NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING

CA-6(1) Joint Authorization — Intra-organization

Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Assigning multiple authorizing officials from the same organization to serve as co-authorizing officials for the system increases the level of independence in the risk-based decision-making process. It also implements the concepts of separation of duties and dual authorization as applied to the system authorization process. The intra-organization joint authorization process is most relevant for connected systems, shared systems, and systems with multiple information owners.

Practitioner Notes

This enhancement enables joint authorization within the same organization — multiple officials can share the authorization responsibility for a single system.

Example 1: A shared IT system used by both your HR and Finance departments gets a joint ATO signed by both department heads, each accepting the risk for their portion of the data.

Example 2: Document the joint authorization arrangement in your system security plan, clearly defining which authorizing official is responsible for which aspects of the system's risk.