Title III of the E-Government Act (Public Law 107-347), titled the Federal Information Security Management Act (FISMA), tasked the National Institute of Standards and Technology (NIST) to develop:

• Standards to be used by all Federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
• Guidelines recommending the types of information and information systems to be included in each such category; and
• Minimum information security requirements (i.e., management, operational, and technical security controls) for information and information systems in each such category.

In response to the second of these tasks, this guideline has been developed to assist Federal government agencies to categorize information and information systems. The guideline’s objective is to facilitate application of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system. This guideline assumes that the user is familiar with Standards for Security Categorization of Federal Information and Information Systems (Federal Information Processing Standard [FIPS] 199). The guideline and its appendices:

• Review the security categorization terms and definitions established by FIPS 199;
• Recommend a security categorization process;
• Describe a methodology for identifying types of Federal information and information systems;
• Suggest provisional security impact levels for common information types;
• Discuss information attributes that may result in variances from the provisional impact level assignment; and
• Describe how to establish a system security categorization based on the system’s use, connectivity, and aggregate information content.
This document is intended as a reference resource rather than as a tutorial, and not all of the material will be relevant to all agencies. This document includes two volumes, a basic guideline and a volume of appendices. Users should review the guidelines provided in Volume I, then refer only to the specific material from the appendices that applies to their own systems and applications. The provisional impact assignments are provided in Volume II, Appendices C and D.