Anthropic-Cybersecurity-Skills/skills/executing-nist-rmf-authorization-to-operate/assets/template.md
andrewibrah e8832748d3 Add 5 skills: GRC (800-30, RMF, CMMC, HIPAA, TPRM)
- conducting-cyber-risk-assessment-with-nist-800-30
- executing-nist-rmf-authorization-to-operate
- achieving-cmmc-level-2-compliance
- implementing-hipaa-security-rule-safeguards
- managing-third-party-vendor-risk

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-04 09:57:31 -04:00


Authorization Package Summary (NIST RMF / SP 800-37 Rev 2) — Worked Example

Filled example for a Moderate-impact federal web application seeking an initial ATO. Replace bracketed content for your own system.

1. System & Authorization Boundary

  • System name: Citizen Services Portal (CSP)
  • System owner / ISSO / AO: [SO name] / [ISSO name] / [AO name]
  • Description: Public-facing web portal for benefit applications; React frontend, containerized API, managed Postgres, all in an authorized cloud (FedRAMP Moderate) tenant.
  • Boundary: The application containers, API gateway, database, and CI/CD pipeline within the project's cloud account. Inherited: physical, environmental, and hypervisor controls from the FedRAMP-authorized platform (documented in the CRM).
  • Leveraged authorization: Platform IaaS at FedRAMP Moderate.

2. FIPS 199 Categorization

(generated by scripts/process.py from the information-type table; overall = high-water mark)

| Objective | High-water mark |
|---|---|
| Confidentiality | Moderate |
| Integrity | Moderate |
| Availability | Moderate |
| Overall system impact | Moderate |

Information types: PII (C:Mod / I:Mod / A:Low), Eligibility records (C:Mod / I:Mod / A:Mod), Public content (C:Low / I:Mod / A:Mod). Selected SP 800-53B baseline: Moderate. Privacy overlay applied (PII present).
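As an added illustration (not the repository's own `scripts/process.py`), the following Python parses the information-type notation used in this section and derives the per-objective high-water mark, the overall system impact, and the SP 800-53B baseline; the "PII" name check for the privacy overlay is an assumption of this example.

```python
"""FIPS 199 high-water-mark categorization (added example, not the repo's
scripts/process.py). Parses entries such as "PII (C:Mod / I:Mod / A:Low)"."""
import re

# Ordinal impact scale from FIPS 199; list index gives the ordering.
LEVELS = ["Low", "Moderate", "High"]
ABBREV = {"Low": "Low", "Mod": "Moderate", "Moderate": "Moderate", "High": "High"}
OBJECTIVES = {"C": "Confidentiality", "I": "Integrity", "A": "Availability"}

TYPE_RE = re.compile(r"^\s*(?P<name>[^(]+?)\s*\((?P<triple>[^)]*)\)\s*$")
PAIR_RE = re.compile(r"([CIA])\s*:\s*(Low|Moderate|Mod|High)")


def parse_info_type(text):
    """'PII (C:Mod / I:Mod / A:Low)' -> ('PII', {'Confidentiality': 'Moderate', ...})."""
    m = TYPE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized information-type entry: {text!r}")
    impacts = {OBJECTIVES[k]: ABBREV[v] for k, v in PAIR_RE.findall(m.group("triple"))}
    if set(impacts) != set(OBJECTIVES.values()):
        raise ValueError(f"missing C/I/A impact value in: {text!r}")
    return m.group("name").strip(), impacts


def high_water_mark(levels):
    """Highest impact level on the Low < Moderate < High scale."""
    return max(levels, key=LEVELS.index)


def categorize(entries):
    """Per-objective high-water marks, overall impact, baseline, overlay flag."""
    parsed = [parse_info_type(e) for e in entries]
    per_objective = {obj: high_water_mark([imp[obj] for _, imp in parsed])
                     for obj in OBJECTIVES.values()}
    overall = high_water_mark(per_objective.values())
    return {
        "objectives": per_objective,
        "overall": overall,
        "baseline": f"SP 800-53B {overall}",
        # Assumption of this example: an info type named "PII" triggers the privacy overlay.
        "privacy_overlay": any(name.upper().startswith("PII") for name, _ in parsed),
    }


# Constructed input: the three information types listed in section 2 above.
CSP_INFO_TYPES = [
    "PII (C:Mod / I:Mod / A:Low)",
    "Eligibility records (C:Mod / I:Mod / A:Mod)",
    "Public content (C:Low / I:Mod / A:Mod)",
]

if __name__ == "__main__":
    result = categorize(CSP_INFO_TYPES)
    for obj, lvl in result["objectives"].items():
        print(f"{obj:<22} {lvl}")
    print(f"Overall system impact  {result['overall']}  ->  {result['baseline']}")
```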

3. Control Baseline & Tailoring

  • Baseline: SP 800-53B Moderate + privacy controls (PT family).
  • Tailoring decisions: PE family largely inherited from the platform (common controls). Organization-defined parameters set for AC-7 (lockout threshold = 5), AU-11 (log retention = 1 year), IA-5 (password/authenticator policy).
  • Allocation: Common (inherited) — PE, parts of SC/CP; System-specific — AC, AU, SI, application-layer SC; Hybrid — IR, CM (platform + app split per CRM).

4. Control Implementation Status (from the SSP)

| Family | Implemented | Total | % |
|---|---|---|---|
| AC | 22 | 25 | 88% |
| AU | 14 | 16 | 88% |
| SC | 28 | 30 | 93% |
| SI | 12 | 14 | 86% |
| Total | 76 | 85 | 89% |

(Each implemented control carries an implementation statement in the SSP — not a bare "yes." Open items map to the POA&M below.)

5. Assessment Results (SAR)

Independent assessment per SP 800-53A Rev 5 (examine / interview / test). Result: 3 controls "Other Than Satisfied", all with remediation plans. No Critical findings. Detailed evidence in the full SAR.

6. Plan of Action & Milestones (POA&M)

(generated by scripts/process.py, sorted by severity)

| ID | Control | Weakness | Severity | Status | Remediation | Owner | Milestone |
|---|---|---|---|---|---|---|---|
| F-001 | AC-7 | No account lockout on the portal login | High | Other Than Satisfied | Configure lockout after 5 failed attempts | App team | 2026-07-15 |
| F-002 | AU-6 | Audit logs not reviewed on a defined cadence | Moderate | Other Than Satisfied | Stand up weekly SIEM review + alerting | SOC | 2026-08-01 |
| F-003 | SI-2 | Two medium CVEs unpatched in a dependency | Moderate | Other Than Satisfied | Patch in next sprint; add Dependabot gate | App team | 2026-07-30 |

Open High/Critical findings: 1 (F-001) — to be closed before authorization or tracked to closure as a condition of the ATO.

7. Authorization Decision

  • Decision: ATO with conditions (effectively a cATO posture).
  • Term: 3 years, contingent on continuous monitoring and POA&M adherence.
  • Conditions: Close F-001 (High) within 30 days of authorization; F-002 and F-003 per their milestones.
  • Residual-risk statement: Residual risk is Moderate and acceptable given the compensating monitoring and the committed remediation timeline.
  • Authorizing Official: [AO name], [date].

8. Continuous Monitoring (ConMon) Plan

  • Monitored continuously: vulnerability scans (weekly), configuration drift (CM), POA&M status (monthly to the AO), control effectiveness sampling (quarterly).
  • Reporting cadence: Monthly ConMon report; immediate notification of any High/Critical finding or significant change.
  • Reassessment triggers: new external interface, change of categorization, major architecture change, or a significant incident.
  • Maturity goal: Move from periodic re-ATO toward ongoing authorization as ConMon evidence stabilizes.