Exported from Confluence, Thu, 28 Mar 2024 12:09:43 -0400 (EDT)
Completing the Federal Information Processing Standard (FIPS)-199: Standards for Security Categorization of Federal Information and Information Systems
The FIPS-199 should be filled out with assistance from the NCI Information Systems Security Officer (ISSO) to ensure that the best information category or categories are selected and the final ratings are well supported. For help, contact the NCI ISSO.
A FIPS-199 must be completed for all federal information systems and applications in order to establish a system's security-impact rating based on the sensitivity of the information collected, stored, or processed by the system. The system's final rating is critical to identifying its required minimum security controls and helps determine all subsequent security testing that may be done on the system, following the National Institute of Standards and Technology (NIST) risk management framework (RMF).
NIST Special Publication (SP) 800-60 Volume 2, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an extensive list of information types commonly used by government organizations.
Step 1/Page 1: Complete the System Information Summary
On page 1 of the FIPS, fill in the:
- System Name (if you are unsure of the official system name, please contact the NCI ISSO for verification at NCIIRM@nih.gov)
- Fill in NCI under the IC box
- Choose the correct System Type.
- The majority of systems will be Tier 2/3/4. Only select Major or GSS system type if you have verified with the NCI ISSO that yours is one of these two types.
- Fill in the date the FIPS was completed
- Choose the appropriate overall system security rating by choosing the highest watermark of all final adjusted confidentiality, integrity, and availability ratings given on the subsequent pages of the FIPS-199 form (e.g., choose Moderate if your highest individual rating is Moderate, even if all other ratings are Low)
- Fill in the current SDLC status from the dropdown box options
- Enter the highest watermark rating for each of the categories by using the dropdown lists. You will enter the highest adjusted Confidentiality, Integrity, and Availability (C-I-A) ratings noted on page 3. For example, if you have more than one information type, then choose the highest value for each category (C-I-A) and enter it on Page 1 in the appropriate dropdown box.
Step 2/Page 2: Fill in the System Description and POCs
- On page 2, provide the official system description. The description should include enough detail to explain the general purpose of the system and should note whether the system is publicly accessible, if it includes any sensitive or restricted-access information, and the approximate number of users if known.
- List the designated POCs. The only name that should change from system to system is the System Owner name. The system owner name should be the federal business owner/sponsor. The other names are Jeff Shilling (CIO), Bruce Woodcock (ISSO), and Suzanne Milliard (Privacy Coordinator).
- Once the form has been completely filled in, all three of the provided signature blocks must be completed by their designated representatives. The form supports electronic signatures in MS Word, or you can print and apply traditional "wet" signatures if you choose. If you are unable to apply more than one digital signature, then please print the form and have each person apply a wet signature by pen.
Step 3/Page 3: Provide applicable Information Categories and Adjusted Impact Ratings
- Refer to NIST 800-60 Volume 2 for a catalog of common federal information categories. If you are unsure what categories to use, please contact the NCI ISSO for help by emailing NCIIRM@nih.gov, or by calling 240-276-5159.
- Choose the appropriate category(ies) from 800-60 V2 that capture the primary function and mission of your system by entering them in one of the Category boxes on page 2
- Enter the provisional impact ratings (provisional ratings are given in 800-60 V2 for each selected information type, but you may need to adjust ratings based on additional considerations). If you do need to adjust the ratings, enter an adjusted rating in the Adjusted Impact Levels area for each information category used.
- If you adjust any of the provisional impact ratings, then you MUST provide a rationale for the adjustment(s) in the Rationale box. The rationale box only needs to be completed if you have adjusted one or more provisional ratings. For example, if a provisional impact rating for confidentiality is Low, but you wish to adjust the rating to Moderate, then you need to address why you have raised the confidentiality rating in the rationale box.
- If you need to use more than one information category, repeat steps 2 and 3 until you have entered all of the appropriate information categories
NOTE: Most systems can be described by using just 1 or 2 information categories from NIST 800-60 Volume 2. In rare cases, a system owner might need to use more than that, but be careful not to choose categories that are a "stretch" or that are not part of the mission/function of the system. Usually, a careful review of the description in 800-60 Volume 2 will help avoid unnecessary inclusion of additional categories.
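The following is an added worked example, not part of the NCI page or the FIPS-199 form itself, showing how the page-3 ratings roll up into the page-1 dropdowns under the "highest watermark" rule described in Steps 1 and 3. Each information type carries provisional C-I-A levels, any adjustment must be accompanied by a rationale, the per-objective system rating is the highest adjusted level across all information types, and the overall rating is the highest of those three. The information types and levels in the sample are constructed for illustration and are not values from NIST SP 800-60 Volume 2.

```python
"""Roll up FIPS-199 impact ratings with the high-watermark rule.

Added example; the information types and impact levels below are
constructed and are not taken from NIST SP 800-60 Volume 2.
"""
from dataclasses import dataclass, field

LEVELS = ("Low", "Moderate", "High")  # ordered lowest to highest
OBJECTIVES = ("Confidentiality", "Integrity", "Availability")


@dataclass
class InfoType:
    """One information category entered on page 3 of the form."""
    name: str
    provisional: dict                              # objective -> level from 800-60 V2
    adjusted: dict = field(default_factory=dict)   # objective -> level, only where changed
    rationale: str = ""                            # required whenever `adjusted` is non-empty

    def final_level(self, objective):
        """Adjusted level if one was entered, otherwise the provisional level."""
        return self.adjusted.get(objective, self.provisional[objective])


def validate(info_type):
    """Return the problems an ISSO would flag for this information type."""
    problems = []
    for obj in OBJECTIVES:
        if obj not in info_type.provisional:
            problems.append(f"{info_type.name}: missing provisional {obj} level")
        for lvl in (info_type.provisional.get(obj), info_type.adjusted.get(obj)):
            if lvl is not None and lvl not in LEVELS:
                problems.append(f"{info_type.name}: invalid level {lvl!r} for {obj}")
    # Step 3: an adjusted rating without a rationale is incomplete.
    if info_type.adjusted and not info_type.rationale.strip():
        problems.append(f"{info_type.name}: adjusted ratings require a rationale")
    return problems


def high_watermark(levels):
    """Highest impact level in the given collection (Low < Moderate < High)."""
    return max(levels, key=LEVELS.index)


def categorize(info_types):
    """Compute the page-1 C-I-A dropdown values and the overall system rating."""
    problems = [p for it in info_types for p in validate(it)]
    if problems:
        raise ValueError("; ".join(problems))
    # Per objective: highest adjusted level across every information type.
    per_objective = {
        obj: high_watermark(it.final_level(obj) for it in info_types)
        for obj in OBJECTIVES
    }
    # Overall: highest of the three objective ratings.
    overall = high_watermark(per_objective.values())
    return per_objective, overall


def format_sc(per_objective):
    """Render the categorization in the SC = {(objective, level), ...} notation FIPS-199 uses."""
    pairs = ", ".join(f"({obj.lower()}, {lvl})" for obj, lvl in per_objective.items())
    return "SC = {" + pairs + "}"


# Constructed sample: two information types, one with a justified confidentiality adjustment.
SAMPLE_SYSTEM = [
    InfoType("Constructed type A",
             {"Confidentiality": "Low", "Integrity": "Low", "Availability": "Low"}),
    InfoType("Constructed type B",
             {"Confidentiality": "Low", "Integrity": "Moderate", "Availability": "Low"},
             adjusted={"Confidentiality": "Moderate"},
             rationale="Records include restricted-access participant data (constructed example)."),
]

if __name__ == "__main__":
    per_obj, overall = categorize(SAMPLE_SYSTEM)
    print(format_sc(per_obj))
    print("Overall system security rating:", overall)
```

Running the sample yields Confidentiality Moderate (from the adjusted type B), Integrity Moderate, Availability Low, and an overall rating of Moderate, which matches the page-1 instruction to choose Moderate when the highest individual rating is Moderate even if the others are Low. An information type with an adjustment but no rationale is rejected by `validate` before any roll-up happens.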
FIPS-199 resources