DOI Security Assessment & Authorization
The A&A process is a comprehensive assessment and/or evaluation of an information system policies, technical / non-technical security components, documentation, supplemental safeguards, policies, and vulnerabilities. The A&A process establishes the extent to which a particular design and implementation, meet a set of specified security requirements defined by the organization, government guidelines, and federal mandates into a formal authorization package. This authorization package is reviewed by the Authorizing Official (AO) and a formal declaration of an information system accreditation is either granted as an Authorization to Operate (ATO) or ATO with conditions or outright denial of authorization to operate. Given the ATO the information system is to operate in a particular security mode using a prescribed set of safeguards and function at an acceptable level of risk to the agency. Each information system is placed into the Information Security Continuous Monitoring (ISCM) (NIST SP 800-137) program which maintains the ongoing awareness of information security, vulnerabilities, and threats to an information system.