
Assessment and Authorization

What is Assessment and Authorization?

Assessment and Authorization is defined by the Department of the Interior (DOI) as a “…comprehensive assessment and/or evaluation of an information system policies, technical/non-technical security components, documentation, supplemental safeguards, policies, and vulnerabilities.”1 All information systems and applications operated by or on behalf of Federal agencies must follow the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), NIST SP 800-37 Rev. 2, as the standard for the Assessment and Authorization (A&A) process before being placed into production, and must be reauthorized thereafter at the interval the agency sets; NIST SP 800-37 Rev. 2 itself favors ongoing authorization backed by continuous monitoring over a fixed reauthorization cycle.2

The purpose of the A&A process is to evaluate whether an organization’s security requirements are properly implemented and operating effectively, including the organization’s own policies as well as any external compliance requirements the organization is responsible for upholding. Within DOI, the Office of the Chief Information Officer (OCIO) determines the authorization methodology and administers the RMF A&A process, and a senior official designated as the Authorizing Official (AO) makes the authorization decision. The process occurs in the following phases:

  1. Initiation phase. In the initiation phase, the OCIO analyzes the organization’s information security documentation. The goal is to ensure that the AO and the organization’s chief information security officer (CISO) agree on the scope and content of the organization’s System Security Plan (SSP). Examples of documentation that may be reviewed include:
     - System security categorization under Federal Information Processing Standards (FIPS) 199
     - Contingency Plan / Disaster Recovery (CP/DR) Plan
     - Documented risk assessment
  2. Assessment phase. In the assessment phase, an independent assessor reviews the implemented security controls and any remediation measures to confirm that they are implemented correctly, operating as intended, and producing the desired outcome as stated in the organization’s SSP. Artifacts produced or updated during this phase include:
     - Security Test and Evaluation (ST&E) Plan, describing which controls will be assessed and how
     - Security Assessment Report (SAR), recording the findings of the assessment
     - Plan of Action and Milestones (POA&M), tracking each weakness found, its planned remediation, and target dates
  3. Authorization phase. During the authorization phase, the AO reviews the formal authorization package (at minimum the SSP, SAR, and POA&M) and makes the authorization decision. A&A approval is a formal, explicit acceptance by the AO of the residual risk to agency operations, assets, and individuals posed by operating the system with its current security and privacy controls. Following the review, the organization receives one of the following decisions:
     - Authorization to Operate (ATO)
     - ATO with conditions, under which operation is permitted only while specified terms are met, typically tied to POA&M items and a deadline
     - Denial of ATO

1 DOI, 2023, “DOI Security Assessment & Authorization.”

2 NIST, 2018, “NIST SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.”