- System security plan (SSP)
- Incident response plan (IRP)
- Continuous monitoring plan
- Security assessment report
- Plan of action and milestones

The authorising officer could be more demanding and ask for more before they are convinced. Or they may see the business need for the system to be so high that they’re willing to authorise on less information. Again, this is why we can’t have universal declarations of a system being good for a particular classification. Interim or provisional authorisation doesn’t exist anymore. You either have a system that’s authorised, or it’s not. The authorisation could be constrained, and come with promises to implement changes in the future.