Security Authorization Approaches

Applying the NIST risk management framework

Matthew Metheny, in Federal Cloud Computing (Second Edition), 2017

Security Authorization Approaches

The security authorization process is based on three different approaches.126 The first, and most commonly used, is the traditional approach, which involves only one authorizing official. In this approach, a single authorizing official has both the responsibility and accountability for accepting security risks. Next is the joint authorization127 approach, which includes a shared interest, usually between multiple authorizing officials because the information system ties directly into the strategic mission or business processes. In this approach, the authorizing officials are collectively responsible and accountable for accepting the security risks.

The final approach is used when the mission or business processes are supported by more than one federal agency. This approach is known as the leveraged authorization approach and can be used to authorize an information system, commonly a shared service,128 that can be used by more than one agency based on the original authorization package without requiring reauthorization by the leveraging organization.

Owing to the complexity in implementing the leveraged authorization approach, it is the one used least often of the three, but offers the most cost savings.129 The leveraging organization, usually through an assigned authorizing official, leverages the original authorization130 by accepting the risks, and assesses only those additional requirements beyond the original security control baseline established by the original.131 For example, if the leveraging organization determines that there is insufficient information in the authorization package or inadequate security measures in place for establishing an acceptable level of risk, the leveraging organization may negotiate for additional security measures132 and/or security-related information [3].

Another option that may be used by an organization when multiple instances of the same information system (or subsystem) are deployed in a number of different operational environments is the application of a type authorization [3]. In a type authorization a single authorizing package is used to reflect a common view for all of the instances deployed across all locations where the information system is hosted (also known as site-specific controls133).


Leave a Reply