Which of the following is NOT included in an Authorization Package?

Enhance your preparation for the Federal IT Security Professional Test. Use quizzes, flashcards, and detailed explanations to ensure success. Stay ahead in the field of IT Security!

Multiple Choice

Which of the following is NOT included in an Authorization Package?

Explanation:
Authorization packages bring together the documents that show a system's security controls are in place and have been assessed, and that a plan exists to remediate any weaknesses. The System Security Plan (SSP) describes how controls are implemented, the Security Assessment Report (SAR) documents the findings of the assessment, and the Plan of Action and Milestones (POA&M) lays out the steps and timelines to address identified issues. The act of accepting residual risk, a management decision about how much risk the organization is willing to tolerate after mitigation, belongs to the authorization decision process. It is typically documented separately (for example, in the authorization decision letter or a separate risk-acceptance record), not as a component of the standard package of SSP, SAR, and POA&M.

