How would you apply the FIPS 199 security categorizations to decide whether each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
Justin Chen says
To apply the FIPS 199 security categorizations, the user will do the process in section 3 of the FGDC guidelines.
If the “Confidentiality” of the geospatial data is MODERATE to HIGH and the “Integrity” of it is LOW as the result of the assessment, you should take the recommendation of step 10 “Change these data”. Else, there would be potential compromises of security objectives mentioned above.
If the required “Availability” of the data is assessed to be LOW when the user pushes to step 13, you should perform “Extent of restrictions” as the safeguard to mitigate the risks. If not, the loss of “Availability” would compromise the right of legitimate users.
Sara Sawant says
Hi Justin,
If the availability of the data is assessed as low, do you agree that performing an “Extent of restrictions” as recommended in step 13 is necessary to mitigate risks and protect the rights of legitimate users?
Daniel Akoto-Bamfo says
Federal Information Processing System (FIPS) 199 addresses developing standards for the categorization of information types and information systems. The document highlights the importance of considering the potential impact either high, moderate, or low on the security objectives of confidentiality, integrity, and availability of the information system or information type. The Federal Geospatial Data Committee (FGDC) guidelines aim to ensure the protection of data by implementing appropriate safeguards based on the potential impact level of the information system. In cases where the potential impact on confidentiality is high, strong encryption and access controls should be put in place. Conversely, if the potential impact on confidentiality is moderate, standard encryption and access control measures are sufficient. In the same vein, robust integrity checks must be performed when the potential impact on integrity is high, and standard checks must be performed when the potential impact levels on integrity are moderate. When the potential impact on availability is high, a robust disaster recovery plan must be implemented, while a standard implementation must be made when the potential impact on availability is moderate.
Clement Tetteh Kpakpah says
Start by assessing each safeguard’s impact level on Confidentiality, Integrity, and Availability (CIA) as to whether the impact will be low, moderate, or high if a security breach is to occur. Continue by mapping out the safeguards to their respective impact levels. Proceed to evaluate the necessity of each safeguard. Conclude by prioritizing and implementing the safeguards based on the necessity levels.
Lily Li says
For companies that are interested in disseminating geospatial data, taking into consideration FIPS 199 security categorizations can help in the decision making of whether to make the data public. For example, in 2023 the National Geospatial Intelligence Agency released the latest version of global population distribution data accounting for refugees and displaced persons. Before this data was made available to the public, the NGI must take into consideration both the benefits that this would provide the public as well as the potential impact it might have on the confidentiality, integrity, and availability of the company. By determining whether the potential impact is low, moderate or high, the organization would be able to determine whether or not to release the data. If confidentiality, integrity and availability are low, geospatial data can be released with little to no worry about data breaches. However, if confidentiality, integrity, and availability are moderate or high, then organizations should ensure that the data has appropriate safeguards in place.
Charles Lemon says
Hi Lily,
Thank you for your response. Applying the FIPS 199 security categorizations to geospatial data would be an interesting task due to the intersectionality of the CIA Triad at work. In my head I picture a balance of all three objectives of confidentiality, integrity, and availability, and once one scale is tipped in one direction the other two are affected. Are you able to think of a scenario where all three of the CIA objectives could be given a high level of impact if certain geospatial data was compromised or too restricted?
Clement Tetteh Kpakpah says
Hello Lily,
Your write-up accurately highlights the importance of FIPS 199 security categorizations in geospatial data dissemination. By assessing potential risks to confidentiality, integrity, and availability, organizations can make informed decisions about data release, ensuring appropriate safeguards are in place to protect sensitive information.
Sarah Maher says
The FGDC guidelines recommend that if data is found to pose a risk (of several listed in the guidelines) then the data should be changed, restricted, or not disseminated (if the risk is not worth the benefit of sharing the data). FIPS 199 categorizes information and information systems as low, moderate, or high risk to CIA. If the data is categorized as moderate or high risk to CIA if security is compromised, the organization should decide to either change or restrict the data. However, the organization should also consider the fact that the FGDC guidelines themselves affect the CIA of data. For example, if the data is found to be HIGH for Integrity, then changing the data may not be the best action, as this will affect the integrity of the data before security is compromised.
Aaroush Bhanot says
Hey Sara,
Great response! You’ve highlighted an important consideration when applying the FGDC guidelines and FIPS 199 standards, particularly the tension between data integrity and security measures. Great point about balancing FGDC guidelines with the CIA triad, especially when considering data integrity. One additional thought is the importance of context in decision-making. For instance, if the data’s accuracy is paramount then altering it could undermine its value even if it reduces risk. Additionally, organizations should explore alternative methods, such as enhancing access controls or employing encryption to mitigate risks without compromising data integrity. It’s crucial to continually reassess both the data’s value and the evolving threat landscape to make informed, dynamic decisions that best protect the organization’s interests.
Steven Lin says
In order to determine the security levels according to FIPS 199, the Federal Geographic Data Committee (FGDC) is used. This committee classifies the impact on confidentiality, integrity, and availability as low, moderate, or high. For low-impact systems, basic safeguards such as physical security and standard access controls may be adequate. Moderate-impact systems require stronger measures, like multi-factor authentication and encryption. High-impact systems need strict safeguards including advanced encryption, comprehensive incident response, and continuous monitoring.
Daniel Akoto-Bamfo says
Hello Steven,
Defining security levels requires an overview of FIPS 199 and FGDC. The FGDC’s classification system presents a systematic approach to risk assessment and implementing relevant safeguards. By considering the potential impact on confidentiality, integrity, and availability, an organization can customize its security measures to align with its specific needs and comply with regulatory standards.
Charles Lemon says
In order to apply the FIPS 199 security categorizations to determine if there is a need for the FGDC safeguards, you would first determine what impact a loss of confidentiality, integrity, and availability could have on the data. This impact can be categorized as a low, moderate, or high impact and is described in the FIPS 199 publication. After categorizing the data into an impact level, the data can then be organized into the generalized format, with each equation representing an information type within an organization, or an information system as a whole. An example of this format can be seen when discussing the security categorization of public information: SC public information = {(confidentiality, na), (integrity, moderate), (availability, moderate)}. Using this generalized format of your data’s security categorization, you can now apply it to the FGDC safeguards of either restricting the data or changing the data. From the example used above, the data in question has no potential impact for loss of confidentiality, so restricting the data is not necessary. Furthermore, the integrity of the data was determined to have a moderate impact, so the changing of the data should not be applied as a safeguard in this scenario. Lastly, the availability of the data was determined to be of moderate impact, so the release of this data to the public has a higher priority, helping you determine which safeguard to use, if any.
Lily Li says
Hello Charles,
Your explanation of how the FIPS 199 security categorization could be applied to the FGDC safeguards was well-written and easy to understand. Your example shows how an organization might use the different impact standards described in the FIPS 199, allowing these organizations to apply these standards to fit their data. You also did a good job of addressing the impact of loss and how an organization might deal with that data. Using this generalized format allows an organization to tailor it to their needs.
Rohith says
FIPS 199 is a federal standard that provides a categorization scheme for information systems based on the potential impact of a compromise.
There are 3 steps in applying FIPS 199:
1. Identify the data based on value and impact.
2. Categorize the data based on those factors and pick a FIPS 199 categorization level such as low, moderate, or high.
3. According to the FGDC safeguards, select a course of action.
For low-value or low-impact data we use normal or basic safeguards; access controls and data backups might be sufficient. For the moderate level we would have to use much more durable safeguards like encryption and IDPS. Lastly, if the impact and value are high, we use complex safeguards such as an IRP and advanced encryption.
Steven Lin says
Hi Rohith,
I appreciate your clear response and the way you effectively outlined the steps. However, it might be beneficial to emphasize the importance of accurately assessing the potential impact during the categorization process. Misjudgment of the impact level could lead to either insufficient protection for high-risk data or unnecessary resource allocation for low-risk data. Companies should continuously reassess these controls to ensure that they remain effective over time.
Sara Sawant says
Classify the information or system according to the effect levels (Low, Moderate, High) for confidentiality, integrity, and availability before applying FIPS 199 categorizations to FGDC safeguards. Compare these levels to the FGDC recommendations to determine what safeguards apply. Apply basic controls for low effect, increased procedures for moderate impact, and extreme care for high impact. Determine if each measure is necessary by weighing the risks and consequences involved. Justify and implement safeguards appropriately, and keep an eye on their efficacy over time to make sure they adequately handle emerging risks and weaknesses.
Sarah Maher says
Hi Sara! I agree that using the categorizations of low, moderate, and high will then allow you to apply an FGDC safeguard. I also mentioned weighing the risks and consequences that would occur if information is disseminated. You mentioned applying basic controls for low effect, increased for moderate impact, and extreme care for high impact, but what FGDC safeguards specifically do you correlate with low, moderate, and high?
Sara Sawant says
Yes, using the low, moderate, and high categories to apply FGDC safeguards is effective. For minimal impact, consider basic limitations such as limited access and simple encryption. For moderate impact, you would strengthen security by implementing enhanced access controls, encryption, and audit logs. For maximum impact, use the most rigorous precautions, such as multi-factor authentication, robust encryption, and real-time monitoring. Weighing the risks and consequences is critical in determining the appropriate level of these safeguards.
Elias Johnston says
According to FIPS 199, we would first begin by defining our security objective for the information. This would define the severity that a breach to the integrity, availability, or confidentiality (CIA) of the information may cause. The severity is calculated by interpreting the level of potential impact. A low risk means a limited adverse effect may occur. A moderate risk means a serious adverse effect may occur. A high risk means a severe or catastrophic adverse effect may occur. Assuming the information originated inside the organization, we must first decide whether safeguarding the information is justified. If the data is not useful in planning/executing an attack, the information is not expressly unique to the data, or if the security costs do not outweigh the benefits of disseminating the data, then safeguarding is not justified, and the risk should be defined as low. If this is not the case, the severity of making the information public is most likely moderate or high. In this case, if applicable, the data should be changed for the public to still have access to the non-sensitive data. This would remove all sensitive data from public access and mitigate risk. If this is not applicable, step 13 should be taken, which would be to safeguard the data based on our assessment of the severity of the information. A decision on the extent of the restrictions placed on the data would need to be made.
Aaroush Bhanot says
To apply the FIPS 199 categorizations to FGDC guideline safeguards, we need to assess the potential impact (low, moderate, or high) on confidentiality, integrity, and availability of information. The highest impact level determines the overall security category. With this guide, higher categories will require stricter safeguards and extreme care (advanced encryption, MFA, continuous traffic monitoring), whereas a lower category requires basic controls (regular backups). Evaluate each FGDC safeguard’s relevance to your system’s security objectives and impact level. It is important to implement appropriate safeguards based on the severity assessment, document decisions, and regularly reassess as conditions change. This risk-based approach aligns with federal standards while addressing specific security needs and balancing public access to non-sensitive data.
Parth Tyagi says
Safeguarding is justified only for data that contain sensitive information, that are the unique source of this sensitive information, and for which the security risk outweighs the societal benefit of dissemination. This is when the requirement for safeguards will come in place.
Considering that the data to be protected has been identified and categorized for its importance according to FIPS-199 guidelines, the originating organization also needs to be sure that it has the authority to undertake the planned safeguards.
Depending upon the categorization of data under FIPS-199, for example low risk, we can think of changing the data if it serves the public and risk is mitigated through the change.
If the risk to the Confidentiality, Availability or Integrity turns out to be anything other than low, let’s say moderate or high, but also sometimes in the case of low risk, the implementation of safeguards needs to be done considering the following factors:
1. Does the data serve the public interest and if so, will changing it in some manner reduce the risk while still serving the public? If yes, then does the organization have the authority to change the data? If not, then the organization needs to weigh in on the efforts it would require in order to appeal to a legal/government body for the permission to change it.
2. Again, depending on the organization’s decision, data with moderate or high risk can be dealt with by restricting it from the public and other bodies in accordance with the laws of the land. If the organization does not have the permission to restrict the data, then it can appeal to the responsible authority for the same. After that, the extent of restriction needs to be determined based on the category of data (e.g. restricted, internal) and the risk pertaining to it.
Haozhe Zhang says
To apply FIPS 199 categorizations to the FGDC guideline safeguards, you must first assess the potential impact that’s categorized as low, moderate, or high, on the three aspects of confidentiality, integrity, and availability of your information system. The highest impact level across these three objectives determines the overall security category of your system. With this categorization as a guide, systems with higher security categories will require more safeguards, such as multi-factor authentication. In contrast, systems in lower categories may only need basic controls like security backups. Appropriate safeguard measures will have to match the potential impact level and security objective.
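Both Charles Lemon’s post (the generalized “SC name = {(confidentiality, x), (integrity, y), (availability, z)}” format) and the post above (the highest impact level across the three objectives determines the overall category) describe mechanical rules that are easy to get wrong by hand when a system hosts several information types. The following Python is an added example, not code from the FIPS 199 publication or the FGDC guidelines: it parses the SC notation, enforces the FIPS 199 rule that NA is allowed only for the confidentiality of an information type (never for a system), computes the per-objective high-water mark for a system, and lists which objectives are at or above a threshold and therefore need the FGDC change/restrict questions worked through. The second SC line is a constructed sample; the “public information” line is the example quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# FIPS 199 potential-impact levels, in increasing order. "NA" (not applicable)
# is permitted only for the confidentiality objective of an information type
# (e.g. public information); it is never permitted for an information system.
LEVELS = {"na": 0, "low": 1, "moderate": 2, "high": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# The generalized FIPS 199 format, e.g.
#   SC public information = {(confidentiality, NA), (integrity, moderate), (availability, moderate)}
_SC_RE = re.compile(r"^\s*SC\s+(?P<name>.+?)\s*=\s*\{(?P<body>.*)\}\s*$", re.IGNORECASE)
_PAIR_RE = re.compile(r"\(\s*([A-Za-z]+)\s*,\s*([A-Za-z]+)\s*\)")


def parse_sc(line: str) -> Tuple[str, Dict[str, str]]:
    """Parse one 'SC <name> = {...}' line into (name, {objective: level})."""
    m = _SC_RE.match(line)
    if not m:
        raise ValueError(f"not in FIPS 199 SC format: {line!r}")
    pairs = {k.lower(): v.lower() for k, v in _PAIR_RE.findall(m.group("body"))}
    if set(pairs) != set(OBJECTIVES):
        raise ValueError(f"expected exactly {OBJECTIVES}, got {sorted(pairs)}")
    for obj, lvl in pairs.items():
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level {lvl!r} for {obj}")
        if lvl == "na" and obj != "confidentiality":
            raise ValueError(f"NA is only permitted for confidentiality, not {obj}")
    return m.group("name").strip(), pairs


def system_category(info_types: List[Dict[str, str]]) -> Dict[str, str]:
    """Per-objective high-water mark across every information type on a system.
    A system category can never be NA, so LOW is the floor for each objective."""
    category = {}
    for obj in OBJECTIVES:
        mark = max(LEVELS[t[obj]] for t in info_types)
        category[obj] = LEVEL_NAMES[max(mark, LEVELS["low"])]
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """Single overall level: the highest of the three objectives."""
    return LEVEL_NAMES[max(LEVELS[category[o]] for o in OBJECTIVES)]


def objectives_needing_review(category: Dict[str, str], threshold: str = "moderate") -> List[str]:
    """Objectives at or above the threshold: the ones for which the FGDC
    change-the-data / restrict-the-data questions must actually be answered."""
    return [o for o in OBJECTIVES if LEVELS[category[o]] >= LEVELS[threshold]]


if __name__ == "__main__":
    # Constructed sample input: the public-information example quoted in the
    # thread plus a hypothetical second information type hosted on the same system.
    lines = [
        "SC public information = {(confidentiality, NA), (integrity, moderate), (availability, moderate)}",
        "SC hypothetical facility layer = {(confidentiality, high), (integrity, low), (availability, low)}",
    ]
    types = [parse_sc(line)[1] for line in lines]
    cat = system_category(types)
    print("system category:", cat)
    print("overall impact:", overall_impact(cat))
    print("objectives to review:", objectives_needing_review(cat))
```

Note that the two information types end up with a system category of confidentiality HIGH, integrity MODERATE, availability MODERATE even though neither type alone is high on more than one objective; that is exactly the effect the high-water-mark rule is meant to capture, and it is the reason the categorization should be done per objective before any safeguard is chosen.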
Justin Chen says
I agree with your statement that assessing the level of security categories can provide an indicator of whether to apply stronger safeguards. But isn’t it necessary to select your safeguard based on its impact on the security objectives (CIA triad), rather than solely categorizing by the security level of the safeguards?
Lili Zhang says
To apply FIPS 199 security categorizations for deciding on FGDC safeguards, I would first assess the potential impact on confidentiality, integrity, and availability (CIA) and categorize the information as low, moderate, or high based on this impact. For high-impact scenarios, more stringent safeguards such as encryption or multi-factor authentication are necessary, whereas low-impact scenarios might only need basic controls.
Next, I would align the chosen safeguards with the assessed impact levels. High-impact information would require robust safeguards, while low-impact information might only need basic protection measures. I believe it’s also important to periodically reassess the risk environment to ensure that the safeguards remain effective.
Yash Mane says
To apply FIPS 199 security categorizations to decide on the necessary information security risk mitigations from the FGDC guidelines:
1. Categorize Information: Use FIPS 199 to assign a security category (low, moderate, high) based on the potential impact on confidentiality, integrity, and availability.
2. Assess Risk: Evaluate the geospatial data’s risk, uniqueness, and net benefit of dissemination as per FGDC guidelines.
3. Determine Safeguards: Implement safeguards based on the FIPS 199 categorization. High-impact data requires stringent controls, while low-impact data may need less rigorous measures.
This ensures that the appropriate safeguards are applied based on the level of risk and impact.