AP – Authority and Purpose

The RMF Control Family AP, Authority and Purpose, addresses the need for organizations to have a formal process for authorizing information systems and ensuring that they are used for their intended purposes.

Controls in the AP Control Family

The AP Control Family includes the following controls:

  • AP-1: Information System Authorization: This control requires organizations to have a formal process for authorizing information systems. The authorization process should consider the following factors:
    • The security categorization of the information system
    • The risks to the information system
    • The organization’s mission and business needs
  • AP-2: Information System Designation: This control requires organizations to designate a system owner for each information system. The system owner is responsible for the overall security of the information system.
  • AP-3: Information System Purpose: This control requires organizations to document the purpose of each information system. The purpose statement should define the intended use of the information system and the users who are authorized to access it.
  • AP-4: Information System Risk Assessment: This control requires organizations to conduct risk assessments for each information system. The risk assessment should identify the threats and vulnerabilities affecting the information system, the likelihood that they are realized, and the impact if they are.
  • AP-5: Information System Security Requirements: This control requires organizations to develop security requirements for each information system. The security requirements should be based on the risk assessment and should address the following:
    • Access control
    • Audit and accountability
    • Awareness and training
    • Configuration management
    • Contingency planning
    • Identification and authentication
    • Incident response
    • Maintenance
    • Media protection
    • Physical and environmental protection
    • Risk assessment
    • Security assessment
    • System and communications protection
    • System and information integrity

Benefits of Implementing the AP Control Family

There are a number of benefits to implementing the AP Control Family, including:

  • Improved security: The AP Control Family helps to improve the security of information systems by ensuring that they are authorized and used for their intended purposes.
  • Reduced risk: The AP Control Family helps to reduce the risk of security incidents by identifying and mitigating the risks to information systems.
  • Compliance: The AP Control Family can help organizations comply with applicable laws and regulations, such as the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA).
  • Increased trust: By implementing the AP Control Family, organizations can demonstrate to their customers and partners that they are taking steps to protect their data.

How to Implement the AP Control Family

To implement the AP Control Family, organizations should follow these steps:

  1. Develop an information system authorization process.
  2. Designate a system owner for each information system.
  3. Document the purpose of each information system.
  4. Conduct a risk assessment for each information system.
  5. Develop security requirements for each information system.
  6. Implement the security requirements.
  7. Monitor and audit the implemented security requirements to confirm that they remain effective.
  8. Regularly review and update the information system authorization process, system designations, purpose statements, risk assessments, and security requirements.

Conclusion

The AP Control Family is an essential part of the RMF. By implementing the AP Control Family, organizations can improve the security of their information systems, reduce the risk of security incidents, comply with applicable laws and regulations, and increase trust with their customers and partners.