
Information System Categorization

In document Federal Cloud Computing (Page 138-152)

The categorization of the information system is the first step in the NIST RMF (Step 1), and one of the most essential activities25 required for the selection of a baseline set of security controls (and privacy controls, where applicable). As discussed earlier in the chapter, FISMA tasked NIST with the responsibility to develop standards and guidelines. The standards included procedures for categorizing information and information systems, and the guidelines for categorizing the different types26 of federal information that will be processed, stored, or transmitted within the information system. The first step in the NIST RMF (Step 1), as shown in Table 5.1, includes three major tasks. In this section, the discussion will primarily focus on the first task (1-1).

The security categorization process is driven by the need for federal agencies (or others operating on behalf of federal agencies) to identify the types of information27 that will be processed, stored, or transmitted in the information system, a critical requirement for understanding the security objectives (confidentiality,28 integrity,29 and availability30). In addition, the security categorization process also ensures the selected security controls implemented provide the adequate security31 to meet the organization’s security objectives. As will be discussed in detail in this chapter, the application of a standardized approach to categorizing information systems enables a common framework to be used across the federal government for the management and oversight of information systems and in reports relating to agency-specific information security to OMB and government-wide information security to Congress.

The application of the security categorization process becomes complex when external information system services32 are used by federal agencies in processing, transmitting, or storing information collected or maintained on behalf of the federal government. In these instances, a federal agency’s reliance upon an external service does not limit its overall responsibility for ensuring the security categorization of the external service being used is consistent with the different types of information that will be used within the service to support its mission or business needs. Without an understanding of the security categorization of the information being used in the external service, the federal agency will not be able to determine the necessary requirements that must be used by the service provider to ensure the service operates at a security level consistent with the federal agency’s minimum assurance requirements.

25From Evans, D., Bond, P., Bement, A. Federal Information Processing Standard (FIPS) PUB 199, Standards for Security Categorization of Federal Information and Information Systems. Maryland: National Institute of Standards and Technology; 2004. “Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.”

26From Evans, D., Bond, P., Bement, A. Federal Information Processing Standard (FIPS) PUB 199, Standards for Security Categorization of Federal Information and Information Systems. Maryland: National Institute of Standards and Technology; 2004. “Information type is a specific category of information (e.g. privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization or, in some instances, by a specific law, Executive order, or directive, policy, or regulation.”

27From Evans, D., Bond, P., Bement, A. Federal Information Processing Standard (FIPS) PUB 199, Standards for Security Categorization of Federal Information and Information Systems. Maryland: National Institute of Standards and Technology; 2004. FIPS 199 applies to all information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status and all federal information systems other than those information systems designated as national security systems.

28From E-Government Act of 2002 [Internet]. Washington: US Government Printing Office [cited 2011 Dec 9]. Available from: http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/html/PLAW-107publ347.htm. “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”

29From E-Government Act of 2002 [Internet]. Washington: US Government Printing Office [cited 2011 Dec 9]. Available from: http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/html/PLAW-107publ347.htm. “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”

30From E-Government Act of 2002 [Internet]. Washington: US Government Printing Office; [cited 2011 Dec 9]. Available from: http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/html/PLAW-107publ347.htm. “Ensuring timely and reliable access to and use of information.”

31From Office of Management and Budget (OMB). Security of Federal Automated Information Resources [Internet]. Washington: Executive Office of the President, Office of Management and Budget [cited 2011 Dec 9]. Available from: http://www.whitehouse.gov/omb/circulars_a130_a130appendix_iii. Adequate security is “security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.”

32From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “A service for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness.”

116 CHAPTER 5 Applying the NIST Risk Management Framework

Table 5.1 NIST RMF Step 1 Activities [3]

Task 1-1: Security categorization
  Activities:
  • Categorize the information system
  • Document the results of the security categorization in the security plan
  References:
  • CNSS Instruction 1253

Task 1-2: Information system description
  Activities:
  • Describe the information system (including the system boundary)
  • Document the description in the security plan

Task 1-3: Information system registration
  Activities:
  • Register the information system with appropriate organizational program/management offices

117 NIST RMF Process

Relationship Between the NIST RMF and the Federal Enterprise Architecture

The enterprise architecture is a management practice employed to maximize the effectiveness of mission/business processes and information resources [5]. As illustrated in Figure 5.4, the enterprise assets identified within the enterprise architecture are mapped to the individual federal agency’s mission and business processes through the reference models provided in the Federal Enterprise Architecture (FEA)33 and the resulting segment architecture.34 The application of the mapping ensures the information resources are properly aligned with each federal agency’s strategic goals and objectives.

The relationship between the federal agency’s enterprise architecture35 and the application of the NIST RMF begins with the initial security categorization. Security categorization provides a vital step in integrating security into the business and information technology management functions and establishes the foundation for information security standardization.36 The security categorization process is largely dependent upon the knowledge of the information supporting the federal government. By utilizing a framework similar to the one depicted in Figure 5.5, the security categorization process is adopted as an enterprise-level viewpoint for “each type of information as identified from the FEA Performance Reference Model (PRM)37 and Business Reference Model (BRM)38 analysis” [6]. This produces a government-wide approach for evaluating the “level of potential impact values assigned to the respective security objectives” [7] (i.e., confidentiality, integrity, and availability) that are used for establishing the information security and privacy requirements in the security control selection step of the NIST RMF (Step 3). The results provide for a strong linkage between the mission, the information, and the information systems with a focus on cost-effective application of information security [8].

33From Federal Chief Information Officers Council. Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP), version 3.0. Washington: Office of Management and Budget; 2011. “The FEA is a business-based framework for government-wide improvement. The goals of the FEA are to locate and reduce or eliminate duplicative investments, discover areas where investments should be made, and identify where departments and agencies can collaborate to improve government operations or services.”

34From Federal Chief Information Officers Council. Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP), version 3.0. Washington: Office of Management and Budget; 2011. “Segment architecture drives decisions for a business case or group of business cases supporting a core mission area or common or shared service.”

35From Federal Chief Information Officers Council. Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP), version 3.0. Washington: Office of Management and Budget; 2011. “A strategic information asset base which defines the mission, the information necessary to perform the mission and the transitional processes for implementing new technologies in response to the changing mission needs.”

36Federal Chief Information Officers Council. Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP), Version 3.0. Washington: Office of Management and Budget; 2011.

37From Federal Chief Information Officers Council. Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP), version 3.0. Washington: Office of Management and Budget; 2011. Performance Reference Model (PRM) is information that helps agencies monitor the performance of an investment and/or program.

38From Federal Chief Information Officers Council. Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP), version 3.0. Washington: Office of Management and Budget; 2011. Business Reference Model (BRM) is information that helps agencies understand what primary business functions are provided to citizens through the definition of business areas, lines of business, and sub-functions.

FIGURE 5.4 Enterprise Asset Mapping [19]

FIGURE 5.5 Federal Enterprise Architecture—Security and Privacy Profile Framework [6]


Shared Responsibility and the Chain of Trust

In general, the application of the NIST RMF requires a shared responsibility and a chain of trust.39 The relationship between federal agencies and service providers requires operating through terms and conditions defined in a contract, which includes detailed security control requirements, or managed through a service level agreement (SLA).40 Service providers handling federal information or operating information systems on behalf of the federal government must meet the same security requirements as federal agencies [3]. Therefore, the security categorization of the information can provide a common understanding of the security objectives that drive the selection and compensation of security control requirements that need to be implemented. The security categorization process also ensures service providers have some knowledge of the types of information that will be processed and the potential overall impact to the federal government should certain adverse events occur.

Service providers have a responsibility in maintaining an adequate level of security to protect the information throughout the service life cycle. However, the overall responsibility to ensure that sufficient security exists to meet the information protection requirements falls on the authorizing official.41 For a chain of trust, operating under a shared responsibility model, to exist between the federal government and service providers, confidence needs to be gained through an understanding of the security controls implemented in the service and its environment. This confidence is achieved by verifiable and credible evidence that the security controls are operating effectively. Trust becomes even more important under complex consumer-provider relationships, such as those introduced in multi-vendor situations. By establishing a clear definition of the security objectives, an analysis42 can be performed to determine which participant, consumer or provider, would be most appropriate to implement the necessary security controls based on the differing degrees of ownership and control over the information system.

39From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “A chain of trust requires that the organization establish and retain a level of confidence that each participating service provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered to the organization.”

40From Jansen, W., Grance, T. NIST Special Publication (SP) 800-144, Guidelines on Security and Privacy in Public Cloud Computing. Maryland: National Institute of Standards and Technology; 2011. “An SLA represents the understanding between the cloud subscriber and cloud provider about the expected level of service to be delivered and, in the event that the provider fails to deliver the service at the level specified, the compensation available to the cloud subscriber.”

41From Joint Task Force Transformation Initiative Interagency Working Group. NIST Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Maryland: National Institute of Standards and Technology; 2010. “The authorizing official is a senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, and the Nation.”

42From Badger, L., Bernstein, D., Bohn, R., de Vaulx, F., Hogan, M., Mao, J., et al. NIST Special Publication (SP) 500-293 (Draft), US Government Cloud Computing Technology Roadmap, Release 1.0. Maryland: National Institute of Standards and Technology; 2011. “This analysis needs to include considerations from a service model perspective, where different service models imply different degrees of control between cloud providers and cloud consumers.”

Overview of the Security Categorization Process

The goal of the security categorization process is to understand, identify, and categorize both the information and the information systems used to process, store, or transmit the information, so that an appropriate level of information security can be applied.

The level of information security is determined, in part, through an assessment of the potential impact43 to the information in the event that there was a compromise (e.g., breach of security) which caused a loss in confidentiality, integrity, or availability.

The results of this process enable federal agencies to understand and communicate their protection requirements in terms of the consequences (e.g., degradation of primary mission functions or capabilities, financial loss, etc.) of an adverse impact to their mission and business processes. In addition, by managing the risk at the enterprise level, the information security needs can be applied more effectively across the federal government by an aggregation of the sensitivity/criticality of information using a standardized and common language. This ensures information systems supporting multiple federal agency mission areas or supporting federal agencies as a shared business service44 operate based on the highest level of impact to the federal government.

The security categorization process requires input from across all stakeholders. For this process to be successful, the federal agency needs to ensure coordination and collaboration exist among all parties involved (e.g., information owners, information security practitioners, enterprise architects, capital planning, etc.). Since the output of this process will be an input to the remaining steps in the NIST RMF (Steps 2–6), oversight is critical to ensure any errors are caught, so as to prevent or minimize overprotection of the information resources, or the increase in organizational risk that comes from underprotecting them.

Before the categorization process can begin, information to support the categorization process needs to be collected, including the organization-specific policies, procedures, and other relevant documentation relating to risk management that would help the organization understand impacts associated with the loss of confidentiality, integrity, and availability. As depicted in Figure 5.6, the categorization process is a multi-step activity that begins with the identification of information types and concludes with the assignment of security categories and impact levels to information and information systems45 that will be used as the basis for establishing the initial baseline set of security controls.

FIGURE 5.6 Security Categorization Process

43From Stine, K., Kissel, R., Barker, W., Fahlsing, J., Gulick J. NIST Special Publication (SP) 800-60 Revision 1, Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories. Maryland: National Institute of Standards and Technology; 2008. “An incorrect information system impact can result in the agency either over protecting the information system thus wasting valuable security resources, or under protecting the information system and placing important operations and assets at risk.”

44From Office of Management and Budget (OMB). Federal Information Technology Shared Services Strategy. Washington: Executive Office of the President, Office of Management and Budget; 2012. “A function that is provided for consumption by multiple organizations within or between Federal Agencies.”
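A worked FIPS 199 categorization in Python, added here as an illustration rather than code from the book: per-objective impact levels for each information type are rolled up to the system’s security category by the high-water mark, which is why a shared service operates at the highest impact level any participating agency’s information carries. The information types and impact values are constructed samples, not the provisional levels published in SP 800-60.

```python
# FIPS 199 security categorization worked example. Added illustration, not
# code from the book; the information types and impact levels below are
# constructed samples, not the provisional levels in NIST SP 800-60 Vol. II.
from dataclasses import dataclass

OBJECTIVES = ("confidentiality", "integrity", "availability")
# FIPS 199 ordering. NA (not applicable) is permitted only for the
# confidentiality of an information type (e.g. public information), never
# for a system-level security category.
LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}


@dataclass(frozen=True)
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def validate(info_type: InformationType) -> None:
    """Reject impact values FIPS 199 does not allow for an information type."""
    for objective in OBJECTIVES:
        level = getattr(info_type, objective)
        if level not in LEVELS:
            raise ValueError(f"{info_type.name}: unknown impact level {level!r}")
        if level == "NA" and objective != "confidentiality":
            raise ValueError(f"{info_type.name}: NA is only allowed for confidentiality")


def categorize_system(info_types) -> dict:
    """High-water mark: each objective takes the highest impact value found
    among the information types, floored at LOW (a system holding only
    public information is still LOW, not NA)."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    for info_type in info_types:
        validate(info_type)
    category = {}
    for objective in OBJECTIVES:
        highest = max(LEVELS[getattr(t, objective)] for t in info_types)
        category[objective] = NAMES[max(highest, LEVELS["LOW"])]
    return category


def overall_impact(category: dict) -> str:
    """Single level that selects the SP 800-53 baseline (low/moderate/high)."""
    return NAMES[max(LEVELS[level] for level in category.values())]


def fips199_expression(label: str, category: dict) -> str:
    """Render the category in FIPS 199 notation: SC label = {(objective, level), ...}."""
    pairs = ", ".join(f"({obj}, {lvl})" for obj, lvl in category.items())
    return f"SC {label} = {{{pairs}}}"


# Constructed sample: a shared business service used by two agencies.
AGENCY_A = [InformationType("press releases (public)", "NA", "LOW", "LOW")]
AGENCY_B = [
    InformationType("investigative case files", "HIGH", "MODERATE", "MODERATE"),
    InformationType("financial management", "MODERATE", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    for label, types in (("agency A", AGENCY_A), ("shared service", AGENCY_A + AGENCY_B)):
        category = categorize_system(types)
        print(fips199_expression(label, category), "->", overall_impact(category))
```

Agency A alone would be categorized LOW across all three objectives, but once its information shares a system with agency B’s investigative data the same service must be protected as HIGH.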

Identify Information Types

In July 2001, OMB issued Citizen-Centered E-Government: Developing the Action Plan,46 which established an E-Government Task Force to “identify priority actions that achieve strategic improvements in government and set in motion a transformation of government around citizen needs” [9]. The task force published the E-Government Strategy47 which focused on achieving improvements across multiple business areas of service within the federal government and reforming the efficiency and effectiveness of the federal government’s interaction with individual citizens, businesses, other state and local governments, and even internally within the federal government itself. As part of the assessment48 performed by the task force, a business architecture, shown in Figure 5.7, was created as a framework to “describe how the federal government interfaces with citizens, what functions and lines of business the government performs, and the key business processes used” [9].

As the foundation for the FEA BRM,49 the FEA Program Management Office (FEAPMO) “leveraged previous Federal architecture efforts, in particular the business architecture designed as a part of the 2001 e-government Task Force’s effort, as starting points for designing the government-wide model” [10]. Since its initial release, the business architecture has been through multiple revisions. The BRM version 2.0, depicted in Figure 5.8, reflects four business areas (functions): services for citizens, mode of delivery, support delivery of services, and management of government resources. The BRM is a framework that uses a structured, tiered, hierarchical representation for describing the common business areas within the federal government.

The federal government’s dependence on information technology (IT) to support various mission and business functions requires federal agencies to understand the appropriate security controls that need to be implemented. The security controls are identified through an assessment of potential impacts should there be a breach of security (i.e., a loss of confidentiality) [7]. Therefore, the first step in the security categorization process requires the identification of the information types to be processed, transmitted, or stored in the information system. Since the BRM is periodically updated50 to provide a government-wide view of the various business areas and functions across the federal government, NIST used the BRM as the basis for the

FIGURE 5.7 Business Architecture [9]

FIGURE 5.8 Business Reference Model 2.0 [11]

45From US Code, Title 44, Chapter 35: Coordination of Federal Information Policy [Internet]. Washington: US Government Printing Office [cited 2011 Dec 11]. Available from: http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/html/PLAW-107publ347.htm. “An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”

46Office of Management and Budget (OMB) Memorandum 01-28. Available from: http://www.whitehouse.gov/omb/memoranda_m01-28

47Simplified Delivery of Services to Citizens. Available from: http://www.cio.gov/documents/egovstrategy.html.

48From E-Government Task Force. E-Government Strategy. Washington: Executive Office of the President, Office of Management and Budget; 2002. The assessment applied the approach of the Federal Chief Information Officers Council, using the enterprise architecture to establish a “roadmap to achieve an agency’s mission through optimal performance of its core business processes within an efficient IT environment.”

49The Business Reference Model (BRM) version 1.0 was published in July 2002 and version 2.0 was published in June 2003.

50FEA BRM Version 3.0. Available from: http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fea_brmv3_wdefinitions_20120622_final.xlsx
