RMF Categorize

NIST Risk Management Framework

RMF Categorize

This is the series of articles to use as a study guide for the (ISC)2 CGRC exam. In this article, we will discuss the Categorize steps in the Risk Management Framework.

Categorize Tasks

FIPS 199

CMSS 1253

• C-1 – System Description
• C-2 – Security Categorization
• C-3 – Security Review and Approval-

Categorize Task Details

• C-1 – System Description
  • Input – system design, system elements, authorization boundary
  • Output – Documented system description
  • Primary role – System Owner (SO)
  • Related tasks – P-8, P-9, P-10, P-11 (all system related prepare tasks)
  • SDLC - initiation
• C-2 – Security Categorization
  • Input – risk management strategy, org risk tolerance
  • Output – impact levels for information type and security objectives, categorization based on high water mark
  • Primary role – System Owner (SO) and Information Owner/Steward (IO)
  • Related tasks – C-1, P-2, P-3, P-14, P-6, P-11, P-12, P-13
  • SDLC – initiation (concept/requirements)
  • FIPS 200 – HWM
  • CNSSI 1253 – high, moderate, low impact to CIA
  • FIPS 199 – Security categorization based on
  • 800-59 – function, operation, and use of the system

800-60 Impact Definitions

Low

• Limited adverse affects to CIA Cause a degradation with organization able to continue to perform primary functions Result in minor damage, minor financial loss, or minor harm to individuals

Moderate

• Serious adverse affects to CIA Significant degradation and effectiveness/function is reduced Significant damage to assets, financial loss, or harm to individuals

High

• Severe or catastrophic effects to CIA Severe degradation or loss of mission capability Major damage to assess, financial loss, or harm to individuals

FIPS 199 Impact Definitions

• Confidentiality
  • Low
  • Moderate
  • High
• Integrity
  • Low
  • Moderate
  • High
• Availability
  • Low
  • Moderate
  • High
• C-3 – Security Review and Approval
  • Input – impact levels for information type and CIA, HWM categorization, high value asset list.
  • Output – Approval of security categorization
  • Primary role – AO, AO DR, Senior Agency Official for Privacy (if PII is involved)
  • Related tasks – P-10, P-12, P-13, C-2
  • SDLC – initiation (concept/requirements)

After identifying the systems and categorizing information, you move to the Select process for controls.

Twitter  facebook  Email