Step 1 Categorize


2 hours 22 minutes
Video Description

This lesson covers the first step in the Risk Management Framework process, which is to Categorize. Upon completing this unit, participants will be able to identify the six steps in the RMF Process, produce or support the production of the key documents in the RMF process. In addition, participants will be able to categorize the security characteristics of confidentiality, integrity and availability for an information system as high, medium or low as well as describe the information processed, stored, and transmitted by an information system. Finally, participants will be able to register an information system. Categorizing a system consists of the following tasks:
1-1: Security Categorization
1-2: Information System Description
1-3: Information System Registration

Video Transcription
Welcome back to the DoD Risk Management Framework series. I'm Mike Redman here, helping you get through all the ins and outs of what you need to know to successfully navigate the DoD Risk Management Framework. We've made it to step number one: Categorize.
Through this chapter, we're going to identify the six steps within the RMF process. By the end, you should be able to produce or at least support the key documents within the RMF process, categorize the security characteristics based on the C, the I and the A for an information system as high, medium and low, and also be able to describe the information processed, stored and transmitted by your information system and register your information system. For those of you studying for the (ISC)² CAP examination, remember, this section is all about the content, what the system is doing, and how to develop the initial key steps of the system security plan, or the SSP.
This is a critical step. Be sure to study the types of authorizations available within the Risk Management Framework. So, as I always say, the best place to start is the beginning. Within the categorization step number one, we have three primary tasks: a security categorization, information system description and information system registration. It all starts with the SSP, or the system security plan. You can find a basic how-to with the Special Publication 800-18. Within the 800-18, it will outline the basic roles and responsibilities of this step.
In general, the system owner is the one that would put together, or at least authorize, the final system security plan. It will include the basic description of the information system, any applicable POCs, a listing of all applicable controls, all approvals and all required artifacts.
So when looking at what to include within the SSP, you're looking at basics. Don't go overboard. Describe the mission or vision of the system, who is responsible for which parts of it, a detailed system description and boundary, a comprehensive list of all security controls, the statuses of those controls, any approvals that were prior given and any appendices that were required as part of the overall package.
Looking at the individual elements of this system security plan again, you begin with the basic system identifier. Depending on your component, that would be the registration number that you receive from registering the system, maybe with the DITPR or eMASS. Next would be your decided system categorization (we'll go over that in a bit), and then the system owner name, title, agency, address, phone number and email address.
Next, you'll identify the authorizing official, any other designated contacts, assignment of security control responsibilities and the system operational status. For instance, is it fully operational or under development?
Next will be the system type, a good descriptive purpose of your system, the system environment in which it's going to be utilized, and any, if applicable, system interconnection or information sharing that's happening within your information system.
Next would be the identification of any laws, regulations or policies affecting the system; the security controls section itself, that would come from the 800-53 and the minimum security controls required, as well as the identified completion and approval dates; and the last section should contain the ongoing system security plan maintenance, for instance, the milestones of updating the plan itself. Maybe some controls were tailored in and some controls tailored out. We'll discuss that in a later section.
So, looking at step one, what are we truly doing? We're going to identify the categorization of the system. We need to, as best we can, adjudicate the impact of confidentiality, integrity and availability and the compromise of it, based on whether it would be a high, medium or low impact.
The roles required for this step are the information system owner themselves and the identified information steward.
So this is probably one of the most critical steps in the entire framework: the initial stakeholder meeting. Now, it should include all key stakeholders, including the Chief Information Officer, the Senior Agency Information Security Officer, the authorizing official or designated official, and the Cross Domain Solutions Office representative. And the risk executive function should be represented, as well as the information system owner and the ISSO, and the user representatives, as well as an independent evaluation element.
Now, it goes without saying, odds are you won't see the CIO or the SAISO or even the AO or a cross domain representative here. This is simply here for illustrative purposes, so you can understand that they have a say in the beginning steps of an information system.
So as you begin the categorization itself, what types of information are necessary? Well, we've already walked through, for instance, the unique identifier, the system owner and contact information, the general governing locations and so forth. However, understand there are many more elements that need to be included. For instance, an organizational mission that is codified by U.S. law, any hardware and firmware used throughout the system, the status or the position within the acquisition life cycle, the security administrative processes and roles, as well as the identification of the appropriate function and capabilities, and a strong, detailed architectural description and network topology.
When identifying these information types, it comes from OMB's Business Reference Model. That's the basis of identifying the information types in all federal information systems. There are five core business areas. Within those business areas, you need to identify the mission-based information types, for instance, the services for citizens and the mode of delivery, and then finally, the management and support information types, like support delivery of services and the management of government resources, such as resource management functions.
So as we continue through the categorization process, remember there are subtasks to each. For instance, step one, identify the information type that this system contains, and then move on to select the provisional impact levels, review the provisional impact levels, and adjust and finalize the information impact levels themselves, which will lead us to assign the system security category.
So when we talk about impact values, what are we really saying? Well, impact is adjudicated as either low, moderate or high, and the core definition of each is applied. So for low, or limited adverse effect, you would define that as effectiveness is reduced but with only minor damage, loss or harm. For moderate, you would have a serious adverse effect, such as serious financial loss or harm to individuals. And then for a high impact value, we're looking at severe or catastrophic adverse effects, such as loss of life or complete loss of mission capability.
It's important to treat the categorization process as somewhat cyclical. Information types live and breathe over the course of time. That means your categorization could possibly adjust as well. So remember the five core steps: identify the information types, select the provisional impact levels, review those impact levels, make your final adjustments and then finally assign the system category.
This system categorization will feed into the overall FIPS 200 and 800-53 security control selections.
So looking at the core processes themselves in each step, the input of the identity of information types, of course, would have to come, for instance, from the mission owner. They're the ones that are going to begin the core categorization themselves, so you will also need core input from the information owners.
Remember, mission owners and information owners are often two independent individuals. Next, to selecting those provisional impact levels. This is where the information systems security officer comes in. You'll do things like select the security impact levels for the identified information types, determine the security categorization for each information type that is contained within the system and then document the provisional impact levels of the C, the I and the A associated with the system information types.
When considering these potential impacts, what you're looking to do is identify and isolate, at least for this part, the individual information types themselves. For instance, PII: the loss or compromise of PII would probably be adjudicated as a moderate or medium impact, whereas protected health information might also be moderate, but it also could be adjudicated up to high when it comes to, for instance, confidentiality. You're starting to get the idea. Once we look at the core information type itself, then we start folding in additional factors like the particular information type itself and the compromise of confidentiality or integrity or availability. It's not holistic. You're looking to do it one at a time and then look at the aggregate total of it.
Here's a look at some of the core base information types. Easy. We have performance, business, service, technical and then data sharing. That is a family all to itself. So what we're concerned with is the business information type. For that, we will look to the NIST Special Publication 800-60, Volumes 1 and 2.
Here's a look at what the 800-60 looks like. You will find your particular information type and correlate it to specific types of information that you may be dealing with inside your information system. Once you identify that particular information type, then it will tell you a suggested base category.
For instance, defense and national security with a subtype of homeland security with a subtype of border control and transportation security: our base impact would be moderate, moderate, moderate. Well, what if we have key asset and critical infrastructure protection types of information also within the information system? That will move our base to high, high, high.
Remember, you're looking for the aggregate of the whole. It will shift as you fold in more unique information types.
So looking at the FIPS 199, here's a few categorization examples that you can go by. For instance, let's say we have a system that contains contract information, administrative information and information system information. Again, we're looking to isolate each. So first, dealing with contract information, we would identify it as moderate, moderate, low, and then administrative information would have a base categorization of low, low, low. Then the core information system type would be adjudicated to be moderate, moderate, low. So, knowing what you know, what should the final categorization level be for this information system?
Let's try one more.
Let's say we have an information system that has sensor data, administrative information and information system information. So for sensor data, you see that the base categorization is not applicable, high and high, where administrative information would be low, low, low and then the information system data itself would be low, high, high. So what would the final categorization of this system be?
To help you through the process, here are some simple guidelines for adjusting the system categorization to meet with the system requirements. For instance, you begin with the base aggregation and then move on to the criticality of the system's functionality, any extenuating circumstances, public information integrity, catastrophic loss of system availability, large supporting and interconnecting systems, critical infrastructures and key resources contained within the system, any trade secrets that might be present, overall information system impact and then, of course, privacy.
When dealing with the potential impact level, these are some considerations that you must keep in mind: a catastrophic loss of the system availability, large supporting systems that may be relying on your information system, any interconnected systems that are associated with it and public data requirements such as confidentiality.
So let's walk through one example. You have a law enforcement investigation system. This particular information system is used for tracking of the current investigations, which could result in criminal prosecution. It includes case facts, investigative notes and leads, as well as normal administrative data.
Looking at the 800-60, what data types and what categorization would you apply to this system?
Remember to take into account there are always other considerations: the total aggregation of data, meaning combinations of independent pieces of data that would increase the confidentiality, integrity and availability requirements of the system. The total is greater than the sum of its parts, for instance, especially when dealing with privacy or health data. And, of course, the criticality of the system. What would the impact on connected systems be if your system went down and they are relying on your system's data for their mission operations?
So you might be asking, why do it? What is the purpose? Why do I need to categorize my system? Well, it goes into your final budget. Remember, all of us get our money from Congress, specifically OMB. This system categorization is what they're using for strategic planning, future budgeting, procurement requirements and any team management that may be required.
It helps in the overall capital planning and investment control to identify the baseline across the federal government, be able to prioritize those requirements, conduct enterprise-level prioritization and then conduct system-level prioritization, as well as developing supporting materials and the overall implementation of the portfolio, as well as submitting Exhibit 300 and Exhibit 53 as required within overall acquisition program management.
Next, let's take a look at some of the newest and most impactful guidance received from NIST Special Publication 800-122. It specifically addresses PII data. It instructs all organizations to identify PII residing within their environment and then minimize the use, collection and retention of PII to what is strictly necessary to accomplish their business purpose and mission.
And finally, they should categorize the PII by the PII confidentiality impact level. Each organization should decide which factors it will use for determining the impact levels and then create and implement an accurate policy, procedure and control for all PII data.
So the specific security controls, when it comes to PII, are creating policies and procedures, conducting training, de-identifying PII, using access enforcement, implementing access control for mobile devices, providing transmission confidentiality and auditing events.
Next, information system description. This is primarily the task of the information system owner themselves.
Within the description of the information system, you must clearly identify all boundaries. A good rule of thumb here is: only identify what belongs to you. Don't make it overly complex. You don't want to make your description too expansive because you will bring far too much into scope. However, you don't want to bring it in too limited and too focused, because then you won't miss gaps that possibly you should be covering that the common control provider is not.
So, for especially complex information systems, system boundaries can be difficult to identify because it gets very gray in the middle. Remember, with changing technologies, that ultimately can and usually does affect the information system boundaries themselves.
How should you identify your boundary? Well, every time I'm asked that particular question, my answer simply is: where your administrative control ends and somebody else's picks up, that is your system boundary.
So, for instance, when looking at how changing technologies have an effect on information system boundaries, just consider some dynamic subsystems within themselves, like service-oriented architecture or cloud computing, external subsystems like contractor systems and any trust relationships within the information system boundaries.
To identify specifically how to work with the interconnections of the information system, you will find that in the Security Guide for Interconnecting Information Systems Technology, NIST Special Publication 800-47. Within 800-47, it defines four phases to interconnecting systems: planning, establishing, maintaining and then disconnecting.
You should have a well-documented plan for all interconnections within the information system for each of the four corresponding phases.
And of course, if you are dealing with a cloud implementation, you will need to submit through the process of what's called FedRAMP, the Federal Risk Authorization Management Program. It's there to assist and accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations. Again, reciprocity.
The goal is increased confidence and security of cloud solutions, as well as the increased confidence and security assessments and the assistance and increased automation and near-real-time data for continuous monitoring.
Next would be a consideration for all standalone environments. They are still required to go through a certain level of assess and authorize. Now, I can't tell you what your specific organization or component has decided to do when it comes to standalone environments. However, understand that it must be assessed and authorized at some level, even if it's a local authorization. That is a little bit out of scope for this conversation. Just keep in mind it is available to you.
That brings us to the information system registration. This is where you will formally have the information system exist. You'll identify the key characteristics of the information system and any security implications. This, again, is the primary role or task of the information system owner.
Every component command has a different registration system. For instance, the Army has APMS, Navy DITPR, Air Force EITDR, and so on and so forth. Pretty much all of them, at this point, are using eMASS, with the exception of the United States Marine Corps, and you get the picture. But you will have a specific system that will handle your system registration for you, whatever that is. Be sure to execute it, because you need that identification number for the first block of the system security plan.
In the next section, we're going to move on to step two, overall control selection.
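
The per-objective aggregation used in the lesson's two categorization exercises follows the FIPS 199 high-water-mark rule. The sketch below is an added example, not part of the video or its transcript: the names `Impact` and `categorize_system` are assumptions made for illustration, and the inputs are the provisional values read out in the lesson.

```python
from enum import IntEnum


class Impact(IntEnum):
    NA = 0        # "not applicable": only valid for an information type's confidentiality
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types):
    """Aggregate information-type categories into a system security category.

    info_types maps an information-type name to a (C, I, A) tuple of Impact.
    Returns (per-objective category dict, overall system impact level).
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    category = {}
    for idx, objective in enumerate(OBJECTIVES):
        values = []
        for name, levels in info_types.items():
            if len(levels) != 3:
                raise ValueError(f"{name}: expected a (C, I, A) tuple")
            level = Impact(levels[idx])
            if level is Impact.NA and objective != "confidentiality":
                raise ValueError(f"{name}: NA is not valid for {objective}")
            values.append(level)
        # High-water mark across information types. A system-level value
        # can never be NA, so the result is floored at LOW.
        category[objective] = max(max(values), Impact.LOW)
    # Overall level (used to pick the control baseline) is the highest
    # of the three objective values.
    overall = max(category.values())
    return category, overall


# Constructed inputs: provisional values from the lesson's two exercises.
EXERCISE_1 = {
    "contract information": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "administrative information": (Impact.LOW, Impact.LOW, Impact.LOW),
    "information system information": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
}
EXERCISE_2 = {
    "sensor data": (Impact.NA, Impact.HIGH, Impact.HIGH),
    "administrative information": (Impact.LOW, Impact.LOW, Impact.LOW),
    "information system information": (Impact.LOW, Impact.HIGH, Impact.HIGH),
}

if __name__ == "__main__":
    for label, system in (("Exercise 1", EXERCISE_1), ("Exercise 2", EXERCISE_2)):
        category, overall = categorize_system(system)
        summary = ", ".join(f"{k}={v.name}" for k, v in category.items())
        print(f"{label}: {summary} -> overall {overall.name}")
```

The result is the provisional aggregate only; the adjustment factors listed in the lesson (aggregation of data, criticality, interconnected systems, privacy) can still raise it before the final category is assigned.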

This course introduces the Department of Defense (DoD) Risk Management Framework (RMF). This course prepares participants to take the CAP Exam which consists of 125 multiple choice questions and covers the following domains:
