
TABLE E-7: MONITORING TASKS, RESPONSIBILITIES, AND SUPPORTING ROLES

RMF TASKS | PRIMARY RESPONSIBILITY | SUPPORTING ROLES

TASK M-1
System and Environment Changes
Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system.

  • System Owner or Common Control Provider
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Authorizing Official or Authorizing Official Designated Representative
  • Information Owner or Steward
  • System Security Officer
  • System Privacy Officer

TASK M-2
Ongoing Assessments
Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy.

  • Control Assessor
  • Authorizing Official or Authorizing Official Designated Representative
  • System Owner or Common Control Provider
  • Information Owner or Steward
  • System Security Officer
  • System Privacy Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy

TASK M-3
Ongoing Risk Response
Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in plans of action and milestones.

  • Authorizing Official
  • System Owner
  • Common Control Provider
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Authorizing Official Designated Representative
  • Information Owner or Steward
  • System Security Officer
  • System Privacy Officer
  • Systems Security Engineer
  • Privacy Engineer
  • Security Architect
  • Privacy Architect

TASK M-4
Authorization Package Updates
Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process.

  • System Owner
  • Common Control Provider
  • Information Owner or Steward
  • System Security Officer
  • System Privacy Officer
  • Senior Agency Official for Privacy
  • Senior Agency Information Security Officer

TASK M-5
Security and Privacy Reporting
Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy.

  • System Owner
  • Common Control Provider
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • System Security Officer
  • System Privacy Officer

TASK M-6
Ongoing Authorization
Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable.

  • Authorizing Official
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Chief Information Officer
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy
  • Authorizing Official Designated Representative

TASK M-7
System Disposal
Implement a system disposal strategy and execute required actions when a system is removed from operation.

  • System Owner
  • Authorizing Official or Authorizing Official Designated Representative
  • Information Owner or Steward
  • System Security Officer
  • System Privacy Officer
  • Senior Accountable Official for Risk Management or Risk Executive (Function)
  • Senior Agency Information Security Officer
  • Senior Agency Official for Privacy