
TABLE E-1: PREPARE TASKS, RESPONSIBILITIES, AND SUPPORTING ROLES

RMF TASKS | PRIMARY RESPONSIBILITY | SUPPORTING ROLES
Organization Level

TASK P-1
Risk Management Roles
Identify and assign individuals to specific roles associated with security and privacy risk management.

  • Head of Agency
  • Chief Information Officer
  • Senior Agency Official for Privacy
  • Authorizing Official or Authorizing Official Designated Representative
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Senior Agency Information Security Officer

TASK P-2
Risk Management Strategy
Establish a risk management strategy for the organization that includes a determination of risk tolerance.

  • Head of Agency
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Chief Information Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy

TASK P-3
Risk Assessment—Organization
Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis.

  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Chief Information Officer
  • Authorizing Official or Authorizing Official Designated Representative
  • Mission or Business Owner

TASK P-4
Organizationally-Tailored Control Baselines and Cybersecurity Framework Profiles (Optional)
Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles.

  • Mission or Business Owner
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Chief Information Officer
  • Authorizing Official or Authorizing Official Designated Representative
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy

TASK P-5
Common Control Identification
Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems.

  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Mission or Business Owner
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Chief Information Officer
  • Authorizing Official or Authorizing Official Designated Representative
  • Common Control Provider
  • System Owner

TASK P-6
Impact-Level Prioritization (Optional)
Prioritize organizational systems with the same impact level.

  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Mission or Business Owner
  • System Owner
  • Chief Information Officer
  • Authorizing Official or Authorizing Official Designated Representative

TASK P-7
Continuous Monitoring Strategy—Organization
Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.

  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Chief Information Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Mission or Business Owner
  • System Owner
  • Authorizing Official or Authorizing Official Designated Representative

System Level

TASK P-8
Mission or Business Focus
Identify the missions, business functions, and mission/business processes that the system is intended to support.

  • Mission or Business Owner
  • Authorizing Official or Authorizing Official Designated Representative
  • System Owner
  • Information Owner or Steward
  • Chief Information Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy

TASK P-9
System Stakeholders
Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system.

  • Mission or Business Owner
  • System Owner
  • Chief Information Officer
  • Authorizing Official or Authorizing Official Designated Representative
  • Information Owner or Steward
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Chief Acquisition Officer

TASK P-10
Asset Identification
Identify assets that require protection.

  • System Owner
  • Authorizing Official or Authorizing Official Designated Representative
  • Mission or Business Owner
  • Information Owner or Steward
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • System Administrator

TASK P-11
Authorization Boundary
Determine the authorization boundary of the system.

  • Authorizing Official
  • Chief Information Officer
  • Mission or Business Owner
  • System Owner
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Enterprise Architect

TASK P-12
Information Types
Identify the types of information to be processed, stored, and transmitted by the system.

  • System Owner
  • Information Owner or Steward
  • System Security Officer
  • System Privacy Officer
  • Mission or Business Owner

TASK P-13
Information Life Cycle
Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system.

  • Senior Agency Official for Privacy
  • System Owner
  • Information Owner or Steward
  • Chief Information Officer
  • Mission or Business Owner
  • Security Architect
  • Privacy Architect
  • Enterprise Architect
  • Systems Security Engineer
  • Privacy Engineer

TASK P-14
Risk Assessment—System
Conduct a system-level risk assessment and update the risk assessment results on an ongoing basis.

  • System Owner
  • System Security Officer
  • System Privacy Officer
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Authorizing Official or Authorizing Official Designated Representative
  • Mission or Business Owner
  • Information Owner or Steward
  • System Security Officer

TASK P-15
Requirements Definition
Define the security and privacy requirements for the system and the environment of operation.

  • Mission or Business Owner
  • System Owner
  • Information Owner or Steward
  • System Privacy Officer
  • Authorizing Official or Authorizing Official Designated Representative
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • System Security Officer
  • Chief Acquisition Officer
  • Security Architect
  • Privacy Architect
  • Enterprise Architect

TASK P-16
Enterprise Architecture
Determine the placement of the system within the enterprise architecture.

  • Mission or Business Owner
  • Enterprise Architect
  • Security Architect
  • Privacy Architect
  • Chief Information Officer
  • Authorizing Official or Authorizing Official Designated Representative
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • System Owner
  • Information Owner or Steward

TASK P-17
Requirements Allocation
Allocate security and privacy requirements to the system and to the environment of operation.

  • Security Architect
  • Privacy Architect
  • System Security Officer
  • System Privacy Officer
  • Chief Information Officer
  • Authorizing Official or Authorizing Official Designated Representative
  • Mission or Business Owner
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • System Owner

TASK P-18
System Registration
Register the system with organizational program or management offices.

  • System Owner
  • Mission or Business Owner
  • Chief Information Officer
  • System Security Officer
  • System Privacy Officer