This assessment objective requires your organization to define and document all system roles that exist within your environment. Each role should represent a specific set of responsibilities, access levels, or functions tied to business or technical needs—particularly where access to Controlled Unclassified Information (CUI) is involved.