A. RMF Step 1 Categorize Information System
B. RMF Step 2 Select Security Controls
C. RMF Step 3 Implement Security Controls
D. RMF Step 5 Authorize Information System
Answer is B.
The system security plan is first approved by the authorizing official or AO designated representative during execution of RMF Step 2, Task 2-4.
Security Plan Approval. See: CAP® CBK® Chapter 2, Task 2-4: Approval Security Plan; NIST SP 800-37, Revision 1, RMF Step 2, Task 2-4: Security Plan Approval.