NIST SP 800-37 Rev 2 (the Risk Management Framework, RMF) defines seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Prepare is the foundation; the other six run in order, and Monitor loops back into the earlier steps whenever a significant change or new risk information warrants it.
Prepare: establish context before any system-level work starts: roles (AO, system owner, ISSO, assessor), the organization's risk-management strategy and risk tolerance (ties to SP 800-39), a control baseline strategy, the common controls available for inheritance, and the system's mission/business context. Define the authorization boundary precisely; a boundary that drifts outward inflates every later artifact (SSP, assessment, POA&M).
Categorize: determine the impact (Low, Moderate, or High) of a loss of confidentiality, integrity, and availability for each information type the system processes (FIPS 199; SP 800-60 catalogs the types). Roll up in two steps: per objective, take the maximum across information types; then take the high-water mark across the three objectives to get the overall system categorization. Document the result and its rationale in the SSP. This single decision drives the entire control baseline: over-categorizing buys controls the system does not need, under-categorizing leaves risk unaddressed.
Select: start from the SP 800-53B baseline matching the categorization (Low/Moderate/High), plus the privacy baseline if the system processes PII. Then tailor: apply scoping guidance, select compensating controls where a baseline control cannot be implemented as written, and assign values to organization-defined parameters (ODPs). Apply any overlays that govern the system (e.g., FedRAMP). Record the tailored control set and the rationale for every removal, compensating control, and parameter value in the SSP. Mark each control as common (inherited), system-specific, or hybrid.
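The categorization roll-up and baseline choice from the two steps above, as an added Python example that is not the page's scripts/process.py. It assumes a small information-type record with one impact level per objective, enforces the FIPS 199 rule that "not applicable" is permitted only for confidentiality (and only for public information), and adds the SP 800-53B privacy baseline when the system processes PII. The information types in the sample are constructed for the illustration.

```python
"""FIPS 199 high-water-mark categorization and SP 800-53B baseline selection.

Added illustration, not scripts/process.py. The information types below are constructed.
"""
from dataclasses import dataclass

# Impact levels in rank order. "n/a" is the FIPS 199 value allowed only for
# the confidentiality of information that is already public.
RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
LEVEL = {r: name for name, r in RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(objective: str, level: str) -> int:
    """Validate one impact level and return its numeric rank."""
    key = level.strip().lower()
    if key not in RANK:
        raise ValueError(f"unknown impact level {level!r}")
    if key == "n/a" and objective != "confidentiality":
        raise ValueError(f"'n/a' is not a valid {objective} impact (FIPS 199)")
    return RANK[key]


def categorize(info_types: list[InfoType]) -> tuple[dict[str, str], str]:
    """Return (per-objective impact, overall categorization).

    Per objective: the maximum across all information types.
    Overall: the high-water mark across the three objectives.
    """
    if not info_types:
        raise ValueError("a system must have at least one information type")
    per_objective = {
        obj: LEVEL[max(_rank(obj, getattr(t, obj)) for t in info_types)]
        for obj in OBJECTIVES
    }
    overall = LEVEL[max(RANK[v] for v in per_objective.values())]
    return per_objective, overall


def select_baselines(overall: str, processes_pii: bool) -> list[str]:
    """Name the SP 800-53B baselines a system starts from before tailoring."""
    if overall not in ("low", "moderate", "high"):
        raise ValueError(f"no SP 800-53B baseline for categorization {overall!r}")
    baselines = [f"SP 800-53B {overall.capitalize()} baseline"]
    if processes_pii:
        # The privacy baseline is selected independently of the impact level.
        baselines.append("SP 800-53B Privacy baseline")
    return baselines


# Constructed example: a public-facing portal that also processes PII and
# carries payment instructions whose integrity matters more than anything else.
PORTAL_INFO_TYPES = [
    InfoType("Public web content", confidentiality="n/a", integrity="moderate", availability="moderate"),
    InfoType("Customer PII", confidentiality="moderate", integrity="moderate", availability="low"),
    InfoType("Payment instructions", confidentiality="moderate", integrity="high", availability="moderate"),
]


def main() -> None:
    per_objective, overall = categorize(PORTAL_INFO_TYPES)
    print("Per objective:", per_objective)       # C=moderate, I=high, A=moderate
    print("Overall (high-water mark):", overall)  # high
    print("Start from:", select_baselines(overall, processes_pii=True))


if __name__ == "__main__":
    main()
```

Note how a single High on one objective of one information type (integrity of payment instructions) pulls the whole system to High; that is the lever the paragraph above warns about, and the reason information types with a legitimately lower impact are sometimes carved into a separate boundary.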
Implement: deploy the selected controls and document how each is implemented in the SSP with a concrete implementation statement (which mechanism, where it sits, who operates it), not a bare "yes" or a restatement of the control text. The SSP is the artifact assessors read first; vague statements generate findings.
Assess: an independent assessor evaluates the controls against the SP 800-53A assessment objectives using the examine, interview, and test methods. Each objective is found either "satisfied" or "other than satisfied"; the latter are weaknesses or deficiencies. The output is the Security Assessment Report (SAR). Remediate what you can before authorization and have the assessor re-verify it; everything else flows to the POA&M.
Authorize: assemble the authorization package: SSP + SAR + POA&M (plus supporting artifacts, e.g., an executive summary). The AO reviews the residual risk and renders a decision: an authorization to operate (ATO, which may carry terms and conditions and a termination date), or a denial of authorization to operate (DATO). SP 800-37 Rev 2 also defines a common control authorization and an authorization to use for inherited and external services.
The decision, its rationale, and any conditions are captured in the authorization decision document.
Monitor: authorization is not a one-time gate. Maintain an ongoing posture: track control effectiveness, ingest vulnerability-scan results and configuration drift, update the SSP on every change, work the POA&M to closure, report per the ConMon plan, and feed significant changes back into reassessment. Mature programs move from periodic re-ATO to ongoing authorization, where the AO's risk acceptance is refreshed from monitoring data instead of a full reauthorization package.
| Concept | Definition |
|---|---|
| Authorization boundary | The set of components, data flows, and inherited services covered by the authorization. |
| FIPS 199 categorization | Low/Moderate/High per C/I/A; overall = high-water mark across the three. |
| Control baseline | The SP 800-53B starting control set for the categorization, before tailoring. |
| Tailoring | Adjusting the baseline via scoping, compensating controls, and parameter values. |
| Common / inherited control | A control provided by another entity (e.g., the platform) and inherited by the system; a hybrid control is partly inherited and partly system-specific. |
| SSP | System Security Plan — describes the system, boundary, and how each control is implemented. |
| SAR | Security Assessment Report — the assessor's findings on control effectiveness. |
| POA&M | Plan of Action & Milestones — tracked weaknesses with owners and remediation dates. |
| ATO / cATO / DATO | Authorization to operate (may carry terms and conditions) / continuous ATO, the DoD term for ongoing authorization backed by a mature ConMon program / denial of authorization to operate. |
| Authorizing Official (AO) | The senior official who accepts residual risk and signs the authorization. |
| ConMon | Continuous monitoring — ongoing control-effectiveness and risk tracking post-ATO. |
Produce an Authorization Package summary using assets/template.md, containing:
Use scripts/process.py to select the right SP 800-53B baseline from a FIPS 199 categorization, summarize control-implementation status, and generate a POA&M table from a findings JSON.
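The other two tasks the script description mentions, as an added Python example that is not the page's scripts/process.py: summarizing SSP implementation statements (and flagging the bare "yes" that the Implement step warns about) and turning SAR "other than satisfied" findings into POA&M rows. The JSON field names, the severity-to-milestone windows, and the sample control and finding records are all assumptions constructed for the illustration.

```python
"""SSP implementation summary and SAR findings -> POA&M rows.

Added illustration, not scripts/process.py. Record shapes, remediation windows
and sample data are assumed/constructed.
"""
import json
from collections import Counter
from datetime import date, timedelta

# Assumed organization-defined remediation windows, in days, by finding severity.
REMEDIATION_DAYS = {"high": 30, "moderate": 90, "low": 180}
SEVERITY_ORDER = {"high": 0, "moderate": 1, "low": 2}

# Implementation statements that tell an assessor nothing testable.
PLACEHOLDER_STATEMENTS = {"", "yes", "y", "implemented", "compliant", "n/a"}

# Constructed SSP excerpt: one record per control in the tailored set.
SAMPLE_CONTROLS = [
    {"id": "AC-2", "type": "system-specific", "status": "implemented",
     "statement": "Accounts are provisioned via the IdP; managers approve in the ticketing system."},
    {"id": "PE-3", "type": "common", "status": "implemented",
     "statement": "Inherited from the hosting provider's physical security controls."},
    {"id": "SI-2", "type": "system-specific", "status": "partially implemented", "statement": "Yes"},
    {"id": "CM-6", "type": "hybrid", "status": "planned", "statement": ""},
]

# Constructed SAR findings in the JSON shape this example assumes.
SAMPLE_FINDINGS_JSON = """[
  {"control": "AC-2", "objective": "AC-02(a)", "status": "satisfied", "method": "examine"},
  {"control": "AC-2", "objective": "AC-02(d)", "status": "other than satisfied", "method": "interview",
   "description": "Account managers are not notified when users are terminated",
   "severity": "moderate", "owner": "ISSO"},
  {"control": "SI-2", "objective": "SI-02(c)", "status": "other than satisfied", "method": "test",
   "description": "Critical patches on the web tier exceed the organization-defined window",
   "severity": "high", "owner": "System owner"},
  {"control": "CM-6", "objective": "CM-06(a)", "status": "other than satisfied", "method": "examine",
   "description": "No documented configuration settings for the database hosts",
   "severity": "low", "owner": "System owner"}
]"""


def implementation_summary(controls):
    """Count controls by status and by origin, and list controls whose
    implementation statement is a placeholder rather than a description."""
    by_status = Counter(c["status"].lower() for c in controls)
    by_origin = Counter(c["type"].lower() for c in controls)
    weak = sorted(c["id"] for c in controls
                  if c.get("statement", "").strip().lower().rstrip(".") in PLACEHOLDER_STATEMENTS)
    return {"by_status": dict(by_status), "by_origin": dict(by_origin), "placeholder_statements": weak}


def poam_rows(findings, opened):
    """Turn 'other than satisfied' findings into POA&M rows, highest severity first.
    Satisfied objectives are skipped; anything else is rejected rather than guessed at."""
    weaknesses = []
    for f in findings:
        status = f.get("status", "").strip().lower()
        if status == "satisfied":
            continue
        if status != "other than satisfied":
            raise ValueError(f"{f.get('control')} {f.get('objective')}: unknown status {status!r}")
        severity = f.get("severity", "").lower()
        if severity not in REMEDIATION_DAYS:
            raise ValueError(f"{f['control']} {f['objective']}: severity missing or unknown")
        weaknesses.append((severity, f))
    weaknesses.sort(key=lambda pair: SEVERITY_ORDER[pair[0]])
    rows = []
    for n, (severity, f) in enumerate(weaknesses, start=1):
        rows.append({
            "id": f"POAM-{n:03d}",
            "control": f["control"],
            "weakness": f.get("description") or f["objective"],
            "severity": severity,
            "owner": f.get("owner", "unassigned"),
            "opened": opened.isoformat(),
            "milestone_due": (opened + timedelta(days=REMEDIATION_DAYS[severity])).isoformat(),
            "status": "open",
        })
    return rows


def poam_markdown(rows):
    """Render POA&M rows as a markdown table (pipes in text are escaped)."""
    cols = ["id", "control", "weakness", "severity", "owner", "opened", "milestone_due", "status"]
    lines = ["| " + " | ".join(cols) + " |", "|" + "---|" * len(cols)]
    lines += ["| " + " | ".join(str(r[c]).replace("|", "\\|") for c in cols) + " |" for r in rows]
    return "\n".join(lines)


def sample_poam_rows():
    """Run the constructed findings through poam_rows with a fixed open date."""
    return poam_rows(json.loads(SAMPLE_FINDINGS_JSON), opened=date(2024, 1, 15))


if __name__ == "__main__":
    print(implementation_summary(SAMPLE_CONTROLS))
    print(poam_markdown(sample_poam_rows()))
```

The placeholder check is deliberately crude (an exact match against a short list after trimming) so it never hides a real statement; its job is to catch the "Yes" entries before an assessor does. Rejecting unknown statuses and severities, instead of defaulting them, keeps a malformed SAR export from silently dropping weaknesses out of the POA&M.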