NIST Information Security Categorization Guide

Apr 25, 2025

NIST Special Publication 800-60 Volume I Revision 1

Guide for Mapping Types of Information and Information Systems to Security Categories

Authors: Kevin Stine, Rich Kissel, William C. Barker, Jim Fahlsing, Jessica Gulick

  • Institution: National Institute of Standards and Technology (NIST)
  • Date: August 2008
  • Published by: U.S. Department of Commerce

Introduction

Purpose and Applicability

  • Develop guidelines for mapping security impact levels to information types and systems.
  • Ensure security levels are consistent across Federal agencies, excluding national security systems.

Target Audience

  • Information system and security professionals within Federal agencies.

Relationship to Other Documents

  • Part of the NIST family of security-related publications.

Organization

  • Volume I: Basic guidelines.
  • Volume II: Appendices with detailed examples and rationale.

Security Categorization Process

Overview

  • Purpose: Integrate security into agency business and IT functions, ensure cost-effective security measures.
  • NIST Risk Management Framework: Foundation for security control selection.

Security Categories and Objectives

  • Confidentiality: Prevent unauthorized information disclosure.
  • Integrity: Prevent unauthorized information modification.
  • Availability: Ensure reliable access to information.

Impact Levels

  • Low, Moderate, High: Levels based on potential adverse effects.

Assignment of Impact Levels and Security Categorization

Steps for Categorization

  1. Identify Information Types
    • Use Federal Enterprise Architecture (FEA) business model to categorize.
  2. Select Provisional Impact Level
    • Assign initial impact levels for confidentiality, integrity, and availability.
  3. Review and Finalize Impact Levels
    • Adjust based on organizational context and requirements.
  4. Assign System Security Category
    • Determine system category based on highest individual information type impacts.

Examples

  • Provided to illustrate FIPS 199-based impact level selections.

Uses of Categorization Information

  • Support activities such as Business Impact Analysis, Capital Planning, and System Design.
  • Facilitate disaster recovery planning and interagency agreements.

Appendices Overview

Appendix A: Glossary of Terms

  • Definitions of relevant terms and concepts.

Appendix B: References

  • Comprehensive list of laws, standards, and publications referenced.

DDI Data Security Categorization: Moderate to High

DDI (DNS, DHCP and IP address management) data, including user IP addresses, operating systems, device types, and MAC addresses, presents a significant security risk. The categorization is likely Moderate to High, depending on mitigating factors.

Factors Influencing High Impact Level:

  • PII (Personally Identifiable Information): MAC addresses can be linked to individuals, increasing the risk of targeted attacks and identity theft. Combined with the other device information, this data creates a detailed user profile.

  • Internal Network Exposure: A breach could reveal internal network structure and vulnerabilities, potentially leading to wider compromises.

  • Misuse Potential: The data could be misused for tracking, surveillance, or other malicious activities.

Factors Influencing Moderate Impact Level:

  • Strong Security Controls: Robust access controls, encryption (at rest and in transit), regular security assessments (vulnerability scans, penetration testing), and network segmentation can mitigate risk.

Questions to Determine Precise Impact:

  • Data Retention: How long is data stored? (Longer retention increases risk)
  • Access Controls: Who has access? (Restrict to authorized personnel only)
  • Encryption: Is data encrypted? (Essential for mitigating risk)
  • Network Segmentation: Is the DDI system isolated from other sensitive systems? (Isolation reduces impact of a breach)
  • Security Assessments: How frequently are security assessments performed? (Regular assessments are crucial)

Determining Overall Impact:

The overall impact level (Low, Moderate, or High) is determined by the highest impact level among Confidentiality, Integrity, and Availability objectives. A High impact in any one of these areas typically results in a High overall impact level.
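As an added worked example (not part of the NIST publication or of the notes above), the four categorization steps and the high water mark rule in Python. The two DDI information types, their provisional levels and the step-3 adjustment are constructed assumptions for illustration, not values taken from SP 800-60 Volume II:

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass
class InfoType:
    name: str
    provisional: dict                                 # step 2: objective -> Impact
    adjustments: dict = field(default_factory=dict)   # step 3: objective -> (Impact, rationale)

    def final_levels(self):
        # Step 3: an adjustment overrides the provisional level; the rationale stays on record.
        return {o: self.adjustments.get(o, (self.provisional[o], ""))[0] for o in OBJECTIVES}

def system_category(info_types):
    """Step 4 (high water mark): per objective, the highest level across all information types."""
    levels = {o: Impact.LOW for o in OBJECTIVES}
    for it in info_types:
        for o, lvl in it.final_levels().items():
            levels[o] = max(levels[o], lvl)
    return levels

def overall_impact(levels):
    """Overall impact level is the highest of the three objectives."""
    return max(levels.values())

def sc_notation(levels):
    """Render the FIPS 199 security category, e.g. SC = {(confidentiality, HIGH), ...}."""
    return "SC = {" + ", ".join(f"({o}, {lvl.name})" for o, lvl in levels.items()) + "}"

def ddi_example():
    """Constructed sample: two DDI information types with assumed (not NIST-published) levels."""
    dhcp = InfoType(
        "DHCP lease records (IP, MAC, device type)",
        {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
        {"confidentiality": (Impact.HIGH, "MAC addresses link records to individuals (PII)")},
    )
    dns = InfoType(
        "Internal DNS zone data",
        {"confidentiality": Impact.MODERATE, "integrity": Impact.HIGH, "availability": Impact.MODERATE},
    )
    levels = system_category([dhcp, dns])
    return levels, overall_impact(levels)
```

Running `ddi_example()` yields SC = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)} with an overall impact of HIGH: the PII adjustment alone lifts confidentiality, and the DNS integrity level drives the rest.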