[00:00:00] In this lesson, we're going to talk about Step 6 in the Real World. Now, step six is the authorized step, and the purpose of the authorized step is to provide accountability by requiring a senior official to determine if the security and privacy risk based on the operation of a system or the use of common controls is acceptable. At the end of step six, we want to achieve four main outcomes. First, we want to ensure an authorization package, including the executive summary, system security and privacy plan, assessment reports and the plan of action and milestones, has been created. Second, we want to ensure a risk determination has been rendered. Third, we want to ensure that risk responses have been provided. And fourth, we want to ensure that the authorization for the system or common controls has been approved or denied at the end of this authorized step. All right, let's take a look at what step six looks like in the real world.
[00:00:54] Now, when it comes to step six, which is the authorized step, it can get a little tricky in the real world because sometimes you may have a hard time figuring out exactly who is the senior official who will be responsible for making that risk decision. If you took the time back in the preparation stage to figure that out, this is going to go a lot smoother for you. But if not, it may be sitting in somebody's queue in this digital system, waiting for them to look at your package. And if you don't even know who's supposed to be on the hook for doing that, it can actually slow down the entire process and the decision you're hoping to receive. So in step number six of the risk management framework process, we're going to try to go ahead and get authorization to operate the system, which is known as an ATO. This is where your senior official is going to make their risk decision based on whether or not they want to authorize your system to be able to actually operate in the real world.
[00:01:44] For example, if I was still working in a military environment, I might have a brand new system for which we decided what kind of controls we were going to use, and we've implemented those controls. Then we assess those controls, and now we're going to go over to a senior decision maker and ask them, can I connect this new system to this top secret network? And they're going to look at all the data and all the mitigations and controls we put in place and determine, do they accept what residual risk is there and allow me to connect that system? Because when we talk about a system, there's always going to be some level of risk there. The question is, is this an acceptable level that is low enough that we can accept the residual risk, or do we need to go back and lower that risk again? To do that, that may involve adding additional controls. Or maybe our authorizing official said, "I don't like the fact that you categorized that system as a low. I think it should be a medium, and therefore it needs additional controls."
[00:02:35] In which case, you're going to go back into step two, recategorize the system, then go to step three, select additional controls, go into step four, implement those controls, go into step five, bring that assessor back in to make sure those controls have been implemented properly, and then you can ask again for that risk decision here in the authorized step. So sometimes these things aren't linear, and we do have to circle back and start earlier again in the process if we didn't get approval as we went along with all of our different things we did, such as categorization, selection, implementation, assessment, and now here in the authorized step. Now, when it comes to authorization, sometimes you are going to have difficulty figuring out who is going to be the authority for that package. Now in general, you do want to figure this out back in step one with the preparation step, but sometimes the operating environment changes while you're working on an RMF package. For example, about 10 years ago, I was working with the Navy, and the Navy created a new command called Fleet Cyber Command.
[00:03:32] Now, Fleet Cyber Command was now going to be the organization in charge of authorization for all packages, no matter where it was going to operate in the world. As long as it was operating on a Navy network or a Navy system, it would have to go back to Fleet Cyber Command for their approval. Now, a lot of the other commanders in different areas of the world, such as the Pacific region or the Africa region or the Europe region, thought, "Hey, that doesn't seem right to me. I used to be the authorizing official for all the computer networks in my region of the world. I should still be able to do that because it's operating on my network in my geographical region." And so, there were a lot of fights that were happening between different admirals and staffs trying to determine who was going to be the authorizing official, and why were the people who used to be the authorizing official no longer able to be the authorizing official anymore, because it was all being recentralized back at Fleet Cyber Command.
[00:04:22] So when that change happened, there were actually packages that were going through the RMF process, and when they started in step one, they thought that the regional commander was going to be their authorizing official, so they built out the system based on that risk level and that risk tolerance that those commanders had. But by the time the package got to step six for the authorization, it was now a different authorizing official, and this meant there were a lot of differences between what was delivered as the RMF package to one commander's level instead of the current commander's level, and this additionally caused problems where a lot of packages got held up because of this. Now, luckily, over the last five to 10 years, a lot of that has gotten sorted out, and people now understand which is the right authorizing person. But as with everything in the government, what's old becomes new again, and changes happen all the time.
[00:05:09] So if there's a big organizational shift in your company or your organization, you may have an authorizing official who you thought was going to review your package who is no longer going to be that person, and this can cause issues for you. So like I said, I saw this issue happen with operational commanders having the issue with Fleet Cyber Command being the authorizing official. The operational commanders thought they should still be able to approve it because it's the things they wanted done. And if they wanted something done, such as a new system, they didn't want to have to wait for somebody on the other side of the world to approve it for them. And so you could see that there was this difference between who wanted to be the authorizing official and who was dictated as the authorizing official, and this can lead to a lot of delays in the process.
[00:05:50] Now overall, if you do a good job in your preparation phase, you'll be able to identify these pain points early on and be able to find ways to get around these blockages and be able to get things going again. Now, the biggest thing that I find that's the issue these days when it comes to the authorization step is actually finding somebody who has time to go through that package and then say yes or no to it. In the case of the Navy, they were using Fleet Cyber Command as their single authorization authority, and the person who is in charge of Fleet Cyber Command is a three-star admiral. Now, unfortunately, this three-star admiral is a really busy person, and so they don't have time to read through 200, 300 or 400 pages of documentation every time somebody wants something approved inside of RMF. So they delegated it down from the admiral level into a senior officer level. Generally, this was somebody as a civilian who was a GS-13, 14, or 15, or an officer as an O-4, O-5 or O-6 inside of Fleet Cyber Command.
[00:06:47] And so, instead of having a single authority, which was the admiral, that was now delegated down to this team of authorizing officials, which had about five to 10 people. Now, that means for everybody in the Navy worldwide, which is millions of end users, anything that needed to be approved had to go through these five to 10 people. And that's what I mean by the fact that it's important to understand who is going to be the one making this authorization decision, because everybody has a different risk tolerance and everybody has a different way that they like to see their packages. Now, in addition to the fact that different people like to look at packages a different way, there's also the issue of some people just being busier than others. So as I said, there may have been five or 10 people who were authorized to look at and approve these RMF packages, but those five to 10 people didn't all operate at the same speed or in the same ways.
[00:07:34] So you may be assigned person number one, and person number one might tell you, "Yes, I've got time to go through your 300-page RMF package. I'll be happy to go ahead and get that done for you." And you think it's going to take maybe a couple of days. Well, a week or two goes by and it's still not back. Another week or two goes by and it's still not back. At this point, it's been a month. Maybe we're getting into month number two and it still hasn't come back yet. So you reach out to that authorizing official and say, "What's going on?" And they say, "Oh, yeah, yeah, I just didn't have time for it. It's in my pile. I'll get to it, I'll get to it, I'll get to it." Well, the problem with that is it's still sitting in their pile. And so, if it's stuck in that person's pile and new ones are coming in all the time, you may be getting buried towards the bottom of that pile.
[00:08:14] So again, this is where your soft skills can come and help, where you can work with that person to get your package back up to the top of their priorities so they can, hopefully, get through it and get you an answer in a timely manner. Now also, when you're going through this authorized step, it's important to understand what you're trying to achieve as the result of this authorized step. You are looking to get one of three possible outcomes. The first outcome is that your package can be accepted the way it is and you get a full ATO, which is an authorization to operate. This ATO is valid for three years on average and allows you to be able to go and connect your system to the network and start using it. The second thing you can get is a straight-up denial. Basically, they'll say, "There's too much risk. I am not having it. No, you cannot connect this." And in that case, you need to ask them, what things would I need to do? What is the level of risk that you want?
[00:09:03] And that way you can go back and recategorize, reselect and re-implement those controls to get that risk down to an acceptable level. And the third thing you might get is what's called an interim authority to operate, or an IATO. Now, an IATO is basically a mini ATO. With the IATO, we call this an interim ATO because it's only valid for one year, or 12 months. Essentially, with an IATO, you're able to connect your system to the network for the next 12 months. And during that time, you can work on mitigating that risk down to a lower level. For example, let's say the authorizing official looked at all of your documentation and they said, "You know what? This system is pretty risky. It's not so risky that I'm going to deny you, but I'm not going to give you a full authorization to operate where I'm not going to look at this package again for another three years. So in this case, here are the things I want you to do to get this risk level down in the next 12 months."
[00:09:56] So during that next 12 months, you're able to connect the system, you can continue to implement your controls, you can continue to assess your controls and show what you're going to do to get that level of risk down to an acceptable level. Once you do, that IATO, or interim authority to operate, can then transition into a full authority to operate, or ATO, that gives you the full 36-month or three-year refresh cycle. So at this point, you'll now have a POA&M, or a Plan of Action and Milestones, that you can then implement based on those new controls you've been selecting to bring that risk down to an acceptable level, and it'll move you from an IATO into an ATO if you've been able to mitigate that risk down to an acceptable level that works with the authorization step for you.

[00:10:39] (dramatic music)