Initial Authorization - Before the system is put into production (operation/maintenance phase). No assessment has been done before.
Ongoing Authorization (OA) - Subsequent risk determination based on agreed events. OA is event driven.
Examples of events: new threat/vulnerability, increased number of weaknesses, change in Authorizing Official (AO), new business mission/requirement, or significant operational or inventory change.
Reauthorization is time driven, mostly three years after the initial authorization.