home || catalog: SP800-53rev3 / class: Management / family: (CA) Security Assessment and Authorization ||
CA-06: Security Authorization

base control objective:
The organization:
a. Assigns a senior-level executive or manager to the role of authorizing official for the information system;
b. Authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].

supplemental objective information:
Authorizing officials are senior officials or executives with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations, organizational assets, individuals, other organizations, and the Nation. Authorizing officials typically have budgetary oversight for information systems or are responsible for the mission or business operations supported by the systems. Security authorization is an inherently federal responsibility; therefore, authorizing officials must be federal employees. Through the security authorization process, authorizing officials are accountable for the security risks associated with information system operations. Accordingly, authorizing officials should be in management positions with a level of authority commensurate with understanding and accepting such information system-related security risks.

Through the employment of a comprehensive continuous monitoring process, the critical information contained in the authorization package (i.e., the security plan (including the risk assessment), the security assessment report, and the plan of action and milestones) is updated on an ongoing basis, providing the authorizing official and the information system owner with an up-to-date status of the security state of the information system. To reduce the administrative cost of security reauthorization, the authorizing official uses the results of the continuous monitoring process to the maximum extent possible as the basis for rendering a reauthorization decision. OMB policy requires that federal information systems are reauthorized at least every three years or when there is a significant change to the system. The organization defines what constitutes a significant change to the information system.

enhancements to the base objective:

(1) None.

mapping to FIPS199 baseline:

  LOW: base     MOD: base     HIGH: base  

related (regimented) controls:

CA-02   Security Assessments
CA-07   Continuous Monitoring
PM-09   Risk Management Strategy
PM-10   Security Authorization Process

documents referenced in SP800-53rev3 for CA-06:

Document             Date            Status    Title
OMB Circular A-130   November 2000   current   Management of Federal Information Resources (Appendix III)
NIST SP800-37        February 2010   current   Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Rev. 1)
NIST SP800-66        October 2008    current   An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-79        June 2008       current   Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
