RMF’s System Categorization: Step by Step

In this blog post, Lon Berman, CISSP, walks through the sub-steps of the first RMF step, System Categorization.

Step 1: Identify Information Types

The first and perhaps most important step in the system categorization process is the determination of the “information types” that are stored and processed by the system. So what exactly is an information type? The formal definition, per FIPS 199, is “A specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or in some instances, by a specific law, Executive Order, directive, policy, or regulation.” In practice, each system owner or organization needs to determine the types of information stored and processed on their own system(s).

NIST Special Publication (SP) 800-60 is a key resource to aid system owners in identifying information types. SP 800-60 is entitled “Guide for Mapping Types of Information and Information Systems to Security Categories”. Volume 1 is concerned mostly with the categorization process itself, while Volume 2 (“Appendices”) is essentially a “catalog” of information types commonly stored or processed by government information systems, along with suggested categorizations for each type.

System owners should carefully review SP 800-60 Volume 2 and identify the relevant information types. A complete “description” is given for each information type to aid in identifying the ones most relevant to any particular information system. In most cases, only a handful of the numerous information types described in Volume 2 will be applicable. If there is information stored or processed by the system that does not readily “fit” into any of these predefined information types, system owners are free to “invent” their own information type(s) as needed.

Steps 2 and 3 then need to be completed for each identified information type.

Step 2: Provisional Categorization

SP 800-60 Vol 2 provides “provisional” categorization for each information type. The provisional categorization is essentially a recommendation for categorization of the particular information type in the absence of any “special factors” (see below).

SP 800-60 Vol 2 provides the provisional categorization for each information type in the following format:

“Security Category = {(confidentiality, X), (integrity, X), (availability, X)}”, where each “X” is, independently, High, Moderate or Low. (FIPS 199 also permits a value of “not applicable”, but only for confidentiality, for information that is intended to be public.)

This is followed by a narrative description that provides justification for each of the three elements of the provisional categorization, i.e., confidentiality, integrity and availability.

If the system owner has identified information types that are not listed in SP 800-60 Vol 2, it is his or her responsibility to come up with provisional categorization levels for confidentiality, integrity and availability, along with a justification for each.

Step 3: Adjust for Special Factors

SP 800-60 Vol 2 describes various “special factors” that may raise or lower the provisional categorization for a given information type. The system owner needs to review these, determine if any are applicable to the system at hand, and adjust the categorization for that information type accordingly, recording the reason for each adjustment.

Once Step 2 and Step 3 have been completed for each identified information type, it is time to proceed to Step 4.

Step 4: Categorize the Information System as a Whole

To determine the “final” categorization of the information system as a whole, the system owner takes, across all the identified information types, the highest value for Confidentiality, the highest value for Integrity, and the highest value for Availability. This is the “high water mark” for each security objective; a single information type rated High for availability makes the whole system High for availability, no matter how many other types are rated Low.

The overall categorization of the information system is expressed as:

Confidentiality-X, Integrity-X, Availability-X (where each “X” is High, Moderate or Low), for example “Confidentiality-Moderate, Integrity-Moderate, Availability-Low” (“M-M-L” for short).

This is the complete categorization process for DoD systems, as well as for National Security Systems (NSS) located outside DoD; both follow CNSSI 1253, which keeps the three values separate. For non-NSS located outside DoD, FIPS 200 requires the additional step of choosing the highest value among the categorization levels for confidentiality, integrity and availability, resulting in a single system-wide categorization level of High, Moderate or Low (for the M-M-L example above, the overall level is Moderate).
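The whole procedure, Steps 1 through 5, carried out in Python as an added example; this is not code from the original post or from NIST. The three information types, their impact levels, the special factor and the justifications are constructed for illustration and are not quoted from SP 800-60 Vol 2. The `nss_or_dod` flag decides whether the extra FIPS 200 step applies.

```python
"""FIPS 199 / SP 800-60 categorization, Steps 1-5, as code. Added illustration;
not code from the original post or from NIST. Sample data is CONSTRUCTED."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact levels. The integer order lets max() compute
    the high water mark. N/A is permitted for confidentiality only."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

    @property
    def short(self) -> str:
        return {0: "N/A", 1: "L", 2: "M", 3: "H"}[int(self)]


OBJECTIVES = ("confidentiality", "integrity", "availability")
Levels = Dict[str, Impact]


def violates_na_rule(levels: Levels) -> bool:
    """FIPS 199: 'not applicable' may be assigned to confidentiality only."""
    return any(levels.get(o) is Impact.NA for o in ("integrity", "availability"))


@dataclass
class InformationType:
    name: str
    provisional: Levels      # Step 2: from SP 800-60 Vol 2, or owner-defined
    justification: str       # why the provisional levels fit this system
    # Step 3: objective -> (adjusted level, special-factor justification)
    adjustments: Dict[str, Tuple[Impact, str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        missing = [o for o in OBJECTIVES if o not in self.provisional]
        if missing:
            raise ValueError(f"{self.name}: no provisional level for {missing}")
        if violates_na_rule({o: self.effective(o) for o in OBJECTIVES}):
            raise ValueError(f"{self.name}: N/A is only valid for confidentiality")

    def effective(self, objective: str) -> Impact:
        """Step 3 result: the adjusted level if a special factor applies, else provisional."""
        return self.adjustments.get(objective, (self.provisional[objective], ""))[0]


def categorize_system(info_types: List[InformationType]) -> Levels:
    """Step 4: per-objective high water mark across all information types."""
    if not info_types:
        raise ValueError("Step 1 must identify at least one information type")
    return {o: max(t.effective(o) for t in info_types) for o in OBJECTIVES}


def short_form(levels: Levels) -> str:
    """The post's shorthand, e.g. 'M-M-L'."""
    return "-".join(levels[o].short for o in OBJECTIVES)


def fips199_notation(levels: Levels) -> str:
    return "SC = {" + ", ".join(f"({o}, {levels[o].name})" for o in OBJECTIVES) + "}"


def overall_impact(levels: Levels) -> Impact:
    """Extra step for non-NSS outside DoD (FIPS 200): the highest of C, I and A."""
    return max(levels.values())


def example_information_types() -> List[InformationType]:
    """CONSTRUCTED sample data; the levels are not quoted from SP 800-60."""
    return [
        InformationType("Public web content",
            {"confidentiality": Impact.NA, "integrity": Impact.LOW, "availability": Impact.LOW},
            "Released to the public; defacement or outage is a limited inconvenience."),
        InformationType("Personnel records",
            {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
            "Employee PII; errors are correctable and a paper fallback exists."),
        InformationType("Budget formulation data",
            {"confidentiality": Impact.LOW, "integrity": Impact.LOW, "availability": Impact.LOW},
            "Pre-decisional figures of limited sensitivity.",
            adjustments={"integrity": (Impact.MODERATE,
                "Special factor: figures feed a signed budget submission without review.")}),
    ]


def categorization_report(info_types: List[InformationType], nss_or_dod: bool) -> str:
    """Step 5: a record of every step and justification for the Authorizing Official."""
    lines = []
    for t in info_types:
        lines.append(f"{t.name}: provisional {short_form(t.provisional)}; {t.justification}")
        for o, (level, why) in t.adjustments.items():
            lines.append(f"  {o} adjusted to {level.name}: {why}")
    sc = categorize_system(info_types)
    lines.append(f"System: {fips199_notation(sc)} ({short_form(sc)})")
    if not nss_or_dod:  # DoD and NSS keep the triplet; other federal systems collapse it
        lines.append(f"Overall impact level (FIPS 200): {overall_impact(sc).name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(categorization_report(example_information_types(), nss_or_dod=False))
```

Run as a script, it prints the Step 5 record for the constructed system. The special factor on the budget data lifts integrity to Moderate, so the high water mark comes out M-M-L, the same result the post uses as its example, and the FIPS 200 overall level for a non-NSS system is Moderate. The constructor rejects an information type that tries to assign N/A to integrity or availability, the one place FIPS 199 does not allow it.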

Step 5: Document Results

The system owner should carefully document each of the categorization steps, with appropriate justification, and be prepared to brief the Authorizing Official (AO) if requested.

IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.