


OS/OCIO/IBC FIPS 199 / NIST SP 800-60 Impact Determination Process – PART I

Overview/Instructions

BACKGROUND. Two critical tasks in managing the security needs and requirements for an information technology (IT) system are those of: 1) determining the assessment and authorization (A&A) boundaries for a system and 2) determining the FIPS 199 security category of the system. These tasks must be performed in sequence. In other words, in order to determine the FIPS 199 security category for a system, it is necessary that you first determine the system boundaries.

Uniquely assigning IT resources (personnel, equipment, and information) to a general support system or a major application defines the security boundary for that system. Generally speaking, IT resources that fall under the same direct management control (e.g., budgetary or operational authority) define the boundaries for a general support system or a major application. Organizations have flexibility in determining what constitutes an information system (i.e., general support system or major application).

It is not only possible but quite common for information systems (general support systems and major applications) to contain multiple subsystems in addition to minor applications. In the general support system or major application environment, a subsystem might comprise a major subdivision or component of the general support system or major application, consisting of information, software, and personnel that perform one or more specific functions related to the major application. Subsystems typically fall under the same management authority as the general support system or major application and are included within the general support system or major application System Security Plan (SSP). An example for a general support system might be one that includes a number of subsystems such as one or more local area networks (LANs), remotely located offices, and any number of minor applications hosted on the hardware. All of these components together would form the A&A boundaries for the general support system. An example for a major application might be one that includes a number of sub-components that provide a supportive or supplemental function for the major application. All of these sub-components, combined, would form the A&A boundaries for the major application. A graphical depiction of this concept is offered in Part IV of the OS/OCIO/IBC FIPS 199/NIST SP 800-60 Impact Determination Process.

THE PROCESS. Based on these examples and the other background information provided above, each OS/OCIO/IBC system owner must define the A&A boundaries for their general support system or major application by identifying and documenting every subsystem (e.g., minor application) that falls within the operational and functional boundaries of their general support system or major application.

Once the A&A boundaries for the general support system or major application have been determined and documented, it is then necessary to determine the overall FIPS 199 security category for the system. This is accomplished by determining the major information types that are processed or stored by the general support system or major application and all of its subsystems. NIST Special Publication (SP) 800-60 contains a large index of most of the information types found in federal computer systems, and assigns to each information type a “recommended” security category for Confidentiality, Integrity, and Availability, or CIA (not to be confused with the agency using that acronym). By determining the CIA security category for each of the information types that are processed or stored within the overall general support system or major application (including its subsystems or sub-components), a determination may be made regarding the overall FIPS 199 security category for the entire general support system or major application.

FIPS 199 rests on the premise that a system's security category is determined by the highest of the CIA security categories assigned to the information types processed or stored by the overall general support system or major application. The FIPS 199 security category determines which security controls must be employed for any particular IT system. This will become clearer as you proceed through the process.
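The aggregation just described (per-objective high-water mark across every information type inside the A&A boundary, then the overall system category) is shown below as an added worked example; it is not part of this OS/OCIO/IBC document. The subsystem names and information types are constructed placeholders, not values quoted from SP 800-60, and the floor of LOW at system level follows FIPS 199's rule that "not applicable" may only be assigned to the confidentiality of an information type, never to an information system.

```python
"""FIPS 199 high-water-mark aggregation over documented information types."""
from typing import Dict, List, Tuple

# Impact levels in ascending order. "N/A" is valid only for the
# confidentiality objective of an individual information type (FIPS 199).
LEVELS = ["N/A", "LOW", "MODERATE", "HIGH"]

InfoType = Tuple[str, str, str, str]  # (name, C, I, A)


def validate(cat: Tuple[str, str, str]) -> None:
    """Reject unknown levels and misuse of N/A on integrity/availability."""
    for objective, level in zip(("C", "I", "A"), cat):
        if level not in LEVELS:
            raise ValueError(f"unknown impact level {level!r} for {objective}")
        if level == "N/A" and objective != "C":
            raise ValueError("N/A is only permitted for confidentiality")


def highest(levels: List[str]) -> str:
    return max(levels, key=LEVELS.index)


def system_category(boundary: Dict[str, List[InfoType]]) -> Dict[str, str]:
    """boundary maps each subsystem in the A&A boundary to its information
    types. Returns the per-objective high-water marks and the overall level."""
    per: Dict[str, List[str]] = {"C": [], "I": [], "A": []}
    for subsystem, info_types in boundary.items():
        if not info_types:
            raise ValueError(f"subsystem {subsystem!r} has no information types")
        for _name, c, i, a in info_types:
            validate((c, i, a))
            per["C"].append(c); per["I"].append(i); per["A"].append(a)
    # System-level floor: a system can never be rated N/A for any objective.
    result = {k: highest(v + ["LOW"]) for k, v in per.items()}
    result["overall"] = highest([result["C"], result["I"], result["A"]])
    return result


def fips199_notation(result: Dict[str, str]) -> str:
    """Render the category in the notation FIPS 199 uses for a system."""
    return ("SC system = {(confidentiality, %s), (integrity, %s), "
            "(availability, %s)}" % (result["C"], result["I"], result["A"]))


# Constructed example: a general support system with a LAN and a minor app.
EXAMPLE_BOUNDARY: Dict[str, List[InfoType]] = {
    "LAN": [("Network operations (constructed)", "LOW", "MODERATE", "MODERATE")],
    "Minor app": [("Public web content (constructed)", "N/A", "MODERATE", "LOW"),
                  ("Employee records (constructed)", "MODERATE", "HIGH", "LOW")],
}

if __name__ == "__main__":
    r = system_category(EXAMPLE_BOUNDARY)
    print(fips199_notation(r), "-> overall:", r["overall"])
```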

The remainder of this document consists of a convenient tool that can be used to document all of the NIST SP 800-60 information types and their related CIA security categories. Once completed, the tool will also serve as documentary evidence for auditors that you have completed the NIST 800-60/FIPS 199 process for each of your general support systems or major applications. The end result of completing the following information type and CIA security category worksheets will be the FIPS 199 system security category for the general support system or major application, on which all subsequent security controls and processes will be based.

If, after you have read this background and guidance, you still have questions regarding the NIST 800-60/FIPS 199 security category determination process, please contact the OCIO IT Security Program Office staff for assistance.
