Assessment, Authorization, and Monitoring Plan

Approach basics → §4.x

Authorization type, who assesses, who authorizes, the ConMon framework.

Authorization type * — Select — Full Authority to Operate (ATO) Provisional ATO (FedRAMP/JAB) Conditional ATO (with stipulations) Ongoing Authorization (continuous) Authority to Test (ATT) Interim Authority to Test (IATT) Denial of Authorization to Operate (DATO)

Authorizing Official (AO) role * Role that holds authorization decision authority (e.g., 'Department CIO', 'Program AO', 'Designated Approving Authority'). Use the role title, not a named individual.

Assessment authority * Who performs control assessments (e.g., 'Independent Internal Audit team', 'Third-party 3PAO', 'In-house ISSO with peer review', 'FedRAMP-accredited 3PAO').

Current ATO grant date When the current authorization was granted.

ATO expiration / re-authorization due Traditional 3-year cycle, or 'Ongoing' for continuous-authorization regimes.

ConMon framework reference Authoritative ConMon strategy document (e.g., 'Org ConMon Strategy v2.1', 'FedRAMP ConMon Strategy & Guide', 'NIST SP 800-137 derived plan').

Control Assessment Strategy (CA-2) → §4.x

Assessment methodology, scope per cycle, and reporting.

Assessment methods used

Test (technical testing) Examine (document review) Interview (stakeholder discussion) Automated assessment (config scanning, compliance scanning) Continuous (ConMon-derived evidence)

Assessment cadence — Select — Annual full assessment Continuous ConMon-driven (ongoing) Triennial full + annual subset Quarterly subset rotating across all controls Other (specify)

Assessor independence — Select — Fully independent (3PAO / external) Organizationally independent (separate from system team, same org) Peer review (in-house, separate function) Self-assessment (lowest assurance)

Subset / rotation strategy If not all controls assessed every cycle: how the subset is selected (risk-based, rotation, ConMon-driven). Reference NIST SP 800-53A r5 §3 for guidance.

SAR distribution / recipients Who receives the Security Assessment Report (System Owner, AO, ISSO, ISSM, audit committee). Distribution control given the SAR contains finding details.

Information Exchange (CA-3) → §4.x

External system connections, ISAs / MOUs / IAs, and ongoing review.

External-connection inventory location Where the inventory of external system connections is maintained (e.g., 'Boundary diagram in SSP §4.2 + ISA register in Confluence'). The inventory drives this group.

ISA / MOU / IA management process How agreements are negotiated, approved (by AO), tracked, and reviewed. Reference NIST SP 800-47 r1 for federal interconnection guidance.

ISA review cadence — Select — Annual Bi-annual On material change to either party Annual + on material change

Categories of external connections

Federal-agency-to-federal-agency Federal to federal contractor (cleared facility) Federal to commercial (non-federal) Cloud service provider (CSP) integration Public-internet-facing (no agreement needed) Vendor support / break-glass connection Sister-system within same organization

Connection decommission process How a connection is properly torn down when no longer needed (network rules removed, access revoked, ISA formally terminated).

Plan of Action and Milestones (CA-5) → §4.x

POA&M tooling, lifecycle, and SLAs.

POA&M tooling / system of record System holding POA&M items (e.g., 'eMASS', 'Xacta 360', 'CSAM', 'ServiceNow GRC', 'Confluence + Jira tracker').

Remediation SLAs by severity How long POA&M items can stay open by severity. Federal references: BOD 22-01 for KEVs (15-30 days), FedRAMP for non-KEV (Critical 30 / High 90 / Medium 180). Adapt to your authority.

POA&M review cadence — Select — Weekly status review Monthly with leadership Quarterly formal review Continuous (real-time dashboard)

Risk-acceptance criteria When can a POA&M item be closed by risk acceptance rather than remediation? Who must concur? What documentation is required?

Closure validation How a POA&M item is validated as closed (re-test by assessor, ISSO sign-off, automated re-scan). Independent validation requirement.

Authorization Process (CA-6) → §4.x

How authorization decisions are made and documented.

ATO decision package contents

System Security Plan (SSP) Security Assessment Plan (SAP) Security Assessment Report (SAR) Plan of Action and Milestones (POA&M) Risk Assessment Report (RAR) Privacy Impact Assessment (PIA) Contingency Plan Incident Response Plan Configuration Management Plan Boundary diagram / data-flow diagram Hardware / software inventory

ATO decision workflow Step-by-step from package submission to AO decision. SCA review → ISSM concurrence → AO decision → ATO letter issued.

Authorization revocation / denial criteria Conditions that trigger AO consideration of DATO (Denial of ATO) or revocation: critical unaddressed POA&Ms, high-impact incident, compliance violation.

Interim authorization (IATT/ATT) approach When and how IATT (Interim Authority to Test) is used for development / test environments before full ATO. Time-bound, scope-limited.

Continuous Monitoring Strategy (CA-7) → §4.x

The strategy that every other family plan's §7 references back to.

ConMon metric categories

Vulnerability metrics (from SI plan) Configuration drift metrics (from CM plan) Account / access metrics (from AC plan) Authentication metrics (from IA plan) Audit-pipeline health (from AU plan) Incident metrics (from IR plan) Recovery / RTO metrics (from CP plan) Privacy / PII handling metrics Supply-chain / SBOM metrics

ConMon reporting cadence — Select — Continuous dashboard with daily exec summary Weekly status report to AO Monthly ConMon report Quarterly ConMon report Per-event escalation only

Material-change reauthorization triggers What constitutes a 'material change' that requires AO notification or re-assessment of authorization (significant architecture change, scope expansion, new data category, control failure trend).

ConMon dashboard location Where the live ConMon dashboard lives (Splunk, Tableau, eMASS, custom).

ConMon evidence retention How long ConMon-derived evidence (scan results, audit-trail snapshots) is retained for re-authorization use.

Penetration Testing (CA-8) → §4.x

Pen-test scope, frequency, and reporting.

Pen-test authority — Select — Internal red team External commercial firm Mixed (internal recurring + external annual) Coordinated disclosure / bug bounty Not currently performed

Pen-test scope

External (public-facing) network Internal network (assumed-breach) Web applications API / microservices Mobile applications Wireless infrastructure Social engineering / phishing Physical security Insider-threat scenarios

Pen-test frequency — Select — Annually Biennially Continuous (ongoing red-team operation) Per major release Triennial baseline + annual targeted

Rules of engagement reference Where the ROE document lives (defines scope, timing, prohibited actions, escalation contacts).

Pen-test report handling Who receives the report, how it's stored, and how findings flow into the POA&M. Reports often warrant tighter access controls than other documentation.

Internal System Connections (CA-9) → §4.x

Connections within the authorization boundary that warrant explicit authorization.

Internal connections inventory Connections between distinct components within the boundary (DMZ→app tier→DB; admin VLAN→production; jump-host→target). Many systems document these in a network diagram + flow table.

Connection authorization mechanism How each internal connection is authorized — usually via the architecture-decision record reviewed by the CCB at design time, then enforced by network policy / security groups.

Assessment Scope and Boundary → §2.x

What's in scope for assessment, in plain terms.

Approximate control count in scope Total controls + enhancements applicable to the chosen baseline.

Number of external system connections Approximate count of distinct external connections (each typically requires an ISA / IA).

Data categories in scope Brief enumeration of data categories the system handles (informs assessment depth — PII / PHI / classified data warrant heightened assessment).

Published ConMon Metrics → §6.x

Specific metric values reported to the AO.

Tracked metrics

Add item

Suggested: + % controls assessed within current cycle + Open POA&M items by severity (count + age) + Mean time to remediate POA&M (by severity) + % POA&M items overdue + ConMon report on-time rate (% reports issued by SLA) + Material changes notified to AO (count per quarter) + External-connection ISA review compliance (%) + Pen-test findings closed within target + Time since last full assessment

ConMon Review Cadence → §6.x

How and when ConMon outputs drive decisions.

ConMon review meeting frequency — Select — Weekly operational review Monthly with system stakeholders Quarterly with leadership Annually with AO

ConMon review attendees

System Owner ISSO ISSM AO (or designate) SOC representative Engineering lead Privacy Officer External assessor (3PAO when applicable)

Decision rights at review What decisions are made at review (POA&M reprioritization, risk acceptance, AO escalation, plan revisions).

Cross-references to other RMF artifacts → §7

This plan is the integration hub — it both references and is referenced by every other plan.

SSP section reference Where in the SSP the CA control implementations are summarized (e.g., 'SSP §13.2').

POA&M ID prefix for CA findings Convention for CA-related POA&M items (e.g., 'POAM-CA-').

Subordinate plan inventory List the family plans that feed CA: CM, AC, AU, IA, IR, CP, SI plus any others. Each plan's CA-7 ConMon section ties back to this plan.

Risk Assessment Report (RAR) location Where the current RAR lives. Authoritative input to the AO's decision.

SSP owner role Role responsible for keeping the SSP current (typically ISSO).