System and Common Control Authorizations (NIST SP 800-37)

Jun 6, 2024

Lecture: System and Common Control Authorizations (NIST SP 800-37)

Overview

  • Topic: System and Common Control Authorizations
  • Framework: NIST SP 800-37 (Risk Management Framework, RMF)
  • Focus: The Authorize step of the RMF
  • Reference Document: NIST Special Publication 800-37 Rev 2 (the lecture works from the draft text)
  • Five Core Federal Risk Management Documents:
    1. SP 800-39: Managing information security risk at the organization, mission/business process, and system levels
    2. SP 800-30: Conducting risk assessments
    3. SP 800-37: The Risk Management Framework
    4. SP 800-53: Catalog of security and privacy controls
    5. SP 800-53A: Procedures for assessing those controls

Main Topics Covered

  1. Types of Authorizations
  2. Authorization Package
  3. Types of Authorization Decisions
  4. Information Included in an Authorization Decision
  5. Special Authorization Types
  6. Future Topics (Next Lecture)

Types of Authorizations

  • Initial Authorization: The first, complete (zero-base) review of the system; all system-level and hybrid controls are assessed, and the common controls the system inherits are reviewed using the common control provider's assessment results
  • Ongoing Authorization: Subsequent risk determinations and acceptance decisions made at agreed-upon intervals after the initial authorization; depends on an effective continuous monitoring program feeding current assessment data to the authorizing official (AO)
  • Reauthorization: Time-driven (the authorization termination date is reached) or event-driven (a significant change, or risk rising above the AO's acceptable threshold); a full or targeted re-assessment is conducted before a new decision is issued

Authorization Package

  • Definition: The record of control assessment results and supporting material that the authorizing official uses to make a risk-based decision about whether to authorize the system or the common controls
  • Contents:
    • Executive Summary: Consolidated view of security/privacy info
    • Security and Privacy Plans: Overview of requirements, controls, and their implementations
    • Assessment Reports: Findings from control assessments, ongoing updates, recommendations for corrective actions
    • Plans of Action and Milestones (POA&Ms): Prioritized risk management actions based on control deficiencies and available resources
    • Appendices/References: Privacy Impact Assessments, interconnection security agreements, configuration management plans, etc.

Types of Authorization Decisions

  • Authorization to Operate (ATO): The AO determines that the risk from operating the system is acceptable; the decision specifies terms and conditions and an authorization termination date
  • Common Control Authorization: The same kind of decision applied to a set of common controls; the AO authorizes the controls for inheritance by organizational systems, and the decision specifies terms, conditions, and a termination date
  • Authorization to Use (ATU): For systems or services provided by another organization (for example, cloud or shared services); the AO relies on the authorization package produced by the provider's authorizing official rather than performing a separate assessment
  • Denial of Authorization: Issued when the AO determines the risk is unacceptable; the system is not authorized to operate, or the common controls are not authorized for inheritance
  • Authorization Rescission: An existing authorization is withdrawn, for example because the terms and conditions were violated or the risk is no longer being managed adequately

Information Included in an Authorization Decision

  • Authorization Decision Document: Communicates the decision, the terms and conditions of the authorization, the termination date (where one applies), the review frequency, and the time- or event-driven triggers that require a review
  • Supporting Information: The authorization package itself (executive summary, security and privacy plans, assessment reports, POA&Ms) is retained with the decision
  • Ongoing Monitoring: Verifies that the terms and conditions continue to be met and that the risk stays within the AO's accepted level

Special Authorization Types

  • Type Authorization: A single authorization for a system type deployed at multiple locations with identical hardware, software, and controls; site-specific (for example, physical and environmental) controls still have to be addressed at each location
  • Facility Authorization: Authorizes the common controls provided by a facility (such as physical and environmental protections) that are inherited by the multiple systems hosted there

Next Lecture Topics

  • Ongoing Authorization
  • Reauthorization
  • Event-Driven Triggers and Significant Changes

Additional Notes

  • The date of the next lecture is not given; it will cover the topics listed above.
