Categorization Phase 1 Q2-2022

  • Categorization starts with a kick-off meeting (Security Analyst, ISSO, AO, System Owner and Information Owner).
  • The system is categorized based on the information types it processes, stores or transmits.
  • FIPS 199 – The overall system categorization is the high-water mark of the confidentiality, integrity and availability (CIA) impact levels, each rated Low, Moderate or High. SP 800-60 maps information types to provisional impact levels.
  • Initial Risk Assessment Report – Identifies threats, vulnerabilities, impact levels and recommendations. SP 800-30.
  • PTA (Privacy Threshold Analysis) – Determines whether the system handles PII. The PTA is positive if PII is collected; otherwise it is negative. SP 800-122.
  • PIA (Privacy Impact Assessment) is conducted if the PTA is positive: it identifies the risk of collecting PII and the controls in place to protect that PII. A PIA applies to a system (e.g. the Federally Facilitated Marketplace website); a SORN applies to a program (e.g. Obamacare, the Affordable Care Act). The Federally Facilitated Marketplace website is one of the numerous systems that support Obamacare. SP 800-122.
  • TPWA (Third-Party Website and Application assessment): OMB Memorandum M-10-23 requires agencies to assess third-party websites and applications for privacy before using them. Example: a CMS page on Facebook. CMS must complete a TPWA on Facebook before creating the Facebook page.
  • A SORN (System of Records Notice) is generally required when a group of records maintained by a federal system contains PII and that PII is retrieved by an identifier unique to the individual (name, address, email address, telephone number, Social Security number, etc.). The SORN identifies the purpose for collecting the PII, how its accuracy is ensured and how it is protected. A SORN applies to programs (e.g. Obamacare), not systems.
  • OMB Number: The Paperwork Reduction Act mandates that every federal agency obtain approval from OMB, in the form of a "control number", before promulgating a paper form, website, survey or electronic submission that will impose an information collection burden on the general public. This applies only when the agency collects the information directly from the public, not from another agency or system.
  • E-authentication is applicable when the system is accessible remotely. It identifies the appropriate authentication mechanism based on risk (single-factor, multifactor, etc.). SP 800-63.
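The FIPS 199 high-water mark from the categorization bullet, worked as an added example (not from the original notes): each information type carries a provisional impact level per security objective, the system takes the maximum per objective across all its information types, and the overall category is the maximum of the three. It also shows the SP 800-60 step of adjusting a provisional level with a documented justification, since that is where the category usually moves in practice. The information types and impact values are constructed for illustration and are not taken from SP 800-60 Volume II; the system name "Marketplace" is a placeholder.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 impact levels; ordered so max() gives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize(info_types, adjustments=None):
    """Return (per-objective high-water mark, overall category).

    info_types: {info_type_name: {objective: Impact}} with the provisional
                levels from SP 800-60 for every information type the system
                processes, stores or transmits.
    adjustments: {(info_type_name, objective): Impact} overriding a
                 provisional level; SP 800-60 expects each override to be
                 justified in the categorization record.
    """
    adjustments = adjustments or {}
    effective = {
        name: {obj: adjustments.get((name, obj), levels[obj]) for obj in OBJECTIVES}
        for name, levels in info_types.items()
    }
    # High-water mark per objective: the worst case across all information types.
    per_objective = {
        obj: max(effective[name][obj] for name in effective) for obj in OBJECTIVES
    }
    # Overall system category: the worst case across the three objectives.
    overall = max(per_objective.values())
    return per_objective, overall


def fips199_notation(system_name, per_objective):
    """Render the categorization in the SC = {(objective, impact), ...} form FIPS 199 uses."""
    parts = ", ".join(f"({obj}, {per_objective[obj].name})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"


# Constructed sample: three information types a marketplace-style system might
# handle. The provisional levels are illustrative, not SP 800-60 values.
CONSTRUCTED_INFO_TYPES = {
    "Public web content": {
        "confidentiality": Impact.LOW, "integrity": Impact.MODERATE, "availability": Impact.LOW,
    },
    "Applicant PII": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW,
    },
    "Eligibility determinations": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.HIGH, "availability": Impact.MODERATE,
    },
}

# Constructed adjustment: the agency documents that eligibility records are
# reconciled against an authoritative source, so integrity is lowered to Moderate.
CONSTRUCTED_ADJUSTMENTS = {("Eligibility determinations", "integrity"): Impact.MODERATE}


if __name__ == "__main__":
    per_obj, overall = categorize(CONSTRUCTED_INFO_TYPES)
    print(fips199_notation("Marketplace", per_obj), "->", overall.name)
    per_obj, overall = categorize(CONSTRUCTED_INFO_TYPES, CONSTRUCTED_ADJUSTMENTS)
    print(fips199_notation("Marketplace", per_obj), "->", overall.name)
```

The point to check when reviewing a categorization package is the second run: a single adjusted information type can move the whole system from High to Moderate, so every adjustment must be traceable to a written justification, and the high-water mark must be recomputed over the adjusted levels rather than copied from the provisional ones.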
