SCCH001 Categorization and Selection Checklist, 13 September 2017

Air Force (AF) Information Technology (IT) Type and Categorization Checklist Instructions

Once filled out, delete this page and save document as a PDF.

Ensure the appropriate signature block is added for the Program Manager (PM) to sign the document.

Ensure a separate signature block is added for the Authorizing Official (AO) / AO Designated Representative (AODR) to sign the document.

Ensure the Risk Management Framework (RMF) Action is selected.

All highlighted items need to be completed by the PM/AO staff prior to submitting to the Security Control Assessor (SCA) for a quality and completeness determination before AO/AODR approval.

Please use the following syntax to name the new file:

  • Information Technology (IT) Name, Categorization, ddmmyy.
  • Mickey Mouse, M:M:H, 230716

Upload the signed .pdf document to the Information Technology Investment Portfolio System (ITIPS).

NOTE: Coordinate with, and obtain approval from, the technical RMF team members before converting to .pdf for AO and PM signature, to prevent rework.

Air Force (AF) Information Technology (IT) Type and Categorization Checklist

  1. Information Technology (IT) General Information

AF IT: [Insert the official IT name or mission design series designation for the AF IT, acronym, version number, and the common name (if any); e.g., F-15E Strike Eagle.]
ITIPS #:
DITPR # (as applicable):
  2. IT Purpose/Mission/Data Processed/Stored

[The mission of the XXX AF IT is to ... It operates on (SIPR/NIPR) ... It processes HIPAA/PII etc. ... It supports ...]
  3. Authorizing Official (Check One) & Authorization Boundary

AETC RT&E
AF Enterprise
AFMC DTE
AFOTEC
Aircraft
Civil Engineering / Civil Engineering(ICS)
Command and Control
DC3
Enterprise
Finance
Industrial Depot Maint. / Logistics
Nuclear
Nuclear (non – NC3)
OTI/LVC
Rapid Cyber Acquisition
Science & Technology / SFS/LE
Space
USAFA
Weapons
Other (see references)
[A listing of AOs and a link to the AO boundary descriptions can be found at the URL below.]

  4. Classification Information

Highest Data Classification: (Example: Top Secret / Secret / Confidential / Unclassified)
Releasability: (Example: NOFORN / NATO / FVEY)
Security Classification Guide (SCG) Reference:
  5. User Information

Any Foreign National Users? / Yes / No
  6. CNSS Overlay Questions

Privacy Overlay: Does the IT contain PII or PHI? Identify whether the IT contains PII or PHI using Section 2.3.1 or 2.3.2 of CNSSI 1253F, Attachment 6. If the answer is no, the Privacy Overlays do not apply; if yes, a Privacy Overlay and a Privacy Impact Assessment (DD Form 2930) are required. / Yes: Low / Moderate / High / No
Cross Domain Solution Overlay: Will you implement, manage, or maintain a Cross Domain Solution? (Refer to CNSSI 1253F Attachment 3) / Yes (CDS Overlay is required) / No
Intelligence Overlay: Does the IT process, store, or transmit ISR information? (Refer to CNSSI 1253F Attachment 4) / Yes (Intelligence Overlay is required) / No
Classified Information Overlay: Does the IT store, process, or transmit classified information? (Refer to CNSSI 1253F Attachment 5) / Yes (Classified Information Overlay is required) / No
Nuclear Command and Control (NC3) Overlay: Does the IT store, process, or transmit NC3 data? / Yes (NC3 Overlay is required) / No
*NOTE: Use of the NC3 Overlay also requires implementation of the Intelligence and Classified Information Overlays.
Space Platform Overlay: Is the IT (or subsystem) a space platform as defined in CNSSI 1253, and unmanned? (Refer to CNSSI 1253F Attachment 2) / Yes (Space Platform Overlay is required) / No
Mission/Function-Specific Overlay: Is your IT required to implement a mission- or function-specific overlay (e.g., Financial, Acquisition)? / Yes (specify the overlay and its OPR) / No

  7. Categorization Information

NOTES: In the table below, enter the main information type category above its specific information types. For any deviation from the provisional Security Categorization recommended for an information type in NIST SP 800-60, add comments in the Justification column. The final row must give the overall categorization based on the High Water Mark, i.e., the highest impact level assigned to each security objective across all applicable information types.

Categorize the CIA impact (Low, Moderate, or High) for each APPLICABLE information type.
Information Type (see NIST SP 800-60) / Confidentiality (L, M, or H) / Integrity (L, M, or H) / Availability (L, M, or H) / Justification
<Insert Information Type> / / / /
<Insert Information Type> / / / /
<Insert Information Type> / / / /
<Insert Information Type> / / / /
<Insert Information Type> / / / /
FINAL IT CATEGORIZATION (High Water Mark) / / / /
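The following is a worked example added for this page (it is not an official AF/DoD tool and not part of the checklist). It applies the High Water Mark rule from the Categorization Information table, flags rows that deviate from the provisional categorization without a Justification comment, derives the required overlays from the Section 6 Yes/No answers (including the form's note that NC3 pulls in the Intelligence and Classified Information overlays), and builds the file name in the instructions' "IT Name, C:I:A, ddmmyy" syntax. The information types, impact values and answer-key names are constructed for illustration and are not NIST SP 800-60 provisional values.

```python
"""Added example: High Water Mark categorization, justification check,
overlay selection and file naming for the AF IT categorization checklist.
Not an official tool; sample data below is constructed, not NIST SP 800-60."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CIA = Tuple[str, str, str]          # (Confidentiality, Integrity, Availability)
LEVELS = {"L": 1, "M": 2, "H": 3}   # ordering used by the High Water Mark rule
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class InfoType:
    name: str
    cia: CIA                             # selected impact levels for this row
    provisional: Optional[CIA] = None    # NIST SP 800-60 recommendation, if recorded
    justification: str = ""              # required whenever cia != provisional


def _check(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"impact level must be L, M or H, got {level!r}")
    return LEVELS[level]


def high_water_mark(info_types: List[InfoType]) -> CIA:
    """FIPS 199 / CNSSI 1253 rule: for each objective, the overall impact is
    the highest impact assigned to it by any applicable information type."""
    if not info_types:
        raise ValueError("at least one applicable information type is required")
    return tuple(NAMES[max(_check(t.cia[i]) for t in info_types)] for i in range(3))


def missing_justifications(info_types: List[InfoType]) -> List[str]:
    """Rows that deviate from the provisional categorization but leave the
    Justification column empty (the form requires a comment for these)."""
    return [t.name for t in info_types
            if t.provisional is not None and t.cia != t.provisional
            and not t.justification.strip()]


def categorization_label(cia: CIA) -> str:
    return ":".join(cia)                 # e.g. "M:M:H"


def file_name(it_name: str, cia: CIA, date_ddmmyy: str) -> str:
    """File naming syntax from the instructions: 'IT Name, C:I:A, ddmmyy'."""
    if len(date_ddmmyy) != 6 or not date_ddmmyy.isdigit():
        raise ValueError("date must be six digits in ddmmyy form")
    return f"{it_name}, {categorization_label(cia)}, {date_ddmmyy}"


def required_overlays(answers: Dict[str, object]) -> List[str]:
    """Map the Section 6 answers to the overlays the form says are required.
    The dictionary keys are hypothetical names chosen for this example."""
    required: List[str] = []

    def add(item: str) -> None:          # keep order, avoid duplicates
        if item not in required:
            required.append(item)

    pii_level = answers.get("pii_phi")   # None, or "Low" / "Moderate" / "High"
    if pii_level:
        add(f"Privacy Overlay ({pii_level})")
        add("Privacy Impact Assessment (DD Form 2930)")
    if answers.get("cross_domain_solution"):
        add("Cross Domain Solution Overlay")
    if answers.get("isr"):
        add("Intelligence Overlay")
    if answers.get("classified"):
        add("Classified Information Overlay")
    if answers.get("nc3"):
        # Form note: the NC3 Overlay also requires the Intelligence and
        # Classified Information overlays.
        add("NC3 Overlay")
        add("Intelligence Overlay")
        add("Classified Information Overlay")
    if answers.get("unmanned_space_platform"):
        add("Space Platform Overlay")
    mission = answers.get("mission_overlay")   # e.g. "Financial"
    if mission:
        add(f"Mission/Function-Specific Overlay: {mission}")
    return required


# Constructed sample rows for the Categorization Information table.
SAMPLE_INFO_TYPES = [
    InfoType("Flight Operations (sample)", ("M", "M", "H"), provisional=("M", "M", "M"),
             justification="Availability raised to High: an outage halts sortie generation"),
    InfoType("Personnel Records (sample)", ("M", "M", "L"), provisional=("M", "M", "L")),
    InfoType("Maintenance Logs (sample)", ("L", "M", "M"), provisional=("L", "L", "M")),
]

# Constructed sample answers to the Section 6 overlay questions.
SAMPLE_ANSWERS = {"pii_phi": "Moderate", "cross_domain_solution": False, "isr": False,
                  "classified": True, "nc3": False, "unmanned_space_platform": False,
                  "mission_overlay": None}

if __name__ == "__main__":
    cia = high_water_mark(SAMPLE_INFO_TYPES)
    print("Final IT categorization:", categorization_label(cia))
    print("Deviations lacking justification:", missing_justifications(SAMPLE_INFO_TYPES))
    print("Required overlays:", required_overlays(SAMPLE_ANSWERS))
    print("File name:", file_name("Mickey Mouse", cia, "230716"))
```

With the sample rows the High Water Mark is M:M:H even though no single information type is M:M:H, which is exactly why the form asks for the final row to be computed across all rows rather than copied from the "most important" one; the Maintenance Logs row is reported because its Integrity value departs from the provisional value with no justification recorded.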
  8. Proposed Information Technology (Check One)

Information Systems:
  Major Application
  Enclave
Platform IT (PIT):
  PIT System(s)
  PIT Subsystem(s) (Assess Only)
  PIT Component(s) (Assess Only)
IT Services (Assess Only):
  Internal
  External
IT Products (Assess Only):
  Software
  Hardware
  Applications

  9. Describe the IT Authorization Boundary

[Provide a detailed boundary drawing (DoDAF OV-1 and SV-1) that clearly shows the cybersecurity authorization boundary. Identify any external interfaces to the IT in this section. An external interface is any interface that crosses the authorization boundary. Indicate all information exchanges, such as removable media, media used for IT updates, RF, Ethernet, Wi-Fi, etc. If the IT has no external interfaces, clearly state that in this section.]

The AF IT Categorization and Determination Checklist was completed by a team of personnel consisting of the ISSO, ISSM, ISSEs, PM, and the Information System Owner (ISO). The overall Impact Analysis, Security Control Baseline selection, and required overlays were determined after a thorough review.

  10. IT Owner/Mission Owner/Government Representatives

Title / Name / Phone / Organization
Authorizing Official/Mission Owner:
PM/ISO:
ISSM:
Security Control Assessor:
Director of Engineering/ISSE:
ISSO:
User Rep:
Requirements Lead:
Primary Point of Contact:
  11. Approval

1.The program office/ ISO will integrate cybersecurity and cybersecurity risk management into their overall systems engineering, acquisition, test and evaluation, and risk management processes.
2.The program office/ISO will complete Risk Management Framework (RMF) steps to obtain an Interim Authority to Test, or Authority to Operate, as appropriate, before IT testing or operations commence.
3.For AF IT (see AFI 33-141/17-110) the program office/ISO will ensure the IT is registered in the Information Technology Investment Portfolio System (ITIPS) and/or Enterprise Mission Assurance Support Service (eMASS).

I have reviewed and agree with the impact values and required overlays listed above.

Add PM/ ISO Digital Signature block in PDF

Include Name, Rank/Grade, Position and Organization

1st Ind, AO/AODR Office Symbol

MEMORANDUM FOR RECORD

I have reviewed and concur with the IT Categorization for the AF IT.

Select RMF Action from drop down below before converting to PDF (Delete this line)

RMF Action: Choose an item.

Add AO orAODR Digital Signature block in PDF

Include Name, Rank/Grade, Position and Organization

References

If the program's primary mission is not represented on the Authorizing Official & Authorization Boundary list, check "Other". Submit this completed form to the Air Force Risk Management Council (AFRMC) for disposition by sending the form to SAF/CIO A6ZC Cybersecurity @ . SAF/CIO A6ZC retains the IT categorized as "Other" until the new AO boundary is created and an AO is appointed. If an existing boundary is determined to apply, this form is provided to the receiving PM/ISO to negotiate the transfer between AOs (see AFI 10-1701, Chapter 6, for instructions on transferring IT between AOs).

For more information on preparing or processing an "Assess Only" package, refer to the HQ AFSPC Authorizing Official SharePoint page:

For guidance on IT that supports a Research, Development, Test and Evaluation (RDT&E) mission, reference the AF Enterprise RDT&E Guide:

The AF IT Categorization and Determination Checklist was completed by a team of personnel consisting of the ISSM, ISSO, ISSEs, PM, and the Information System Owner (ISO). The overall Impact Analysis, Security Control Baseline selection, and required overlays were determined after a thorough review of the following references (keep only the applicable references below):

  • DoDI 8500.01, 14 March 2014, Cybersecurity
  • DoDI 8510.01, 12 March 2014, Risk Management Framework (RMF) for DoD Information Technology
  • NIST SP 800-37 Rev 1, February 2010, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
  • NIST SP 800-39, March 2011, Managing Information Security Risk: Organization, Mission, and Information System View
  • NIST SP 800-53 Rev 4, April 2013, Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST SP 800-53A Rev 4, December 2014, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
  • NIST SP 800-60 Vol I Rev 1, August 2008, Guide for Mapping Types of Information and Information Systems to Security Categories
  • NIST SP 800-60 Vol II Rev 1, August 2008, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories
  • FIPS PUB 199, February 2004, Standards for Security Categorization of Federal Information and Information Systems
  • CNSSI 1253, 27 March 2014, Security Categorization and Control Selection for National Security Systems
  • CNSSI 1253F Attachment 1, Security Overlay Template
  • CNSSI 1253F Attachment 2, Space Platform Overlay
  • CNSSI 1253F Attachment 3, Cross Domain Solution Overlay
  • CNSSI 1253F Attachment 4, Intelligence Overlay
  • CNSSI 1253F Attachment 5, Classified Information Overlay
