NIST Special Publication 800-60 Volume I, Revision 1. Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories.


NIST Special Publication 800-60 Volume I Revision 1
Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories
Kevin Stine, Rich Kissel, William C. Barker, Jim Fahlsing, Jessica Gulick
INFORMATION SECURITY
Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930
August 2008
U.S. DEPARTMENT OF COMMERCE, Carlos M. Gutierrez, Secretary
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, James M. Turner, Deputy Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. This Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security and its collaborative activities with industry, government, and academic organizations.

Authority

This document has been developed by the National Institute of Standards and Technology (NIST) to further its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, P.L. 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This guideline has been prepared for use by federal agencies. It may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by NIST.) Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

NIST Special Publication 800-60 Volume I, Revision 1, 53 pages (Date) CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There are references in this publication to documents currently under development by NIST in accordance with responsibilities assigned to NIST under the Federal Information Security Management Act of 2002. The methodologies in this document may be used even before the completion of such companion documents. Thus, until such time as each document is completed, current requirements, guidelines, and procedures (where they exist) remain operative. For planning and transition purposes, agencies may wish to closely follow the development of these new documents by NIST. Individuals are also encouraged to review the public draft documents and offer their comments to NIST.

All NIST documents mentioned in this publication, other than the ones noted above, are available at http://csrc.nist.gov/publications.

COMMENTS MAY BE SUBMITTED TO THE COMPUTER SECURITY DIVISION, INFORMATION TECHNOLOGY LABORATORY, NIST VIA ELECTRONIC MAIL AT SEC-CERT@NIST.GOV OR VIA REGULAR MAIL AT 100 BUREAU DRIVE (MAIL STOP 8930), GAITHERSBURG, MD 20899-8930

Acknowledgements

The authors, Kevin Stine, Rich Kissel, and William C. Barker, wish to thank their colleagues, Jim Fahlsing and Jessica Gulick from Science Applications International Corporation (SAIC), who helped update this document, prepare drafts, and review materials. In addition, special thanks are due to our reviewers, Arnold Johnson (NIST), Karen Quigg (Mitre Corporation), and Ruth Bandler (Food and Drug Administration), who greatly contributed to the document's development. A special note of thanks goes to Elizabeth Lennon for her superb technical editing and administrative support. NIST also gratefully acknowledges and appreciates the many contributions from individuals in the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of this publication.

Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories

Table of Contents

EXECUTIVE SUMMARY ... vii
1.0 INTRODUCTION ... 1
  1.1 Purpose and Applicability ... 1
  1.2 Target Audience ... 1
  1.3 Relationship to Other Documents ... 1
  1.4 Organization of this Special Publication ... 2
2.0 PUBLICATION OVERVIEW ... 4
  2.1 Agencies Support the Security Categorization Process ... 4
  2.2 Value to Agency Missions, Security Programs and IT Management ... 4
  2.3 Role in the System Development Lifecycle ... 5
  2.4 Role in the Certification and Accreditation Process ... 5
  2.5 Role in the NIST Risk Management Framework ... 6
3.0 SECURITY CATEGORIZATION OF INFORMATION AND INFORMATION SYSTEMS ... 9
  3.1 Security Categories and Objectives ... 9
    3.1.1 Security Categories ... 9
    3.1.2 Security Objectives and Types of Potential Losses ... 9
  3.2 Impact Assessment ... 10
4.0 ASSIGNMENT OF IMPACT LEVELS AND SECURITY CATEGORIZATION ... 12
  4.1 Step 1: Identify Information Types ... 14
    4.1.1 Identification of Mission-based Information Types ... 14
    4.1.2 Identification of Management and Support Information ... 16
    4.1.3 Legislative and Executive Information Mandates ... 18
    4.1.4 Identifying Information Types Not Listed in this Guideline ... 18
  4.2 Step 2: Select Provisional Impact Level ... 19
    4.2.1 FIPS 199 Security Categorization Criteria ... 19
    4.2.2 Common Factors for Selection of Impact Levels ... 20
    4.2.3 Examples of FIPS 199-Based Selection of Impact Levels ... 22
  4.3 Step 3: Review Provisional Impact Levels and Adjust/Finalize Information Type Impact Levels ... 23
  4.4 Step 4: Assign System Security Category ... 24
    4.4.1 FIPS 199 Process for System Security Categorization ... 25
    4.4.2 Guidelines for System Categorization ... 26
    4.4.3 Overall Information System Impact ... 30
  4.5 Documenting the Security Categorization Process ... 31
  4.6 Uses of Categorization Information ... 33
APPENDIX A: GLOSSARY OF TERMS ... A-1
APPENDIX B: REFERENCES ... B-1

1.0 INTRODUCTION

The identification of information processed on an information system is essential to the proper selection of security controls and ensuring the confidentiality, integrity, and availability of the system and its information. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 has been developed to assist Federal government agencies to categorize information and information systems.

1.1 Purpose and Applicability

NIST SP 800-60 addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative). This guideline applies to all Federal information systems other than national security systems. National security systems store, process, or communicate national security information.[2]

1.2 Target Audience

This publication is intended to serve a diverse federal audience of information system and information security professionals including: (i) individuals with information system and information security management and oversight responsibilities (e.g., chief information officers, senior agency information security officers, authorizing officials); (ii) organizational officials having a vested interest in the accomplishment of organizational missions (e.g., mission and business area owners, information owners); (iii) individuals with information system development responsibilities (e.g., program and project managers, information system developers); and (iv) individuals with information security implementation and operational responsibilities (e.g., information system owners, information owners, information system security officers).

1.3 Relationship to Other Documents

NIST Special Publication (SP) 800-60 is a member of the NIST family of security-related publications including:

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems;
FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems;

[2] FISMA defines a national security system as any information system (including telecommunications system) used or operated by an agency or by a contractor on behalf of an agency, or any other organization on behalf of an agency: (i) the function, operation, or use of which: involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapon system; or is critical to the direct fulfillment of military or intelligence missions (excluding a routine administrative or business system used for applications such as payroll, finance, logistics, and personnel management); or (ii) that processes classified information. [See Public Law 107-347, Section 3542 (b)(2)(A).]

NIST SP 800-30, Risk Management Guide for Information Technology Systems;[3]
NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
NIST Draft SP 800-39, Managing Risk from Information Systems: An Organization Perspective;
NIST SP 800-53, Recommended Security Controls for Federal Information Systems;
NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems; and
NIST SP 800-59, Guideline for Identifying an Information System as a National Security System.

[3] This document is currently under revision and will be reissued as Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments.

This series of nine documents is intended to provide a structured, yet flexible framework for selecting, specifying, employing, evaluating, and monitoring the security controls in Federal information systems, and thus makes a significant contribution toward satisfying the requirements of the Federal Information Security Management Act (FISMA) of 2002. While the publications are mutually reinforcing and have some dependencies, in most cases, they can be effectively used independently of one another.

The SP 800-60 information types and associated security impact levels are based on the Office of Management and Budget (OMB) Federal Enterprise Architecture Program Management Office's October 2007 FEA Consolidated Reference Model Document, Version 2.3, inputs from participants in previous NIST SP 800-60 workshops, and FIPS 199. Rationale for the example impact-level recommendations provided in the appendices has been derived from multiple sources and, as such, will require several iterations of review, comment, and subsequent modification to achieve consistency in terminology, structure, and content.

1.4 Organization of this Special Publication

This is Volume I of two volumes. It contains the basic guidelines for mapping types of information and information systems to security categories. The appendices, including security categorization recommendations for mission-based information types and rationale for security categorization recommendations, are published as a separate Volume II. Volume I provides the following background information and mapping guidelines:

Section 2: Provides an overview of the value of the categorization process to agency missions, security programs and overall information technology (IT) management and the publication's role in the system development lifecycle, the certification and accreditation process, and the NIST Risk Management Framework.
Section 3: Provides the security objectives and corresponding security impact levels identified in the Federal Information Processing Standard 199, Standards for Security Categorization of Federal Information and Information Systems [FIPS 199];

Section 4: Identifies the process including guidelines for identification of mission-based and management and support information types and the process used to select security impact levels, general considerations relating to security impact assignment, guidelines for system security categorization, and considerations and guidelines for applying and interrelating system categorization results to the agency's enterprise, large supporting infrastructures, and interconnecting systems;
Appendix A: Glossary; and
Appendix B: References.

Volume II includes the following appendices:

Appendix A: Glossary [Repeated];
Appendix B: References [Repeated];
Appendix C: Provisional security impact level assignments and supporting rationale for management and support information (administrative, management, and service information);
Appendix D: Provisional security impact level assignments and supporting rationale for mission-based information (mission information and services delivery mechanisms); and
Appendix E: Legislative and executive sources that specify sensitivity/criticality properties.
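The four-step process that Section 4 walks through (identify information types, select provisional impact levels, review and adjust them, assign the system security category), as an added Python example that is not part of SP 800-60 or any NIST tool. The information types, their impact levels and the adjustment rationale are constructed sample values; the high-water-mark rule and the LOW floor for systems follow FIPS 199.

```python
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 impact levels; IntEnum ordering lets max() compute the high-water mark."""
    NA = 0        # "not applicable": allowed only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

def finalize_information_type(provisional, adjustments=None):
    """Steps 2 and 3: start from the provisional levels and apply documented adjustments."""
    final = dict(provisional)
    for objective, level in (adjustments or {}).items():
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective}")
        final[objective] = level
    return final

def categorize_system(info_types):
    """Step 4: per objective, the system category is the high-water mark over all
    information types it processes; FIPS 199 sets a LOW floor at the system level."""
    return {obj: max([Impact.LOW] + [sc[obj] for sc in info_types.values()])
            for obj in OBJECTIVES}

def overall_impact(system_sc):
    """Overall system impact level: the highest of the three objectives."""
    return max(system_sc.values())

def format_sc(sc):
    """Render a category in the FIPS 199 notation SC = {(objective, impact), ...}."""
    return "SC = {" + ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES) + "}"

def run_example():
    """Constructed example: two information types on one system, one adjusted in step 3."""
    provisional = {  # steps 1 and 2, with constructed provisional levels
        "personnel records": {"confidentiality": Impact.MODERATE,
                              "integrity": Impact.MODERATE, "availability": Impact.LOW},
        "public web content": {"confidentiality": Impact.NA,
                               "integrity": Impact.LOW, "availability": Impact.LOW},
    }
    # Step 3 (constructed rationale): the public site carries time-critical notices,
    # so the agency raises its availability level before assigning the system category.
    adjustments = {"public web content": {"availability": Impact.MODERATE}}
    final = {name: finalize_information_type(sc, adjustments.get(name))
             for name, sc in provisional.items()}
    system_sc = categorize_system(final)
    return final, system_sc, overall_impact(system_sc)
```

Calling run_example() and passing each returned category to format_sc() prints the per-type and system categories in FIPS 199 notation; note that the NA confidentiality level of the public content never propagates to the system, which is floored at LOW.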
