Plan of Action and Milestone (POA&M)-Identifies vulnerability, resources, impact, recommendation and time needed to resolve identified vulnerabilities during the assessment phase. This is prepared by the C&A analyst and the system Owner.
Security Authorization Package is reviewed by the AO to issue
ATO Authorize to Operate (ATO) letter-AO accepts all risks associated with the system
Interim Authorize to Operate letter-AO issues a conditional ATO pending system owner solving all POAM items within a specific period of time, usually 6 months
Denial Authorization to Operate-AO does not issue ATO pending system owner solving all POAM items identified