In RMF, privacy controls are mapped to which framework and documented where?

Multiple Choice

In RMF, privacy controls are mapped to which framework and documented where?

Explanation:
Focusing on privacy within RMF, you rely on the NIST SP 800-53 privacy-related controls as the framework for addressing privacy requirements. These controls are not just checked off in isolation; they are described and traced in two key artifacts. First, the System Security Plan (SSP) lays out how each privacy-related control is implemented, providing the concrete details of safeguards, processes, and responsibilities. Second, the risk assessment captures the privacy risks associated with the system, assesses how well the controls mitigate those risks, and documents any residual risk and justifications. This combination ensures privacy considerations are integrated into both the implementation narrative and the risk posture of the system. ISO 27701 or documenting only in risk assessment wouldn’t align with RMF’s standard practice, and “boundary documents” isn’t the typical repository for these mappings.
