Federal GRC Engineering

Authorizing Official (AO)

The senior federal official with the authority to formally accept the risk of operating an information system on behalf of the agency, as defined in NIST SP 800-37 Revision 2, Appendix D. The AO is typically a senior executive at the assistant secretary or component head level and is never the system owner. The AO reviews the Security Assessment Report, the Plan of Action and Milestones, and the resulting residual risk, and then either grants the Authority to Operate, grants a conditional ATO, or denies authorization. The AO's signature is the legal act that permits the system to process federal data.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.