Control: The organisation:
C. Updates the security authorisation {Assignment: organisation-defined frequency}.
Supplemental Guidance: Security authorisations are official management decisions, conveyed through authorisation decision documents, by senior organisational officials or executives (i.e., authorising officials) to authorise operation of information systems and to explicitly accept the risk to organisational operations and assets, individuals, other organisations, and the Nation based on the implementation of agreed-upon security controls. Authorising officials provide budgetary oversight for organisational information systems or assume responsibility for the mission/business operations supported by those systems. The security authorisation process is an inherently federal responsibility and therefore, authorising officials must be federal employees. Through the security authorisation process, authorising officials assume responsibility and are accountable for security risks associated with the operation and use of organisational information systems. Accordingly, authorising officials are in positions with levels of authority commensurate with understanding and accepting such information security-related risks. OMB policy requires that organisations conduct ongoing authorisations of information systems by implementing continuous monitoring programs. Continuous monitoring programs can satisfy three-year reauthorisation requirements, so separate reauthorisation processes are not necessary. Through the employment of comprehensive continuous monitoring processes, critical information contained in authorisation packages (i.e., security plans, security assessment reports, and plans of action and milestones) is updated on an ongoing basis, providing authorising officials and information system owners with an up-to-date status of the security state of organisational information systems and environments of operation. 
To reduce the administrative cost of security reauthorisation, authorising officials use the results of continuous monitoring processes to the maximum extent possible as the basis for rendering reauthorisation decisions.