Authorization (to operate)

The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. (SP 800-53; SP 800-53A; CNSSI-4009; SP 800-37) (NISTIR).

Source: The Cyber Glossary, National Security Archive, George Washington University,