Link Search Menu Expand Document
NIST SP 800-37

PLAN REVIEW AND APPROVAL

TASK S-6

Review and approve the security and privacy plans for the system and the environment of operation.
Potential Inputs: Security and privacy plans; organization- and system-level risk assessment results.
Expected Outputs: Security and privacy plans approved by the authorizing official.
Primary Responsibility: Authorizing Official or Authorizing Official Designated Representative.
Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Chief Information Officer; Chief Acquisition Officer; Senior Agency Information Security Officer; Senior Agency Official for Privacy.
System Development Life Cycle Phase: New – Development/Acquisition. Existing – Operations/Maintenance.
Discussion: The security and privacy plan review by the authorizing official or designated representative with support from the senior accountable official for risk management or risk executive (function), chief information officer, senior agency information security officer, and senior agency official for privacy, determines if the plans are complete, consistent, and satisfy the stated security and privacy requirements for the system. Based on the results from this review, the authorizing official or designated representative may recommend changes to the security and privacy plans. If the plans are unacceptable, the system owner or common control provider make appropriate changes to the plans. If the plans are acceptable, the authorizing official or designated representative approves the plans.

The acceptance of the security and privacy plans represents an important milestone in the SDLC and risk management process. The authorizing official or designated representative, by approving the plans, agrees to the set of controls (i.e., system-specific, hybrid, or common controls) and the description of the proposed implementation of the controls to meet the security and privacy requirements for the system and the environment in which the system operates.84 The approval of the plans allows the risk management process to proceed to the RMF Implement step. The approval of the plans also establishes the level of effort required to successfully complete the remainder of the RMF steps and provides the basis of the security and privacy specifications for the acquisition of the system or individual system elements.

References: [SP 800-30]; [SP 800-53]; [SP 800-160 v1] (System Requirements Definition, Architecture Definition, and Design Definition Processes).

84 After the initial review and approval of the system security plan by the authorizing official, any subsequent authorization-related actions (e.g., reauthorizations or ongoing authorizations) provide an inherent review and approval of the system security plan since it is included in the authorization package.