Classical FISMA versus the Risk Management Framework: System Categorization and Control Selection

System categorization and control selection is a key component of FISMA compliance, and it largely determines the level of effort of everything that follows. Whether you are using the classical FISMA approach or the Risk Management Framework (RMF), it is critical to get it right, because an over-categorized system inherits controls it does not need and an under-categorized system will fail assessment. The following discusses the process under both scenarios.

System categorization is the process of determining the impact level of the system across the three security objectives: Confidentiality, Integrity, and Availability. The classical FISMA process uses Federal Information Processing Standards Publication 199 (FIPS Pub 199) for categorization. Under FIPS Pub 199, each of the system's information types is assessed against the three security objectives and rated as low-, moderate-, or high-impact, and the system's rating for each objective is the highest rating any of its information types carries for that objective. The overall categorization of the application is then the high-water mark (HWM) of the three objective ratings, which (per FIPS Pub 200) selects the low, moderate, or high NIST SP 800-53 control baseline. For example, an application categorized as {Confidentiality=Low | Integrity=Moderate | Availability=High} is treated as a High system, and all of its controls come from the high baseline even though only availability warranted it.

The RMF categorization and control selection process is more involved. DoDI 8510.01 states in Paragraph 3d:

All DoD … systems must be categorized in accordance with Committee on National Security Systems Instruction (CNSSI) 1253 … implement a corresponding set of security controls from NIST SP 800-53 … and use assessment procedures from NIST SP 800-53A … and DoD-specific assignment values, overlays, implementation guidance, and assessment procedures.

The stated scope of CNSSI 1253 is National Security Systems (NSS), which NIST SP 800-59 (following the FISMA definition in 44 U.S.C. § 3542) defines as any information system used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency:

(i) the function, operation, or use of which—

(I) involves intelligence activities;

(II) involves cryptologic activities related to national security;

(III) involves command and control of military forces;

(IV) involves equipment that is an integral part of a weapon or weapons system; or

(V) is critical to the direct fulfillment of military or intelligence missions; or

(ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

Even though an application might not qualify as an NSS, it might still be subject to RMF: DoDI 8510.01 applies the RMF to DoD information technology regardless of whether it meets the NSS definition. CNSSI 1253 also recognizes that one profile of controls cannot fit every information type, so it provides the concept of an "overlay", a specification of controls and control enhancements added to or removed from the baseline for a particular type of information, system, or operating environment. If the APPLICATION is not an NSS, BSC applies the appropriate overlay(s) to the application.

For control selection, CNSSI 1253 does not use the HWM concept. The per-objective ratings are retained, and each NIST SP 800-53 control and control enhancement is selected according to the impact level for the specific objective (Confidentiality, Integrity, or Availability) that it supports. In practice, every sensitive information type in the application must be evaluated against each of the three security objectives, and the resulting triple, not a single collapsed level, determines which controls apply. A {Low | Moderate | High} system therefore does not automatically inherit every high-impact confidentiality control the way it would under the HWM.
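The following is an added worked example, not code from the original page or from BSC, that puts the two categorization paths side by side: the FIPS 199 per-objective aggregation followed by the FIPS 200 high-water mark, versus CNSSI 1253, which keeps the per-objective triple and selects controls objective by objective. The information types, their ratings, and the control-applicability table are all constructed for illustration (the control names are placeholders and the table is not the real CNSSI 1253 table), and the sample is chosen to reproduce the page's {Low | Moderate | High} case.

```python
"""Added example (not from the original page): classical FISMA high-water-mark
categorization beside CNSSI 1253 per-objective categorization and selection.

Everything below is constructed for illustration: the information types and
their ratings are not from NIST SP 800-60, and the control table is a
hypothetical stand-in for the per-objective applicability in CNSSI 1253."""
from typing import Dict, Iterable, List, Optional, Tuple

LEVELS = ("Low", "Moderate", "High")
RANK = {level: i for i, level in enumerate(LEVELS)}

CIA = Tuple[str, str, str]  # (Confidentiality, Integrity, Availability)

# Constructed sample: information types one application processes, each with a
# provisional impact rating for C, I and A.
SAMPLE_INFO_TYPES: Dict[str, CIA] = {
    "public status page":    ("Low", "Moderate", "High"),
    "maintenance schedules": ("Low", "Moderate", "Moderate"),
    "operator audit trail":  ("Low", "Moderate", "Low"),
}


def _max_level(levels: Iterable[str]) -> str:
    return max(levels, key=RANK.__getitem__)


def fips199_per_objective(info_types: Dict[str, CIA]) -> CIA:
    """FIPS 199: the system's impact for each objective is the highest impact
    that any of its information types carries for that objective."""
    if not info_types:
        raise ValueError("at least one information type is required")
    for name, cia in info_types.items():
        if len(cia) != 3 or any(level not in RANK for level in cia):
            raise ValueError(f"invalid rating for {name!r}: {cia}")
    ratings = list(info_types.values())
    return (
        _max_level(cia[0] for cia in ratings),
        _max_level(cia[1] for cia in ratings),
        _max_level(cia[2] for cia in ratings),
    )


def high_water_mark(cia: CIA) -> str:
    """FIPS 200: the overall impact level is the highest of the three."""
    return _max_level(cia)


def classical_fisma_category(info_types: Dict[str, CIA]) -> str:
    """Classical FISMA path: collapse the triple to one baseline level."""
    return high_water_mark(fips199_per_objective(info_types))


def cnssi1253_category(info_types: Dict[str, CIA]) -> CIA:
    """CNSSI 1253 path: the per-objective triple is kept; no high-water mark."""
    return fips199_per_objective(info_types)


# Hypothetical control table (placeholder names, NOT the CNSSI 1253 table):
# for each control, the minimum impact level at which it applies for C, I and
# A; None means the control is not tied to that objective.
Threshold = Tuple[Optional[str], Optional[str], Optional[str]]
HYPOTHETICAL_CONTROLS: Dict[str, Threshold] = {
    "ctrl-1 (hypothetical: encrypt data at rest)": ("High", None, None),
    "ctrl-2 (hypothetical: integrity verification)": (None, "Moderate", None),
    "ctrl-3 (hypothetical: alternate processing site)": (None, None, "High"),
    "ctrl-4 (hypothetical: audit logging)": ("Low", "Low", "Low"),
}


def select_controls_per_objective(cia: CIA, table: Dict[str, Threshold]) -> List[str]:
    """CNSSI 1253 style: a control applies if, for any objective it supports,
    the system's rating for that objective meets the control's threshold."""
    selected = []
    for ctrl, thresholds in table.items():
        if any(t is not None and RANK[level] >= RANK[t]
               for level, t in zip(cia, thresholds)):
            selected.append(ctrl)
    return selected


def select_controls_hwm(overall: str, table: Dict[str, Threshold]) -> List[str]:
    """Classical style: the high-water mark is applied to all three objectives,
    so this is per-objective selection with the triple collapsed to (HWM, HWM, HWM)."""
    return select_controls_per_objective((overall, overall, overall), table)


if __name__ == "__main__":
    triple = cnssi1253_category(SAMPLE_INFO_TYPES)
    overall = classical_fisma_category(SAMPLE_INFO_TYPES)
    print("per-objective:", triple, "| high-water mark:", overall)
    print("classical selects:", select_controls_hwm(overall, HYPOTHETICAL_CONTROLS))
    print("CNSSI 1253 selects:", select_controls_per_objective(triple, HYPOTHETICAL_CONTROLS))
```

Running it on the constructed sample gives the page's {Low | Moderate | High} triple and a High high-water mark. The classical path selects all four placeholder controls, while the per-objective path drops the confidentiality-High control, because confidentiality was only rated Low. That difference is exactly the cost the high-water mark adds at the higher impact levels.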

At the higher impact levels, meeting controls and control enhancements can be costly, so proper control selection is essential. Whether under classical FISMA or the RMF, BSC has the experience to establish, and justify to the assessor, proper system categorization and control selection.