The Assessment and Authorization process is implemented to ensure compliance with our organization's information security policies and is critical to minimizing the threat of breaches. Security assessments are conducted to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for each information system.

Authorization is the process of accepting the residual risks associated with the continued operation of a system and granting approval to operate for a specified period of time. Authorization to operate information technology assets shall be controlled and managed to ensure that only authorized systems .

It is the purpose of this policy to document the security assessment and authorization process for our organization to establish the necessary security best practices required to secure our information assets.

We have adopted the Security Assessment and Authorization principles established in the NIST SP 800-53 Rev 4 “Security Assessment and Authorization” control guidelines as the official policy for this security domain. The following sections of this document outline the Security Assessment and Authorization requirements that each information system must develop or adhere to in order to comply with this policy.


The organization shall assess the risk associated with each information system to determine what security requirements are applicable. The security assessment determines the appropriate placement of each system and application within the security framework and evaluates the network resources, systems, data and applications based upon their criticality. As the critical nature of the data and applications increases, the security measures required to protect the data and applications also increase. Security assessments must observe the following requirements:

  • Security controls must be assessed under a Continuous Monitoring Plan that supports an assessment frequency of every 3 years, or whenever significant changes are made to the system or supported environment, until the system is decommissioned.

b. Agencies shall provide to the State CIO their annual compliance and assessment reports no later than September 1 of the given Calendar Year (CY). This certification includes compliance of cloud service providers. Any deficiencies identified within the agency which would preclude it from being compliant must be addressed using the Corrective Action Plan (CAP) template. Reports must be submitted using approved encryption methods.
c. Annual reports must ensure the agency has identified their security deficiencies and estimated cost for remediation. The report may include, but is not limited to, the following:
   i. Security boundary devices, e.g. firewalls, intrusion detection/prevention systems (IDPS)
   ii. Vulnerability management, e.g. scanning and patching systems
   iii. Resource constraints
   iv. Cybersecurity training deficiencies
   v. System development lifecycle (SDLC) deficiencies
d. When changes are made to an information system, a Security Impact Analysis shall be conducted to determine the extent to which changes to the information system will affect the security state of the system. These analyses are conducted as part of the System Development Lifecycle (SDLC) to ensure that security and privacy functional (and nonfunctional) requirements are identified and addressed during the development and testing of the system.
e. Agencies shall follow the procedures below when significant changes are made to the information system:
   i. Document assessment results and include correction or mitigation recommendations, to enable risk management and oversight activities.
   ii. Provide the assessment results to the ESRMO by uploading the results into the Enterprise Governance Risk and Compliance (EGRC) tool within thirty (30) days from the completion of the assessment.
   iii. The security controls in the information system will be assessed on an annual basis to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
   iv. Cloud vendors must provide an independent third-party assessment report as an attestation of compliance. Approved report types are provided in CA-7 of this policy.

  1. Provides the results of the security control assessment to the internal audit team.


The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments.


The organization:

  1. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
  2. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
  3. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].


The organization:

  1. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
  2. Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.


The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].


Our organization has a continuous monitoring strategy and implements a continuous monitoring program that includes:

  1. Establishment of [Assignment: organization-defined metrics] to be monitored;
  2. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
  3. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
  4. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
  5. Correlation and analysis of security-related information generated by assessments and monitoring;
  6. Response actions to address results of the analysis of security-related information; and
  7. Reporting the security status of the organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].


Need to determine what components?

The organization authorizes internal connections of information system components to the information system, and documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.


The Management Oversight Policy and Procedure requires an annual review of this policy.

Revision 1.0.0 - last updated January 14, 2020