination

Unacceptable risk (typically the result of Category I (CAT I) findings)

Security Control Risk Level

(can vary by the situation)

Authorization Decision the AO will provide

DATO

Authorization Details

A DATO is an immediate stop order.

  • Any system issued a DATO will immediately have all of its communications and network connections terminated.

  • A DATO may also be issued as part of a decommissioning strategy for a system.
