In RMF, which role approves operation?

Study for the RMF Steps, Tasks, and Outcomes Test. Get ready for your exam with flashcards, multiple choice questions, and in-depth explanations. Master each step and outcome with ease!

Multiple Choice

In RMF, which role approves operation?

Explanation:
In RMF, the approval to operate a system is a formal risk-based decision made by the Authorizing Official. After the security controls are implemented and evaluated, the AO reviews the assessment package, weighs the residual risk against the organization’s risk tolerance, and decides whether to authorize operation. This official then issues the Authorization to Operate (ATO) or, if appropriate, Authorization to Accept Risk, signaling that the system may operate within acceptable risk levels. The RMF Lead coordinates the overall process, the Information System Owner is responsible for the system and its controls, and the Security Control Assessor evaluates the controls to provide the evidence the AO uses in the decision.

