Categorization Phase 1 Q3

Categorization Phase 1 Q3 Categorization Phase 1 Q3

Federal information systems are categorized base on the information the systems process, store, or transmit.

Information processed, stored and transmitted by a system is classified based on the impact level (Low, Moderate or High) assigned to the security objectives-Confidentiality, Integrity and Availability (CIA)

The highest impact level (Low, Moderate and High) of the CIA becomes the overall classification of the system-High water mark

Systems are categorized based on information type
Two NIST publications are used to guide in this process

NIST SP 800-60
FIPS 199

FIPS 199

The categorization process starts with a kick off meeting involving the following people:

System Owner (SO)
Security Control Assessor/ C&A Analyst
Information System Security Officer (ISSO)
Information Owner/Data owner
Authorizing Official
System Developers
System Admin

Sample Kick off meeting email/Agenda

First deliverable/Artifact -FIPS 199/System categorization
Links:

h t t p ://cs r c.nist.gov/p u b licati o ns/n i st p ubs/80 0 –6 0 – r ev1/SP80 0 –60_V o l 2 – R ev1 .pdf
h t t p ://cs r c.nist.gov/p ubl i cat i ons/fips/fip s199/FIP S –PU B –19 9 –fi n al.p df

Quizzes

Basic IT Concept Quiz Q3

Certified Authorization Professional Exam Q3