Role: Information System Security Authorizing Official
Critical Element: Leadership/Management

| Objectives | Activities | Outcomes/Measures | Results/Accomplishments |
| --- | --- | --- | --- |
| Assume responsibility for operating an information system at an acceptable level of risk based on the Risk Management Framework. | a. Ensure activities and functions associated with an information system's continuous monitoring and authorization are carried out. | Conduct annual Continuous Monitoring activities for all operational information systems. Ensure information systems are reauthorized prior to expiration. | |
| | b. Ensure sufficient resources are available to implement and manage an information system's security. | A minimum of 80% of Plans of Action and Milestones (POA&Ms) are completed on schedule. POA&M status, including delays, is reviewed every 90 days. | |

Role: Information System Owner (ISO)
Critical Element: Leadership/Management

| Objectives | Activities | Outcomes/Measures | Results/Accomplishments |
| --- | --- | --- | --- |
| Ensure information system security | a. System security authorization documentation is developed and maintained. | Documentation is updated within 90 days of an implemented significant change. Documentation presents an accurate description of implemented system security controls, and is in accordance with DOC ITSPP and DOC OU-specific policies. A minimum of 80% of POA&Ms are completed on schedule, or delays are documented in a timely manner, and POA&M status is reviewed every 60 days. | |
| | b. System security controls are implemented and monitored. | System security controls are implemented as defined in authorization documentation, and Continuous Monitoring activities are conducted in accordance with DOC ITSPP and DOC OU-specific policies. | |