The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.
Source(s):
NIST SP 800-137 under Authorization (to operate), from CNSSI 4009
NIST SP 800-161 under Authorization (to operate), from NIST SP 800-53 Rev. 4
NIST SP 800-30 Rev. 1 under Authorization (to operate), from CNSSI 4009
CNSSI 4009-2015 [Superseded] under authorization to operate (ATO), from NIST SP 800-53 Rev. 4, NIST SP 800-53A Rev. 1, NIST SP 800-37 Rev. 1
NIST SP 800-37 Rev. 1 [Superseded] under Authorization (to operate)
NIST SP 800-53 Rev. 4 [Superseded] under Authorization (to operate)
See Authorization (to operate).
Source(s):
NIST SP 800-30 Rev. 1 under Security Authorization (to Operate)
NIST SP 800-39 under Security Authorization (to Operate)
See authorization to operate (ATO).
Source(s):
CNSSI 4009-2015 [Superseded], from NIST SP 800-37 Rev. 1
The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls and privacy controls.
Source(s):
NIST SP 800-53A Rev. 4 [Superseded] under Authorization (to operate), from NIST SP 800-37 - Adapted