This publication is intended to serve a diverse group of individuals and organizations in both the public and private sectors including, but not limited to:
• Individuals with system development life cycle responsibilities (e.g., program managers, mission/business owners, information owners/stewards, system designers and developers, system/security engineers, systems integrators);
• Individuals with acquisition or procurement responsibilities (e.g., contracting officers);
• Individuals with system, security, or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, chief information security officers, system owners, information security managers); and
• Individuals with security assessment and monitoring responsibilities (e.g., auditors, system evaluators, assessors, independent verifiers/validators, analysts).
The above roles and responsibilities can be viewed from two distinct perspectives: the federal perspective as the entity establishing and conveying the security requirements in contractual vehicles or other types of inter-organizational agreements; and the nonfederal perspective as the entity responding to and complying with the security requirements set forth in contracts or agreements.