PM-10: Security Authorization Process

Control Family: Program Management

Control Statement

The organization:

  1. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
  2. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
  3. Fully integrates the security authorization processes into an organization-wide risk management program.

Supplemental Guidance

Security authorization processes for information systems and environments of operation require the implementation of an organization-wide risk management process, a Risk Management Framework, and associated security standards and guidelines. Specific roles within the risk management process include an organizational risk executive (function) and designated authorizing officials for each organizational information system and common control provider. Security authorization processes are integrated with organizational continuous monitoring processes to facilitate ongoing understanding and acceptance of risk to organizational operations and assets, individuals, other organizations, and the Nation.