3.2 CATEGORIZE [74]
Purpose
The purpose of the Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.
CATEGORIZE TASKS
Table 3 provides a summary of tasks and expected outcomes for the RMF Categorize step. Applicable Cybersecurity Framework constructs are also provided.
TABLE 3: CATEGORIZE TASKS AND OUTCOMES
Tasks | Outcomes
TASK C-1 SYSTEM DESCRIPTION | • The characteristics of the system are described and documented. [Cybersecurity Framework: Profile]
TASK C-2 SECURITY CATEGORIZATION | • A security categorization of the system, including the information processed by the system represented by the organization-identified information types, is completed. [Cybersecurity Framework: ID.AM-1; ID.AM-2; ID.AM-3; ID.AM-4; ID.AM-5] • Security categorization results are documented in the security, privacy, and SCRM plans. [Cybersecurity Framework: Profile] • Security categorization results are consistent with the enterprise architecture and commitment to protecting organizational missions, business functions, and mission/business processes. [Cybersecurity Framework: Profile] • Security categorization results reflect the organization’s risk management strategy.
TASK C-3 SECURITY CATEGORIZATION REVIEW AND APPROVAL | • The security categorization results are reviewed and the categorization decision is approved by senior leaders in the organization.
[74] The RMF Categorize step is a precondition for the selection of security controls. However, for privacy, there are other factors considered by organizations that guide and inform the selection of privacy controls. These factors are described in the RMF Prepare-System Level step, Task P-15.
Table of contents
- SYSTEM DESCRIPTION, TASK C-1
- SECURITY CATEGORIZATION, TASK C-2
- SECURITY CATEGORIZATION REVIEW AND APPROVAL, TASK C-3