Risk Management Framework Step 1 Categorization

Categorization is the first step of the RMF. This step is administrative and requires intimate knowledge of the organization.[1] The system boundary must be determined, along with the internal and external connections that exist, the environment the system runs in, the key roles, and the personnel who will fill those roles. In this step the vested parties are identified.[2] Predefined key roles are assigned to specific individuals who meet the requirements and have the knowledge to fulfill them.

The Risk Management Framework is the federally accepted standard for providing cybersecurity to all federal systems.


Determine Boundary

To determine the system boundary, a hardware and software inventory needs to be created. All hardware that pertains to the system and is required by it belongs inside the system boundary. If any software interfaces with hardware, software, or any other entity outside the system boundary, that interface needs to be clearly defined and marked.

Roles

  • Risk Executive
    • Provide oversight to the categorization process to ensure organizational risk to mission and business success is considered in decision making
    • Provide an organization-wide forum to consider all sources of risk, including aggregated risk from individual information systems
    • Promote collaboration and cooperation among organizational entities
    • Facilitate the sharing of security risk-related information among authorizing officials
  • Chief Information Officer (CIO)
    • Ensure an effective categorization process is established and implemented for the organization
    • Establish expectations/requirements for the organization’s categorization process
    • Provide resources to support information and information system categorization
    • Establish organizational relationships and connections
    • Ensure the information system’s categorization is approved prior to selecting and implementing the security controls
  • Senior Agency Information Security Officer
    • Establish and implement the organization-wide categorization guidance
    • Coordinate with the enterprise architecture group to integrate organizational information types into the enterprise architecture
    • Define organization-specific information types (additional to NIST SP 800-60) and distribute them to information owners/information system owners
    • Lead the organization-wide categorization process to ensure consistent impact levels for the organization’s information systems
    • Acquire or develop categorization tools or templates
    • Provide security categorization training
  • Common Control Provider
    • Determine the most appropriate and cost-effective security category and impact level for the common controls to best accommodate the information systems using the controls
    • Document the categorization decision in a system security plan or equivalent document
    • Gain approval for the categorization decision
    • Maintain the categorization decision
  • Authorizing Official
    • Review and approve the security category and impact level assigned to the information types and information system
  • Information System Owner
    • Categorize the information system based on FIPS 199, NIST SP 800-60, and organizational guidance
    • Document the categorization decision
    • Gain approval for the categorization decision
    • Maintain the categorization decision
  • Information System Security Officer (ISSO)
    • Support the information owner/information system owner to complete security responsibilities
  • Information System Security Engineer (ISSE)
    • Provide advice in establishing or validating the system boundary
    • Provide advice in describing the information system, its functions, and information types
  • User
    • Identify mission, business, and operational security requirements
    • Identify data elements and information types contained in the information system
    • Identify how the information types are used to support the mission/business requirements
  • Security Control Assessor
    • Verify that security controls are properly applied to the information system

Categorizing the System

Once the vested parties are identified and properly documented in the categorization form, the ISSO and ISSE assist the Information System Owner in properly identifying the system. This is done using the list of information system functions provided by the Authorizing Entity or in SP 800-60.[3] NIST SP 800-60 is a published standard created so that all federal agencies maintain the same standards, along with guidelines for applying them.[4] The list contains the different functions of information systems and the Confidentiality, Integrity and Availability (CIA) impact for each function; each impact is rated in one of three categories, High, Medium or Low. The impact levels can be adjusted with adequate justification for the adjustment.[5] Once the system's functions are properly identified and documented, take the highest rating for each of the CIA impact levels; that gives the system categorization. The categorization form is then submitted to the Common Control Provider, who obtains final approval from the Authorizing Official.
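The high-water-mark step described above, as an added example that is not part of the article: it takes a constructed list of information types with provisional CIA impact levels, applies any adjustment that carries a written justification, and returns the system categorization. The class and function names and the sample information types are assumptions, not anything from SP 800-60.

```python
from dataclasses import dataclass, field

# Ordinal impact scale used by the article (FIPS 199 calls the middle level Moderate).
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationType:
    """One information type with its provisional CIA impact levels (hypothetical structure)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str
    # Optional per-objective adjustments: objective -> (new_level, justification)
    adjustments: dict = field(default_factory=dict)

    def effective_level(self, objective: str) -> str:
        """Provisional level, unless an adjustment with a written justification overrides it."""
        level = getattr(self, objective)
        if objective in self.adjustments:
            new_level, justification = self.adjustments[objective]
            if not justification or not justification.strip():
                raise ValueError(f"{self.name}: adjustment of {objective} lacks a justification")
            level = new_level
        if level not in RANK:
            raise ValueError(f"{self.name}: unknown impact level {level!r}")
        return level


def categorize_system(info_types: list) -> dict:
    """High-water mark: per objective, the system takes the highest level of any information type."""
    if not info_types:
        raise ValueError("a system must carry at least one information type to be categorized")
    result = {}
    for objective in OBJECTIVES:
        result[objective] = max((it.effective_level(objective) for it in info_types), key=RANK.get)
    # Overall system impact is the highest of the three objectives.
    result["overall"] = max((result[o] for o in OBJECTIVES), key=RANK.get)
    return result


# Constructed sample: two information types for a hypothetical benefits-processing system.
SAMPLE = [
    InformationType("Personal identity and authentication", "HIGH", "MEDIUM", "LOW"),
    InformationType("Public web content", "LOW", "MEDIUM", "MEDIUM",
                    adjustments={"availability": ("HIGH", "Portal must stay up during enrollment deadlines")}),
]

if __name__ == "__main__":
    print(categorize_system(SAMPLE))
```

An adjustment without a justification is rejected, which mirrors the requirement that every deviation from the provisional level be documented.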

See Also

Risk Management Framework

NIST SP 800-53

References
  1. Steven Tipton (2018-12-11). "How to Apply the Risk Management Framework (RMF)". Security Boulevard. Retrieved 2019-02-25.
  2. "NIST CSRC" (PDF). NIST. Retrieved 2019-02-20.
  3. "RMF's System Categorization: Step by Step". 2015-11-19. Retrieved 2019-02-25.
  4. "NIST Special Publication 800-60 Volume II Revision 1" (PDF). NIST CSRC. 2019-02-21. Retrieved 2019-02-21.
  5. "CNSSI-1253 Security Categorization and Control Selection for National Security Systems" (PDF). Steptoe. October 2009. Retrieved 2019-02-21.