Which RMF step focuses on categorizing the system based on scope and impact?


Multiple Choice

Which RMF step focuses on categorizing the system based on scope and impact?

Explanation:
The key idea here is categorization in the RMF: it classifies the system and the information it handles by defining its scope and the potential impact on security objectives. In this step you determine the system’s boundary, what data types and processing are involved, and assign impact levels to confidentiality, integrity, and availability. Those impact levels—low, moderate, or high—set the security baseline and shape subsequent decisions about which controls are appropriate. So, this step directly determines how stringent the safeguards need to be and informs the rest of the process. The other steps—selecting controls, assessing them, and monitoring—rely on that initial categorization to choose and evaluate the right safeguards and maintain ongoing oversight.

