Who is primarily responsible for system-specific controls?

Prepare for the FISMA Interview Test. Get familiar with key topics and enhance your knowledge with flashcards and multiple-choice questions. Study effectively and be ready for your exam!

Multiple Choice

Who is primarily responsible for system-specific controls?

Explanation:
System-specific controls are driven by the information system owner and the authorizing official because they hold accountability for the system and its risk. The owner is responsible for selecting, implementing, and maintaining the controls tailored to that particular system, and for ongoing monitoring and assessment to ensure controls remain effective. The authorizing official has the final responsibility to review risk, authorize operation, and accept residual risk based on the implemented controls. The security operations center focuses on monitoring, detection, and incident response, not on owning or approving the system. External auditors provide independent assessment but do not set or implement controls or authorize operation. Network administrators handle the day-to-day setup and maintenance of network infrastructure but do not carry the ultimate responsibility for the system’s authorization decision.

