Allocate security and privacy requirements to the system and to the environment of operation.
Potential Inputs: Organization- and system-level risk assessment results; documented security and privacy requirements; organization- and system-level risk assessment results; list of common control providers and common controls available for inheritance; system description; system element information; system component inventory; relevant laws, executive orders, directives, regulations, and policies.
Expected Outputs: List of security and privacy requirements allocated to the system, system elements, and the environment of operation.
Primary Responsibility: Security Architect; Privacy Architect; System Security Officer; System Privacy Officer.
Supporting Roles: Chief Information Officer; Authorizing Official or Authorizing Official Designated Representative; Mission or Business Owner; Senior Agency Information Security Officer; Senior Agency Official for Privacy; System Owner.
System Development Life Cycle Phase: New – Initiation (concept/requirements definition). Existing – Operations/Maintenance.
Discussion: Security and privacy requirements are allocated to guide and inform control selection and implementation for the organization, system, system elements, and/or environment of operation.73 Requirements allocation identifies where controls will be implemented. The allocation of requirements conserves resources and helps to streamline the risk management process by ensuring that requirements are not implemented on multiple systems or system elements when implementation of a common control or a system-level control on a specific system element provides the needed protection capability.
References: [SP 800-39] (Organization, Mission/Business Process, and System Levels); [SP 800-64]; [SP 800-160 v1] (System Requirements Definition Process); [NIST CSF] (Core [Identify Function]; Profiles); [OMB FEA].
73 The environment of operation for an information system refers to the physical surroundings in which the system processes, stores, and transmits information. For example, security requirements are allocated to the facilities where the system is located and operates. Those security requirements can be satisfied by the physical security controls in [SP 800-53]