Mechanisms exist to categorize systems and data in accordance with applicable local, state and Federal laws that: ? Document the security categorization results (including supporting rationale) in the security plan for systems; and ? Ensure the security categorization decision is reviewed and approved by the asset owner.