Create an authorization package

  • Release version: Washingtondc
  • Updated August 1, 2024

After you have defined the authorization boundaries for the assets or systems that you want to send through the Authorization to Operate (ATO) process, you must create an authorization package for that purpose. The package is then processed through the seven steps mandated by the Risk Management Framework (RMF).

    Before you begin

    Role required: sn_irm_cont_auth.system_owner or sn_irm_cont_auth.admin

    Note: These roles are required for accessing the authorization package only after it has transitioned beyond the Prepare state.

    Procedure

    1. Navigate to All > Continuous Authorization & Monitoring > All Authorization Packages.
    2. Click New.
    3. On the form, fill in the fields.

      Table 1. Authorization Package form

      | Field | Description |
      | --- | --- |
      | Number | Auto-generated Authorization Package number. |
      | Name | A name for the package. |
      | Acronym | If needed, an acronym for identifying the package. |
      | Missions/Business processes | The business process that applies to this authorization package. Business processes are defined on the ServiceNow AI Platform, for example at Policy & Compliance > Scoping > Business Processes. |
      | Active | Activate the authorization package. |
      | Step | The RMF step currently assigned to the package. |
      | Authorization boundary | The authorization boundary for this package. |
      | System purpose | The purpose behind this authorization package. |
    4. Click the Roles and Responsibilities tab and define the roles of the stakeholders who take part in the review and approval process.

      Table 2. Roles and Responsibilities tab

      | Field | Description |
      | --- | --- |
      | System owner | The individual responsible for procuring, developing, integrating, modifying, operating, and maintaining an information system. |
      | Authorizing Official (AO) | The individual responsible for accepting an information system into an operational environment at a known risk level. Typically, this person is at the CISO or deputy CISO level. |
      | Authorizing Official Designated Representatives (AODR) | One or more AODRs. |
      | Security Control Assessors (SCA) | The individuals responsible for conducting a thorough assessment of the controls of an information system. |
      | Information System Security Managers (ISSM) | The individuals responsible for conducting information system security management activities as designated by the ISSO. |
      | Information System Security Officers (ISSO) | The individuals responsible for ensuring that the appropriate operational security posture is maintained for an information system. |
      | Information owners | The individuals responsible for statutory, management, and operational authority. |
      | System users | The users responsible for performing the actual work on the system. |
    5. Click the PTA/PIA tab and perform the Privacy Threshold Analysis (PTA) by answering the questions.

      The PTA identifies whether any of several types of personally identifiable information (PII) exist in the systems being authorized.

    6. If you answered No to all of the questions, a Privacy Impact Analysis (PIA) is not required and you can click Submit.
    7. If you answered Yes to any of the questions, you must take a Privacy Impact Analysis (PIA).
      1. In the Assessment respondents field, click the lock icon and select the users you want to take the assessment.
      2. When you have selected the respondents, click the lock icon again.
      3. Click Submit.
        The assessment request notification is sent to the selected respondents.
      4. When the PIA has been completed, the assessment responses appear in a related list in the Authorization Package form.
    8. Click the Notes and Comments tab to add any customer-facing notes to the package.
    9. Click Categorize to transition the package to the next step.
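The three rules this page states, that the package roles are enforced only after the package leaves Prepare, that any Yes answer on the PTA requires a PIA with selected respondents, and that Categorize moves the package to the next RMF step, as an added JavaScript model. This is example code written here, not ServiceNow code: the seven step names are the NIST RMF steps, the two role names come from this page, and the record shape, the PTA question keys and the respondent names are assumptions made for the example.

```javascript
// Illustrative model of the authorization-package rules on this page (added example,
// not ServiceNow's implementation). The record shape, question keys and user objects
// are assumptions; the role names are the ones this page requires.

// The seven steps of the NIST Risk Management Framework, in order.
const RMF_STEPS = ['Prepare', 'Categorize', 'Select', 'Implement', 'Assess', 'Authorize', 'Monitor'];

// Roles that this page requires once a package has moved beyond Prepare.
const PACKAGE_ROLES = ['sn_irm_cont_auth.system_owner', 'sn_irm_cont_auth.admin'];

// Create a package record in the Prepare step. Required form fields are checked so
// a package without a name, boundary or purpose never enters the workflow.
function createPackage(fields) {
  for (const required of ['name', 'authorizationBoundary', 'systemPurpose']) {
    if (!fields[required]) throw new Error('Missing required field: ' + required);
  }
  return {
    name: fields.name,
    acronym: fields.acronym || '',
    authorizationBoundary: fields.authorizationBoundary,
    systemPurpose: fields.systemPurpose,
    active: true,
    step: 'Prepare',
    pta: null,          // answers to the Privacy Threshold Analysis, once submitted
    piaRespondents: [], // users selected to take the Privacy Impact Analysis
  };
}

// Access rule from the note on this page: in Prepare, anyone who can open the form
// may access the package; after that, one of the package roles is required.
function canAccess(user, pkg) {
  if (pkg.step === 'Prepare') return true;
  return (user.roles || []).some((role) => PACKAGE_ROLES.includes(role));
}

// PTA outcome: all No means no PIA; any Yes means a PIA must be taken.
function piaRequired(ptaAnswers) {
  return Object.values(ptaAnswers).some((answer) => answer === 'Yes');
}

// Submit the PTA. When a PIA is required, at least one respondent must have been
// selected (the lock icon in step 7), and those respondents are the ones notified.
function submitPta(pkg, ptaAnswers, respondents = []) {
  const required = piaRequired(ptaAnswers);
  if (required && respondents.length === 0) {
    throw new Error('A Privacy Impact Analysis is required; select at least one assessment respondent');
  }
  pkg.pta = ptaAnswers;
  pkg.piaRespondents = required ? respondents.slice() : [];
  return { piaRequired: required, notified: pkg.piaRespondents.slice() };
}

// Move the package to the next RMF step (Prepare to Categorize is the Categorize
// button on this page). The caller must be able to access the package, the PTA must
// have been submitted, and a package already in Monitor has no next step.
function advanceStep(user, pkg) {
  if (!canAccess(user, pkg)) throw new Error('User lacks a package role');
  if (pkg.pta === null) throw new Error('Complete the Privacy Threshold Analysis first');
  const idx = RMF_STEPS.indexOf(pkg.step);
  if (idx === RMF_STEPS.length - 1) throw new Error('Package is already in the Monitor step');
  pkg.step = RMF_STEPS[idx + 1];
  return pkg.step;
}
```

Note that the role check deliberately lives in `canAccess` and is called from every transition, so a package that has left Prepare can only be moved by a user who holds `sn_irm_cont_auth.system_owner` or `sn_irm_cont_auth.admin`, matching the note at the top of this page.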