You are the system owner of the newly implemented Transportation Management System in your organization. You have compiled a package of documentation for authorization to operate (ATO). Which of the following is least likely to be included in the authorization package?
A. Risk Management Strategy
B. Security and privacy plans
C. Security and privacy assessment reports
D. Executive summary
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Risk Management Strategy.
The authorization package provides a record of the results of the control assessments and provides the authorizing official with the information needed to make a risk-based decision on whether to authorize the operation of a system or common controls.
The system owner or common control provider is responsible for the development, compilation, and submission of the authorization package. This includes information available from reports generated by an automated security/privacy management and reporting tool.
The system owner or common control provider receives inputs from many sources during the preparation of the authorization package (e.g., senior agency information security officer; senior agency official for privacy, senior accountable official for risk management or risk executive [function]; control assessors; system security or privacy officer; and the continuous monitoring program).
Source: NIST SP 800-37
The authorization package includes the following:
- Executive summary
- Security and privacy plans
- Security and privacy assessment reports
- Plans of action and milestones