Meetings seem to be the sole job of an ISSO. How does one argue that a system/application is not robust enough to fit in as something that requires a full ATO and is more like a minor application or a PIT? What points should be emphasized to explain the limitations of the app and that it is assessed only under RMF and is not a fully developed major system?
@Pyrosis22 These are terminologies from DoD RMF. The best way is to follow the guidelines in the business rules document as they relate to the requirements for the different authorization paths. There is typically a checklist, form, or questionnaire that will address these questions. Yes, ISSOs attend a lot of meetings, helping to manage risk.