1 Authorizing Information Systems FITSP-A Module 6


3 Leadership

"It is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk." (NIST SP 800-39, Managing Information Security Risk, March 2011)

4 FITSP-A Exam Module Objectives

- Security Assessments and Authorization
  - Assess and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems
  - Inspect mechanisms that authorize the operation of organizational information systems and any associated information system connections

5 Assessment and Authorization Overview

- Section A: Assessment and Authorization Tasks
  - Assess Security Controls
  - Authorization Package
  - Authorization Decisions
  - Authorization Decision Document
- Section B: Authorization Elements
  - Ongoing Authorization
  - Type Authorization
  - Authorization Approaches

6 Section A: Assessment and Authorization Tasks

7 RMF Step 4 - Assess Security Controls

- Assessment Preparation
- Security Control Assessment
- Security Assessment Report
- Remediation Actions


9 RMF Step 5 - Authorize Information System

- Plan of Action and Milestones
- Security Authorization Package
- Risk Determination
- Risk Acceptance


12 Authorization Package


14 Authorization Decisions

- Authorization to Operate (ATO)
- Denial of Authorization to Operate
- Interim Authorization to Test (IATT)
- Interim Authorization to Operate (IATO)


16 Authorization Decision Document

- Authorization decision
- Terms and conditions for the authorization
- Authorization termination date
- Risk executive (function) input (if provided)

17 Knowledge Check

- What is the first task in the RMF Authorize step?
- Which document records the results of the security control assessment and gives the authorizing official the essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls?
- What are the contents of the Authorization Package that the System Owner delivers to the Authorizing Official?
- What information does the authorization decision document contain?

18 Section B: Authorization Elements

19 Ongoing Authorization

- Maintains knowledge of the current security state
- Re-execute RMF step(s) as needed
- Maximize use of status reports
- Reauthorization
  - Time-driven
  - Event-driven

20 Type Authorization

- Definition of Type Authorization
  - An official authorization decision to employ identical copies of an information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation.

21 Authorization Approaches

- Single Authorizing Official
- Multiple Authorizing Officials
- Leveraging an Existing Authorization

22 Key Concepts & Vocabulary

- Authorization Decisions
- Authorization Decision Document
- Authorization Package
- Authorizing Official
- IATO (Interim Authorization to Operate)
- IATT (Interim Authorization to Test)
- POAM (Plan of Action and Milestones)
- SAR (Security Assessment Report)
- SSP (System Security Plan)
- Type Authorization


26 Questions? Next Module: Continuous Monitoring
