NIST RMF
CATEGORIZATION
Primary Responsibilities
Information System Owner
Information Owner
Supporting Roles
Risk Executive
Senior ISSO
ISSO
CIO
Authorizing Official or Designated Representative
Main Objectives or Tasks
STEPS
1. Identify Information Types (FIPS 199, FIPS 200)
2. Determine Category Values (FIPS 199 - defines 3 Security Objectives)
- Determine potential Impact on org/individuals (FIPS 199 defines 3 potential impact levels for each of C, I and A)
- Categorize Information Types
- Categorize Information System (High Watermark). Note: DoD and Intelligence communities do not use the High Watermark. They use the exact categorization for C, I and A (e.g., High-Low-Moderate, or HLM)
Defined by Organization
Or defined by Law, Executive Order, Directive, Policy or Regulation
A specific category of Information (e.g., Privacy, Medical, Financial, etc.)
SC(Information Type) = {(Confidentiality, Impact), (Integrity, Impact), (Availability, Impact)} NIST 800-60
Security Objectives (FIPS 199): CONFIDENTIALITY, INTEGRITY, AVAILABILITY
Potential Impact Levels (FIPS 199):
LOW (Limited Adverse Effect)
- Minor damage to org assets
- Minor financial loss
- Minor harm to individuals
MODERATE (Serious Adverse Effect)
- Significant degradation to mission capability: org is still able to perform its primary functions, but the effectiveness of those functions is significantly reduced
- Significant damage to org assets
- Significant financial loss
- Significant harm to individuals, but not life threatening or loss of life
HIGH (Severe or Catastrophic Adverse Effect)
- Severe degradation to mission capability: org will not be able to perform one or more of its primary functions
- Major damage to organizational assets
- Major financial loss
- Severe or catastrophic harm to individuals, including life-threatening injury and loss of life
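Worked example of the categorization steps above (added here, not part of the original mind map): each information type gets an SC triple, the system takes the highest impact per objective, and the result is expressed either as the civilian High Watermark or as the DoD/IC exact triple. The information types and impact values are constructed for illustration, not taken from NIST SP 800-60.

```python
# Added example: FIPS 199 / SP 800-60 style security categorization.
# Information types and their impact values are constructed, not from SP 800-60 Vol. II.
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1        # limited adverse effect
    MODERATE = 2   # serious adverse effect
    HIGH = 3       # severe or catastrophic adverse effect


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_type(c, i, a):
    """SC(information type) = {(C, impact), (I, impact), (A, impact)}."""
    return {"confidentiality": c, "integrity": i, "availability": a}


def categorize_system(info_types):
    """Per-objective system category: the highest impact that any
    information type on the system carries for that objective."""
    return {obj: max(sc[obj] for sc in info_types.values()) for obj in OBJECTIVES}


def high_watermark(system_sc):
    """Civilian-agency overall category: the highest of the three
    objective values, which drives baseline selection."""
    return max(system_sc.values())


def exact_triple(system_sc):
    """DoD/IC style label that keeps all three values, e.g. 'HLM'."""
    return "".join(system_sc[obj].name[0] for obj in OBJECTIVES)


# Constructed information types for a hypothetical HR/payroll system.
INFO_TYPES = {
    "personnel records (privacy)": categorize_type(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "payroll (financial)": categorize_type(Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
    "public job postings": categorize_type(Impact.LOW, Impact.LOW, Impact.LOW),
}

if __name__ == "__main__":
    sc = categorize_system(INFO_TYPES)
    for obj in OBJECTIVES:
        print(f"{obj:15} {sc[obj].name}")
    print("High watermark:", high_watermark(sc).name)  # HIGH
    print("Exact triple:  ", exact_triple(sc))          # MHM
```

The two outputs show the practical difference the note in step 2 describes: the High Watermark collapses the system to a single HIGH, while the exact triple keeps the MODERATE confidentiality and availability values visible.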