APPENDIX E

SAMPLE TRANSMITTAL AND DECISION LETTERS AUTHORIZATION, INTERIM AUTHORIZATION, AND DENIAL OF AUTHORIZATION

Security Accreditation Package Transmittal Letter

From: Information System Owner

Date:

Thru: Senior Agency Information Security Officer

To: Authorizing Official

Subject: Security Accreditation Package for [INFORMATION SYSTEM]

A security certification of the [INFORMATION SYSTEM] and its constituent subsystem-level components (if applicable) located at [LOCATION] has been conducted in accordance with Office of Management and Budget Circular A-130, Appendix III, Security of Federal Automated Information Resources; NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal information systems; and the [AGENCY] policy on security accreditation. The attached security accreditation package contains: (i) current system security plan; (ii) security assessment report; and (iii) plan of action and milestones.

The security controls listed in the system security plan have been assessed by [CERTIFICATION AGENT] using the assessment methods and procedures described in the security assessment report to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The plan of action and milestones describes the corrective measures that have been implemented or are planned to address any deficiencies in the security controls for the information system and to reduce or eliminate known vulnerabilities.

Signature

Title

Enclosures

Security Accreditation Decision Letter (Authorization to Operate)

From: Authorizing Official

Date:

Thru: Senior Agency Information Security Officer

To: Information System Owner

Subject: Security Accreditation Decision for [INFORMATION SYSTEM]

After reviewing the results of the security certification of the [INFORMATION SYSTEM] and its constituent system-level components (if applicable) located at [LOCATION] and the supporting evidence provided in the associated security accreditation package (including the current system security plan, the security assessment report, and the plan of action and milestones), I have determined that the risk to agency operations, agency assets, or individuals resulting from the operation of the information system is acceptable. Accordingly, I am issuing an authorization to operate the information system in its existing operating environment. The information system is accredited without any significant restrictions or limitations. This security accreditation is my formal declaration that adequate security controls have been implemented in the information system and that a satisfactory level of security is present in the system.

The security accreditation of the information system will remain in effect as long as: (i) the required security status reports for the system are submitted to this office every [TIME PERIOD]; (ii) the vulnerabilities reported during the continuous monitoring process do not result in additional agency-level risk which is deemed unacceptable; and (iii) the system has not exceeded the maximum allowable time period between security accreditations in accordance with federal or agency policy.

A copy of this letter with all supporting security certification and accreditation documentation should be retained in accordance with the agency's record retention schedule.

Signature

Title

Enclosures

Security Accreditation Decision Letter (Interim Authorization to Operate)

From: Authorizing Official

Date:

Thru: Senior Agency Information Security Officer

To: Information System Owner

Subject: Security Accreditation Decision for [INFORMATION SYSTEM]

After reviewing the results of the security certification of the [INFORMATION SYSTEM] and its constituent system-level components (if applicable) located at [LOCATION] and the supporting evidence provided in the associated security accreditation package (including the current system security plan, the security assessment report, and the plan of action and milestones), I have determined that the risk to agency operations, agency assets, or individuals resulting from the operation of the information system is not acceptable. However, I have also determined that there is an overarching need to place the information system into operation or continue its operation due to mission necessity. Accordingly, I am issuing an interim authorization to operate the information system in its existing operating environment. An interim authorization is a limited authorization to operate the information system under specific terms and conditions and acknowledges greater agency-level risk for a limited period of time. The information system is not considered accredited during the period of limited authorization to operate. The terms and conditions of this limited authorization are described in Attachment A.

A process must be established immediately to monitor the effectiveness of the security controls in the information system during the period of limited authorization. Monitoring activities should focus on the specific areas of concern identified during the security certification. Significant changes in the security state of the information system during the period of limited authorization should be reported immediately.

This interim authorization to operate the information system is valid for [TIME PERIOD]. The limited authorization will remain in effect during that time period as long as: (i) the required security status reports for the system are submitted to this office every [TIME PERIOD]; (ii) the vulnerabilities reported during the continuous monitoring process do not result in additional agency-level risk which is deemed unacceptable; and (iii) continued progress is being made in reducing or eliminating vulnerabilities in the information system in accordance with the plan of action and milestones. At the end of the period of limited authorization, the information system must be either authorized to operate or the authorization for further operation will be denied. Renewals or extensions to this interim authorization to operate will be granted only under the most extenuating of circumstances. This office will monitor the plan of action and milestones submitted with the accreditation package during the period of limited authorization.

A copy of this letter with all supporting security certification and accreditation documentation should be retained in accordance with the agency's record retention schedule.

Signature

Title

Enclosures

Security Accreditation Decision Letter (Denial of Authorization to Operate)

From: Authorizing Official

Date:

Thru: Senior Agency Information Security Officer

To: Information System Owner

Subject: Security Accreditation Decision for [INFORMATION SYSTEM]

After reviewing the results of the security certification of the [INFORMATION SYSTEM] and its constituent system-level components (if applicable) located at [LOCATION] and the supporting evidence provided in the associated security accreditation package (including the current system security plan, the security assessment report, and the plan of action and milestones), I have determined that the risk to agency operations, agency assets, or individuals resulting from the operation of the information system is unacceptable. Accordingly, I am issuing a denial of authorization to operate the information system in its existing operating environment. The information system is not accredited and [MAY NOT BE PLACED INTO OPERATION or ALL CURRENT OPERATIONS MUST BE HALTED]. Failure to receive an authorization to operate the information system indicates that there are major deficiencies in the security controls in the system and that a satisfactory level of security is not present in the system at this time.

The plan of action and milestones should be revised immediately to ensure that proactive measures are taken to correct the security deficiencies in the information system. The security certification should be repeated at the earliest opportunity to determine the effectiveness of the security controls in the information system after the reduction or elimination of identified vulnerabilities.

A copy of this letter with all supporting security certification and accreditation documentation should be retained in accordance with the agency's record retention schedule.

Signature

Title

Enclosures