“New AO, new game?” writes:
We just found out our Authorizing Official will be retiring next month and there is still no word on who his replacement will be. What sort of problems can we anticipate when a new AO takes over the reins? How much flexibility will he/she have to “change the rules of the game,” so to speak? What additional problems would we face if there turns out to be a “gap” between the old AO’s retirement and the appointment of a new one?
Dr. RMF Responds:
Transitioning to a new AO should be smooth and seamless. It will not invalidate your existing ATOs, nor should it necessitate any new system assessments. That doesn’t mean there will be absolutely no changes, though. Perhaps the new AO will ask for some additional reporting on a regular basis, especially if there are numerous systems within their purview. Sometimes a new AO will request a one-time brief from each system owner to help him/her become familiar with their systems.
If there turns out to be a “gap” between old and new AOs, this will only be a problem if an existing ATO is due to expire during the gap. If you see that coming, it is important you reach out to the existing AO (or AO Designated Rep) now to get some guidance on how to best handle the situation. Perhaps the existing AO has already arranged for someone to be able to sign ATOs during the gap. In some cases, the existing AO will agree to sign a short-term “ATO Extension” to bridge the gap and allow the new AO some time to “settle in” before having to address your next ATO.
Do you have an RMF dilemma that you could use advice on how to handle? If so, Ask Dr. RMF! BAI’s Dr. RMF consists of BAI’s senior RMF consultants who have decades of RMF experience as well as peer-reviewed published RMF research.
Want to see more of Dr. RMF? Watch our Dr. RMF video collection at https://www.youtube.com/c/BAIInformationSecurity
Dr. RMF submissions can be made at https://rmf.org/dr-rmf/