3.6 AUTHORIZE
Purpose
The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation based on the operation of a system or the use of common controls, is acceptable.
AUTHORIZE TASKS
Table 7 provides a summary of tasks and expected outcomes for the RMF Authorize step. Applicable Cybersecurity Framework constructs are also provided.
TABLE 7: AUTHORIZE TASKS AND OUTCOMES
Tasks | Outcomes
TASK R-1 AUTHORIZATION PACKAGE | • An authorization package is developed for submission to the authorizing official.
TASK R-2 RISK ANALYSIS AND DETERMINATION | • A risk determination by the authorizing official that reflects the risk management strategy, including risk tolerance, is rendered.
TASK R-3 RISK RESPONSE | • Risk responses for determined risks are provided. [Cybersecurity Framework: ID.RA-6]
TASK R-4 AUTHORIZATION DECISION | • The authorization for the system or the common controls is approved or denied.
TASK R-5 AUTHORIZATION REPORTING | • Authorization decisions, significant vulnerabilities, and risks are reported to organizational officials.
Quick link to summary table for RMF tasks, responsibilities, and supporting roles.
Table of contents
- AUTHORIZATION PACKAGE, TASK R-1
- RISK ANALYSIS AND DETERMINATION, TASK R-2
- RISK RESPONSE, TASK R-3
- AUTHORIZATION DECISION, TASK R-4
- AUTHORIZATION REPORTING, TASK R-5