In the NIST Risk Management Framework (RMF), authorization is the process by which a senior management official, the authorizing official, reviews security and privacy information describing the current security and privacy posture of information systems or common controls that are inherited by systems. Which of the following is not an authorization decision of the process?
A. Authorization to operate
B. Ongoing authorization
C. Denial of authorization
D. Common control authorization
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Ongoing authorization.
Source: NIST SP 800-37 R2
Systems and common security controls shall be authorized before being put into operation. According to NIST SP 800-37 R2, there are four types of authorization decisions that can be rendered by authorizing officials:
- Authorization to operate
- Common control authorization
- Authorization to use
- Denial of authorization
Ongoing authorization is not an authorization decision. It is a risk-based decision process for determining whether the risk of continuing a system's authorization to operate remains acceptable. It typically leverages the security and privacy information generated by the continuous monitoring program.