What triggers a re-assessment or reauthorization in RMF?

Multiple Choice

What triggers a re-assessment or reauthorization in RMF?

Explanation:
In RMF, ongoing monitoring ends with a decision about whether the authorization to operate remains valid. A reassessment or reauthorization is triggered whenever changes occur that could affect the system’s security posture. The key driver is significant changes to the system after it has been authorized—such as substantial hardware or software updates, configuration changes, or changes in the operating environment—that could alter how well security controls work. Routine events like password changes are handled through day-to-day control updates and don’t by themselves necessitate a full reassessment. Time-based schedule reviews may exist, but they don’t replace the need to reassess when meaningful changes happen.
