Categorization Phase 1

Federal information systems are categorized base on the information the systems processstore, or transmit.

Information processed, stored and transmitted by a system is classified based on the impact level (Low, Moderate or High) assigned to the security objectives-Confidentiality, Integrity and Availability (CIA)

The highest impact level (Low, Moderate and High) of the CIA becomes the overall classification of the system-High water mark

Systems are categorized based on information type
Two NIST publications are used to guide in this process

  • NIST SP 800-60            
  • FIPS 199


The categorization process starts with a kick off meeting involving the following people:

  • System Owner (SO)
  • Security Control Assessor/ C&A Analyst
  • Information System Security Officer (ISSO)
  • Information Owner/Data owner
  • Authorizing Official
  • System Developers
  • System Admin

Sample Kick off meeting email/Agenda

First deliverable/Artifact -FIPS 199/System categorization

error: Content is protected !!