Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

M3 Framework Introduction M3 Framework Overview M3 Phase 0 - Assessment M3 Phase 1 - Readiness M3 Phase 2 - Selection M3 Phase 3 - Engagement M3 Phase 4 - Migration M3 Phase 5 - Operations M3 Resources
M3 Playbook > Phase 4: Migration
4.11 Conduct Security and Privacy Reviews
4.10 Execute Labor Relations Strategy
4.12 Define Roles and User Access
Image Map Phase 0: Assessment Phase 1: Readiness Phase 2: Selection Phase 3: Engagement Phase 4: Migration Phase 5: Operations
Objective: Conduct security & privacy reviews to validate the system (data, applications, interfaces, network) is protected, personally identifiable information (PII) & data are secure.

Phase 4 GuidanceLegend - Customer, Provider, Shared
Conduct Privacy Reviews:
1. Develop Privacy Framework to include system categorization, data type, handling, storing and sharing method, and incident response process (S)
2. Develop Privacy documentation and training material (if needed) to provide guidance to all stakeholders (S)
3. Implement Privacy training roadmap and integrate with overall training plan (S)
4. Roll out privacy regulations to all users (S)
5. Document and receive Systems of Record Notice (SORN), if required (S)
Conduct Security Reviews:
1. Understand provider security environment and assess against requirements (S)
2. Develop Security documentation and Security Test Plan if applicable (S)
3. Execute security test according to test plan to include both physical and logical security, document and correct issues (S)
4. Request and receive Authority to Operate (ATO) if necessary (S)

• Requirements Traceability Matrix (RTM)
• Gap Analysis Report
• Target State Concept of Operations (CONOPS)
• Technical Strategy

• Security Documentation, including Security Test Results and ATO • Privacy Documentation, including Initial Privacy Assessment, FIPS 199, SORN, Privacy Impact Assessment
• Program Manager (C, P)
• Functional Lead (C, P)
• Functional SME (C,P)
• Data SME (C)
• Technical Lead/Solution Architect (C, P)
• Security Lead (C, P)
• ISSO (C, P)
• Network SME (C, P)
• PMO Lead (C, P)

Best Practice
• Understand the customer’s ATO process and allow sufficient time to get documentation through review and approvals
• Develop and define Security/Privacy plan before development as part of the Target State Solution Architecture
• Begin security and privacy planning early and include security steps across all migration phases