
TABLE E-3: SELECTION TASKS, RESPONSIBILITIES, AND SUPPORTING ROLES

RMF TASKS | PRIMARY RESPONSIBILITY | SUPPORTING ROLES

TASK S-1
Control Selection
Select the controls for the system and the environment of operation.

  • System Owner
  • Common Control Provider
  • Authorizing Official or Authorizing Official Designated Representative
  • Information Owner or Steward
  • Systems Security Engineer
  • Privacy Engineer
  • System Security Officer
  • System Privacy Officer

TASK S-2
Control Tailoring
Tailor the controls selected for the system and the environment of operation.

  • System Owner
  • Common Control Provider
  • Authorizing Official or Authorizing Official Designated Representative
  • Information Owner or Steward
  • Systems Security Engineer
  • Privacy Engineer
  • System Security Officer
  • System Privacy Officer

TASK S-3
Control Allocation
Allocate security and privacy controls to the system and to the environment of operation.

  • Security Architect
  • Privacy Architect
  • System Security Officer
  • System Privacy Officer
  • Chief Information Officer
  • Authorizing Official or Authorizing Official Designated Representative
  • Mission or Business Owner
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • System Owner

TASK S-4
Documentation of Planned Control Implementations
Document the controls for the system and environment of operation in security and privacy plans.

  • System Owner
  • Common Control Provider
  • Authorizing Official or Authorizing Official Designated Representative
  • Information Owner or Steward
  • Systems Security Engineer
  • Privacy Engineer
  • System Security Officer
  • System Privacy Officer

TASK S-5
Continuous Monitoring Strategy—System
Develop and implement a system-level strategy for monitoring control effectiveness that is consistent with and supplements the organizational continuous monitoring strategy.

  • System Owner
  • Common Control Provider
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Chief Information Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Authorizing Official or Authorizing Official Designated Representative
  • Information Owner or Steward
  • Security Architect
  • Privacy Architect
  • Systems Security Engineer
  • Privacy Engineer
  • System Security Officer
  • System Privacy Officer

TASK S-6
Plan Review and Approval
Review and approve the security and privacy plans for the system and the environment of operation.

  • Authorizing Official or Authorizing Official Designated Representative
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Chief Information Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Chief Acquisition Officer