Chapter 13

RMF Phase 5

Authorizing the Information System

Abstract

This chapter introduces phase 5 of the RMF, the point when the authorizing official makes a determination to either approve or deny the system’s operation based on risk to the organization.

Keywords

authorizing official

approval to operate

ATO

denial of approval to operate

DTO

risk acceptance

risk executive (function)

Table of Contents

Information in this Chapter:

 Task 1, phase 5 of the RMF: developing the plan of action and milestones (POA&M)

 Task 2, phase 5 of the RMF: assembling the authorization package

 Task 3, phase 5 of the RMF: determining risk

 Task 4, phase 5 of the RMF: accepting risk

 Implement phase 5 in the lab exercises at the end of the chapter

Chapter Overview and Key Learning Points

In this chapter the information systems program management staff develops a plan of action and milestones (POA&M) that will be used to correct the deficiencies discovered in the assessment phase. This POA&M and other documentation will be used to assemble the authorization package that will be forwarded to the AO. Next, determining and accepting risk are covered, and the chapter concludes with exercises that reinforce the topics of the chapter.

Phase 5, Task 1: Developing the Plan of Action and Milestones (POA&M)

The plan of action and milestones (POA&M) document is prepared by the information system owner to itemize the actions that will address and correct the security weaknesses discovered during the security control assessment and noted in the security assessment report. Like the systems security plan and the security assessment report, the plan of action and milestones is required to be included in the information system’s authorization package. The authorizing official, chief information officer, and program officials use the document to track the progress of corrective actions required of the system to maintain compliance with the information system’s authorization to operate (ATO). Those items that were corrected during the security control assessment and are not included in the final SAR are not required to be documented in the system’s POA&M; however, any item that was noted in the SAR must appear on the POA&M, even if corrected by the time the POA&M is published, to ensure that each deficiency is accurately tracked.


Besides being one of the three primary documents required for authorization of the information system or common control set, a POA&M is required by the Office of Management and Budget (OMB) for every system that has weaknesses discovered in the assessment for FISMA compliance and weaknesses found on Security Act reports, in financial and GAO audits, or in critical infrastructure vulnerability assessments. The POA&M describes the tasks, timelines, and resources needed to correct weaknesses and deficiencies discovered in the assessment of the information system or control set. The timeline should describe whether the correction is planned before or after the system’s scheduled information system implementation, as well as the detailed milestones and their completion dates required to meet compliance. The plan should identify resources, personnel, and funding required to resolve the deficiency.

The plan is used by the system owner and authorizing official to track projected corrections to the system and scheduled resource allocations. By doing this, the POA&M becomes an effective audit trail for tracking the identified weaknesses to the information system and ensuring that the corrections occur as scheduled. For this reason, care must be taken to maintain the integrity of the original POA&M. When updating the document, information is only added; none of the existing information is ever deleted, which ensures that no alteration of the initial POA&M documentation occurs.

The POA&M is used by the organization to prioritize organizational resources to correct weaknesses identified in information system assessments across the entire organization. The information system’s POA&M feeds the organization’s overall POA&M, a document that is, in turn, updated and prioritized. This ensures that deficiencies creating the highest risk to the overall organization are addressed first, in a manner that protects the organization’s assets and information.

Plans of action and milestones are based on the security categorization of the system, specific weaknesses or deficiencies discovered in the system (or control set), the importance of the identified weakness, and the system’s or organization’s proposed risk mitigation strategy to address the identified weaknesses.

The OMB defines a proposed structure for POA&M based on a spreadsheet document itemizing information that must be included in the document. Automated applications can be used to track and maintain the POA&M as long as the system contains the same basic information. Appendix G includes a section of a sample system’s POA&M as well as a template POA&M document.

The column headings and their descriptions for the spreadsheet are as follows:

Column 1: Type of Weakness

Column 1 describes the weakness in terms that are illustrative to individuals reading the document. It is helpful to number each weakness to provide a helpful index for referencing the weakness type. It is not necessary to describe the weakness in such detail that excessive sensitive information would be divulged.

Column 2: Office or Organization Responsible for Resolving the Weakness

Column 2 defines who (office, individual, or both) is responsible for resolving the deficiency.

Column 3: Required Funding and the Source of the Funding

Column 3 indicates the source of funding for the remediation as well as the estimated cost for resolving the weakness. It also identifies non-funding obstacles such as lack of personnel or lack of expertise.

Column 4: Scheduled Completion Date

Column 4 defines the date the weakness is scheduled to be corrected. This date should not be changed once it is entered; any changes should be listed in the status column.

Column 5: Key Milestones and Milestone Completion Dates

Column 5 identifies specific objectives or requirements that are reached to correct the weakness, including complete correction of the weakness itself. Like the scheduled completion date, these milestones, once entered into the POA&M, should not be changed. Changes should be listed in column 6.

Column 6: Changes to Milestone Dates

Column 6 indicates date changes to the milestones set in column 5.

Column 7: Source of the Weakness

Column 7 indicates how the weakness was discovered; for example, it could have been from the program review, the authorization audit, or the GAO audit.

Column 8: Status of the Finding

Column 8 indicates the most current status of the finding. Currently, only ongoing or completed statuses are acceptable inputs for this column. “Completed” is only used when the weakness is fully resolved.

The POA&M is used by the information system owner to manage the system development and the maintenance staff to schedule and plan the completion of the corrections. The information system owner can then forecast when these corrections will be completed and balance the system’s staff, which will ensure that ongoing maintenance and scheduled upgrades are all prioritized using a process that includes the required POA&M corrections.
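The eight-column structure and the maintenance rules above (columns 4 and 5 fixed once entered, date changes logged in column 6, only "ongoing" or "completed" in column 8, nothing ever deleted, every SAR finding tracked) can be enforced by a small append-only register. The following Python is an added example, not from the book or from OMB; the class and attribute names are its own, and any sample values used with it are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

ALLOWED_STATUS = {"ongoing", "completed"}            # column 8: the only accepted values
FIXED_ONCE_SET = {"scheduled_completion", "milestones"}  # columns 4 and 5: never edited


@dataclass
class PoamItem:
    """One row of the POA&M spreadsheet; attribute names are this example's own."""
    weakness_id: int               # column 1: index number used to reference the weakness
    weakness: str                  # column 1: description, without sensitive detail
    responsible: str               # column 2: office and/or individual resolving it
    funding: str                   # column 3: estimated cost, funding source, other obstacles
    scheduled_completion: date     # column 4: fixed once entered
    milestones: dict[str, date]    # column 5: milestone -> planned date, also fixed
    source: str                    # column 7: how the weakness was discovered
    status: str = "ongoing"        # column 8
    milestone_changes: list[str] = field(default_factory=list)  # column 6

    def __setattr__(self, name: str, value) -> None:
        # Columns 4 and 5 are written once by __init__ and then frozen.
        if name in FIXED_ONCE_SET and name in self.__dict__:
            raise AttributeError(f"{name} is fixed; record the change in column 6 instead")
        if name == "status" and value not in ALLOWED_STATUS:
            raise ValueError(f"status must be one of {sorted(ALLOWED_STATUS)}")
        super().__setattr__(name, value)

    def reschedule_milestone(self, name: str, new_date: date, reason: str) -> None:
        """Column 6: log a changed milestone date while column 5 keeps the original."""
        if name not in self.milestones:
            raise KeyError(f"unknown milestone {name!r}")
        self.milestone_changes.append(
            f"{name}: {self.milestones[name].isoformat()} -> {new_date.isoformat()} ({reason})")


class Poam:
    """Append-only register: rows are added and annotated, never deleted."""

    def __init__(self) -> None:
        self._rows: list[PoamItem] = []

    def add(self, row: PoamItem) -> None:
        if any(r.weakness_id == row.weakness_id for r in self._rows):
            raise ValueError(f"weakness {row.weakness_id} is already tracked")
        self._rows.append(row)

    def rows(self) -> tuple[PoamItem, ...]:
        return tuple(self._rows)  # a copy, so callers cannot remove history

    def open_items(self) -> list[int]:
        return [r.weakness_id for r in self._rows if r.status != "completed"]


def missing_from_poam(poam: Poam, sar_finding_ids: set[int]) -> list[int]:
    """Every SAR finding must appear on the POA&M, even those already corrected."""
    return sorted(sar_finding_ids - {r.weakness_id for r in poam.rows()})
```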

Phase 5, Task 2: Assembly of the Authorization Package

The authorization package is the completed set of documentation that is sent from the system owner to the authorizing official, detailing the information system’s (or common control set’s) security posture and configuration. At a minimum, the authorization package contains the systems security plan, the security assessment report, and the plan of action and milestones. The authorizing official can add additional documentation and information for all authorization packages or on a case-by-case basis. For systems inheriting controls from common control providers or external providers, information on these controls’ authorization status and body of evidence should be included or referenced.


Maintenance of authorization packages is greatly enhanced through the use of automated tracking and processing systems, but is not required. Use of these systems should be encouraged by organizational leadership to increase efficiency of the authorization process and management of the continuous monitoring process required by the risk management process. An automated program increases the ability of organizations to manage version control over documents, supports near-real-time risk management, and supports the ongoing authorization process. The database features of automated systems allow senior leaders to maintain situational awareness of the security status of information systems and the effectiveness of system-specific, common, and hybrid controls.

In some organizations, the assembly of the authorization package is completed by special staff members who are familiar with the risk management process. These individuals often report directly to the senior information security officer (SISO) or the chief information security officer (CISO), or they work in the office of the chief information officer (CIO). Use of these professionals often increases efficiency of the RMF, as senior officials are normally presented with documentation in the authorization package that has been vetted by RMF professionals, who ensure that the packages are accurate and complete.

Phase 5, Task 3: Determining Risk

In this task, the authorizing official or designated representative, along with the senior information security officer and the risk executive (function), evaluates the documentation provided by the system owner in the authorization package to determine the security state of the system based on the implementation of common, system, and hybrid controls. These officials evaluate the status of the system using either formal or informal risk assessment processes in order to provide the needed information on the threats and vulnerabilities the organization would be exposed to, should the information system be placed into operation in the organization’s production environment.


Risk assessment and risk determination are extensive processes that should be fully developed by the organization. There are far too many possible choices and processes to be fully addressed here; however, a risk assessment strategy typically includes a number of basic points. These include defining how risk is assessed within the organization, how these risks are associated, the number of known risks in existing systems, risk mitigation strategies, organizational risk tolerance, and the organization’s risk monitoring process. After the information system’s authorization package has been evaluated, the risk executive (function) should make tentative updates to the organization’s risk assessment based on the possibility of the system being authorized. If the system is authorized to operate, these changes should be enacted and the organizational risk assessment document should be updated.

Phase 5, Task 4: Accepting Risk

After reviewing the authorization package for completeness and evaluating the security considerations resulting from placing the information system into operation, the authorizing official can accept the risks imposed on the organization and the organization’s information by making the appropriate authorization decision. The authorizing official is aided by input from the risk executive (function) and other organizational officials on the security status of the organization and the overall risk picture as it will be impacted should the system enter operation. In making this decision, the official considers many factors that could impact the organization, including impact to mission, functionality of existing systems, and damage to the organization’s image or reputation. Inputs by the risk executive (function) are documented and become part of the authorization decision and the authorization body of evidence. This input may focus on organizational risk tolerance, inter-system dependencies, mission and organization requirements, and even risks not directly associated with the information system seeking authorization.


Based on this information, the authorizing official makes the authorization decision, and if approved, the official accepts the risk of placing the system into operation. It is important to note that this approval cannot be delegated. The RMF only allows for two authorization decisions that can be made by the AO: either the system is authorized to operate or it is not authorized to operate. To fulfill the many different variations on this approval, the AO has the choice of a wide range of limitations and restrictions that can be placed on the system. For example, the system could be authorized to operate only for testing purposes and using only test information. The system could be authorized to operate for a limited time, with specific POA&M remediation requirements; once the time has elapsed, the system could again submit for full authorization to operate. The authorization decision, once made, is formally documented by the authorizing official. This document indicates the authorization decision, terms and conditions, and the authorization’s termination date. If the organization has a robust continuous monitoring program that will provide the AO with timely and accurate information on the system’s continued compliance with the required security controls, the AO can eliminate the authorization termination date in favor of that continuous monitoring program, which, in essence, authorizes the system to operate indefinitely, as long as the system complies with the continuous monitoring program. The authorization package, once updated by the AO, is returned to the system owner. The system owner acknowledges receipt of the package and verifies that the system will be operated within the parameters defined in the authorization decision. This could include operating the system without some components; for example, the system may be authorized to operate, but specific components like wireless may not be authorized, or the system may be required to make specific corrective actions in a defined time period. Failing to follow these directives results in the invalidation of the authorization.

The authorization termination dates are frequently based on federal law or organizational policy, as these rules often determine the maximum length of the system’s authorization. Some authorizations may be unlimited, allowing an organization with a robust continuous monitoring program to maintain a system’s authorization by revalidating the effectiveness of security controls on a scheduled basis. Other organizations may issue an authorization with a finite termination date. It is common to issue authorizations to operate for one, two, or three years. In these cases, it is important to ensure that all of the security controls are re-evaluated during the authorization period. For example, a system that has a three-year authorization must ensure that all of the controls required by its SCTM are re-evaluated before the three-year timeframe expires. The AO and other officials may require that specific controls be evaluated with greater frequency, but at a minimum, each control requires assessment by an independent security control assessor before the authorization expires. The results of these assessments can then be used to establish the next authorization period. If the security controls remain effective, reauthorizations following the RMF become quite easy, as they only require verification that the system’s documentation has been maintained during the previous authorization period and that all of the required controls have been assessed following the prescribed schedule, and at least once in the authorization period.

Phase 5 Checklist

The information system owner developed a plan of action and milestones (POA&M) that addresses all of the findings in the security assessment report.

The information system owner assembled the authorization package with all required key documents.

The final risk determination and risk acceptance determination developed by the authorizing official used the organizational risk management strategy.

The authorizing official made an approval decision for the information system.

The authorization decision was conveyed to the appropriate organizational officials, including the information system owner.

Chapter 13 Lab Exercises: Authorizing the Information System

Developing the plan of action and milestones (POA&M) helps the system owner and the organization develop a plan to correct deficiencies found during the system’s security control assessment. Developing the POA&M is an important step in reaching a system’s authorization to operate (ATO); the POA&M is one of the required documents in the system’s authorization package. Authorizing an information system or common control set is a critical point in a system’s development and provides the system owner with permission to operate the system in the production environment or offer the controls for inheritance. By issuing an ATO, the authorizing official assumes responsibility for the risks in operating the system.

1. When developing the POA&M, what information is required by OMB?

2. What documents are required by NIST in the authorization package?

3. Who assists the AO when they make the risk-based decision to issue an ATO?
