Ongoing Authorization (OA) Program
What is the Ongoing Authorization (OA) Program?
GSA has established an Ongoing Authorization (OA) Program to achieve Ongoing Authorization to Operate (OATO) for GSA managed information systems. OA provides a more frequent view into the security posture of the onboarded systems. The OA Program uses biannual reviews to ensure all responsible parties are executing their responsibilities according to the defined OA Program requirements and system OATOs are maintained.
For more information, visit the IT Security and Privacy Site.
OA Program Qualification
GSA information systems must meet the following requirements before they can be considered for onboarding into the OA Program. The following prerequisites are part of the pre-assessment conducted by the OA Team and determine the eligibility of the system to receive an OATO.
The information system must have had all of its NIST SP 800-53 Revision B security controls for its applicable FIPS 199 level, and any additional controls required by the GSA CISO, assessed within the past 18 months, and must have been issued an ATO.
The information system must have deployed GSA's enterprise Information System Continuous Monitoring (ISCM) tools, based on applicable system requirements, defined within the GSA ISCM Enterprise Security Management Tools.
Request the OA template through your ISSM or via https://ociso.gsa.gov/ for more insight into qualification. The OA Checklist is completed by the OA Team in coordination with the system team members (SO, OA ISSO and OA ISSM).
OATO vs. 3-Year cycle ATO
The key difference between the classic 3-Year ATO and an OATO is that the latter does not require re-authorization every three years; however, an event-driven reauthorization will be required if the system:
Has a significant change as defined in NIST SP 800-37, Appendix F.
Has a security breach that impacts the security posture of the system.
Important: GSA information systems that do not meet the qualifying requirements for transitioning into the OA Program must follow one of the A&A processes defined by CIO-IT Security-06-30.
Figure 2: OA RACI Legend
| Letter | Role | Description |
|---|---|---|
| R | Responsible | This team member does the work to complete the task. Every task needs at least one Responsible party, but it's okay to assign more. |
| A | Accountable | This person delegates work and is the last one to review the task or deliverable before it's deemed complete. On some tasks, the Responsible party may also serve as the Accountable one. |
| C | Consulted | Consulted parties are the people who provide input based on either how it will impact GSA work or their domain of expertise on the item itself. |
| I | Informed | These team members simply need to be kept in the loop on progress, rather than roped into the details of everything. |
Figure 3: OA Program Tasks and Responsibilities RACI Table
| Phase | Tasks | ISCM Team | ISSO/SO | ISSM | ISP | CISO | AO |
|---|---|---|---|---|---|---|---|
| Pre OA | Define GSA's ISCM Strategy & Program (CIO-IT Security-12-66) | C | I | I | AC | RA | I |
| Pre OA | Preliminary Vetting | R | C | I | A | I | I |
| Pre OA | ISCM Kick Off | R | C | C | AI | I | I |
| Pre OA | Full Performance Metric Review / ISCM Checklist | R | RC | I | AC | I | I |
| Pre OA | ISCM OAR | AC | RA | R | C | I | I |
| Pre OA | OA Letter Draft | C | C | RA | I | I | I |
| Pre OA | Signed OA Letter | I | I | C | C | RA | R |
| Pre OA | Onboarding Documentation | R | C | C | RA | I | I |
| OA | Maintenance and updates of System Documentation | C | R | A | CI | I | I |
| OA | ISCM Annual ISSO Checklist | I | R | A | CI | I | I |
| OA | Biannual PMR | R | R | C | AC | I | I |
| OA | ISCM documentation maintenance | R | CI | CI | A | I | I |
| OA | ISCM Process/Program improvements | R | C | C | A | I | I |
