TABLE E-6: AUTHORIZATION TASKS, RESPONSIBILITIES, AND SUPPORTING ROLES

RMF TASKS | PRIMARY RESPONSIBILITY | SUPPORTING ROLES

TASK R-1
Authorization Package
Assemble the authorization package and submit the package to the authorizing official for an authorization decision.

  • System Owner
  • Common Control Provider
  • System Security Officer
  • System Privacy Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Control Assessor

TASK R-2
Risk Analysis and Determination
Analyze and determine the risk from the operation or use of the system or the provision of common controls.

  • Authorizing Official or Authorizing Official Designated Representative
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy

TASK R-3
Risk Response
Identify and implement a preferred course of action in response to the risk determined.

  • Authorizing Official or Authorizing Official Designated Representative
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • System Owner or Common Control Provider
  • Information Owner or Steward
  • Systems Security Engineer
  • Privacy Engineer
  • System Security Officer
  • System Privacy Officer

TASK R-4
Authorization Decision
Determine if the risk from the operation or use of the information system or the provision or use of common controls is acceptable.

  • Authorizing Official
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Chief Information Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Authorizing Official Designated Representative

TASK R-5
Authorization Reporting
Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk.

  • Authorizing Official or Authorizing Official Designated Representative
  • System Owner or Common Control Provider
  • Information Owner or Steward
  • System Security Officer
  • System Privacy Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy