The NIST documents talk about responsibilities under the Federal Information Security Management Act (FISMA 2002, PL 107-347) and also the selection of security controls that ensure confidentiality, integrity and availability. It shows how to implement the minimum requirements process for providing adequate information security. National Institute of Standards and Technology documents describe the experimental procedure and concept adequately. NIST documents are developed as a standard to be used by all federal agencies to categorize all information and recommend a security categorization process. These guidelines help agencies consistently map security impact levels. For example, privacy, medical, proprietary, financial, contractor sensitive, trade secret, and investigations; these are key objectives of NIST documents.
1. Organization of this special publication.
2. Public Overview
3. Security Categorization of information and Information systems.
4. Assignments of impact level of security categorization.
In this reading, there is a section in bold that is titled: Catastrophic Loss of System Availability.
Availability is the need and MUST for systems and networks to be up and running. The idea of availability means that your information is always accessible to you. An example of this could be a report saved on the server that should always be there, or a video you need to watch that should be instantly available.
The opposite of the above is outlined in the paragraph that I referenced. This can consist of either physical or logical destruction of major assets, which will result in a lot of money being lost in the effort to restore the assets and/or long periods of time for recovery. Permanent loss/unavailability will not only result in a detrimental effect to the agency’s operations, but it will also have “a severe adverse effect on public confidence in Federal agencies”.
NIST SP 800-60 is used by federal government agencies in the categorization of information and information systems. Security categorization is the first step in the NIST Risk Management Framework. It is a vital step in the success of an organization’s security management. Underprotection for sensitive or confidential information could result in breaches and losses. Overprotecting information can easily result in wasted funds. Additionally, if information or information systems are not mapped properly, users who should have authorization may not have access to them. It is also important to revisit security categorizations and impact levels as they often change over time.
Hi Amelia, I agree with the point you made where it is important to categorize the security appropriately according to NIST, because under-protection of sensitive/confidential information can result in breaches and over-protecting less sensitive/confidential information can result in wasted funds.
A key takeaway from NIST 800-60 V1R1 for me is under section 4.5 “Documenting the Security Categorization Process”, more specifically looking at Figure 3: “Security Categorization Information Collection”, which details the information that should be collected. Documenting the research, key decisions/approvals, and supporting rationale is essential to an information system’s security plan. Looking at Figure 3, SCADA (supervisory control and data acquisition) is the system being looked at, and the documentation has several steps. SCADA information types are listed initially as “Energy Supply” and “General Information”. Next, the information types are looked at in respect to their impact on the CIA Triad. For example, in regard to impact on Integrity, Energy Supply is listed as high because “Severe impacts or consequences may occur if adversarial modification of information results in incorrect power system regulation or control actions”. Along with other factors, the overall system impact is graded as high, but I thought it was interesting to see the documentation of the system laid out in this way.
NIST 800-60 addresses the FISMA direction to create guidelines prescribing the types of information and information systems to be included in each category of potential security impact. FIPS 199 defines the security categories, security objectives, and impact levels to which NIST 800-60 maps information types. FIPS 199 establishes security categories based on the magnitude of harm expected to result from compromises rather than on the results of an assessment. The security categories in question are Confidentiality, Integrity, and Availability. FIPS 199 then establishes three potential levels of impact that might affect these categories. The levels of impact are labeled either low, moderate, or high. The security categories laid out by FIPS 199 can be associated with both user information and system information in both electronic and non-electronic forms.
Michael Galdo says
The NIST 800-60 was developed to assist Federal government agencies to categorize information and information systems. The security categorization emphasizes the importance of selecting security controls to achieve your security objectives and to successfully protect the CIA triad of your information assets. The document discusses FISMA requirements to help categorize the level of a potential security impact. Having these threats categorized by impact level ensures proper security measures are defined, therefore giving your information adequate security.
Yangyuan Lin says
Hi Michael,
Good point, categorizing information and information systems is an important job, and the best way to ensure adequate security is implemented for each type of information is to ensure that organizations categorize information categories into the most appropriate ones. By determining the classification of different categories, organizations can more efficiently and accurately know what they want or what is more important.
Ornella Rhyne says
Hi Corey,
I believe categorization is an important part of the process. We need to know what information we would like to apply the minimum security requirements to. Categorization helps us determine the risk level, and then after this step we should be able to implement the appropriate controls or procedures to minimize the risk.
Ornella Rhyne says
Hi Michael,
Sorry, I am having issues with my internet. I liked your comment and wanted to add that this guide is to facilitate application of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system, per the article. All of these focus on the main objective to protect information systems against malicious attacks (confidentiality, integrity, availability). Great comment!
Yangyuan Lin says
NIST 800-60 V1R1 addresses the importance of classifying information and information system types, and provides accurate system classification of information systems according to the low, medium, and high impact levels identified in FIPS 199. System classification is the most important step in ensuring that information assets have minimum requirements and necessary controls to protect confidentiality, integrity, and availability from threats. The method for assigning security impact levels by information types can be divided into four parts:
1. Identifying information types
2. Selecting temporary impact levels
3. Reviewing and adjusting impact levels
4. Assigning system security categories
Classification of information affects other steps in selecting security controls, implementing security controls, evaluating security controls, authorizing information systems, and monitoring security status. Therefore, documenting the safety classification process is essential. Documenting research, key decisions and approvals, and the supporting rationale that drives security classification is important and should be included in the security plan for information systems.
Matthew Bryan says
In NIST SP800-60V1R1 section 4.1.1 Identification of Mission-based Information Types (page 14), the publication discusses the process for identifying mission-based information types and specifies the impact of unauthorized disclosure, modification, or unavailability of this information. This process begins by establishing mission-based information types at an agency level and documenting the agency’s business and mission areas. The publication provides an example of how law enforcement would have sub-functions like criminal investigation and surveillance, criminal apprehension, etc.
NIST SP800-60V1R1 helps both government and non-government agencies identify information types. A non-government agency would not have the same classifications outlined in OMB’s Business Reference Model; however, it can serve as a reference for the organization’s own discovery as they embark on similar processes. Providing these examples can help organizations to identify and classify their information by seeing how government agencies complete this. For example, Business Analytics at a large corporation may have sub-functions like Competitive Intelligence, etc.
Michael Duffy says
Hey Matthew,
You can also tie in non-federal organizations that do deal with federal information types with the 800-171 as well. Although this would require the organization to be dealing with federal information in some shape or form, so it wouldn’t apply to organizations attempting to classify their data outside of the federal sphere. I just thought it was a good input since you were mentioning non-government agencies.
Jason Burwell says
NIST SP800-60V1R1 is a guide for categorizing types of Information and Information systems to security categories.
A section that stands out as important is 4.1.4 Identifying Information Types Not Listed in this Guideline, which lets us know that the FEA BRM Information Types are provided only as a taxonomy guideline. Not all information processed by an information system may be identified from Tables 4 through 6. Therefore, an agency may identify unique information types not listed in this guideline or may choose not to select provisional impact levels from Volume II, Appendix C (for management and support information types) or Volume II, Appendix D (for mission-based information types). Sections 4.2.1 through 4.2.3 of this guideline provide assistance to agencies in assigning provisional security categories to agency-identified information types and information systems. Additionally, SP 800-60 provides a management and support sub-function, General Information Type, which can be used by agencies as a means to identify and categorize information not contained in the FEA BRM. A complete description of the General Information Type information should be captured in the agency’s collection and documentation process.
This is important to keep in mind when reading NIST SP800-60V1R1 as it lets us know that it should be viewed as a taxonomy guideline.
Oluwaseun Soyomokun says
NIST SP 800-60 V1R1 categorizes the sensitivity of the system’s data, followed by enumeration of risks that might compromise the confidentiality, integrity, and availability of both the data and the information system. Additionally, NIST SP 800-60 V1R1 provides a management and support sub-function for the general information types, which can be used by agencies as a means to identify and categorize information not contained in the FEA BRM. It states further that a complete description of the General Information Type should be captured in the agency’s collection and documentation process. Step 2 of this publication emphasizes that organizations should establish the provisional impact levels based on the identified information types in Step 1 with regard to the CIA Triad objectives of the information type from Volume II, before any adjustments are made. Section 4.2.1 places strong emphasis on the FIPS 199 security categorization criteria.
Miray Bolukbasi says
NIST 800-60 V1R1 is a guide for mapping types of information and systems to security categories. Security categorization is a key and first step in the Risk Management Framework because it sets a foundation for other steps. The organizational view has steps including: categorize, select, implement, assess, authorize, monitor. It refers to FIPS 199 to define the security categories, objectives, and impact levels.
Security objectives: confidentiality, integrity, and availability
Potential impact: low, moderate, high
One takeaway from reading the NIST 800-60 V1R1 is the detailed explanation of confidentiality, integrity, and availability factors. And finally, the advice on how agency personnel should be aware of the several factors during aggregation of system information types. Unforeseen concerns might affect one of the security objectives, and factors might include data aggregation, system functionality, extenuating circumstances.
Bryan Garrahan says
The importance of steps 2 & 3 of the assignment of impact levels and security categorization methodology really stuck out to me. I found it interesting how step 2 of the process calls for an establishment of initial information and information system provisional impacts in terms of confidentiality, integrity, and availability. Then, in step 3, these provisional impacts, or security baselines, are reassessed and updated if necessary. I think this is a really good way to reconfirm the validity of impact levels during the initial implementation phase. The impact levels should continue to be reassessed on a periodic basis after initial implementation to ensure they reflect the appropriate impact level(s) of the information or information system asset under review.
Corey Arana says
One key point that I took away from NIST SP 800-60 was Table 7: Categorization of federal information and information systems, covering confidentiality, integrity, and availability. Each goes over asking questions and giving a rating for them for the evaluation process. Being able to categorize this information can help protect against potential impact on confidentiality, integrity, and availability.
Michael Galdo says
Hello Corey,
I agree that categorizing will help protect against impacts on the CIA triad. Security categorization emphasizes the importance of selecting security controls to achieve your security objectives. Having these threats categorized by impact level ensures proper security measures are defined.
Ornella Rhyne says
Hi Corey,
I believe categorization is an important part of the process. We need to know what information we would like to apply the minimum security requirements to. Categorization helps us determine the risk level, and then after this step we should be able to implement the appropriate controls or procedures to minimize the risk.
Ornella Rhyne says
As the article says, NIST 800-60 has been developed to assist Federal government agencies to categorize information and information systems. This, in accordance with FIPS 199, is again to categorize all information based on their criticality and sensitivity impact levels, to provide appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system (confidentiality, integrity, availability).
The key point is that this mapping guideline is not a tutorial but rather it’s a document intended to assist or serve as a reference resource. The users should only review information that applies to their own systems and applications.
Bryan Garrahan says
Thanks for sharing, Ornella. It’s definitely important for individuals who look to apply the mapping guideline to elements within their organization’s environment that it should be used to help facilitate the process. IT environments can be very different and complex, so it’s up to the individual to gain a sound understanding of its inner workings to ensure the mapping can be applied appropriately.
Elizabeth Gutierrez says
NIST 800-60 V1R1 tasked federal entities to conduct FIPS 199 security categorizations of their information systems as a way to ensure that information assets have minimum requirements and necessary controls to protect confidentiality, integrity, and availability from threats. The value of information security categorization enables agencies to support their mission in a cost-effective manner. Since federal agencies are heavily dependent on information and information systems to successfully conduct critical missions, it is imperative that they correctly classify their information. Otherwise, they run the risk of over protecting the information system, thus wasting valuable security resources, or under protecting the information system; in turn, placing important operations and assets at unnecessary risk.
Wilmer Monsalve says
A key takeaway from NIST 800-60 V1R1 was the process roadmap shown on page 13. It gives a very detailed guideline on the assignment of impact levels and security categorization. There are 4 steps. It begins once the input of identification of information systems is completed. Step 1 identifies the information type, with the roles of mission owners and information owners for documentation purposes of the mission. The next step is to select provisional impact levels from the FIPS 199 criteria table in section 4.2.1. Step 3 involves the review of provisional impact levels and the adjustment/finalization of information impact levels. A good way of reviewing this is using the CIA triad and reviewing documentation for rationale. Lastly, step 4 assigns the system security category according to the documentation from step 3, along with following the agency’s oversight. The output is the security categorization, which involves the CIO, ISSO, authorizing officials, and developers.
Ryan Trapp says
I found the SP 800-60 Process Roadmap to be insightful while reading through this document. The table on pg. 13 that takes a step-by-step approach to identifying information types, setting security impact levels, and then assigning the categorization for those information types expands on the activities required in each step and the roles of the individuals involved. The following section of the document (section 4.x) goes into detail on each of these steps. The chart in and of itself is not enough information to adequately accomplish each of the steps in the process. However, I appreciated the succinctness of the chart and believe it is something that would be useful to reference when assigning security impact levels and categorizations of information types and systems.
Hang Nu Song Nguyen says
NIST SP 800-60 V1R1 is a member of the NIST family and a guide for categorizing types of IS into security categories that starts with the identification of what information supports which government lines of business. This publication has several roles. For me, the most important aspect of security categorization is its role in the NIST Risk Management Framework, because it is the first of the six steps in the Risk Management Framework and will affect all other steps in the framework, from the selection of security controls to the level of effort in assessing security control effectiveness.
Michael Duffy says
The NIST 800-60 provides information necessary to categorize the system. Pg. 27 in particular talks about the aggregation of information: some information may not display relevance in small amounts but may display patterns in a system, which would result in the sensitivity of the aggregated data being higher. Either the confidentiality of the data becomes compromised, as more information types exploding into the system might reveal snippets of information used to identify an individual, or perhaps the information has increased in quantity, which could affect the availability of the system. Because of this, the information yielded may increase the security impact of the system beyond that described for individual information types. Vast multitudes of information change how we measure the security level.
Mohammed Syed says
The NIST document talks about responsibilities under the Federal Information Security Management Act (FISMA 2002, PL 107-347) and also the selection of security controls that ensure confidentiality, integrity and availability. It shows how to implement the minimum requirements process for providing adequate information security. The National Institute of Standards and Technology documents describe the experimental procedure and concept adequately. NIST documents are developed as a standard to be used by all federal agencies to categorize all information, and they recommend a security categorization process. These guidelines help agencies consistently map security impact levels. For example, privacy, medical, proprietary, financial, contractor sensitive, trade secret, and investigations are key objectives of the NIST documents.
1. Organization of this special publication.
2. Public Overview
3. Security Categorization of information and Information systems.
4. Assignments of impact level of security categorization.
Joshua Moses says
In this reading, there is a section in bold that is titled: Catastrophic Loss of System Availability.
Availability is the need and MUST for systems and networks to be up and running. The idea of availability means that your information is always accessible to you. An example of this could be a report saved on the server that should always be there, or a video you need to watch that should be instantly available.
The opposite of the above is outlined in the paragraph that I referenced. This can consist of either physical or logical destruction of major assets, which will result in a lot of money being lost in the effort to restore the assets and/or long periods of time for recovery. Permanent loss/unavailability will not only result in a detrimental effect on the agency’s operations, but it will also have “a severe adverse effect on public confidence in Federal agencies”.
Amelia Safirstein says
NIST SP 800-60 is used by federal government agencies in the categorization of information and information systems. Security categorization is the first step in the NIST Risk Management Framework. It is a vital step in the success of an organization’s security management. Underprotection for sensitive or confidential information could result in breaches and losses. Overprotecting information can easily result in wasted funds. Additionally, if information or information systems are not mapped properly, users who should have authorization may not have access to them. It is also important to revisit security categorizations and impact levels as they often change over time.
Wilmer Monsalve says
Hi Amelia, I agree with the point you made where it is important to categorize the security appropriately according to NIST, because underprotection of sensitive/confidential information can result in breaches and overprotecting less sensitive/confidential information can result in wasted funds.
Alexander William Knoll says
A key takeaway from NIST 800-60 V1R1 for me is under section 4.5 “Documenting the Security Categorization Process”, more specifically looking at Figure 3: “Security Categorization Information Collection”, which details the information that should be collected. Documenting the research, key decisions/approvals, and supporting rationale is essential to an information system’s security plan. Looking at Figure 3, SCADA (supervisory control and data acquisition) is the system being looked at, and the documentation has several steps. SCADA information types are listed initially as “Energy Supply” and “General Information”. Next, the information types are looked at with respect to their impact on the CIA triad. For example, in regard to impact on integrity, Energy Supply is listed as high because “Severe impacts or consequences may occur if adversarial modification of information results in incorrect power system regulation or control actions”. Along with other factors, the overall system impact is graded as high, but I thought it was interesting to see the documentation of the system laid out in this way.
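The four-step roadmap, the aggregation adjustment and the Figure 3 SCADA write-up discussed in the comments above all come down to one mechanical rule from FIPS 199: each information type gets a provisional impact level per security objective, reviewers adjust and document those levels, and the system category is the high water mark across all types. The example below is an added illustration and is not code from NIST SP 800-60 or from any of the commenters; the `InfoType`, `Adjustment` and `categorize_system` names are this example's own, and the sample levels are constructed (only "Energy Supply integrity = HIGH" and the overall HIGH result come from the discussion).

```python
"""FIPS 199 style security categorization for a system built from several
information types.  Added illustration, not code from NIST SP 800-60 or from
the discussion above; the information types and most impact levels below are
constructed sample values.
"""
from dataclasses import dataclass, field

# FIPS 199 impact levels, ordered so the "high water mark" can be taken with max().
IMPACT_ORDER = {"LOW": 0, "MODERATE": 1, "HIGH": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def check_level(level: str) -> str:
    """Reject anything that is not one of the three FIPS 199 levels."""
    if level not in IMPACT_ORDER:
        raise ValueError(f"unknown impact level {level!r}; expected one of {list(IMPACT_ORDER)}")
    return level


@dataclass
class Adjustment:
    """Step 3 outcome: a reviewed level together with the rationale the security plan must record."""
    objective: str
    level: str
    rationale: str


@dataclass
class InfoType:
    name: str
    provisional: dict                                  # objective -> provisional level (step 2)
    adjustments: list = field(default_factory=list)    # reviewed/finalized levels (step 3)

    def final_levels(self) -> dict:
        """Provisional levels with every documented adjustment applied."""
        levels = {obj: check_level(self.provisional[obj]) for obj in OBJECTIVES}
        for adj in self.adjustments:
            if adj.objective not in OBJECTIVES:
                raise ValueError(f"unknown objective {adj.objective!r}")
            levels[adj.objective] = check_level(adj.level)
        return levels


def high_water_mark(level_sets: list) -> dict:
    """Per objective, the highest impact level across all information types (step 4)."""
    return {
        obj: max((levels[obj] for levels in level_sets), key=IMPACT_ORDER.__getitem__)
        for obj in OBJECTIVES
    }


def categorize_system(info_types: list) -> tuple:
    """Return (system security category, overall impact level)."""
    finals = [it.final_levels() for it in info_types]
    sc = high_water_mark(finals)
    overall = max(sc.values(), key=IMPACT_ORDER.__getitem__)
    return sc, overall


def format_sc(sc: dict) -> str:
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES) + "}"


def categorization_record(info_types: list) -> list:
    """Lines for the security plan: provisional levels, each adjustment with rationale, and the result."""
    lines = []
    for it in info_types:
        lines.append(f"{it.name}: provisional {it.provisional}")
        for adj in it.adjustments:
            lines.append(f"  adjusted {adj.objective} -> {adj.level}: {adj.rationale}")
    sc, overall = categorize_system(info_types)
    lines.append(format_sc(sc))
    lines.append(f"overall system impact: {overall}")
    return lines


# Constructed sample modelled on the SCADA case in the discussion: only
# "Energy Supply integrity = HIGH" and the overall HIGH come from it; every
# other level, and the aggregation adjustment, is an assumption for illustration.
SCADA_SAMPLE = [
    InfoType("Energy Supply",
             {"confidentiality": "LOW", "integrity": "HIGH", "availability": "HIGH"}),
    InfoType("General Information",
             {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"},
             adjustments=[Adjustment("confidentiality", "MODERATE",
                                     "aggregation: combined records reveal operational patterns")]),
]

if __name__ == "__main__":
    for line in categorization_record(SCADA_SAMPLE):
        print(line)
```

Two things the code makes explicit that the roadmap table leaves implicit: an adjustment can only be recorded together with its rationale (the `Adjustment` type has no optional field for it), and the overall level is derived from the per-objective high water marks rather than assigned directly, so a single HIGH integrity rating on one information type is enough to make the whole system HIGH.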
Shubham Patil says
NIST 800-60 addresses the FISMA direction to create guidelines prescribing the types of information and information systems to be included in each category of potential security impact. FIPS 199 defines the security categories, security objectives, and impact levels to which NIST 800-60 maps information types. FIPS 199 establishes security categories based on the magnitude of harm expected to result from compromises rather than on the results of an assessment. The security categories in question are confidentiality, integrity, and availability. FIPS 199 then establishes three potential levels of impact that might affect these categories. The levels of impact are labeled low, moderate, or high. The security categories laid out by FIPS 199 can be associated with both user information and system information in both electronic and non-electronic forms.