<Service/Infrastructure Unit>

<System or Group>

LC FIPS 199 Security Categorization

<Version x.x>

<Month DD, YYYY>

Security Category: Moderate

FIPS 199 SECURITY CATEGORIZATION – <SERVICE/INFRASTRUCTURE UNIT> <SYSTEM OR GROUP> <Month DD, YYYY>

Note: delete the template revision data, add your revision history and delete this note before submitting the final document.

Revision History

Revision / Date / Revised By / Notes
N/A / June 15, 2006 / Steve Elky / Initial document
N/A / July 10, 2006 / Steve Elky / Addressed comments from internal review
N/A / July 11, 2006 / Steve Elky / Move instructions and guidance to appendix
N/A / August 3, 2006 / Steve Elky / Added Mission information types, a placeholder for LC specific information types and indicated relevant information types.
N/A / August 28, 2006 / Steve Elky / Combine signature information with information types and system
N/A / October 18, 2006 / Steve Elky / Add NIST SP 800-60 section headings to information types in Tables
N/A / January 11, 2007 / Steve Elky / System to information mappings added. Instructions revised. Sample Categorization added.
N/A / December 10, 2007 / Steve Elky / Revised Privacy Act section to reflect assessing PII
N/A / January 2, 2008 / Steve Elky / Addressed comments from internal review
N/A / October 22, 2008 / Steve Elky / Incorporate Sensitive PII
N/A / November 6, 2008 / Dan Curtiss / Incorporate feedback from Copyright
N/A / November 25, 2008 / Dan Curtiss / Updated Figures 6 & 7 to reflect Information Types in the August 2008 version of NIST SP 800-60 Vol. II
N/A / December 3, 2008 / Dan Curtiss / Updated links to the NIST 800-60 Vol. 1 & 2 documents
N/A / December 12, 2008 / Dan Curtiss / Added last 4 digits of SSN to PII table. Added NIST descriptions and provisional impacts for most information types.

Table of Contents

1 Introduction

1.1 Purpose

1.2 Scope

1.3 Instructions

2 Security Categorization for <System or Group>

3 Appendix A – Guidance On Performing FIPS 199 Security Categorization

3.1 Impact Levels

3.2 Information Types

4 Performing Categorization

4.1 Step 1 – Identify Scope

4.2 Step 2 – Identify Information Types

4.3 Step 3 – Select Provisional Impact Levels

4.4 Step 4 – Review and Adjust Provisional Impact Levels

4.5 Step 5 – Assign System Security Category (Systems and Groups with Systems Only)

4.6 Step 6 – Identifying Sensitive Personally Identifiable Information

4.7 Step 7 – Performing the Privacy Impact Assessment

4.8 Step 8 – Determining Whether Information or a System is Subject to the Privacy Act (Copyright Systems and Copyright Groups with Systems Only)

4.9 Step 9 – Assertion of Validity of Security Categorization

5 Appendix B – Sample Categorization

Table of Figures

Figure 1 – Inventory of Information Types for <System or Group>

Figure 2 – Security Categorization for <System or Group> Information Types

Figure 3 – Sensitive Personally Identifiable Information (PII) for <System or Group>

Figure 4 – Security Categorization for <System or Group> Systems (Systems and Groups with Systems Only)

Figure 5 – Library-Specific Information Types Not Covered by NIST SP 800-60

Figure 6 – Management and Support Lines of Business and Information Types

Figure 7 – Mission Based Lines of Business and Information Types

Figure 8 – Examples of Effect

Figure 9 – Sensitive PII

Figure 10 – Inventory of Information Types for Cheesemaking Division

Figure 11 – Security Categorization for Cheesemaking Division Information Types

Figure 12 – Sensitive Personally Identifiable Information for Cheesemaking Division

Figure 13 – Security Categorization for Cheesemaking Division Systems (Systems and Groups with Systems Only)


1 Introduction

The incidence of information theft and identity theft has increased dramatically over the last few years. In order to protect the Library from the risks that the loss of sensitive information may pose, the IT Security Group has developed the following guidance in accordance with the Library’s IT Security Policy and Directives and guidance issued by the National Institute of Standards and Technology (NIST).

All data and information used to accomplish the Library’s business functions and fulfill the Library’s mission must be categorized according to guidance promulgated by NIST. Information (data) is categorized according to the impact that the loss of the data would have on the mission of the organization. This can be a loss of confidentiality (individuals gaining access to information that they are not authorized to access, e.g., social security numbers), a loss of integrity (data changed, especially without the Library knowing that it was changed, e.g., a competitor changing the award amount of a contract immediately before it is signed) or a loss of availability of the data (e.g., deletion of files from the archive of record).
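The categorization rule described above (an impact level per security objective for each information type, then the high-water mark across the inventory to obtain the system category) worked through in Python, as an added example that is not part of the Library template. The impact levels in the sample inventory are constructed for illustration rather than taken from NIST SP 800-60 Vol. II, and the Step 4 adjustment for Program Evaluation follows the rule stated in the C.2.1.2 description.

```python
"""FIPS 199 high-water-mark categorization in code (added example, not part of
the Library template). Each information type gets a Low/Moderate/High level per
objective (Step 3), may be adjusted with a rationale (Step 4), and the system
category is the maximum of each objective across the inventory (Step 5).
Impact levels below are constructed samples, not the NIST SP 800-60 values."""
from dataclasses import dataclass, field

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}


@dataclass
class InfoType:
    id: str
    name: str
    provisional: dict                                # objective -> provisional level
    adjustments: dict = field(default_factory=dict)  # objective -> (level, rationale)

    def level(self, objective):
        """Adjusted level when Step 4 changed it, otherwise the provisional one."""
        level = self.adjustments.get(objective, (self.provisional[objective],))[0]
        if level not in LEVELS:
            raise ValueError(f"{self.id}: unknown impact level {level!r}")
        return level


def high_water_mark(levels):
    """FIPS 199 aggregation: the highest impact level among those given."""
    return NAMES[max(LEVELS[level] for level in levels)]


def categorize_info_type(info_type):
    """Final per-type levels, i.e. one row of the Figure 2 table."""
    return {o: info_type.level(o) for o in OBJECTIVES}


def categorize_system(info_types):
    """Step 5: high-water mark of every objective across the whole inventory."""
    sc = {o: high_water_mark(t.level(o) for t in info_types) for o in OBJECTIVES}
    sc["overall"] = high_water_mark(sc[o] for o in OBJECTIVES)
    return sc


def fips199_notation(sc):
    """Render the category in the notation FIPS 199 uses."""
    return "SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}" % tuple(
        sc[o] for o in OBJECTIVES)


# Constructed inventory using information-type IDs from Figure 1 of the template.
FIN = "evaluated program holds sensitive financial data at Moderate"
SAMPLE_INVENTORY = [
    InfoType("C.2.3.1", "Budget Formulation", dict.fromkeys(OBJECTIVES, "Low")),
    # Program Evaluation takes the levels of the program it evaluates (C.2.1.2 note).
    InfoType("C.2.1.2", "Program Evaluation", dict.fromkeys(OBJECTIVES, "Low"),
             adjustments={"confidentiality": ("Moderate", FIN), "integrity": ("Moderate", FIN)}),
    InfoType("C.2.8.9", "Personal Identity and Authentication Information",
             dict.fromkeys(OBJECTIVES, "Moderate")),
]
```

Running `categorize_system(SAMPLE_INVENTORY)` yields Moderate for all three objectives, so the overall category is Moderate, matching the category shown on the template's cover.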

1.1 Purpose

The purpose of categorization is to ensure that the individual within the Library with the greatest understanding of the impact due to the compromise of a specific type of information or an information system determines the value of that information or information system. This is typically a manager and never the IT support personnel. The Security Category will then be used as a basis for IT security measures, ensuring that spending on IT security is commensurate with the value of the information or IT system.

1.2 Scope

This categorization can either be applied to:

  • All the information associated with a system
  • All the information associated with a division, office, group, etc.

This categorization covers the information associated with <System or Group>.

1.3 Instructions

Detailed instructions can be found in Section 3. Instructions in PowerPoint format can be found:

NOTE: Remove the guidance appendices and this Note before submitting the final document.

2 Security Categorization for <System or Group>

Figure 1 – Inventory of Information Types for <System or Group>

ID[1] / Information Type / System Containing Information / NIST SP 800-60 Description / Library Description
C.2.1 / Controls and Oversight / Controls and Oversight information is used to ensure that the operations and programs of the Federal government and its external business partners comply with applicable laws and regulations and prevent waste, fraud, and abuse. / <Describe the information type and the LC business functions it supports>
C.2.1.1 / Corrective Action / Corrective Action involves the enforcement functions necessary to remedy programs that have been found non-compliant with a given law, regulation, or policy.
C.2.1.2 / Program Evaluation / Program Evaluation involves the analysis of internal and external program effectiveness and the determination of corrective actions as appropriate. The impact levels should be commensurate with the impact levels of the program that is being evaluated. For example, if the program contains very sensitive financial data with moderate impact levels for confidentiality and integrity, the program evaluation impact levels for confidentiality and integrity should also be moderate.
C.2.1.3 / Program Monitoring / Program Monitoring involves the data-gathering activities required to determine the effectiveness of internal and external programs and the extent to which they comply with related laws, regulations, and policies. The impact levels should be commensurate with the impact levels of the programs that are being monitored. For example, if a program contains very sensitive financial data with moderate impact levels for confidentiality and integrity, the program monitoring impact levels for confidentiality and integrity should also be moderate.
C.2.2 / Regulatory Development / Regulatory Development involves activities associated with providing input to the lawmaking process in developing regulations, policies, and guidance to implement laws.
C.2.2.1 / Policy and Guidance Development / Policy and Guidance Development involves the creation and dissemination of guidelines to assist in the interpretation and implementation of regulations. In most cases, the effect on public welfare of a loss of policy and guidance development mission capability can be expected to be delayed rather than immediate. As a result, the potential for consequent loss of human life or of major national assets is relatively low, since these most catastrophic consequences of impairment to mission capability can, in most cases, be corrected before they are fully realized.
C.2.2.2 / Public Comment Tracking / Public Comment Tracking involves the activities of soliciting, maintaining, and responding to public comments regarding proposed regulations.
C.2.2.3 / Regulatory Creation / Regulatory Creation involves the activities of researching and drafting proposed and final regulations.
C.2.2.4 / Rule Publication / Rule Publication includes all activities associated with the publication of a proposed or final rule in the Federal Register and Code of Federal Regulations.
C.2.3 / Planning and Budgeting / Planning and Budgeting involves the activities of determining strategic direction, identifying and establishing programs and processes to enable change, and allocating resources (capital and labor) among those programs and processes.
C.2.3.1 / Budget Formulation / Budget Formulation involves all activities undertaken to determine priorities for future spending and to develop an itemized forecast of future funding and expenditures during a targeted period of time. This includes the collection and use of performance information to assess the effectiveness of programs and develop budget priorities.
C.2.3.2 / Capital Planning / Capital Planning involves the processes for ensuring that appropriate investments are selected for capital expenditures.
C.2.3.3 / Enterprise Architecture / Enterprise Architecture is an established process for describing the current state and defining the target state and transition strategy for an organization’s people, processes, and technology.
C.2.3.4 / Strategic Planning / Strategic Planning entails the determination of long-term goals and the identification of the best approach for achieving those goals.
C.2.3.5 / Budget Execution / Budget Execution involves day-to-day requisitions and obligations for agency expenditures, invoices, billing dispute resolution, reconciliation, service level agreements, and distributions of shared expenses.
C.2.3.6 / Workforce Planning / Workforce Planning involves the processes for identifying the workforce competencies required to meet the agency’s strategic goals and for developing the strategies to meet these requirements.
C.2.3.7 / Management Improvement / Management Improvement includes all efforts to gauge the ongoing efficiency of business processes and identify opportunities for reengineering or restructuring.
C.2.3.8 / Budget and Performance Integration / Budget and Performance Integration involves activities that align Federal resources allocated through budget formulation, execution, and management actions with examinations of program objectives, performance, and demonstrated results such as Program Performance Assessments, Government Performance Results Act (GPRA) plans and reports, performance-based agency budget submissions, and Financial Management Cost Accounting and Performance Measurement data.
C.2.3.9 / Tax and Fiscal Policy / Tax and Fiscal Policy encompasses analysis of the implications for economic growth and stability in the United States and the world of Federal tax and spending policies. This includes assessing the sustainability of current programs and policies, the best means for raising revenues, the distribution of tax liabilities, and the appropriate limits on debt.
C.2.4 / Internal Risk Management and Mitigation / Internal risk management and mitigation involves all activities relating to the processes of analyzing exposure to risk and determining appropriate counter-measures. Note that risks to information and information systems associated with internal risk management and mitigation activities may inherently affect the resistance to compromise/damage and recovery from damage with respect to a broad range of critical infrastructures and key national assets.
C.2.4.1 / Contingency Planning / Contingency planning involves the actions required to plan for, respond to, and mitigate damaging events.
C.2.4.2 / Continuity of Operations / Continuity of operations involves the activities associated with the identification of critical systems and processes, and the planning and preparation required to ensure that these systems and processes will be available in the event of a catastrophic event.
C.2.4.3 / Service Recovery / Service recovery involves the internal actions necessary to develop a plan for resuming operations after a catastrophe occurs, such as a fire or earthquake.
C.2.5 / Revenue Collection / Revenue Collection includes the collection of Government income from all sources. Note: Tax collection is accounted for under the Taxation Management information type in the General Government mission area.
C.2.5.1 / Debt Collection / Debt Collection supports activities associated with the collection of money owed to the United States government from both foreign and domestic sources.
C.2.5.2 / User Fee Collection / User Fee Collection involves the collection of fees assessed on individuals or organizations for the provision of Government services and for the use of Government goods or resources (i.e. National Parks).
C.2.5.3 / Federal Asset Sales / Federal Asset Sales encompasses the activities associated with the acquisition, oversight, tracking, and sale of non-internal assets managed by the Federal Government with a commercial value and sold to the private sector.
C.2.6 / Public Affairs / Public Affairs activities involve the exchange of information and communication between the Federal Government, citizens and stakeholders in direct support of citizen services, public policy, and/or national interest.
C.2.6.1 / Customer Services / Customer Service supports activities associated with providing and managing the delivery of information and support to the government’s customers.
C.2.6.2 / Official Information Dissemination / Official Information Dissemination includes all efforts to provide official government information to external stakeholders through the use of various types of media, such as video, paper, web, etc.
C.2.6.3 / Product Outreach / Product Outreach relates to the marketing of government services, products, and programs to the general public in an attempt to promote awareness and increase the number of customers/beneficiaries of those services and programs.
C.2.6.4 / Public Relations / Public Relations activities involve the efforts to promote an organization’s image through the effective handling of citizen concerns.
C.2.7 / Legislative Relations / Legislative Relations involves activities aimed at the development, tracking, and amendment of public laws through the legislative branch of the Federal Government.
C.2.7.1 / Legislation Tracking / Legislation Tracking involves following legislation from conception to adoption.
C.2.7.2 / Legislation Testimony / Legislation Testimony involves activities associated with providing testimony/evidence in support of, or opposition to, legislation from conception to adoption.
C.2.7.3 / Proposal Development / Proposal Development involves drafting proposed legislation that creates or amends laws subject to Congressional legislative action.
C.2.7.4 / Congressional Liaison Operations / Congressional Liaison Operations involves all activities associated with supporting the formal relationship between a Federal Agency and the U.S. Congress.
C.2.8 / General Government / General Government involves the overhead costs of the Federal Government, including legislative and executive activities; provision of central fiscal, personnel, and property activities; and the provision of services that cannot reasonably be classified in any other service support area. As a normal rule, all activities reasonably or closely associated with other service support areas or information types shall be included in those service support areas or information types rather than listed as a part of general government. This service support area is reserved for central government management operations; most service delivery (mission-based) management activities would not be included here. Unlike the other service support functions, some general government information types are associated with specific organizations (e.g., Department of the Treasury, Executive Office of the President, Internal Revenue Service).
C.2.8.1 / Central Fiscal Operations / Central Fiscal Operations includes the fiscal operations that the Department of Treasury performs on behalf of the Government. [Note: Tax-related functions are associated with the Taxation Management information type.] Impacts to some information and information systems associated with central fiscal operations may affect the security of the critical banking and finance infrastructure. In most cases, the effect on public welfare of a loss of central fiscal operations functionality can be expected to be delayed rather than immediate. The potential for consequent loss of human life or of major national assets is low.
C.2.8.2 / Legislative Functions / Legislative functions include the service support activities associated with costs of the Legislative Branch other than the Tax Court, the Library of Congress, and the Government Printing Office revolving fund.
C.2.8.3 / Executive Functions / No description
C.2.8.4 / Central Property Management / Central Property Management involves most of the operations of the General Services Administration.
C.2.8.5 / Central Personnel Management / Central Personnel Management involves most of the operating activities of the Office of Personnel Management and related agencies.
C.2.8.6 / Taxation Management / Taxation Management includes activities associated with the implementation of the Internal Revenue Code and the collection of taxes in the United States and abroad.
C.2.8.7 / Central Records and Statistics Management / Central Records and Statistics Management involves the operations surrounding the management of official documents, statistics, and records for the entire Federal Government. This information type is intended to include information and information systems associated with the management of records and statistics for the Federal government as a whole, such as the records management performed by NARA or the statistics and data collection performed by the Bureau of the Census. Note: Many agencies perform records and statistics management for a particular business function and as such should be mapped to the service support, management, or mission area associated with that business function. The central records and statistics management information type is intended for functions performed on behalf of the entire Federal government.
C.2.8.8 / Income Information / Income information includes all the wages, self-employment earnings, savings data and other financial resources information that is needed to help determine the amount of Retirement, Survivor, or Disability benefits that individuals may be entitled to receive or not receive from the Supplementary Security Income or RSDI Title II Programs. In most cases, the impact levels are based on the effects of unauthorized disclosure, modification, or loss of availability of income information on the ability of the Federal government to identify citizen entitlements and obligations and to protect individuals against identity theft and the Federal government against fraud.
C.2.8.9 / Personal Identity and Authentication Information / Personal identity and authentication information includes that information necessary to ensure that all persons who are potentially entitled to receive any federal benefit are enumerated and identified so that Federal agencies can have reasonable assurance that they are paying or communicating with the right individuals. This information includes individual citizens’ Social Security Numbers, names, dates of birth, places of birth, parents’ names, etc.