In the Categorize step, you define the criticality or sensitivity of your information system according to potential worst-case scenarios. This involves selecting NIST information types for the package and using the information types to define the impact levels for the package.
Before you begin
Role required to use Categorize:
sn_irm_cont_auth.system_owner
sn_irm_cont_auth.info_system_sec_manager
sn_irm_cont_auth.info_system_sec_officer
Role required to write to an authorization package:
sn_irm_cont_auth.admin
sn_irm_cont_auth.system_owner
sn_irm_cont_auth.info_system_sec_manager
sn_irm_cont_auth.authorization_official
sn_irm_cont_auth.info_system_sec_officer
Role required to select information types:
sn_irm_cont_auth.admin
sn_irm_cont_auth.system_owner
Role required to write to overridden fields on the Package form: sn_irm_cont_auth.system_owner
About this task
When you click Categorize on the Authorization Package form, an Impact field, an Impact tab, and an Information Types related list appear on the form.
Procedure
In the Information Types tab, select Edit.
Note:
As you select the information types, guidance about the selected information type appears, including name, categories, and the Confidentiality, Integrity, and Availability (CIA) ratings for the information type.
Multi-select the information types you want to select for this authorization package and move them to the Information Type List box.
When you have completed your selections, select Save.
The Information Types related list now contains the guidance information for the information types you selected.
Select the Impact tab and review the recommended impacts for the information types you selected.
Note:
The impacts displayed in the Recommended fields reflect the worst-case scenario of the information types you selected. For example, if you selected an information type with High CIA levels, the Recommended fields under the Impact tab would all show High levels of risk. The CIA levels are used to calculate the overall impact of the information types you selected, which is now displayed in the Impact field.
You can override any of the impact levels by modifying the Overridden fields and providing a justification.
As you provide overrides, the Impact field is updated accordingly based on the updated CIA levels.
Important:
It is vital that the Impact field accurately reflects the impact of the data you are authorizing. All processes downstream from this point rely on that impact level. According to NIST guidelines, the number of controls you must implement depends on the Impact, as follows:
High risk = 343 controls
Moderate risk = 262 controls
Low risk = 125 controls
After you have defined the impact, select Request Approval.
An approval request is sent to the Authorizing Official, who will access My Approvals from the navigation pane and review the information in the package. When approval is received, the package transitions to the Select state.
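
The calculation behind the Recommended, Overridden, and Impact fields in the procedure above, sketched as an added example (not ServiceNow code). It assumes the overall Impact is the highest of the three effective CIA levels (the FIPS 199/200 high-water mark) and that an override without a justification is rejected; the object shapes and sample information types are constructed, and the control counts are the ones listed on this page.

```javascript
// Added example, not ServiceNow code. Object and field names are hypothetical.
const LEVELS = ["Low", "Moderate", "High"];
const OBJECTIVES = ["confidentiality", "integrity", "availability"];
// Control counts per impact level, as listed on this page.
const CONTROL_COUNT = { High: 343, Moderate: 262, Low: 125 };

function rank(level) {
  const r = LEVELS.indexOf(level);
  if (r < 0) throw new Error("Unknown impact level: " + level);
  return r;
}

// Worst-case (highest) level in a list of levels.
function highWaterMark(levels) {
  return levels.reduce((worst, l) => (rank(l) > rank(worst) ? l : worst), "Low");
}

// infoTypes: [{ name, confidentiality, integrity, availability }]
// overrides: { <objective>: { level, justification } } (all optional)
function categorize(infoTypes, overrides = {}) {
  if (infoTypes.length === 0) throw new Error("Select at least one information type");
  const result = { recommended: {}, effective: {}, downgraded: [] };
  for (const obj of OBJECTIVES) {
    const rec = highWaterMark(infoTypes.map((t) => t[obj]));
    result.recommended[obj] = rec;
    const ov = overrides[obj];
    if (ov === undefined) { result.effective[obj] = rec; continue; }
    // Assumption: an override is only accepted together with a justification.
    if (!ov.justification || !ov.justification.trim()) {
      throw new Error("Override of " + obj + " needs a justification");
    }
    result.effective[obj] = LEVELS[rank(ov.level)]; // rank() validates the level
    // Flag overrides that go below the recommendation, for the approver's review.
    if (rank(ov.level) < rank(rec)) result.downgraded.push(obj);
  }
  result.impact = highWaterMark(OBJECTIVES.map((o) => result.effective[o]));
  result.controls = CONTROL_COUNT[result.impact];
  return result;
}

// Constructed sample information types (ratings are illustrative, not NIST values).
const SAMPLE_TYPES = [
  { name: "Sample type A", confidentiality: "Low", integrity: "Moderate", availability: "Low" },
  { name: "Sample type B", confidentiality: "High", integrity: "Low", availability: "Moderate" },
];
console.log(categorize(SAMPLE_TYPES));
console.log(categorize(SAMPLE_TYPES, {
  confidentiality: { level: "Moderate", justification: "Constructed justification text" },
}));
```

In the second call, a single override on confidentiality moves the package from High to Moderate, which is why the `downgraded` list is worth surfacing to whoever approves the package.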