This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.
NIST 800-53 (r4) Supplemental Guidance:
Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7.
References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60.
NIST 800-53 (r5) Discussion:
Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. CNSSI 1253 provides additional guidance on categorization for national security systems.
Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts.
Security categorization processes facilitate the development of inventories of information assets and, along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.
38North Guidance:
Meets Minimum Requirement:
The organization must have a documented analysis of the categorization of the information system, along with supporting rationale based on the perceived impact: the importance of the system, the sensitivity of the data, and the impact if the system experienced a breach. FedRAMP requires this to be documented in a FIPS 199 template and reviewed, approved, and signed by the Authorizing Official (AO) or the AO's designate. Additionally, the FIPS 199 categorization must be represented within the information system's System Security Plan (SSP).
Best Practice:
Ensure that the system is categorized correctly based on the data types it handles and the impact if the system or data experienced a breach. Would the impact to the system be catastrophic, severe, etc.? Would the impact cause a loss of life, serious injury, or only an availability outage? These are the questions to consider when categorizing an information system.
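Worked example of the categorization decision described above (added here; not 38North's, FedRAMP's, or NIST's code): it applies the FIPS 199 high-water mark across the information types a system handles and carries each objective's driving rationale forward for the SSP. The information types, ratings, and rationale strings are constructed sample values for a hypothetical system.

```python
from dataclasses import dataclass
from typing import Dict, List

# FIPS 199 impact levels, ordered so max() selects the high-water mark.
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass
class InfoType:
    """One information type the system handles: per-objective impact ratings
    plus the supporting rationale the security plan must record."""
    name: str
    impact: Dict[str, str]  # objective -> LOW / MODERATE / HIGH
    rationale: str

    def __post_init__(self) -> None:
        for obj in OBJECTIVES:  # reject missing or misspelled ratings early
            if self.impact.get(obj) not in LEVELS:
                raise ValueError(f"{self.name}: bad {obj} rating {self.impact.get(obj)!r}")

def categorize_system(info_types: List[InfoType]) -> dict:
    """FIPS 199 high-water mark: each objective takes the highest impact of any
    information type; the overall level (FIPS 200) is the highest objective."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category, drivers = {}, {}
    for obj in OBJECTIVES:
        worst = max(info_types, key=lambda t: LEVELS[t.impact[obj]])
        category[obj] = worst.impact[obj]
        drivers[obj] = f"{worst.name}: {worst.rationale}"  # rationale for the SSP
    overall = max(category.values(), key=LEVELS.__getitem__)
    return {"category": category, "overall": overall, "drivers": drivers}

def format_sc(result: dict) -> str:
    """Render the FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), ...}."""
    parts = ", ".join(f"({obj}, {lvl})" for obj, lvl in result["category"].items())
    return "SC system = {" + parts + "}"

# Constructed sample inventory for a hypothetical SaaS system (not real data).
SAMPLE_TYPES = [
    InfoType("customer account records", {"confidentiality": "MODERATE", "integrity": "MODERATE",
             "availability": "LOW"}, "PII; disclosure causes serious but recoverable harm"),
    InfoType("public product documentation", {"confidentiality": "LOW", "integrity": "LOW",
             "availability": "LOW"}, "already public; defacement or outage is a minor nuisance"),
    InfoType("billing transaction ledger", {"confidentiality": "MODERATE", "integrity": "HIGH",
             "availability": "MODERATE"}, "tampering causes direct financial loss, breaks audit trail"),
]
if __name__ == "__main__":
    result = categorize_system(SAMPLE_TYPES)
    print(format_sc(result), "-> overall", result["overall"])
```

Note that one HIGH integrity rating on a single information type lifts the whole system to HIGH, which is exactly the kind of decision the AO must see the rationale for before signing.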
Unofficial FedRAMP Guidance: TBD
Assessment Evidence:
A valid, reviewed, approved, and signed FIPS 199 document represented within the information system's SSP, along with the justification for categorizing the system at its assigned impact level.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD