System Categorization-Take the Time to Get it Right

By Lon J. Berman, CISSP

The story is told of an intern who is asked by his boss to pick up some items from the supply room in the basement. The young man is not sure how to get down there, but, seeing an open door, assumes it is the stairway and steps through. Unfortunately the door turns out to be an elevator shaft and he crashes to the floor below. Luckily he seems unhurt, and just dusts himself off and proceeds to find the supplies for his boss. Before leaving, he asks the supply clerk if there is “another way” to get back upstairs. Puzzled, the clerk asks him if there’s something wrong with the way he came down. “It’s OK, I suppose”, he says, “but if you plan to use it, you’d better watch out for that first step – it’s a real doozie!”

The young intern goes about his day’s work feeling none the worse for his “adventure”. Next morning, though, he is in pain and barely able to get himself out of bed.

At some level, RMF is a little like that! The first step, System Categorization, can be a “real doozie” … and the pain may not come until later.

Allow me to explain. The intent of System Categorization is to ensure an appropriate level of security is provided to an information system (and the information it stores or processes), based on the potential adverse effect of a loss of confidentiality, integrity or availability. System Categorization is one of the principal factors that drives the selection of security controls to be applied to the system – the higher the categorization, the more stringent the set of controls. If our system is categorized too low, we will apply a set of security controls that is not strong enough to provide adequate protection. The pain may come later  down the road in the form of a preventable security breach. On the other hand, if we categorize our system too high, we will end up committing resources (and money!) to implement an unnecessarily high level of security – and a different kind of pain will hit us come budget time.

DoD Information Systems (IS) are categorized as High, Moderate or Low for each of the three fundamental security objectives – Confidentiality, Integrity and Availability. A rating of Low indicates a “limited adverse effect” on organizational operations, organizational assets or individuals, Moderate indicates a “serious adverse effect” and High indicates a “severe or catastrophic adverse effect”. For example, the most critical system processing the most sensitive information (e.g., a real-time battlefield information system) might potentially be categorized as Confidentiality-High, Integrity-High and Availability-High (“High-High-High” for short), while the least critical system processing the least sensitive information (e.g., a public website) might be categorized as “Low-Low-Low”. Most DoD IS will be categorized somewhere between these extremes. If you “do the math”, you’ll see there are 27 possible categorization levels for DoD IS.

Outside of DoD, this categorization scheme applies only to systems designated as National Security Systems (NSS). In most agencies, NSS represent only a small minority of the IS in place. For all other IS, a much simpler categorization scheme is used. Non-NSS outside of DoD are categorized simply as “High”, “Moderate” or “Low”, so there are only three possible  categorization levels rather than 27.

The System Categorization process for DoD IS (and NSS outside DoD) is documented in the Committee on National Security Systems Instruction (CNSSI) 1253. The System Categorization process for non-NSS outside of DoD is documented in Federal Information Processing Standard (FIPS) Publication 199.

Both of these methodologies are based on an analysis of the types of information stored or processed by the IS. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60 includes a substantial “catalog’ of information types commonly found within federal IS. For each information type, NIST provides “provisional” categorization levels for confidentiality, integrity and availability, along with a discussion of “special factors” that may lead a system owner to adjust the provisional levels.


IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.