ABSTRACT

The security categorization is the most important step in the RMF; it affects information security decisions for both the organization and its individual information systems and influences every remaining step in the RMF, from the selection of security controls to the level of effort needed to assess and maintain those controls. The step of the RMF process discussed in this chapter draws on two resources: Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems (NIST, 2004), and NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories (Stine et al., 2008). Together they allow the organization to assess the criticality and sensitivity of the information and the information system, and so to determine the underlying security impact level of the ICT system. It should be noted that the organization should have in place the appropriate processes for ongoing review of the security categorization, to ensure that the resulting impact assessments clearly reflect the organization's established priorities and operational environments.
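As an added illustration (not code from the chapter), the following Python computes a FIPS 199 security category for a system from the information types it handles, applying the high water mark across confidentiality, integrity and availability. The information types and their impact values are constructed sample data, and the `adjustments` parameter is a hypothetical hook for the organization's documented review of provisional values.

```python
# Added example (not from the chapter): FIPS 199 security categorization of an
# information system from the information types it handles, using the
# "high water mark" rule. The sample types at the bottom carry constructed
# impact values, not SP 800-60's provisional values.
from dataclasses import dataclass

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    """One information type with its impact rating per security objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

def _level(value, where):
    # Normalize a rating and reject anything outside the FIPS 199 scale.
    value = value.upper()
    if value not in LEVELS:
        raise ValueError(f"unknown impact level {value!r} for {where}")
    return value

def categorize_system(info_types, adjustments=None):
    """Security category {objective: level}: each objective takes the highest
    rating among the information types (high water mark). `adjustments` is a
    hypothetical hook that overrides objectives after the organization's review
    (SP 800-60 allows adjusting provisional values with documented justification)."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {}
    for obj in OBJECTIVES:
        ratings = [_level(getattr(t, obj), f"{t.name}/{obj}") for t in info_types]
        category[obj] = max(ratings, key=LEVELS.__getitem__)
    for obj, level in (adjustments or {}).items():
        if obj not in OBJECTIVES:
            raise ValueError(f"unknown security objective {obj!r}")
        category[obj] = _level(level, f"adjustment/{obj}")
    return category

def overall_impact(category):
    """Overall impact level, the highest of the three; it selects the baseline."""
    return max(category.values(), key=LEVELS.__getitem__)

# Constructed sample: a system handling public web content and personnel records.
SAMPLE_TYPES = [
    InfoType("Public web content", "LOW", "MODERATE", "LOW"),
    InfoType("Personnel records", "MODERATE", "MODERATE", "LOW"),
]
```

For the sample data the category is MODERATE for confidentiality and integrity and LOW for availability, so the system's overall impact level is MODERATE.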