a. Assign a senior official as the authorizing official for the system;
b. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
c. Ensure that the authorizing official for the system, before commencing operations:
1. Accepts the use of common controls inherited by the system; and
2. Authorizes the system to operate;
d. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
e. Update the authorizations [Assignment: organization-defined frequency].
Obtaining a formal ATO for a spacecraft is often more complex than for a terrestrial system because pre-launch configuration may differ from on-orbit operation, and the vehicle’s risk posture can evolve with each orbital maneuver or payload activation. The authorization process typically integrates the results of extensive ground testing, final flight readiness checks, and post-launch verification. This ensures that the authorizing official understands the baseline security posture and the spacecraft’s capability to adapt if unknown threats emerge once it is fully operational. By aligning authorization milestones with mission-critical events, the organization maintains a clear view of residual risks at each phase of the mission lifecycle.
The A&A process establishes the extent to which a particular design and implementation, meet a set of specified security requirements defined by the organization, government guidelines, and federal mandates into a formal authorization package.
Space Threats Tagged by Control
ID
Description
Sample Requirements
Requirement
Rationale/Additional Guidance/Notes
The [organization] shall designate an authorizing official for the system.{CA-6}
These officials must be federal employees, and are responsible for reviewing the security authorization package, assessing the risks, and making the decision to authorize system operation. They shall ensure compliance with relevant organizational policies and standards and are accountable for the decision to accept the risks associated with operating the system. The authorizing officials must be empowered with the authority to oversee and enforce the implementation and maintenance of security controls in accordance with organizational requirements and applicable regulations.