
3.3 SELECT

Purpose

The purpose of the Select step is to select, tailor, and document the controls necessary to protect the information system and organization commensurate with risk to organizational operations and assets, individuals, other organizations, and the Nation.

SELECT TASKS

Table 4 provides a summary of tasks and expected outcomes for the RMF Select step. Applicable Cybersecurity Framework constructs are also provided.

TABLE 4: SELECT TASKS AND OUTCOMES

| Tasks | Outcomes |
|---|---|
| TASK S-1: CONTROL SELECTION | • Control baselines necessary to protect the system commensurate with risk are selected. [Cybersecurity Framework: Profile] |
| TASK S-2: CONTROL TAILORING | • Controls are tailored producing tailored control baselines. [Cybersecurity Framework: Profile] |
| TASK S-3: CONTROL ALLOCATION | • Controls are designated as system-specific, hybrid, or common controls. • Controls are allocated to the specific system elements (i.e., machine, physical, or human elements). [Cybersecurity Framework: Profile; PR.IP] |
| TASK S-4: DOCUMENTATION OF PLANNED CONTROL IMPLEMENTATIONS | • Controls and associated tailoring actions are documented in security and privacy plans or equivalent documents. [Cybersecurity Framework: Profile] |
| TASK S-5: CONTINUOUS MONITORING STRATEGY—SYSTEM | • A continuous monitoring strategy for the system that reflects the organizational risk management strategy is developed. [Cybersecurity Framework: ID.GV; DE.CM] |
| TASK S-6: PLAN REVIEW AND APPROVAL | • Security and privacy plans reflecting the selection of controls necessary to protect the system and the environment of operation commensurate with risk are reviewed and approved by the authorizing official. |

Quick link to summary table for RMF tasks, responsibilities, and supporting roles.

