RMF Step 1: Categorize System
- Kie Yavorsky
- Jul 12, 2024
Step 1 of the Risk Management Framework (R.M.F.) process is system categorization for DoD systems, which parallels the system life cycle. System categorization for DoD systems, as depicted in the figure, corresponds to the R.M.F. step of the same name and is governed by CNSSI 1253 (Committee on National Security Systems, "Security Categorization and Control Selection for National Security Systems"). R.M.F. team members perform the categorization and document the results in the security plan.
The PM/SM, ISO, I.O., mission owners, ISSM, and A.O. (or their designated representatives) work together to categorize systems. The I.O. determines the extent to which a loss of confidentiality, integrity, and availability resulting from a security breach would be critical (low, moderate, or high). This requirement is documented in the Initial Capabilities Document, the Capability Development Document, the Capability Production Document, and the cybersecurity strategy of the P.P.P. as part of the R.M.F. documentation of the capability.
Categorization is done in two steps. First, assess the potential impact of the system's processing, storage, or transmission of information, together with the system's operating environment, and categorize the information types the system processes, stores, transmits, or protects. Then identify the overlays that are relevant to the system and its operating environment. Once the overlays are identified, factors other than impact can be considered when selecting specific security controls.
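A worked version of the first step, added here as an example and not part of the original post: per-objective impact levels for each information type are rolled up into the system's category. It assumes the aggregation rule from NIST SP 800-60 (the highest level per objective across all information types, kept as a separate C/I/A triple as CNSSI 1253 does) and uses a constructed information-type inventory.

```python
# Added example (not from the original post): roll up per-information-type impact
# levels into a system categorization. Assumes the per-objective maximum rule of
# NIST SP 800-60; the sample inventory below is constructed, not a real system's.
from dataclasses import dataclass, field

LEVELS = ("low", "moderate", "high")  # ordered, from CNSSI 1253 Section 3.1
OBJECTIVES = ("confidentiality", "integrity", "availability")  # 44 U.S.C. 3542


@dataclass
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    # Documented adjustments to provisional levels: objective -> (new_level, rationale).
    adjustments: dict = field(default_factory=dict)

    def level(self, objective):
        if objective in self.adjustments:
            new_level, rationale = self.adjustments[objective]
            if not rationale.strip():  # an undocumented adjustment is not auditable
                raise ValueError(f"{self.name}: adjusting {objective} needs a rationale")
            return new_level
        return getattr(self, objective)


def rank(level):
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def categorize(info_types):
    """Per-objective system category: the highest level among all information types.
    The three values stay separate; they are not collapsed to one high-water mark."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {obj: max((it.level(obj) for it in info_types), key=rank) for obj in OBJECTIVES}


def label(category):
    """Render as the CNSSI 1253 style triple, e.g. 'M-M-L'."""
    return "-".join(category[obj][0].upper() for obj in OBJECTIVES)


SAMPLE_TYPES = [  # constructed inventory for a hypothetical logistics system
    InformationType("inventory records", "low", "moderate", "low"),
    InformationType("personnel PII", "moderate", "moderate", "low"),
    InformationType("mission tasking", "moderate", "high", "high",
                    adjustments={"availability": ("moderate", "tasking also issued by voice")}),
]

if __name__ == "__main__":
    print(label(categorize(SAMPLE_TYPES)))  # M-H-M
```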
Potential Impact Definitions from CNSSI 1253, Section 3.1:
Low: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals and exceeds mission expectations.
High: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals and exceeds mission expectations.
Categorization Definitions from 44 United States Code (U.S.C.), Section 3542:
Confidentiality:
Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity:
Guarding against improper information modification or destruction, which includes ensuring information nonrepudiation and authenticity.
Availability:
Ensuring timely and reliable access to and use of information.
Potential Impact Definitions for Security Objectives
(referencing 44 U.S.C., Sec. 3542 and NIST SP 800-60 Vol. 1 Rev. 1, "Guide for Mapping Types of Information and Information Systems to Security Categories", https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf)
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for safeguarding personal privacy and proprietary information.
Low: The unauthorized disclosure of information could have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate: The unauthorized disclosure of information could affect organizational operations, assets, or individuals seriously and exceed mission expectations.
High: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals and exceeds mission expectations.
Integrity
Guarding against improper information modification or destruction, which includes ensuring information nonrepudiation and authenticity.
Low: The unauthorized modification or destruction of information could have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate: The unauthorized modification or destruction of information could affect organizational operations, assets, or individuals seriously and exceed mission expectations.
High: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals and exceeds mission expectations.
Availability
Ensuring timely and reliable access to and use of information.
Low: The disruption of access to or use of information or an information system could have a limited adverse effect on organizational operations, assets, or individuals.
Moderate: The disruption of access to or use of information or an information system could seriously adversely affect organizational operations, organizational assets, or individuals and exceed mission expectations.
High: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals and exceed mission expectations.