Categorization and Baseline Selection

Categorization is the process of assigning an impact level to an information system according to FIPS 199. FIPS 199 is not itself a public law; it is a mandatory Federal Information Processing Standard that agencies must follow under FISMA (Title III of the E-Government Act of 2002, Public Law 107-347). FIPS 199 defines three impact levels, HIGH, MODERATE and LOW, which are chosen according to the potential impact on the organization if a security event compromises the information system. The potential impact is evaluated against three security objectives:

  • Confidentiality – A loss of confidentiality is the unauthorized disclosure of information
  • Integrity – A loss of integrity is the unauthorized modification or destruction of information
  • Availability – A loss of availability is the disruption of access to or use of information or an information system

Each security objective is assessed for both the information handled AND the information system itself. When a system handles several types of information, its value for each objective is the highest value assigned to any of those information types (the "high water mark"), and the overall impact level used for baseline selection is the highest value found across the three objectives.

Once the impact level has been determined, it selects the security control baseline from NIST SP 800-53. There are three baselines corresponding to the three FIPS 199 impact levels, and each baseline selects a subset of the 800-53 controls. At the time of writing there were 171 controls in 800-53 (the total and the per-baseline counts below are specific to that revision of 800-53 and have changed in later revisions). Eight of the controls are not considered high priority in most cases and are not selected for any of the three baselines; they remain available to be added later as supplemental controls when the baseline is tailored.

For the HIGH impact level baseline, 163 controls are selected.
For the MODERATE impact level baseline, 152 controls are selected.
For the LOW impact level baseline, 99 controls are selected.
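The high-water-mark rule above is easy to get wrong when a system carries several kinds of information, so here is the categorization and baseline-selection logic as a worked example. This is added code, not part of the original post or of any NIST publication. It goes slightly beyond the text in one respect: FIPS 199 also allows a value of "not applicable" for the confidentiality of information that is already public, but never for integrity or availability, and never for any objective at the system level (a system is floored at LOW because its own processing functions and configuration must be protected). The information types and their values are constructed for illustration; the function names are the example's own.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact values, ordered so max() implements the high water mark."""
    NOT_APPLICABLE = 0   # allowed only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def information_type_category(confidentiality, integrity, availability):
    """Security category of one information type.

    NOT_APPLICABLE may only be assigned to confidentiality (public
    information); integrity and availability must be LOW, MODERATE or HIGH.
    """
    sc = {
        "confidentiality": Impact(confidentiality),
        "integrity": Impact(integrity),
        "availability": Impact(availability),
    }
    for objective in ("integrity", "availability"):
        if sc[objective] is Impact.NOT_APPLICABLE:
            raise ValueError(f"NOT_APPLICABLE is not permitted for {objective}")
    return sc


def system_security_category(info_types):
    """High water mark across every information type the system handles.

    For each objective take the highest value found in any information
    type, then floor the result at LOW: a system never has a
    NOT_APPLICABLE objective, because the system itself must be protected
    even if all the information it serves is public.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {
        objective: max(Impact.LOW, max(sc[objective] for sc in info_types.values()))
        for objective in OBJECTIVES
    }


def overall_impact_level(sc):
    """Overall impact level: the highest value across the three objectives.

    This single level is what selects the LOW, MODERATE or HIGH 800-53 baseline.
    """
    return max(sc[objective] for objective in OBJECTIVES)


def format_security_category(name, sc):
    """Render a security category in FIPS 199 notation, e.g.
    SC payroll system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}
    """
    parts = ", ".join(f"({obj}, {sc[obj].name.replace('_', ' ')})" for obj in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


# Constructed sample: a hypothetical HR web application serving three information types.
EXAMPLE_INFO_TYPES = {
    "public web content": information_type_category(Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
    "personnel records": information_type_category(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "routine admin data": information_type_category(Impact.LOW, Impact.LOW, Impact.LOW),
}


def select_baseline(name, info_types):
    """Categorize a system and return (system category, overall level, baseline name)."""
    sc = system_security_category(info_types)
    level = overall_impact_level(sc)
    return sc, level, f"{level.name} baseline"


if __name__ == "__main__":
    for type_name, sc in EXAMPLE_INFO_TYPES.items():
        print(format_security_category(type_name, sc))
    sc, level, baseline = select_baseline("HR web application", EXAMPLE_INFO_TYPES)
    print(format_security_category("HR web application", sc))
    print(f"overall impact level: {level.name} -> select the 800-53 {baseline}")
```

Note what the floor does in the second case below: a server that publishes only public information still gets a LOW confidentiality value at the system level, so it lands in the LOW baseline rather than in no baseline at all.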

FIPS Publications – [NIST]

FIPS PUB 199 “Standards for Security Categorization of Federal Information and Information Systems”

1 PURPOSE

The E-Government Act of 2002 (Public Law 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), tasked NIST with responsibilities for standards and guidelines, including the development of:
• Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
• Guidelines recommending the types of information and information systems to be included in each category; and
• Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category.

FIPS Publication 199 addresses the first task cited—to develop standards for categorizing information and information systems. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the federal government, promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices. Subsequent NIST standards and guidelines will address the second and third tasks cited.

Key NIST docs:
800-53
