What is the authorization package comprised of in RMF?

Study for the RMF Steps, Tasks, and Outcomes Test. Get ready for your exam with flashcards, multiple choice questions, and in-depth explanations. Master each step and outcome with ease!

Multiple Choice

What is the authorization package comprised of in RMF?

Explanation:
In RMF, the authorization package is the collection of documents that show how the system’s security controls are planned, tested, and managed, so an authorizing official can assess risk and make an authorization decision. The System Security Plan explains which security controls are in place and how they’re implemented within the system. The Security Assessment Report captures the results of testing and evaluating those controls, including any weaknesses and their severity. The risk assessment analyzes overall risk to the system and its information, helping determine tolerable levels of risk. The Plan of Actions and Milestones records identified weaknesses and the remediation steps and timelines to address them. Privacy considerations ensure that handling of personal data complies with privacy requirements. Boundary documents define the system’s scope, interfaces, and connections to other systems or networks. Training records, while important for personnel readiness, are not part of the authorization package.

