Authorizing Official: A Guide to Eligibility and Authorization

As an authorizing official, you play a critical role in the authorization process. You must be eligible to serve in this position.

Eligibility requirements for authorizing officials are outlined in the Federal Acquisition Regulation (FAR). To be eligible, you must be a government employee with a valid government email address.

Your role as an authorizing official involves making decisions about contract awards and modifications. You must have the authority to obligate the government to pay for goods and services.

The FAR outlines specific requirements for authorizing officials, including the need for a valid government email address and the requirement that you be a government employee.

Curious to learn more? Check out: Public Officials Liability Insurance

Ongoing authorization is the process of continuously monitoring systems to address real-time threats.

The National Institute of Standards and Technology (NIST) requires all agencies to adopt an ongoing state of security and conduct ongoing authorizations.

System controls are constantly evaluated and tested to spot vulnerabilities.

This allows for risk-based decisions to be made quickly and confidently.

The goal of ongoing authorization is to minimize ongoing exposures by engaging in remediation efforts.

All FISMA systems must be proven secure before they are allowed to operate, and ongoing authorization is a modernized way to manage this process.

Ongoing authorization is a continuous process, not a one-time event, and it requires constant evaluation and testing of system controls.

To be eligible for the Ongoing Authorization (OA) Program, your system must meet specific requirements, including a valid Authorization to Operate (ATO) that's not expiring in the next 6 months.

A security and privacy assessment must be conducted within the past 12 months, and the system must be fully hosted on OIT AWS cloud. Security Hub must be enabled, and Continuous Diagnostics and Mitigation (CDM) data feeds must be integrated into CDM architecture.

You can check your system's eligibility using the Ongoing Authorization Program Dashboard, which helps ISSOs and security professionals identify what parts of their system meet the OA requirements.

To be eligible for the Ongoing Authorization (OA) Program, your system must meet specific requirements.

One of the key prerequisites is having a valid Authorization to Operate (ATO) that is not expiring in the next 6 months. This means you need to ensure your ATO is up-to-date and not set to expire soon.

A security and privacy assessment, including a penetration test, must have been conducted within the past 12 months. This assessment helps identify potential security risks and ensures your system is secure.

You'll also need to have participated in a Threat Modeling session, which can be set up by your Certification and Authorization (CRA) representative. This session helps identify potential threats and vulnerabilities in your system.

Your system must be fully hosted on the OIT AWS cloud, with no hybrid systems. This means you can't have a mix of on-premises and cloud-based systems.

To enable continuous diagnostics and mitigation, you'll need to integrate Key Continuous Diagnostics and Mitigation (CDM) data feeds into your CDM architecture. This includes data feeds for Hardware Asset Management (HWAM) and Vulnerability (VUL).

You'll also need to ensure your system's data is integrated into requisite reporting mechanisms and visible in corresponding dashboards and reports. This will help you stay on top of your system's security and compliance.

A valid CMS certification letter is required for your system's ISSO, which confirms their certification.

Finally, your system must meet the metrics baseline requirement and cannot have any planned decommissioning. This ensures your system is secure, compliant, and meets the necessary standards.

Take a look at this: Prior Authorization Certification

The OA onboarding process is a crucial step for systems that qualify for the OA Program. To get started, the OA Team will reach out to you proactively if your system meets the requirements, or you can contact them directly to request onboarding.

The process begins with an invitation email that includes instructions to get your system started with OA. You'll need to let the OA Team know you're interested in joining the program, obtain the necessary job codes, and work with your ISSO to stay in communication throughout the process.

The candidate email will include a welcome package for review by both you and your ISSO. This package includes key artifacts that must be reviewed before joining OA, such as the OA onboarding memo and certification form.

The ISSO will submit the signed memo into the ATO Request workflow in CMS Connect, and the CRA will update the OA Status field to OA Onboarding in CFACTS. You and your ISSO will also participate in an ISPG-led Threat Modeling session during onboarding.

Here's a summary of the OA onboarding process:

Once your system is placed into OA, it's your responsibility as the System/Business Owner and ISSO to maintain compliance.

The authorization process is a crucial step in ensuring the security and compliance of an information system. An Authorizing Official (AO) reviews security authorization packages, which can consist of various security documents, including system security plans, security assessment reports, and risk assessment reports.

To determine if a system is eligible for the OA Program, the OA Team works to identify systems that meet the requirements for OA. The OA Team may proactively reach out to System/Business Owners if their system qualifies. System/Business Owners can also look at their specific system and reach out to the OA Team to request OA Program onboarding.

The OA onboarding process involves several steps, including reviewing a welcome package, obtaining job codes, and participating in an ISPG-led Threat Modeling session. The System/Business Owner and ISSO must also ensure that all information in CFACTS is correct to date.

An AO reviews the OA onboarding memo, which is submitted by the ISSO, and signs it to confirm that the system is ready for onboarding. The AO's decision is based on various factors, including organizational risk tolerance, system dependencies, and mission and business requirements.

The following documents are typically included in an authorization package:

The AO is responsible for determining what changes warrant another ATO review and regularly reviews data accumulated from security monitoring reports to inform ongoing authorization decisions.

The types of status you can receive when applying for an Authorization to Operate (ATO) are crucial to understand. You can be given one of three statuses: an ATO, a denial of authorisation to operate, or an interim Authorization to Operate.

An ATO means your system or product is approved for use within the organisation, allowing you to operate without any restrictions. This status can be granted after a thorough review process that may take several years, depending on the complexity of the system and the assigned Authorizing Official.

A denial of authorisation to operate, on the other hand, means your system may not be used within the organisation. This status can be a setback, but it's essential to understand that it's not a permanent rejection, and you can reapply for an ATO in the future.

An interim Authorization to Operate is a temporary status that grants you permission to operate your system for a short period, typically between 90 to 180 days, or under limited conditions. This status is often issued as an intermediate step while your ATO application is being reviewed.

A different take: How to Appeal Prior Authorization Denial

You can receive one of three statuses when applying for an ATO.

The first status is an ATO, which allows your system or product to be used within the organisation.

A denial of authorisation to operate is the second status, which means the system may not be used within the organisation.

An interim Authorization to Operate is the third status, which gives you permission to operate for a short period, between 90 to 180 days, or under limited conditions until your system is denied or approved.

Monitoring is an essential step after a system has been granted Authorisation to Operate (ATO). Continuous monitoring is performed on the identified security controls, and any changes to the system are documented and reviewed.

The monitoring process can be lengthy, with some ATO processes taking several years to complete. The cost of ATO is highly variable depending on the AO assigned to the system.

Documentation and scans must be continually updated to remain current upon AO review. This is a crucial step to ensure the system remains secure and compliant.

The government or organisation may issue an Interim Authority to Test (IATT), which grants temporary authorisation to test a system without live data for a specific period under certain conditions or constraints.

Maintaining an IT system's authorisation is an ongoing process. ATOs, or authorisation to operate, are only valid for a specific period of time, usually three years.

This assumption may be unrealistic due to agile software development practices that expedite and embrace change. As a result, changes are inevitably made, making ATOs insufficient.

Continuous monitoring is key to maintaining confidence in any system and its security controls. This involves reassessing and reauthorising the system when necessary.

The risks associated with the system must be continuously monitored and reassessed. This ensures that the system remains secure and compliant with regulations.

Game wardens and experts play a crucial role in authorizing official activities. They are responsible for ensuring that all activities are conducted in accordance with regulations and laws.

Game wardens work closely with other experts, such as wildlife biologists and conservationists, to develop and implement policies that protect wildlife and their habitats.

Game Warden is a first-of-its-kind accredited commercial DevSecOps platform and secure cloud hosting environment.

It provides automated DevSecOps capabilities that allow software teams to reduce some of the burden of security testing and reviews, giving them more freedom to focus on improving their product.

Game Warden's continuous monitoring activities support automated assessments, giving Authorizing Officials (AOs) the documentation and oversight they need to confidently accredit software continuously.

This approach enables AOs to be more consistently informed on security posture and make faster authorization decisions.

For your interest: Prior Authorization Automation

Many game wardens and experts are not experts in security, but rather in paperwork. They spend a significant amount of time filling out forms and reports, which can be a tedious task.

Game wardens often have to deal with complex regulations and laws, which requires a strong understanding of paperwork and administrative tasks.

In some cases, game wardens may have to spend up to 50% of their time on paperwork, leaving them with limited time for actual enforcement and conservation efforts.

The Authorizing Official (AO) is a high-ranking member within an agency, often a Chief Information Officer (CIO), Chief Information Security Officer (CISO), or Chief Technology Officer (CTO).

The AO plays a crucial role in system risk management and risk assessment, weighing the risk to benefit ratio of a system to decide its authorization status. They are responsible for the final sign-off on approval based on all available security information.

To prevent conflicts of interest, the AO is never the information system owner (ISO). Instead, they work closely with the Authorizing Official Designated Representative (AODR) and Security Control Assessors (SCA) to assess the security controls implemented in the system.

The AO is responsible for reviewing security authorization packages, which can include system security plans, security assessment reports, and risk assessment reports. They also review plan of action and milestones (POAM) documents and information security continuous monitoring (ISCM) plans.

The AO's decision is final, and they will sign an Authorization to Operate (ATO) document when an information system is deemed ready. This document includes the conditions under which the ATO is valid and an expiration date.

Here are the key roles and responsibilities of the AO: