Glossary

assessment and authorization (A&A)

A formal process for evaluating, documenting, and approving information system security and privacy controls before and during operation.

Assessment and authorization (A&A) is a formal, documented process used to evaluate the security and privacy controls of an information system and decide whether that system is approved to operate. It is widely used in government and regulated environments, and is often aligned with frameworks such as NIST SP 800-53.

What assessment and authorization includes

In most programs, A&A encompasses:

  • Assessment: Planning and performing an evidence-based review of implemented controls (technical, physical, and administrative) to determine whether they are correctly implemented, operating as intended, and producing the desired security and privacy outcomes.
  • Authorization: A risk-based decision by an authorizing official (or designated authority) to approve, conditionally approve, or reject system operation based on the assessment results and documented residual risks.

The output typically includes an assessment report, a risk or security posture summary, and an authorization decision with defined terms, conditions, and review cycles.

Use in industrial and manufacturing environments

In industrial and manufacturing contexts, A&A is applied to information systems and operational technology (OT) that handle production data, quality records, configuration data, or regulated product information. Examples include:

  • Manufacturing execution systems (MES) and plant historians that store batch, genealogy, or traceability data.
  • Industrial control systems and SCADA platforms that interface with regulated production lines.
  • Integrated OT/IT environments where plant systems connect to enterprise ERP, quality, or supplier portals handling controlled technical data.

For organizations working with U.S. federal agencies or handling controlled unclassified information, A&A activities are often aligned with programs such as FISMA, FedRAMP, or CMMC, which reference NIST SP 800-53 control baselines.

Operational characteristics

Practically, an A&A process commonly includes:

  • System categorization and definition of system boundaries.
  • Selection and tailoring of applicable security and privacy controls.
  • Implementation of controls and collection of objective evidence.
  • Independent or designated assessment of control effectiveness.
  • Documentation of findings, risks, and remediation plans.
  • Formal authorization decision with periodic re-assessment or continuous monitoring.

In manufacturing operations, evidence may include configuration records, change control logs, access management records, network diagrams, backup and recovery test results, and monitoring or incident records relevant to production systems.

Common confusion

A&A vs. certification: A&A is a process and decision framework used within broader regulatory or contractual programs. It is not itself a certification and does not guarantee compliance with a particular standard. Instead, it uses control catalogs (such as NIST SP 800-53) as inputs to a documented risk decision.

A&A vs. routine audits: Routine internal audits or inspections may feed evidence into an A&A, but A&A culminates in a formal authorization decision about whether a system is allowed to operate under defined conditions.
