CA-6—Authorization
>Control Description
a. Assign a senior official as the authorizing official for the system;
b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
c. Ensure that the authorizing official for the system, before commencing operations:
   1. Accepts the use of common controls inherited by the system; and
   2. Authorizes the system to operate;
d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
e. Update the authorizations [Assignment: organization-defined frequency].
>FedRAMP Baseline Requirements
Parameter Values
Additional Requirements and Guidance
CA-6 (e) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F. Additional guidance related to significant changes can be found in the FedRAMP Continuous Monitoring Playbook. The service provider describes the types of changes to the information system or the environment of operations that would impact the risk posture.
>Discussion
Authorizations are official management decisions by senior officials to authorize operation of systems, authorize the use of common controls for inheritance by organizational systems, and explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of agreed-upon controls. Authorizing officials provide budgetary oversight for organizational systems and common controls or assume responsibility for the mission and business functions supported by those systems or common controls. The authorization process is a federal responsibility, and therefore, authorizing officials must be federal employees.
Authorizing officials are both responsible and accountable for security and privacy risks associated with the operation and use of organizational systems. Nonfederal organizations may have similar processes to authorize systems and senior officials that assume the authorization role and associated responsibilities. Authorizing officials issue ongoing authorizations of systems based on evidence produced from implemented continuous monitoring programs.
Robust continuous monitoring programs reduce the need for separate reauthorization processes. Through the employment of comprehensive continuous monitoring processes, the information contained in authorization packages (i.e., security and privacy plans, assessment reports, and plans of action and milestones) is updated on an ongoing basis. This provides authorizing officials, common control providers, and system owners with an up-to-date status of the security and privacy posture of their systems, controls, and operating environments.
To reduce the cost of reauthorization, authorizing officials can leverage the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorization decisions.
>Cross-Framework Mappings
>Programmatic Queries
Related Services
CLI Commands
aws auditmanager list-assessments --status ACTIVE --output json
aws auditmanager get-assessment --assessment-id ASSESSMENT_ID
aws auditmanager get-evidence-folder --assessment-id ASSESSMENT_ID --control-set-id CONTROL_SET_ID --evidence-folder-id FOLDER_ID
aws securityhub get-findings --filters '{"ComplianceStatus":[{"Value":"PASSED","Comparison":"EQUALS"}]}' --max-items 10
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of CA-6 (Authorization)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring CA-6?
- How frequently is the CA-6 policy reviewed and updated, and what triggers policy changes?
- What training or awareness programs ensure personnel understand their responsibilities related to CA-6?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce CA-6 requirements.
- What automated tools, systems, or technologies are deployed to implement CA-6?
- How is CA-6 integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce CA-6 requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of CA-6?
- What audit logs, records, reports, or monitoring data validate CA-6 compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of CA-6 effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate CA-6 compliance?
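The Security Hub command in the CLI section and the "monitoring data" evidence question above both point at the same artifact: a findings export that continuous monitoring feeds to the authorizing official for an ongoing-authorization decision. The script below is an added example for this page, not code from NIST, FedRAMP, AWS or the page itself. It assumes findings were saved with `aws securityhub get-findings --output json` and reads the standard ASFF fields (`Compliance.Status`, `Compliance.SecurityControlId`, `Severity.Label`, `RecordState`, `Workflow.Status`); the embedded findings, account number and ARNs are constructed placeholders. It tallies compliance status per security control over active findings and separates open failures at or above a severity floor from failures an organization has already resolved or suppressed as accepted risk.

```python
"""Turn a Security Hub findings export into a per-control authorization view."""
import json
from collections import defaultdict

# ASFF severity labels, ordered so a numeric floor can be applied.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `aws securityhub get-findings --output json`
# (only the fields this script uses; account ID and ARNs are placeholders).
SAMPLE_EXPORT = json.dumps({"Findings": [
    {"Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/f-1",
     "Title": "MFA should be enabled for the root user", "GeneratorId": "security-control/IAM.9",
     "Compliance": {"Status": "FAILED", "SecurityControlId": "IAM.9"},
     "Severity": {"Label": "CRITICAL"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
    {"Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/f-2",
     "Title": "S3 buckets should block public access", "GeneratorId": "security-control/S3.1",
     "Compliance": {"Status": "PASSED", "SecurityControlId": "S3.1"},
     "Severity": {"Label": "INFORMATIONAL"}, "RecordState": "ACTIVE", "Workflow": {"Status": "RESOLVED"},
     "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
    {"Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/f-3",
     "Title": "EC2 instances should not use multiple ENIs", "GeneratorId": "security-control/EC2.19",
     "Compliance": {"Status": "FAILED", "SecurityControlId": "EC2.19"},
     "Severity": {"Label": "HIGH"}, "RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-example"}]},
    {"Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/f-4",
     "Title": "CloudTrail should be enabled in all Regions", "GeneratorId": "security-control/CloudTrail.1",
     "Compliance": {"Status": "FAILED", "SecurityControlId": "CloudTrail.1"},
     "Severity": {"Label": "MEDIUM"}, "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
    {"Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/example/f-5",
     "Title": "MFA should be enabled for the root user", "GeneratorId": "security-control/IAM.9",
     "Compliance": {"Status": "FAILED", "SecurityControlId": "IAM.9"},
     "Severity": {"Label": "CRITICAL"}, "RecordState": "ARCHIVED", "Workflow": {"Status": "RESOLVED"},
     "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111122223333"}]},
]})


def load_findings(export_text):
    """Parse the JSON document written by `aws securityhub get-findings --output json`."""
    return json.loads(export_text).get("Findings", [])


def is_active(finding):
    """Archived records describe a past state and do not count against the posture."""
    return finding.get("RecordState") == "ACTIVE"


def is_open(finding):
    """Active and not yet resolved or suppressed in the Security Hub workflow."""
    return is_active(finding) and finding.get("Workflow", {}).get("Status") not in ("RESOLVED", "SUPPRESSED")


def control_id(finding):
    """Security control identifier (e.g. IAM.9); falls back to the generator ID."""
    return finding.get("Compliance", {}).get("SecurityControlId") or finding.get("GeneratorId", "unknown")


def summarize_by_control(findings):
    """Return {control: {compliance_status: count}} over active findings."""
    table = defaultdict(lambda: defaultdict(int))
    for f in findings:
        if is_active(f):
            table[control_id(f)][f.get("Compliance", {}).get("Status", "NOT_AVAILABLE")] += 1
    return {cid: dict(counts) for cid, counts in table.items()}


def authorization_blockers(findings, min_severity="HIGH"):
    """Open FAILED findings at or above min_severity, most severe first.

    These are the items a continuous-monitoring report surfaces to the
    authorizing official; suppressed failures are treated as accepted risk
    and belong in the plan of action and milestones instead.
    """
    floor = SEVERITY_RANK[min_severity]
    blockers = []
    for f in findings:
        if not is_open(f) or f.get("Compliance", {}).get("Status") != "FAILED":
            continue
        label = f.get("Severity", {}).get("Label", "INFORMATIONAL")
        if SEVERITY_RANK.get(label, 0) < floor:
            continue
        blockers.append({"control": control_id(f), "severity": label, "title": f.get("Title", ""),
                         "resources": [r.get("Id") for r in f.get("Resources", [])]})
    blockers.sort(key=lambda b: -SEVERITY_RANK[b["severity"]])
    return blockers


if __name__ == "__main__":
    found = load_findings(SAMPLE_EXPORT)
    print(json.dumps({"by_control": summarize_by_control(found),
                      "blockers": authorization_blockers(found)}, indent=2))
```

Run it as-is to see the constructed sample summarized; to use a real export, replace `SAMPLE_EXPORT` with the file contents from `aws securityhub get-findings --output json`. Lowering the floor (`authorization_blockers(found, "MEDIUM")`) widens the list the authorizing official sees.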