The purpose of the Authorize step is to provide organizational accountability by requiring a senior management official to determine if the security and privacy risk (including supply chain risk) to organizational operations and assets, individuals, other organizations, or the Nation based on the operation of a system or the use of common controls, is acceptable.
Table 7 provides a summary of tasks and expected outcomes for the RMF Authorize step. Applicable Cybersecurity Framework constructs are also provided.
TABLE 7: AUTHORIZE TASKS AND OUTCOMES
| TASK R-1|
| • An authorization package is developed for submission to the authorizing official.|
| TASK R-2|
RISK ANALYSIS AND DETERMINATION
| • A risk determination by the authorizing official that reflects the risk management strategy including risk tolerance, is rendered.|
| TASK R-3|
| • Risk responses for determined risks are provided.|
[Cybersecurity Framework: ID.RA-6]
| TASK R-4|
| • The authorization for the system or the common controls is approved or denied.|
| TASK R-5|
| • Authorization decisions, significant vulnerabilities, and risks are reported to organizational officials.|
Quick link to summary table for RMF tasks, responsibilities, and supporting roles.
Table of contents
- • AUTHORIZATION PACKAGE, TASK R-1
- • RISK ANALYSIS AND DETERMINATION, TASK R-2
- • RISK RESPONSE, TASK R-3
- • AUTHORIZATION DECISION, TASK R-4
- • AUTHORIZATION REPORTING, TASK R-5