What triggers a new authorization decision or reauthorization?

In RMF, an authorization decision or reauthorization is prompted by changes that affect risk. Significant system changes can alter the security controls or the risk posture, requiring a fresh assessment. Re-scoping changes the system boundary and can reveal new risks or require different controls, so reevaluation is needed. Major incidents expose weaknesses that may shift risk levels, signaling the need to reassess. A defined renewal interval ensures periodic review and authorization, even if no other changes occur. The option that includes all these triggers—significant system changes, re-scoping, major incidents, or renewal intervals—best captures when a new authorization decision or reauthorization is warranted. The other choices are too narrow: minor changes alone don’t typically drive a full reauthorization, renewal interval alone can miss changes between reviews, and re-scoping alone omits other triggers.