Authorizing Official Handbook

for Risk Management Framework (RMF)

Nonfiction, Computers, Internet, Security
Author: Keith Frederick
ISBN: 9781626757981
Publisher: BookBaby
Publication: May 1, 2013
Language: English
This book provides an overview of the Authorizing Official (AO) role in the Risk Management Framework (RMF) process, discusses the implications of performing AO duties, and emphasizes RMF as a continuous process. In addition, it provides guidance for analyzing the Security Authorization Package (SAP) and making the authorization decision. It provides a means to protect the information system (IS), the information it processes, and thus the Authorizing Official from civil prosecution (or, if appropriate, military prosecution) by providing evidence of the AO’s intentions to manage the system’s risk.

WHY CERTIFY AND ACCREDIT?

The Authorizing Official is professionally accountable and responsible for:

• Securing the operations and system under their jurisdiction.
• Supplying documentation that verifies a System Security Plan (SSP) and adequate security measures have been implemented.
• Maintaining documentation that ongoing operational procedures are being monitored and updated to meet system and regulatory changes.

The Risk Management Framework (RMF) protects against system operations failures, fraud, and misuse of sensitive information, as well as personal prosecution. Following the RMF process, as outlined in this book, will help ensure that the system is operating at an acceptable level of risk, and that the AO has shown clear intention to comply with all applicable laws, standards, and policies for information technology (IT) security in performing their designated duties. RMF, when properly accomplished, helps protect the AO from:

• Civil and criminal prosecution (e.g., due to noncompliance with the Privacy Act of 1974, Computer Security Act of 1987, HIPAA Act of 1996, eGov Act of 2002, etc.),
• If appropriate, court martial (dereliction of duty), and/or
• Financial hardship (due to loss of job and private defense expenses).

AUTHORIZING OFFICIAL’S LIABILITY

It is imperative that the Authorizing Official (AO) understands the ramifications of signing the authorization document. It is the duty of the AO to see that the appropriate security measures, documentation, and an RMF process have been implemented and maintained throughout the life cycle of the system in their charge. This means that the AO must ensure that the level of security employed and maintained on the system is adequate to protect the people, the technology, and its information from unauthorized access, unauthorized changes, and unavailability. When the AO grants approval for the system to operate, he accepts ultimate responsibility for the operation of the system and officially declares (1) that the specified system adequately protects the system and the information on it, and (2) that he accepts the residual risks involved in operating that system. Further, the AO must be able to show sufficient documentation to support his authorization decision as well as to verify the ongoing implementation and operational maintenance of designated security controls, which also shows the AO’s intent to provide adequate protection.

“Breach of Duty, Standards of Due Care, Proximate Cause, Negligence Per Se, and Res Ipsa Loquitur (i.e., the thing speaks for itself) are but a few of the concepts affecting litigation. Litigation that you may find yourself facing should the security mechanisms validated by your authorization plan fail to prevent, for example, unauthorized access to, modification of, or dissemination of sensitive or classified information.” (Ref. NCSC-TG-032, Version 1, 6 March 1997)

The organization’s system operations failures due to insufficient implementation and verification of adequate security controls should be viewed as a breach of fiduciary duty or dereliction of duty. Additionally, an individual who fails to follow applicable computer security laws (e.g., the Computer Security Act of 1987, Privacy Act of 1974, Freedom of Information Act, FISMA, HIPAA, etc.) may be criminally liable and may face additional civil prosecution.
