Module 7: Step 5 - Authorizing Information Systems

FITSP-A, Module 6: Authorizing Information Systems

Leadership
"It is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk."
SP 800-39, Managing Information Security Risk (March 2011)
FITSP-A Exam Module Objectives
- Security Assessments and Authorization
  – Assess and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems
  – Inspect mechanisms that authorize the operation of organizational information systems and any associated information system connections
Assessment and Authorization Overview
- Section A: Assessment and Authorization Tasks
  – Assess Security Controls
  – Authorization Package
  – Authorization Decisions
  – Authorization Decision Document
- Section B: Authorization Elements
  – Ongoing Authorization
  – Type Authorization
  – Authorization Approaches
Section A: ASSESSMENT AND AUTHORIZATION TASKS

RMF Step 4 – Assess Security Controls
- Assessment Preparation
- Security Control Assessment
- Security Assessment Report
- Remediation Actions

RMF Step 5 – Authorize Information System
- Plan of Action and Milestones
- Security Authorization Package
- Risk Determination
- Risk Acceptance
Authorization Package

Authorization Decisions
- Authorization to Operate (ATO)
- Denial of Authorization to Operate
- Interim Authorization to Test (IATT)
- Interim Authorization to Operate (IATO)

Authorization Decision Document
- Authorization decision
- Terms and conditions for the authorization
- Authorization termination date
- Risk executive (function) input (if provided)
Knowledge Check
- What is the first task in the Authorize Information System RMF step?
- What documents the results of the security control assessment and provides the authorizing official with the essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls?
- What are the contents of the Authorization Package, sent from the System Owner to the Authorizing Official?
- The authorization decision document contains what information?
Section B: AUTHORIZATION ELEMENTS

Ongoing Authorization
- Maintain knowledge of the current security state of the system
- Re-execute RMF step(s) as needed
- Maximize use of status reports
- Reauthorization
  – Time-driven
  – Event-driven

Type Authorization
- Definition of Type Authorization
  – Official authorization decision to employ identical copies of an information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation.

Authorization Approaches
- Single Authorizing Official
- Multiple Authorizing Officials
- Leveraging an Existing Authorization
Key Concepts & Vocabulary
- Authorization Decisions
- Authorization Decision Document
- Authorization Package
- Authorizing Official
- IATO (Interim Authorization to Operate)
- IATT (Interim Authorization to Test)
- POA&M (Plan of Action and Milestones)
- SAR (Security Assessment Report)
- SSP (System Security Plan)
- Type Authorization
Questions?
Next Module: Continuous Monitoring