How would you apply the FIPS 199 security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
Comments
Andrea Baum says
To apply FIPS 199 security categorizations to determine the necessity of information security safeguards, first identify the information types and assess the impact of potential breaches on confidentiality, integrity, and availability. Assign impact levels (LOW, MODERATE, HIGH) for each security objective based on the severity of potential adverse effects. Categorize the information by summarizing these impact levels, which will guide the selection of appropriate safeguards. The need for specific safeguards, as described in the FGDC guidelines, is determined by the highest impact level identified in the security categorization. For instance, if confidentiality is categorized as HIGH, safeguards addressing high-impact confidentiality risks must be implemented. This approach ensures that security measures are aligned with the criticality and sensitivity of the information.
James Nyamokoh says
Hi Andrea,
Your post is thought-provoking and provides a solid overview of the FIPS 199 process. I agree with the importance of assigning impact levels to confidentiality, integrity, and availability for determining safeguards. However, this approach might sometimes lead to excessive security measures if the highest impact level dictates all actions. What if, instead of focusing exclusively on the highest impact level, organizations implemented a strategy that tiers safeguards based on the specific impact levels of each objective? I think this could result in a more balanced and effective security posture.
Gbolahan Afolabi says
The FIPS 199 security Categories were made to help determine the impact of breaches to security objectives on information systems and the information they hold. The categorizations should be analyzed in addition to potential threats and vulnerabilities that exist within the systems when trying to understand the risk to an organization. The Security Objectives that are sought to be maintained are the Confidentiality, Integrity, and Availability (CIA) of information and Information Systems. When analyzing the risk to information, a Security Category expresses the impact (low, moderate, high) against each Security Objective of an Information System and the type of information within it.
The FGDC guidelines provide standardized procedures for identifying the risks of sharing potentially sensitive data for the benefit of the geospatial community (Government agencies, private organizations, and individual civilians) at large. Decisions are made on the safeguarding of geospatial data based on the assessment of potential risks to national security and the benefits of dissemination.
To apply the FIPS 199 security categorization to geospatial data, an understanding of the type of data that is being shared, including the impact of potential loss to the Confidentiality, Integrity, and Availability of the information and the system it resides in, must be achieved. This can be done by assessing the level of impact on an organization’s assets, core operations/functions, and staff against the security objectives in the event of a breach. After achieving an understanding of the Security Categorization of the data, it becomes possible to determine the appropriate safeguards, if any, to implement. The safeguards should be in balance with the benefits of disseminating the information: if the security risk (discovered during security categorization) is lower than the benefit of sharing the data, safeguarding is not justified. Safeguarding is also not justified if analysis shows that no proprietary/confidential information in the data would aid an attack. If it has been determined that there could be adverse or catastrophic impacts to the government, private organizations, and the general public, a decision can be made to change or restrict the data as appropriate, and it should be documented. Periodic re-assessments of the safeguards on the sharing of geospatial data, including the decisions that have been made, should be done.
Cyrena Haynes says
If I were to apply FIPS 199 security categorizations (low, moderate, and high) to determine the need for safeguards as described in the FGDC guidelines, I would begin by categorizing the information systems based on the potential impact on the security objectives of confidentiality, integrity, and availability. For low-impact systems, where the risk of breach is minimal, I would recommend data modification or removal to address confidentiality and availability concerns. This safeguard would be sufficient because the potential damage is limited, and maintaining availability is more critical than the exactness of the data. For moderate-impact systems, where a breach could cause more significant harm, restricting access becomes more critical to protect confidentiality and integrity. The damage from unauthorized access or modification is more severe, so stronger controls are required.
For high-impact systems, where a breach could have catastrophic consequences, strict access controls are essential. Data modification could compromise the integrity of critical information, so limiting access ensures that confidentiality and integrity are preserved at the highest level. This approach ensures that each safeguard is applied appropriately based on the impact level and potential risk to the organization.
Nelson Ezeatuegwu says
Interesting! If FIPS 199 outlines the standard for categorizing information systems and the FGDC states “Safeguarding is justified only for data that contain sensitive information, that are the unique source of the sensitive information, and for which the security risk outweighs the societal benefit of dissemination”, does it mean the impact level determines the sensitivity of the data? I am curious to know.
Brittany Pomish says
Nelson brings up a good point. The FGDC decision tree starts with whether the organization originated the data and whether the information is unique. It seems like that may be step 1 of this process: determine if the data is both of these things and then apply the FIPS 199 security categorization. However, does that mean not categorizing the non-unique data and not safeguarding it?
Cyrena Haynes says
Hi Brittany,
Great point and I agree that the origin of the data should be the first step.
If the organization did not originate the data, it should still be safeguarded based on the categorization of the organization who did originate the data. However, if the data is not unique and can be easily found on public resources, it should not be categorized/safeguarded.
Cyrena Haynes says
Hi Nelson,
Happy to elaborate a bit more on my thought process here. The sensitivity of the data determines the impact level, but this does not apply in the reverse order. For example, a social security number being stolen by hackers would be a medium threat as it can result in identity theft/financial loss.
Gbolahan Afolabi says
This is great Cyrena!
When determining the potential impact to Information systems, it is also helpful to use the FIPS 199 security categorizations for the types of information within the systems. This would help with assessing the risk and potential impact of compromised security objectives on the systems as a whole.
Nelson Ezeatuegwu says
FIPS 199 outlines the standard for categorizing information systems considering the impact a breach will have on confidentiality, integrity and availability. It also stipulates the high-water mark, whereby the potential impact value assigned is the highest of the values assigned to the respective security objectives. In applying the FIPS 199 security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed, I would make sure that each data set is categorized in the right category so that the impact level to confidentiality, availability and integrity is determined; misplacing low or moderate data into the high category, for instance, will result in a false high-water mark, and therefore the risk mitigation will not comply with the provisions. Secondly, before determining the category data falls into, I will apply the FGDC guidelines to determine if the data needs to be safeguarded or not: “Safeguarding is justified only for data that contain sensitive information, that are the unique source of the sensitive information, and for which the security risk outweighs the societal benefit of dissemination”.
Christopher Williams says
Nelson, your response accurately describes how FIPS 199 categorizes information systems according to the potential impacts on confidentiality, integrity, and availability. Correctly classifying data is essential to apply the appropriate risk mitigations effectively. Additionally, using FGDC guidelines to assess the need for safeguards is crucial, particularly for protecting sensitive information where the risk outweighs the benefit of its transmission. This approach ensures that security measures are both effective and appropriately targeted.
Brittany Pomish says
To apply the FIPS 199 security categorizations to decide if the information security risk mitigations described in the FGDC guidelines are needed, you would need to evaluate the potential impact on confidentiality, integrity, and availability if the data were compromised. FIPS 199 defines three impact levels: low, moderate, and high. You would need to assign/categorize the information into one of these impact levels. Then, based on the security categorization, decide if the safeguards described in the FGDC guidelines are necessary.
If the impact is high, indicating severe or catastrophic effects, then the safeguards outlined in the FGDC guidelines are likely necessary, especially if the data contains sensitive and unique information. For example, for confidentiality, if the impact is high, the safeguards of changing the data or restricting the data should be put in place. Lastly, you would want to regularly review and reassess the security categorizations.
Ericberto Mariscal says
Hi Brittany,
Very well said! I wanted to note the importance of your last sentence, as regularly reviewing and reassessing is very much an ongoing theme with how rapidly technology is advancing. I’m curious as to what the guidelines or timeframe are for revisiting categorization, or if there is any sort of federal requirement for it.
Dawn Foreman says
Brittany, very well said. I agree that assessing and categorizing into an impact level is going to be crucial for next steps after a security breach. Similarly to Ericberto, your last line: “you would want to regularly review and reassess the security categorizations.” Depending on the impact level, compromising CIA may occur. As time goes on, the impact level may change, and the goal should always be to maintain the confidentiality, integrity, and availability of the data.
Benjamin Rooks says
The decision tree that is provided is the perfect place to practice the FIPS guidelines, specifically at steps 4-6 and 8. These guidelines actually provide a perfect use case to determine how severe losses of CIA could be using the FIPS model. Since both of these models are abstract, I am going to elect to provide an example and walk through the process.
In this example I am going to assume that we are evaluating how we should classify and protect information documentation of survey data of a new military base in the Chagos Archipelago. This data would be useful for planning and executing an attack. The geographic location would be a unique set of documentation, and the societal benefits of having early knowledge of an attempt to build a new military base is minimal. Because of all of that it will need to be protected, but due to the fact that this is hypothetical survey data for a plan in the future and not something that would potentially endanger current facilities and personnel I would rate the potential impact as the following:
Confidentiality: Low – No assets or personnel are in danger if this information leaks, but a leak may cause protests or the need for more diplomatic discussions.
Integrity: High – Presumably this survey data will be presented to engineers who will need to know the terrain in order to make design decisions. Allowing the information to be modified or destroyed could result in damage or loss of equipment or personnel.
Availability: Low – Engineers would need to access this information irregularly, and temporary loss of access would result in at worst a delay in project plans.
Recommendation: Taking all of this into account my recommendation would be focused around data recovery, logging, and integrity verification. Standard MFA solutions should be used to grant access to the data, but the data should both be backed up to a disconnected data storage solution that is physically secured and have version tracking and logging enabled to both see earlier versions of the document and which logged in users have made modifications.
Vincenzo Macolino says
FIPS 199 security categorization includes three impact levels (low, moderate, and high) across three security objectives: confidentiality, integrity, and availability. To apply FIPS 199 security categorization to decide if each of the information security risk mitigations described in the FGDC guidelines is needed, you first need to identify the types of information and data processed by the system and how they align with FIPS 199 security objectives. The information then needs to be categorized based on the impact levels; this includes determining if the impact level is low, moderate, or high for all three of the security objectives: confidentiality, integrity, and availability. The safeguards that will be used need to align with the impact level. Low impacts on confidentiality, integrity, and availability do not need extreme safeguarding. If all three objectives are at a moderate impact level, then access control needs to be stricter for confidentiality and integrity, as the data cannot be leaked, as it will affect employees, nor can the data be altered, as this will affect the business, agency, etc. A backup and recovery plan also needs to be implemented, as the data/information cannot become lost if unavailable. At a high impact level for all three objectives, multi-factor authentication and enhanced encryption need to be ensured to protect confidentiality and integrity. Data needs to be backed up and potentially stored offsite and physically secured and monitored to ensure availability.
Ericberto Mariscal says
The FIPS categorization formula can help in identifying the risks that can have a negative impact on an organization.
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}
FISMA defines the negative impact in security objective as such: Confidentiality – the unauthorized disclosure of information, Integrity – the unauthorized modification or destruction of information, and Availability – the disruption of access to or use of information or an information system. An organization can assign Low, Moderate, or High impact severity for each security objective to determine whether or not a safeguard is needed. For all three categories, if the risk is considered moderate to high, then I believe that a safeguard should be in place.
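As an added example (not code from any post here, nor from FIPS 199 or the FGDC guidelines themselves), the categorization formula and high-water mark from this post, together with the FGDC screening criterion Nelson quoted earlier, modelled in Python. The Dataset fields, the rule for non-originated data, the single Impact scale used to compare risk against societal benefit, and the per-objective safeguard tiers are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 impact values; NA is valid only for an information type's confidentiality."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}"""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def high_water_mark(self) -> Impact:
        # Overall impact level is the highest value across the three objectives.
        return max(self.confidentiality, self.integrity, self.availability)

def system_category(info_types: list[SecurityCategory]) -> SecurityCategory:
    """Roll up a system's information types per objective; NA floors to LOW at system level."""
    return SecurityCategory(
        max([Impact.LOW, *(t.confidentiality for t in info_types)]),
        max([Impact.LOW, *(t.integrity for t in info_types)]),
        max([Impact.LOW, *(t.availability for t in info_types)]),
    )

@dataclass(frozen=True)
class Dataset:
    """Constructed inputs to the FGDC screening step (one Impact scale for risk and benefit is a simplification)."""
    name: str
    originated_here: bool     # did this organization originate the data?
    unique_source: bool       # is it the unique source of the sensitive content?
    sensitive: bool           # does it contain sensitive information?
    security_risk: Impact     # assessed risk of dissemination
    societal_benefit: Impact  # assessed societal benefit of dissemination

def safeguarding_justified(ds: Dataset) -> tuple[bool, str]:
    """FGDC test quoted in the thread: sensitive, unique source, and risk outweighs benefit."""
    if not ds.originated_here:
        return False, "not the originator: follow the originator's decision"
    if not ds.sensitive:
        return False, "no sensitive information"
    if not ds.unique_source:
        return False, "sensitive content is available from other sources"
    if ds.security_risk <= ds.societal_benefit:
        return False, "societal benefit of dissemination outweighs the risk"
    return True, "sensitive, unique source, risk outweighs benefit"

def select_safeguards(ds: Dataset, sc: SecurityCategory) -> list[str]:
    """Tier safeguards per objective (assumed tiers), not by the high-water mark alone."""
    if not safeguarding_justified(ds)[0]:
        return []
    chosen = []
    if sc.confidentiality >= Impact.MODERATE:
        chosen.append("restrict access")
    if sc.confidentiality == Impact.HIGH:
        chosen.append("change data (generalize or remove sensitive content)")
    if sc.integrity >= Impact.MODERATE:
        chosen.append("version tracking, change logging, integrity verification")
    if sc.availability >= Impact.MODERATE:
        chosen.append("backups" + (", offsite copy" if sc.availability == Impact.HIGH else ""))
    return chosen
```

Running Benjamin's survey example (confidentiality LOW, integrity HIGH, availability LOW) through this gives a HIGH high-water mark but only the integrity safeguards, while a non-unique data set gets none regardless of its category.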
James Nyamokoh says
When implementing FIPS 199 security classifications in practice, I would start by evaluating how a potential breach could affect the confidentiality and integrity of the information system along with its availability. I would then assess each security measure outlined in the FGDC recommendations according to the system's classification, whether it falls under a low impact or high impact rating. For instance, a high impact system would necessitate defenses such as multifactor authentication and advanced encryption techniques. On the other hand, a low impact system may require less rigorous security measures to maintain data protection.
Andrea Baum says
Your approach to implementing FIPS 199 security classifications is thorough and practical. Evaluating the potential impact on confidentiality, integrity, and availability is a crucial first step in determining the appropriate security measures.
Vincenzo Macolino says
I understand how you would go about implementing safeguards based on FIPS 199 security classifications and objectives. However, in specific circumstances a decision must be made on what safeguards should be implemented based on if risk is low for one objective, like integrity, but high for another, like availability. Some would argue that you need to take all this into consideration and ask the question of what safeguards should be used and when for this specific situation. I think it’s worth mentioning that on top of using FIPS 199 to determine if safeguards are necessary, it’s also very important to create a balance between confidentiality, integrity, and availability.
Jocque Sims says
To decide if each of the information security risk mitigation safeguards is needed, I would apply the FIPS 199 security categorizations to the formula outlined in section three, the sub-sections entitled Security Categorization Applied to Information Types and Security Categorization Applied to Information Systems, of the publication (Department of Commerce, 2004, page 3).
Using example five from the sub-section mentioned above and following the formula, the security category is assessed on its confidentiality, integrity, and availability impact level based on two factors. The first is based on performance data pulled from a device (presumably performance data covering a measurable period), and the second is based on management information. The resulting (final) security category seems to be heavily impacted by the potential loss of the device’s ability to perform as defined by the three security objectives. Therefore, it is likely any security device, information, data, procedure, etc., deemed vital in maintaining or contributing to the protection of the federal government’s critical infrastructure would be evaluated and assessed in the same manner.
Works Cited: FIPS 199: Standards for Security Categorization of Federal Information and Information Systems, NIST, February 2004
Neel Patel says
If I were applying FIPS 199 security categorizations (including three impact levels: low, moderate, and high) to determine the need for risk mitigations, I would evaluate based on the impact on the three core assets of confidentiality, integrity, and availability (CIA). I would then identify the types of information processed by the system and how they align with the FIPS 199 security categorizations. Then, based on the placement, I would decide whether the safeguards are necessary.
In the case I am handling highly classified government data, using FIPS 199 I could categorize the impact of confidentiality as high since unauthorized access can lead to extreme consequences like breaching of national services and disruption of essential services. The safeguards of modifying data or restricting access would be helpful as they would control and limit access. They help to protect sensitive information if the data is compromised, and this aligns with the high-impact categorization for confidentiality and justifying the use of the safeguards.
Aisha Ings says
In order to apply FIPS 199 categorizations in deciding whether each of the information security risk mitigations described in the FGDC guidelines is needed, I would begin the assessment by defining the specific type of data or information being evaluated, outlining its characteristics and purpose. Next, evaluate the sensitivity of the information based on its importance to the organization and the potential damage that could result from a breach, categorizing the impact levels as low, medium, or high. Identify potential security concerns related to the data, such as risks to its confidentiality, integrity, or availability. Then, detail the findings according to the FGDC guidelines to determine the appropriate security mitigations needed based on the identified sensitivity and security concerns. Finally, document the actions taken to address these concerns, including any procedures or safeguards implemented to mitigate the risks.
Tache Johnson says
To apply FIPS 199 security categorizations to the FGDC guidelines, first assess the data or information based on its potential impact on confidentiality, integrity, and availability. FIPS 199 assigns low, moderate, or high impact levels to these three security objectives, depending on the potential consequences of a breach. Once you determine the impact level for each category, you can decide which FGDC safeguards are necessary. For instance, more stringent safeguards like encryption or access control are required if data has a high confidentiality impact.
Dawn Foreman says
FIPS 199 security categorization includes looking at the three security objectives: confidentiality, integrity, and availability (CIA). A security professional categorizes the three areas of CIA into three impact levels: low, moderate, and high. Security professionals look at the information security risk mitigations described in the FGDC guidelines and identify the types of information and data processed by the system and how they align with FIPS 199 security objectives. As outlined in the FGDC guidelines, “Safeguarding is justified only for data that contain sensitive information, that are the unique source of the sensitive information, and for which the security risk outweighs the societal benefit of dissemination”.