Leveraged authorization is a process where an organization accepts an existing authorization of a system, service, or application from another organization to avoid redundant assessment and authorization efforts. In the scenario described, a single complex information system is used by two agencies. This system is defined by a single, unique accreditation boundary. One agency (the provider or owner) performs the initial authorization. The second agency then "leverages" this existing authorization package to grant its own Authority to Operate (ATO). Although two agencies issue separate ATOs, they are both for the same system contained within that single boundary. Therefore, the minimum number of system boundaries is one.

B. Only two, because there are two agencies.

This is incorrect. The number of agencies using a system does not dictate the number of system boundaries. Leveraged authorization is designed for a single system to be used by multiple entities.

C. At least two.

This is incorrect. The principle of leveraged authorization for a shared or common system is most efficient when applied to a single system with one boundary, making one the minimum.

D. A leveraged authorization cannot be conducted with more that one agency involved.

This is incorrect. The concept of "leveraged" authorization inherently requires at least two parties: the entity providing the authorization package and the entity leveraging it.

---

1. NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

Section 2.5, "Relationship Among Authorizations," describes leveraged authorizations: "An authorization based on a leveraged authorization is an authorization decision that is based, in part, on another authorization decision." This confirms that one system's authorization can be the basis for another agency's decision, implying a single system boundary is the subject.

Appendix F, "Authorization Boundary," defines the authorization boundary as encompassing all components of a single information system to be authorized. This supports the concept of one system having one boundary, regardless of the number of consuming agencies.

2. Federal Risk and Authorization Management Program (FedRAMP), Guide to Understanding FedRAMP.

"What is an Agency ATO?" section: This guide explains how federal agencies leverage the FedRAMP authorization of a Cloud Service Provider (CSP). The CSP's service has a single authorization boundary, and multiple agencies can grant their own ATOs by leveraging the single FedRAMP package. This is a direct, real-world application of the principle.

3. ISC2, (ISC)² CGRC Certified in Governance, Risk and Compliance Official Study Guide (1st ed.).

Chapter 4, "Select, Implement, and Assess Security and Privacy Controls": This chapter discusses the RMF process, including the concept of reciprocity and leveraging existing authorizations for common controls and shared systems, reinforcing that a single authorized system can serve multiple entities.