What does PM-10 Security Auth Process require?


Multiple Choice

What does PM-10 Security Auth Process require?

Explanation:
The essential requirement is a formal risk management approach applied through the Risk Management Framework with the use of the related security standards and guidelines. This framework provides a repeatable lifecycle—categorize the system, select and implement controls, assess them, obtain an authorization to operate, and then continuously monitor the system. The standards and guidelines come from NIST, notably the RMF guidance and the security controls catalog (for example, SP 800-37 and SP 800-53), ensuring a comprehensive set of protections that are tested and maintained over time. Relying only on FIPS 140-2 would address cryptographic module requirements but miss the broader spectrum of controls necessary for a federal system. Without a formal framework, informal best practices do not provide the structured assessment and ongoing oversight required for authorization. And NIST does not issue deployment certifications; an Authorizing Official makes the authorization decision after the RMF assessment.