
Volume I: guide for mapping types of information and ...



NIST Special Publication 800-60 Volume I, Revision 1

Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories

Kevin Stine, Rich Kissel, William C. Barker, Jim Fahlsing, Jessica Gulick

INFORMATION SECURITY

Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930

August 2008

Department of Commerce, Carlos M. Gutierrez, Secretary
National Institute of Standards and Technology, James M. Turner, Deputy Director

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. This Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security and its collaborative activities with industry, government, and academic organizations.

Authority

This document has been developed by the National Institute of Standards and Technology (NIST) to further its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems.

This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III. This guideline has been prepared for use by federal agencies. It may also be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by NIST.) Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

NIST Special Publication 800-60 Volume I, Revision 1, 53 pages (Date) CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There are references in this publication to documents currently under development by NIST in accordance with responsibilities assigned to NIST under the Federal Information Security Management Act of 2002. The methodologies in this document may be used even before the completion of such companion documents. Thus, until such time as each document is completed, current requirements, guidelines, and procedures (where they exist) remain operative. For planning and transition purposes, agencies may wish to closely follow the development of these new documents by NIST. Individuals are also encouraged to review the public draft documents and offer their comments to NIST. All NIST documents mentioned in this publication, other than the ones noted above, are available at

Comments may be submitted to the Computer Security Division, Information Technology Laboratory, NIST via electronic mail at or via regular mail at 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930.

Acknowledgements

The authors, Kevin Stine, Rich Kissel, and William C. Barker, wish to thank their colleagues, Jim Fahlsing and Jessica Gulick from Science Applications International Corporation (SAIC), who helped update this document, prepare drafts, and review materials. In addition, special thanks are due to our reviewers, Arnold Johnson (NIST), Karen Quigg (Mitre Corporation), and Ruth Bandler (Food and Drug Administration), who greatly contributed to the document's development. A special note of thanks goes to Elizabeth Lennon for her superb technical editing and administrative support. NIST also gratefully acknowledges and appreciates the many contributions from individuals in the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of this publication.

Table of Contents

Executive Summary
Purpose and Applicability
Target Audience
Relationship to Other Documents
Organization of this Special Publication
Agencies Support the Security Categorization Process
Value to Agency Missions, Security Programs and IT Management
Role in the System Development
Role in the Certification and Accreditation Process
Role in the NIST Risk Management
Security Categorization of Information and Information Systems
Security Categories
Security Objectives and Types of Potential Losses
Impact Assessment
Assignment of Impact Levels and Security
Step 1: Identify Information Types
Identification of Mission-based Information Types
Identification of Management and Support Information
Legislative and Executive Information Mandates
Identifying Information Types Not Listed in this Guideline
Step 2: Select Provisional Impact Level
FIPS 199 Security Categorization Criteria
Common Factors for Selection of Impact Levels
Examples of FIPS 199-Based Selection of Impact Levels
Step 3: Review Provisional Impact Levels and Adjust/Finalize Information Type Impact
Step 4: Assign System Security
FIPS 199 Process for System Security Categorization
Guidelines for System Categorization
Overall Information System
Documenting the Security Categorization Process
Uses of Categorization Information
Appendix A: Glossary of Terms
Appendix B:

Executive Summary

Title III of the E-Government Act (Public Law 107-347), titled the Federal Information Security Management Act (FISMA), tasked the National Institute of Standards and Technology (NIST) to develop:

• Standards to be used by all Federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
• Guidelines recommending the types of information and information systems to be included in each such category; and
• Minimum information security requirements (i.e., management, operational, and technical security controls) for information and information systems in each such category.

In response to the second of these tasks, this guideline has been developed to assist Federal government agencies to categorize information and information systems. The guideline's objective is to facilitate application of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system. This guideline assumes that the user is familiar with Standards for Security Categorization of Federal Information and Information Systems (Federal Information Processing Standard [FIPS] 199).

The guideline and its appendices:

• Review the security categorization terms and definitions established by FIPS 199;
• Recommend a security categorization process;
• Describe a methodology for identifying types of Federal information and information systems;
• Suggest provisional security impact levels for common information types;
• Discuss information attributes that may result in variances from the provisional impact level assignment; and
• Describe how to establish a system security categorization based on the system's use, connectivity, and aggregate information content.

This document is intended as a reference resource rather than as a tutorial, and not all of the material will be relevant to all agencies. This document includes two volumes, a basic guideline and a volume of appendices. Users should review the guidelines provided in Volume I, then refer to only that specific material from the appendices that applies to their own systems and applications.
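The four-step process the summary outlines (identify information types, select provisional impact levels, review and adjust them, then assign the system security category) reduces, in FIPS 199 terms, to a per-objective high-water mark over the information types a system holds. The following is an added illustration, not code or data from SP 800-60; the information types, their impact levels and the Step 3 adjustment are constructed, and the only rules it encodes are FIPS 199's: "not applicable" is permitted for confidentiality of public information only, and never at the system level.

```python
# Added example, not text from SP 800-60 or FIPS 199: models the guideline's
# four-step categorization and the FIPS 199 high-water mark. The information
# types and impact levels below are constructed, not the provisional levels
# published in SP 800-60 Volume II.
from dataclasses import dataclass, field
from enum import IntEnum
class Impact(IntEnum):
    NA = 0        # "not applicable": FIPS 199 permits this for confidentiality only
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")
def levels(c, i, a):
    """Build an objective -> Impact map in (confidentiality, integrity, availability) order."""
    return dict(zip(OBJECTIVES, (c, i, a)))

@dataclass
class InfoType:
    name: str
    provisional: dict                              # Step 2: objective -> Impact
    adjusted: dict = field(default_factory=dict)   # Step 3: reviewed overrides

    def final_levels(self) -> dict:
        """Adjusted level where one was recorded, otherwise the provisional one."""
        out = {obj: self.adjusted.get(obj, self.provisional[obj]) for obj in OBJECTIVES}
        if any(v is Impact.NA for k, v in out.items() if k != "confidentiality"):
            raise ValueError(f"{self.name}: NA is only allowed for confidentiality")
        return out

def categorize_system(info_types) -> dict:
    """Step 4: per-objective high-water mark over all information types; FIPS 199
    forbids NA at system level, so every objective starts at LOW."""
    system = {obj: Impact.LOW for obj in OBJECTIVES}
    for it in info_types:
        for obj, level in it.final_levels().items():
            system[obj] = max(system[obj], level)
    return system

def sc_notation(system: dict) -> str:
    """FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({o}, {system[o].name})" for o in OBJECTIVES) + "}"

# Constructed sample: public press releases (confidentiality NA) and benefits
# records whose confidentiality is raised in Step 3 because of aggregation.
SAMPLE = [
    InfoType("press releases", levels(Impact.NA, Impact.LOW, Impact.LOW)),
    InfoType("benefits records", levels(Impact.LOW, Impact.MODERATE, Impact.LOW),
             adjusted={"confidentiality": Impact.MODERATE}),
]
```

Running `sc_notation(categorize_system(SAMPLE))` yields the system's security category; a system holding only public information still categorizes no lower than LOW for confidentiality, which is the FIPS 199 low-water-mark rule for system-level processing information.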
