Change Management, Control Oversight and Safeguard Assurance
LOW, MOD, HIGH
P2
Yes
August 24, 2016
Owners of mission-critical or sensitive information resources that are not centrally administered by Network & Information Systems shall complete a system security plan during the design phase of the systems development lifecycle. The plan shall conform to a format prescribed by the information security office, and contain the names and contact information for the resource's responsible officials, details regarding the information resource's operation and interconnections with other information resources, and required security controls beyond Agency-wide baseline controls. The plan must be reviewed and approved by the chief information security officer, who will forward the plan to the appropriate division head or higher authority for authorization.
Division heads or higher authority may choose from two options for security authorization, or reject the request outright:
Authority to Operate - Under an authority to operate, the division head or higher authority accepts the system security plan, as prescribed, for the information resource to operate in a production environment for a period not to exceed three (3) years, and assumes risk responsibility for the information resource in a production environment.
Provisional Authority to Operate - Under a provisional authority to operate, the division head or higher authority tentatively accepts the system security plan for operation in a development or testing environment. Additional work must be accomplished before the information resource may be implemented in a production environment.
Responsibility for the IT program has not been defined.
The organization:
a. Assigns a senior-level executive or manager as the authorizing official for the information system;
b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
c. Updates the security authorization [Assignment: organization-defined frequency].
Each application system has a defined authorizing official.
The state organization authorizes the information system for processing before operations or when there is a significant change to the system.
A senior organizational official signs and approves the security accreditation.
Obtain certification and accreditation policy; procedures addressing security accreditation; NIST Special Publication 800-37; security accreditation package (including security plan; security assessment report; plan of action and milestones; authorization statement); other relevant documents or records and ascertain if:
(i) the organization defines in the security plan, explicitly or by reference, the frequency of authorization updates, not to exceed three years;
(ii) the organization authorizes (i.e., accredits) the information system for processing before operations and updates the authorization at an organization-defined frequency or when there is a significant change to the information system;
(iii) a senior organizational official signs and approves the security accreditation; and
(iv) the security accreditation process employed by the organization is consistent with NIST Special Publication 800-37.