NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-10 Authorization Process

a. Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes;
b. Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Integrate the authorization processes into an organization-wide risk management program.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Authorization processes for organizational systems and environments of operation require the implementation of an organization-wide risk management process and associated security and privacy standards and guidelines. Specific roles for risk management processes include a risk executive (function) and designated authorizing officials for each organizational system and common control provider. The authorization processes for the organization are integrated with continuous monitoring processes to facilitate ongoing understanding and acceptance of security and privacy risks to organizational operations, organizational assets, individuals, other organizations, and the Nation.

Practitioner Notes

Every system that processes, stores, or transmits organizational data needs a formal authorization to operate (ATO). This control establishes the process for granting, reviewing, and revoking those authorizations.

Example 1: Define an authorization process where each system owner submits a security package (system security plan, risk assessment, POA&M) to an authorizing official (AO). The AO reviews the package, accepts residual risk, and issues a signed ATO letter with a defined duration (typically 3 years with annual reviews).

Example 2: Use a GRC platform like eMASS, Xacta, or even a structured SharePoint site to manage authorization packages. Track each system's authorization status (Pre-ATO, ATO, DATO, ATO Expired) and set automated reminders 90 days before expiration so reauthorization starts on time.
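As an added illustration of the tracking in Example 2 (example code, not part of this page or of any GRC product), a small Python model that derives each system's authorization state and the reminders due on a given date, assuming the 3-year ATO term, annual reviews and 90-day reauthorization lead time described above; the system names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ATO_TERM_YEARS = 3        # ATO duration the page describes
REAUTH_LEAD_DAYS = 90     # start reauthorization this far before expiry
ANNUAL_REVIEW_DAYS = 365  # annual review cadence
TODAY = date(2025, 12, 1)  # constructed "current" date for the sample run

def add_years(d: date, years: int) -> date:
    day = min(d.day, 28) if d.month == 2 else d.day  # 29 Feb -> 28 Feb if needed
    return d.replace(year=d.year + years, day=day)

@dataclass
class Authorization:
    system: str
    ato_date: Optional[date] = None     # AO signature date; None = no ATO yet
    denied: bool = False                # AO issued a denial (DATO)
    last_review: Optional[date] = None  # most recent annual review, if any

    def expires(self) -> Optional[date]:
        return None if self.ato_date is None else add_years(self.ato_date, ATO_TERM_YEARS)

def status(auth: Authorization, today: date) -> str:
    """Map a record onto the four tracking states used on this page."""
    if auth.denied:
        return "DATO"
    if auth.ato_date is None:
        return "Pre-ATO"
    return "ATO Expired" if today >= auth.expires() else "ATO"

def actions(auth: Authorization, today: date) -> list[str]:
    """Reminders the tracker should raise for one system on a given day."""
    due, state = [], status(auth, today)
    if state == "ATO":
        if auth.expires() - today <= timedelta(days=REAUTH_LEAD_DAYS):
            due.append(f"start reauthorization (ATO expires {auth.expires()})")
        if today - (auth.last_review or auth.ato_date) >= timedelta(days=ANNUAL_REVIEW_DAYS):
            due.append("annual review overdue")
    elif state == "ATO Expired":
        due.append("operating without a current ATO; escalate to the AO")
    return due

# Constructed sample inventory; system names are hypothetical
INVENTORY = [Authorization("HR Portal", ato_date=date(2023, 1, 15)),
             Authorization("Lab Network"),
             Authorization("Legacy Billing", ato_date=date(2021, 6, 1)),
             Authorization("Vendor Kiosk", denied=True)]
```

Running `actions(a, TODAY)` over `INVENTORY` gives the reminder list a GRC workflow would send; the annual-review check falls back to the ATO signature date when no review has been recorded yet.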