Authorizing Official Handbook

This book provides an overview of the Authorizing Official (AO) role in the Risk Management Framework (RMF) process, discusses implications of performing AO duties and emphasizing RMF as a continuous process. In addition, it provides guidance for analyzing the Security Authorization Package (SAP) and making the authorization decision. It provides a means to protect the information system (IS), the information it processes, and thus, the Authorization Official from civil prosecution (or if appropriate military prosecution) by providing evidence of the AO’s intentions to manage the system’s risk.

WHY CERTIFY AND ACCREDIT?
The Authorization Official is professionally accountable and responsible for:
• Securing the operations and system under their jurisdiction.
• Supplying documentation that verifies a System Security Plan (SSP) and adequate security measures have been implemented.
• Maintaining documentation that ongoing operational procedures are being monitored and updated to meet system and regulatory changes.
Risk Management Framework (RMF) protects against system operations failures, fraud, and misuse of sensitive information as well as personal prosecution. Following the RMF process, as outlined in this book, will help ensure that the system is operating at an acceptable level of risk, and that the AO has shown clear intention to comply with all applicable laws, standards, and policies for information technology (IT) security in an attempt to perform their designated duties. RMF when properly accomplished helps protect the AO from:
• Civil and criminal prosecution (i.e., due to noncompliance with Privacy Act of 1974, Computer Security Act of 1987, HIPAA Act of 1996, eGov Act of 2002, etc.),
• If appropriate court martial (dereliction of duty) and/or
• Financial hardship (due to loss of job and private defense expenses).