Federal Information Processing Standards (FIPS) 199 – Categorization of Information and Information Systems

June 27, 2016 | Views: 5430

Introduction

The Federal Information Security Management Act (FISMA) tasked the National Institute of Standards and Technology (NIST) with developing standards and guidelines that all federal agencies must follow. NIST issued the Federal Information Processing Standards Publications (FIPS PUBS) to guide the categorization of information and information systems, so that agencies share a common understanding that promotes:

·        Accuracy and proper management of the information security program.

·        Dependable reporting of the effectiveness of policies, procedures and processes to the required authorities.

Categorization

Security categories are based on the potential impact to an organization’s information or information systems should an unexpected event occur. The security category is then combined with threat and vulnerability data when assessing risk.

According to FISMA, there are three security objectives:

·        Confidentiality

·        Integrity

·        Availability

Potential Impact Levels:

·        Low – “The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.”

·        Moderate – “The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.”

·        High – “The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.”

·        NA – Not Applicable

Information Types – An information type is electronic or non-electronic data associated with user and system information. The potential impact to the organization for each security objective of an information type determines its Security Category (SC). The format is expressed as follows:

SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}

Information Systems – This process is more involved and requires analyzing the security categories of all the information types resident on an information system. For each security objective, the potential impact rating of the system is the highest value found among the security categories of those information types (the high-water mark). The security category is expressed in the same manner, except that an impact level of NA is not permitted for an information system:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
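The two-step categorization above (per-type security category, then the system high-water mark with NA disallowed) as an added Python example; this is not code from the page or from NIST. The HR portal and its two information types are constructed sample data, and the floor at LOW follows the FIPS 199 rule that LOW is the minimum impact for an information system.

```python
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    NA = 0        # "not applicable": permitted only for an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

def sc_information_type(name, confidentiality, integrity, availability):
    """Security category of one information type; any level, including NA, is allowed."""
    levels = (confidentiality, integrity, availability)
    sc = {"name": name}
    for objective, level in zip(OBJECTIVES, levels):
        sc[objective] = Impact[level.upper()]   # KeyError on an unknown level name
    return sc

def sc_information_system(name, info_types):
    """High-water mark across all information types resident on the system.
    NA is not permitted for a system, so each objective is floored at LOW
    (FIPS 199 treats LOW as the minimum impact for an information system)."""
    if not info_types:
        raise ValueError("an information system must hold at least one information type")
    sc = {"name": name}
    for objective in OBJECTIVES:
        highest = max(t[objective] for t in info_types)
        sc[objective] = max(highest, Impact.LOW)
    return sc

def format_sc(sc):
    """Render a security category in the FIPS 199 notation used above."""
    triples = ", ".join(f"({o}, {sc[o].name})" for o in OBJECTIVES)
    return f"SC {sc['name']} = {{{triples}}}"

# Constructed sample: a hypothetical HR portal holding two information types.
HR_TYPES = [
    sc_information_type("public job postings", "NA", "moderate", "low"),
    sc_information_type("personnel records", "moderate", "moderate", "low"),
]

if __name__ == "__main__":
    for t in HR_TYPES:
        print(format_sc(t))
    print(format_sc(sc_information_system("HR portal", HR_TYPES)))
```

Note that a system holding only the public job postings type still receives confidentiality LOW, not NA, because the floor applies at the system level.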


References

Federal Information Processing Standards Publication (February, 2014), Standards for Security Categorization of Federal Information and Information Systems. Retrieved from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

National Institute of Standards and Technology (August, 2008), Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf

National Institute of Standards and Technology (August, 2008), Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf

4 Comments
  1. Apparently Hillary Clinton was never briefed. Her server was not in compliance with FISMA and NIST.

  2. Good article.

    • Thank you! I know compliance is not as sexy as getting a shell or developing your own exploit. Hopefully this helps others who need to understand FISMA.

      • Actually I guess I’m one of the un-sexy people who are interested in compliance issues (HIPAA, SOX, etc.). Hey, somebody’s got to make sense of all the regulations.
