In RMF-5, which item communicates the decision to accept residual risk?


Multiple Choice

In RMF-5, which item communicates the decision to accept residual risk?

Explanation:
In RMF-5, the decision to proceed with the remaining, unmitigated risk is put into a formal risk acceptance decision. After security controls are implemented and assessed, some residual risk typically remains. The Authorizing Official (or designated official) evaluates whether that residual risk fits the organization’s risk tolerance and, if it does, communicates this with a risk acceptance decision. This document explicitly states that the residual risk is accepted and that the system may be authorized to operate despite it.

This is distinct from other artifacts: a risk determination would be about assessing risk levels prior to acceptance, a Plan of Action and Milestones lists tasks and timelines to remediate issues, and a System Security Plan describes the system, its security requirements, and implemented controls. None of those alone communicates the formal acceptance of residual risk.

