FISMA & NIST RMF

Josef Kamara, CPA, CISSP, CISA · Updated May 2, 2026 · 1 minute read

Authorize Step (RMF Step 5)

The fifth step of the Risk Management Framework, in which the Authorizing Official reviews the Security Assessment Report, the Plan of Action and Milestones, and the residual risk and either grants an Authority to Operate, grants a conditional ATO, or denies authorization. The decision is a formal acceptance of risk by a senior agency official and is the act that legally permits the system to process federal data.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.