What is Step 5 – Authorization?
DIARMF Step 5 is similar to Phase 4 of DIACAP, Make Certification Determination & Authorization Decision. In fact, the major difference between the two system in this part of the process are the names. DIARMF Step 5 Authorization is where the Authorizing Official Accept the residual risks of the systems. The residual risks are the remaining risks that could not be fixed with security controls for one reason or another. Perhaps the organization did not have enough money to implement a specific kind of web proxy or the physical location of a base at the foot of key terrain owned by a private civilian has made it so the vulnerability to the asset cannot be fully mitigated at this time. The residual risks are addressed in the findings and recommendation are addressed in a Security Assessment Report (SAR). The SAR highlights the residual risks and what can be done about them. It is meant to give the decision makers some idea where the biggest risks are to the Asset. In DIACAP, the equivalent would be the DIACAP Scorecard, similarly the SAR is supposed to give a quick assessment that will help decision maker and/or the Authorizing Official know what kind of risk he or she is expected to accept. How the findings and recommendations will be handled and when are addressed in the Plan of Action and Milestone (POA&M). These documents (SAR and POA&M) are the primary responsibility of Information System Owner or Common Control Provider, but supported by Information Owner/Steward and Information System Security Officer, meaning its DONE by the ISSO and delegated by the Information system Owner. The POA&M addressed the problem, what tasks are needed get to a solution (if any), a date of completion with milestones on the way to accomplishing the solution and resources required. References: OMB Memorandum 02-01; NIST Special Publications 800-30, 800-53A, 800-37. Authorization Decision and Authorization Package The Authorization Decision is based on supporting evidence that comes from content of the authorization package. The Authorization package consists of the following:
• System Security plan – Provides a comprehensive view of all security controls and the overall security posture of the system (see NIST SP 800-18)
• Security Assessment Report – a report and addresses the residual risk, remaining weakness of the system.
• Plan of action and milestones – a breakdown of how and when the remaining vulnerabilities will be addressed.
Once the AO is ready to accept the risk, he or she must formally accept the risks of the system and grant it an Authorization to Operate in writing.