SECURITY CATEGORIZATION REVIEW AND APPROVAL
TASK C-3
Review and approve the security categorization results and decision.
Potential Inputs: Impact levels determined for each information type and for each security objective (confidentiality, integrity, availability); security categorization based on high-water mark of information type impact levels; list of high value assets for the organization.
Expected Outputs: Approval of security categorization for the system.
Primary Responsibility: Authorizing Official or Authorizing Official Designated Representative; Senior Agency Official for Privacy. [75]
Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Chief Information Officer; Senior Agency Information Security Officer.
System Development Life Cycle Phase: New – Initiation (concept/requirements definition). Existing – Operations/Maintenance.
Discussion: For information systems that process PII, the senior agency official for privacy reviews and approves the security categorization results and decision prior to the authorizing official’s review. [76] Security categorization results and decisions are reviewed by the authorizing official or a designated representative to ensure that the security category selected for the information system is consistent with the mission and business functions of the organization and the need to adequately protect those missions and functions. The authorizing official or designated representative reviews the categorization results and decision from an organization-wide perspective, including how the decision aligns with the categorization decisions for all other organizational systems. The authorizing official collaborates with the senior accountable official for risk management or the risk executive (function) to ensure that the categorization decision for the system is consistent with the organizational risk management strategy and satisfies requirements for high value assets. As part of the approval process, the authorizing official can provide specific guidance to the system owner with respect to any limitations on baseline tailoring activities for the system that occur at the RMF Select step (see Task S-2). If the security categorization decision is not approved, the system owner initiates steps to repeat the categorization process and resubmits the adjusted results to the authorizing official or designated representative. System registration information is subsequently updated with the approved security categorization information (see Task P-18).
References: [FIPS 199]; [SP 800-30]; [SP 800-39] (Organization Level); [SP 800-160 v1] (Stakeholder Needs and Requirements Definition Process); [CNSSI 1253]; [NIST CSF] (Core [Identify Function]).
[75] The senior agency official for privacy participates in determining whether the information processed by the information system is considered PII, and is involved in reviewing and approving the categorization for such systems.
[76] The responsibilities of the senior agency official for privacy are detailed in [OMB A-130].