NIST SP 800-37


Adequate security

Security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information. This includes ensuring that information hosted on behalf of an agency and information systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability protections through the application of cost-effective security controls.

The purpose of the #Select step is to select, tailor, and document the controls necessary to protect the information system and organization commensurate with the risk to organizational operations and assets, individuals, other organizations, and the Nation.

Agency 

Any executive agency or department, military department, Federal Government corporation, Federal Government-controlled corporation, or other establishment in the Executive Branch of the Federal Government, or any independent regulatory agency.

Allocation

The process an organization employs to assign security or privacy requirements to an information system or its environment of operation; or to assign controls to specific system elements responsible for providing a security or privacy capability (e.g., router, server, remote sensor).

Application

A software program hosted by an information system.

Assessment

See control assessment or risk assessment.

Assessment plan

The objectives for the control assessments and a detailed roadmap of how to conduct such assessments.

Assessor

The individual, group, or organization responsible for conducting a security or privacy assessment.

Assignment statement

A control parameter that allows an organization to assign a specific, organization-defined value to the control or control enhancement (e.g., assigning a list of roles to be notified or a value for the frequency of testing). See organization-defined control parameters and selection statement.

The purpose of the #Prepare step is to carry out essential activities at the organization, mission and business process, and information system levels of the organization to help prepare the organization to manage its security and privacy risks using the Risk Management Framework.

The purpose of the #Categorize step is to inform organizational risk management processes and tasks by determining the adverse impact to organizational operations and assets, individuals, other organizations, and the Nation with respect to the loss of confidentiality, integrity, and availability of organizational systems and the information processed, stored, and transmitted by those systems.

The purpose of the #Assess step is to determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
