TABLE E-5: ASSESSMENT TASKS, RESPONSIBILITIES, AND SUPPORTING ROLES

RMF TASKS | PRIMARY RESPONSIBILITY | SUPPORTING ROLES

TASK A-1
Assessor Selection
Select the appropriate assessor or assessment team for the type of control assessment to be conducted.

  • Authorizing Official or Authorizing Official Designated Representative
  • Chief Information Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy

TASK A-2
Assessment Plan
Develop, review, and approve plans to assess implemented controls.

  • Authorizing Official or Authorizing Official Designated Representative
  • Control Assessor
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • System Owner
  • Common Control Provider
  • Information Owner or Steward
  • System Security Officer
  • System Privacy Officer

TASK A-3
Control Assessments
Assess the controls in accordance with the assessment procedures described in assessment plans.

  • Control Assessor
  • Authorizing Official or Authorizing Official Designated Representative
  • System Owner
  • Common Control Provider
  • Information Owner or Steward
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • System Security Officer
  • System Privacy Officer

TASK A-4
Assessment Reports
Prepare the assessment reports documenting the findings and recommendations from the control assessments.

  • Control Assessor
  • System Owner
  • Common Control Provider
  • System Security Officer
  • System Privacy Officer

TASK A-5
Remediation Actions
Conduct initial remediation actions on the controls and reassess remediated controls.

  • System Owner
  • Common Control Provider
  • Control Assessor
  • Authorizing Official or Authorizing Official Designated Representative
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Information Owner or Steward
  • Systems Security Engineer
  • Privacy Engineer
  • System Security Officer
  • System Privacy Officer

TASK A-6
Plan of Action and Milestones
Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports.

  • System Owner
  • Common Control Provider
  • Information Owner or Steward
  • System Security Officer
  • System Privacy Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Chief Acquisition Officer
  • Control Assessor