Authorize Information System
The authorization of an information system’s operation is based on a determination of the risk to organizational operations and individuals, assets, other organizations and the nation resulting from the operation of the information system, and on the decision that this risk is acceptable. A risk assessment report (RAR) and a security assessment report (SAR) help develop a Plan of Action & Milestones (POA&M) report. The POA&M provides the tracking and status for any failed controls and a determination of how risky the system is. A quality authorization package would include a multitude of documents to determine an accurate risk of the system. The authorization official would then determine whether the system receives an authority to operate (ATO) or a denial of authority to operate (DATO).