RMF step 1 - Categorize the authorization package

  • Release version: Australia
  • Updated March 12, 2026

  In the Categorize step, you define the criticality or sensitivity of your information system according to potential worst-case scenarios. This involves selecting NIST information types for the package and using the information types to define the impact levels for the package.

    Before you begin

    Role required to use Categorize:
    • sn_irm_cont_auth.system_owner
    • sn_irm_cont_auth.info_system_sec_manager
    • sn_irm_cont_auth.info_system_sec_officer
    Role required to write to an authorization package:
    • sn_irm_cont_auth.admin
    • sn_irm_cont_auth.system_owner
    • sn_irm_cont_auth.info_system_sec_manager
    • sn_irm_cont_auth.authorization_official
    • sn_irm_cont_auth.info_system_sec_officer
    Role required to select information types:
    • sn_irm_cont_auth.admin
    • sn_irm_cont_auth.system_owner

    Role required to write to overridden fields on the Package form: sn_irm_cont_auth.system_owner

    About this task

    When you click Categorize on the Authorization Package form, an Impact field, an Impact tab, and an Information Types related list appear on the form.

    Procedure

    1. In the Information Types tab, select Edit.
      Note:
      As you select the information types, guidance about the selected information type appears, including name, categories, and the Confidentiality, Integrity, and Availability (CIA) ratings for the information type.
      Information Types selection form
    2. Multi-select the information types you want to select for this authorization package and move them to the Information Type List box.
    3. When you have completed your selections, select Save.

      The Information Types related list now contains the guidance information for the information types you selected.

      Information Types list
    4. Select the Impact tab and review the recommended impacts for the information types you selected.
      Note:
      The impacts displayed in the Recommended fields reflect the worst-case scenario of the information types you selected. For example, if you selected an information type with High CIA levels, the Recommended fields under the Impact tab would all show High levels of risk. The CIA levels are used to calculate the overall impact of the information types you selected, which is now displayed in the Impact field.
    5. To skip the attestation stage for all controls in this package, select the Skip attestations check box.
      This option is editable until the package reaches the Implement step, after which it becomes read-only.

      When enabled, the following changes apply to all controls generated from this package:

      • The Attest button is not available across all views: form view, list view, related list view, hierarchical grid view, and classic view.
      • Controls move directly from Draft to Review instead of passing through the attestation stage.
      • A Review button is available in the controls list view in the CAM workspace. When selected, the system checks each control's package configuration and moves only eligible controls to Review; controls from packages where Skip attestations is not enabled are skipped.
      • The following attestation-related UI elements are hidden on control and control requirement records:
        • Attestations related list on the control record
        • Attestation widgets on the control overview page
        • Attestations related list on the control requirement record
        • Attestation section in the control requirement details view

      This configuration applies only to controls generated from packages where Skip attestations is enabled. Controls from other packages, including other CAM packages where this option is not selected, continue to follow the standard attestation workflow and are not affected by this setting. Standard compliance controls on instances without CAM are also unaffected.

    6. You can override any of the impact levels by modifying the Overridden fields and providing a justification.

      As you provide overrides, the Impact field is updated based on the updated CIA levels.

      Impact override fields
      Important:
      It is vital that the Impact field accurately reflects the impact of the data you are authorizing. All processes downstream from this point rely on that impact level. According to NIST guidelines, the number of controls you must implement depends on the Impact, as follows:
      • High risk = 343 controls
      • Moderate risk = 262 controls
      • Low risk = 125 controls
    7. After you have defined the impact, select Request Approval.
      Authorization Package categorize to request for approval.
      An approval request is sent to the Authorizing Official, who will access My Approvals from the navigation pane and review the information in the package. When approval is received, the package transitions to the Select state.
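
The worst-case roll-up described in steps 4 and 6, as an added example that is not ServiceNow code: it computes the recommended CIA levels from the selected information types, applies justified overrides, and maps the resulting impact to the control counts listed above. It assumes the overall Impact is the highest of the three effective CIA levels (the FIPS 199/200 high-water mark); the function names, information type names, and ratings are constructed for illustration.

```python
# Added illustration, not ServiceNow code; type names and ratings are constructed.
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")
# Control counts per impact level, as listed on this page.
CONTROL_COUNTS = {"High": 343, "Moderate": 262, "Low": 125}


def recommended_impacts(info_types):
    """Worst-case (highest) rating per objective across the selected types."""
    if not info_types:
        raise ValueError("select at least one information type")
    return {obj: max((t[obj] for t in info_types), key=LEVELS.__getitem__)
            for obj in OBJECTIVES}


def apply_overrides(recommended, overrides):
    """overrides maps objective -> (level, justification); justification is required."""
    effective = dict(recommended)
    for obj, (level, justification) in overrides.items():
        if obj not in OBJECTIVES or level not in LEVELS:
            raise ValueError(f"invalid override: {obj}={level}")
        if not justification.strip():
            raise ValueError(f"override of {obj} needs a justification")
        effective[obj] = level
    return effective


def overall_impact(effective):
    """Assumed high-water mark: the highest of the three effective CIA levels."""
    return max(effective.values(), key=LEVELS.__getitem__)


def categorize(info_types, overrides=None):
    effective = apply_overrides(recommended_impacts(info_types), overrides or {})
    impact = overall_impact(effective)
    return {"cia": effective, "impact": impact, "controls": CONTROL_COUNTS[impact]}


# Constructed sample selection of two information types.
SELECTED = [
    {"name": "Sample type A", "confidentiality": "Low",
     "integrity": "Moderate", "availability": "Low"},
    {"name": "Sample type B", "confidentiality": "Moderate",
     "integrity": "Low", "availability": "High"},
]

if __name__ == "__main__":
    print(categorize(SELECTED))
    print(categorize(SELECTED, {"availability": ("Moderate", "constructed justification")}))
```

A single High rating on one objective is enough to place the whole package at High, which is why an override that lowers it changes the control baseline and needs a recorded justification.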