Link Search Menu Expand Document
NIST SP 800-37

SYSTEM STAKEHOLDERS

TASK P-9

Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system.
Potential Inputs: Organizational mission statement; mission or business objectives; missions, business functions, and mission/business processes that the system will support; other mission/business process information; organizational security and privacy policies and procedures; organizational charts; information about individuals or groups (internal and external) that have an interest in and decision- making responsibility for the system.
Expected Outputs: List of system stakeholders.
Primary Responsibility: Mission or Business Owner; System Owner.
Supporting Roles: Chief Information Officer; Authorizing Official or Authorizing Official Designated Representative; Information Owner or Steward; Senior Agency Information Security Officer; Senior Agency Official for Privacy; Chief Acquisition Officer.
System Development Life Cycle Phase: New – Initiation (concept/requirements definition). Existing – Operations/Maintenance.
Discussion: Stakeholders include individuals, organizations, or representatives that have an interest in the system throughout the system life cycle—for design, development, implementation, delivery, operation, and sustainment of the system. It also includes all aspects of the supply chain. Stakeholders may reside in the same organization or they may reside in different organizations in situations when there is a common interest by those organizations in the information system. For example, this may occur during the development, operation, and maintenance of cloud-based systems, shared service systems, or any system where organizations may be adversely impacted by a breach or a compromise to the system or for a variety of considerations related to the supply chain. Communication among stakeholders is important during every step in the RMF and throughout the SDLC to ensure that security and privacy requirements are satisfied, concerns and issues are addressed expeditiously, and risk management processes are carried out effectively.
References: [SP 800-39] (Organization Level); [SP 800-64]; [SP 800-160 v1] (Stakeholder Needs and Requirements Definition and Portfolio Management Processes); [SP 800-161]; [NIST CSF] (Core [Identify Function]).