FIPS 199 – Categorization of Information and Information Systems
Introduction
The Federal Information Security Management Act (FISMA) tasked the National Institute of Standards and Technology (NIST) with developing standards and guidelines that all federal agencies must follow. NIST published Federal Information Processing Standards Publications (FIPS PUBS) to guide the categorization of information and information systems, so that agencies share a common understanding that promotes:
- Accuracy and proper management of the information security program.
- Dependable reporting of the effectiveness of policies, procedures, and processes to the required authorities.
Categorization
Security categories are based on the potential impact to an organization's information or information systems should an unexpected event occur. Threat and vulnerability data should be used alongside the security categories to assess risk.
FISMA defines three security objectives:
- Confidentiality
- Integrity
- Availability
Potential Impact Levels:
- Low - "The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals."
- Moderate - "The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals."
- High - "The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals."
- NA - Not Applicable (permitted only when categorizing an information type, not an information system)
Information Types - Electronic or non-electronic data associated with user and system information. The potential impact to the organization for each security objective of an information type determines its Security Category (SC), which is expressed in the following format:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
Information Systems - This process is more involved and requires analyzing the security categories of all the information types associated with the information system. For each security objective, the potential impact rating is the highest value assigned to that objective across the included security categories (a high-water mark). The security category is expressed in the same manner, except that an impact level of NA is not permitted:
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
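The two categorization steps above (per-information-type SC, then the high-water-mark roll-up to the information-system SC with NA excluded) as a worked example in Python. This is an added example, not code from FIPS 199 or NIST; the information types and impact values in SAMPLE_TYPES are constructed sample data, and the overall_impact helper (the single highest level across the three objectives) is an assumption added here rather than something the text above defines.

```python
"""Compute FIPS 199 security categories for information types and roll them
up to an information-system category (added example; sample data is constructed)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Ordinal ranking of the FIPS 199 potential impact levels.
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    confidentiality: Optional[str]  # "low" | "moderate" | "high" | None (NA)
    integrity: str
    availability: str

    def __str__(self) -> str:
        c = self.confidentiality or "NA"
        return (f"{{(confidentiality, {c}), (integrity, {self.integrity}), "
                f"(availability, {self.availability})}}")


def validate_impact(objective: str, value: Optional[str], *, system_level: bool) -> Optional[str]:
    """Normalize and validate one impact value.

    NA (None) is accepted only for the confidentiality objective of an
    information type (FIPS 199 restricts NA to confidentiality); an
    information-system category may never contain NA.
    """
    if value is None:
        if system_level or objective != "confidentiality":
            raise ValueError(f"NA is not permitted for {objective}"
                             + (" at the system level" if system_level else ""))
        return None
    v = value.lower()
    if v not in IMPACT_RANK:
        raise ValueError(f"unknown impact level {value!r} for {objective}")
    return v


def information_type_category(confidentiality: Optional[str], integrity: str,
                              availability: str) -> SecurityCategory:
    """Build the SC for a single information type."""
    return SecurityCategory(
        confidentiality=validate_impact("confidentiality", confidentiality, system_level=False),
        integrity=validate_impact("integrity", integrity, system_level=False),
        availability=validate_impact("availability", availability, system_level=False),
    )


def information_system_category(types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """High-water mark: for each objective, take the highest impact across all
    information types on the system. NA values are skipped, and because a
    system category may not contain NA, every objective has a floor of low
    (FIPS 199 assigns a low minimum for system-level processing and information)."""
    if not types:
        raise ValueError("an information system must contain at least one information type")
    result = {}
    for objective in OBJECTIVES:
        highest = "low"
        for sc in types.values():
            value = getattr(sc, objective)
            if value is not None and IMPACT_RANK[value] > IMPACT_RANK[highest]:
                highest = value
        result[objective] = validate_impact(objective, highest, system_level=True)
    return SecurityCategory(**result)


def overall_impact(sc: SecurityCategory) -> str:
    """Single impact level for a system: the highest of its three objectives.
    Assumption added here; the page above does not define an overall level."""
    return max((sc.confidentiality, sc.integrity, sc.availability),
               key=lambda v: IMPACT_RANK[v or "low"])


# Constructed sample data (not taken from FIPS 199).
SAMPLE_TYPES = {
    "public web content": information_type_category(None, "moderate", "moderate"),
    "payroll records": information_type_category("moderate", "high", "low"),
    "help desk tickets": information_type_category("low", "low", "low"),
}

if __name__ == "__main__":
    for name, sc in SAMPLE_TYPES.items():
        print(f"SC {name} = {sc}")
    system_sc = information_system_category(SAMPLE_TYPES)
    print(f"SC information system = {system_sc}")
    print(f"overall impact level = {overall_impact(system_sc)}")
```

Running the script prints each information type's SC, then the system SC. Note how the public web content's NA confidentiality is ignored in the roll-up, while a system holding only that type would still receive a confidentiality impact of low rather than NA.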
References
Federal Information Processing Standards Publication (February, 2014), Standards for Security Categorization of Federal Information and Information Systems, Retrieved from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
National Institute of Standards and Technology (August, 2008), Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories, Retrieved from http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf
National Institute of Standards and Technology (August, 2008), Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, Retrieved from http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf