myctrl.tools
Compare

PM-10Authorization Process

PRIVACY

>Control Description

a

Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;

b

Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and

c

Integrate the authorization processes into an organization-wide risk management program.

>Cross-Framework Mappings

SCF

IAO-01
Compare

>Supplemental Guidance

Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The authorization processes for the organization are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation.

>Related Controls

CA-6
CA-7
PL-2

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern authorization of information systems and common controls?
  • How does the organization determine authorization boundaries and appropriate authorization types?
  • Who serves as authorizing officials, and what is their authority and responsibility?
  • What is the process for granting, maintaining, and revoking system authorizations?
  • What governance exists for monitoring authorized systems and ensuring ongoing authorization?

Technical Implementation:

  • What systems track system authorization status and artifacts?
  • How are authorization packages developed and managed?
  • What workflows enforce authorization processes and decision-making?
  • How is continuous monitoring data integrated with authorization activities?
  • What tools support authorization boundary documentation and management?

Evidence & Documentation:

  • Provide authorization policies and procedures.
  • Provide authorization boundary documentation for systems.
  • Provide authorization decision documents for systems.
  • Provide evidence of ongoing authorization through continuous monitoring.
  • Provide records of authorization updates when significant changes occur.

Ask AI

Configure your API key to use AI features.