NIST 800-53 REV 5 • ASSESSMENT, AUTHORIZATION, AND MONITORING
CA-6(2) — Joint Authorization — Inter-organization
Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
Assigning multiple authorizing officials, at least one of whom comes from an external organization, to serve as co-authorizing officials for the system increases the level of independence in the risk-based decision-making process. It implements the concepts of separation of duties and dual authorization as applied to the system authorization process. Employing authorizing officials from external organizations to supplement the authorizing official from the organization that owns or hosts the system may be necessary when the external organizations have a vested interest or equities in the outcome of the authorization decision. The inter-organization joint authorization process is relevant and appropriate for connected systems, shared systems or services, and systems with multiple information owners. The authorizing officials from the external organizations are key stakeholders of the system undergoing authorization.
Practitioner Notes
This enhancement extends joint authorization across different organizations — useful when multiple agencies or companies share a common system or platform.
Example 1: When your company and a partner company share a Microsoft GCC High tenant, both organizations' authorizing officials jointly approve the shared environment's authorization.
Example 2: Use the FedRAMP Joint Authorization Board (JAB) process as a model, in which multiple agencies accept a single cloud provider's authorization rather than each conducting a separate review.