CNSSI No. 1253
CHAPTER THREE
THE CATEGORIZE AND SELECT PROCESSES
This chapter describes the processes of categorization and security control selection. Except
where the guidance in this document differs from that in NIST SP 800-37, the national security
community will implement the RMF Categorize and Select Steps consistent with NIST SP 800-37.
3.1 RMF STEP 1: CATEGORIZE INFORMATION SYSTEM
For NSS, the Security Categorization Task (RMF Step 1, Task 1-1) is a two-step process:
1. Determine impact values: (i) for the information type(s) [4] processed, stored, transmitted,
or protected [5] by the information system; and (ii) for the information system.
2. Identify overlays that apply to the information system and its operating environment to
account for additional factors (beyond impact) that influence the selection of security
controls.
Within the national security community, it is understood that certain losses are to be expected
when performing particular missions. Therefore, for NSS interpret the FIPS 199 amplification
for the moderate and high potential impact values, as if the phrase “…exceeding mission
expectations.” is appended to the end of the sentence in FIPS 199, Section 3.
3.1.1 Determine Impact Values for Information Types and the Information System
In preparation for selecting and specifying the appropriate security controls for organizational
information systems and their respective environments of operation, organizations categorize
their information and information system. To categorize the information and information
system, complete the following activities:
1. Identify all the types of information processed, stored, or transmitted by an information
system, determine their provisional security impact values, and adjust the information
types’ provisional security impact values (see FIPS 199, NIST SP 800-60, Volume I,
Section 4, and NIST SP 800-60, Volume II) [6]. If the information type is not identified in
NIST SP 800-60 Volume II, document the information type consistent with the guidance
in NIST SP 800-60, Volume I. [7]
2. Determine the security category for the information system (see FIPS 199) and make any
necessary adjustments (see NIST SP 800-60, Volume I, Section 4.4.2). The security
category of a system should not be changed or modified to reflect management decisions
[4] An information type is a specific category of information (e.g., privacy, medical, proprietary, financial, investigative,
contractor-sensitive, security management), defined by an organization or, in some instances, by a public law, executive order,
directive, policy, or regulation.
[5] Controlled interfaces protect information that is processed, stored, or transmitted on interconnected systems. That information
should be considered when categorizing the controlled interface.
[6] For the confidentiality impact value, each organization should ensure that it categorizes specific information based on its
potential worst-case impact to i) its organization and ii) any and all other U.S. organizations with that specific information.
[7] As appropriate, supplement NIST SP 800-60 with organization-defined guidance.