Certified Administrative Professional (CAP) Practice Exam 2025 – Your All-in-One Guide to Exam Mastery!

The Categorization step of the Risk Management Framework (RMF) focuses on identifying and classifying information systems based on their impact level concerning confidentiality, integrity, and availability. This process is essential for understanding the potential risks associated with the system and determining the appropriate security controls needed.

While evaluating the risks and impacts of an information system is an important part of the overall RMF process, the specific tasks traditionally included in the Categorization step are to categorize the system based on its impact and to describe its characteristics, which account for options B and C. Additionally, the term "register" typically refers to creating an inventory or official record of the information systems involved, which is also outside the specific tasks of the Categorization step.

Hence, option A, "Evaluate," is not actually a task involved in the Categorization step itself, but rather a part of the broader risk management process. The focus during Categorization is on determining how to classify the system appropriately rather than evaluating its risks directly.