By Lon J. Berman, CISSP, RDRP
By federal law, an information system will be designated as a National Security System (NSS) in accordance with the following definition:
The term “national security system” means any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency, the function or use of which:
- involves intelligence activities; or
- involves cryptologic activities related to national security; or
- involves command and control of military forces; or
- involves equipment that is an integral part of a weapon or weapons system; or
- is critical to the direct fulfillment of military or intelligence missions (with the exception of routine administrative or business systems); or
- stores, processes or communicates classified information.
If a system meets one or more of the above criteria, it should be designated as NSS. Systems that meet none of the above criteria are considered non-NSS. Additional information about NSS is provided in NIST Special Publication (SP) 800-59. This publication also includes the above NSS designation criteria in the form of a checklist.
Each agency is responsible for identifying all NSS under its ownership or control. The agency head is responsible for designating an agency information security official to determine which, if any, agency systems are NSS.
For non-NSS, the Secretary of Commerce is responsible for prescribing security standards and guidelines, based on publications of the National Institute for Standards and Technology (NIST). For NSS, the Committee on National Security Systems (CNSS) is responsible for providing security standards and guidelines.
At this point you might be thinking, “Whoa … wait a minute! With two different organizations responsible for providing security standards, what’s to stop things from ending up with totally different security controls and life cycle processes for NSS and non-NSS?” The reason we need not be fearful of things going in that direction can be summed up in three letters: R-M-F. Departments and agencies across the government landscape … including DoD, federal “civil” agencies, and the intelligence community … have all made a commitment to use the Risk Management Framework (RMF) as the basis of their information system security authorization and life cycle management processes.
Both NSS and non-NSS draw their security control baselines from the same “catalog” (i.e., NIST SP 800-53). The only difference lies in the process used to build the baseline. For non-NSS, systems are categorized as High, Moderate or Low, in accordance with FIPS 199, and the appropriate security control baseline is then selected from NIST SP 800-53. For NSS, categorization is done in accordance with CNSSI 1253 (rather than FIPS 199). NSS are categorized separately for each of the three security objectives (Confidentiality, Integrity and Availability), resulting in a categorization such as “Low, Low, Low”, “Moderate, Moderate, Low”, “Moderate, Moderate, High”, etc. CNSSI 1253 further provides the appropriate baseline of security controls for each of the 27 possible system categorizations. The controls themselves still come from NIST SP 800-53.
Once the security control baseline has been established, the remainder of the RMF life cycle (i.e., security control implementation, security control assessment, system authorization, and continuous monitoring) is identical for both NSS and non-NSS.
That’s the end of the story for systems owned by (or operated on behalf of) departments or agencies outside of DoD. For systems owned by (or operated on behalf of) DoD, things are a bit different – but simpler!
In its adoption of RMF, DoD has mandated that system categorization and security control selection be performed in accordance with CNSSI 1253 for all systems, regardless of whether they are NSS or non-NSS. Another way to put this is that DoD has mandated that, for RMF purposes, all information systems be treated as if they were NSS. DoD system owners using eMASS will be asked to indicate whether their system is NSS or non-NSS, but the answer provided will have no material effect on the RMF process itself.
It’s important to understand that DoD has not declared all of its information systems to be NSS. Neither DoD, nor any other federal department or agency, has the statutory authority to do such a thing, and the criteria for designating a system as NSS are clearly stated in FISMA.
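The decision logic described above (the NSS checklist, the FIPS 199 versus CNSSI 1253 categorization paths, and the DoD rule that every system follows CNSSI 1253), written out as a small Python helper. This is an added example, not code from the article or from eMASS; the function and key names are invented here, and the rule that a FIPS 199 system's overall level is the high-water mark of its three objectives comes from FIPS 200 rather than from this article.

```python
from itertools import product

LEVELS = ("Low", "Moderate", "High")

# The six FISMA criteria quoted in the article, as checklist keys (names invented here).
NSS_CRITERIA = (
    "intelligence_activities",
    "cryptologic_activities",
    "command_and_control",
    "weapons_system_component",
    "critical_to_military_or_intel_mission",  # routine admin/business systems excluded
    "classified_information",
)


def is_nss(checklist: dict) -> bool:
    """A system is NSS if it meets one or more of the FISMA criteria."""
    return any(checklist.get(key, False) for key in NSS_CRITERIA)


def categorize(conf: str, integ: str, avail: str, *, nss: bool, dod: bool) -> dict:
    """Return the categorization the RMF process records for this system.

    CNSSI 1253 path (any NSS, and every DoD system regardless of NSS status):
    the three objectives stay separate, e.g. ("Moderate", "Moderate", "Low").
    FIPS 199 path (non-DoD, non-NSS): a single overall level. Assumption from
    FIPS 200 (not stated in the article): that level is the high-water mark.
    """
    for level in (conf, integ, avail):
        if level not in LEVELS:
            raise ValueError(f"impact level must be one of {LEVELS}: {level!r}")
    if dod or nss:
        return {"standard": "CNSSI 1253", "category": (conf, integ, avail)}
    overall = max((conf, integ, avail), key=LEVELS.index)
    return {"standard": "FIPS 199", "category": overall}


def cnssi_1253_categorizations() -> list:
    """All 27 (C, I, A) combinations for which CNSSI 1253 provides a baseline."""
    return list(product(LEVELS, repeat=3))
```

Note that the `dod=True` branch ignores the `nss` flag entirely, mirroring the article's point that the NSS/non-NSS answer given in eMASS does not change the DoD RMF process.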