Create an authorization package

Release version: Australia

Updated March 12, 2026

1 minute to read

After you have defined the authorization boundaries for the assets or systems to send through the Authorization to Operate process, you must create an authorization package for that purpose. The package is processed through the seven steps mandated by the RMF.

Before you begin

Role required: sn_irm_cont_auth.system_owner or sn_irm_cont_auth.admin

Note:

The roles are required for accessing the authorization package only after it has transitioned beyond the Prepare state.

Procedure

Navigate to All > Continuous Authorization & Monitoring > All Authorization Packages.
Select New and then fill in the form.

The settings are described in Fields on the Authorization Package form.
Select the Roles and Responsibilities tab and specify the responsibilities of various stakeholders during the review and approval process.

The settings are described in Roles and Responsibilities.
Select the PTA/PIA tab and perform the Privacy Threshold Analysis by answering the questions.

The PTA identifies whether various types of the Personal Identifiable Information (PII) exist in the systems being authorized.
If you answered No to all of the questions, you are not required to take a Privacy Impact Analysis and can select Submit.
If you answered Yes to any of the questions, you must take a Privacy Impact Analysis.
1. In the Assessment respondents field, select the lock icon and select the users you want to take the assessment.
2. When you have selected the respondents, select the lock icon again.
3. Select Submit.
  The assessment request notification is sent to the selected respondents.
4. When the PIA has been completed, the assessment responses appear in a related list in the Authorization Package form.
Select the Notes and Comments tab to add any customer-facing notes to the package.
Select Proceed to Next Step to transition the package to the next step.
The authorization package is transitioned to categorize step.