Authorizing Official (AO)
The Authorizing Official (AO) is the senior government official who has the authority to formally accept the security risks of an information system and grant (or deny) its Authority to Operate. The AO takes personal responsibility for the decision to allow a system to operate, accepting any residual risk.
AOs are typically senior leaders — flag officers, SES civilians, or other designated officials. They rely on security assessments, risk analyses, and recommendations from their security teams to make authorization decisions, but the final responsibility rests with them personally.
Why It Matters
Understanding what the AO needs to make their decision helps you prepare better Risk Management Framework (RMF) packages. The AO wants clear risk information, not technical jargon; presenting security findings in business risk terms helps your authorization package move faster.