RMF Step 1: Cateogrize

Question 1

Task 1-1

Answer 1

Categorize the information and information system

Question 2

Task 1-2

Answer 2

Describe the information system (including the system boundary)

Question 3

Task 1-3

Answer 3

Register - let organizational authority know what the system is used for, why it exists

Question 4

Sensitivity

Answer 4

how important the information is denotes the need for protection

information may have more sensitivity when combined,

Question 5

Criticality

Answer 5

measure of the degree to which an organization needs the system for success of mission or business function

information may be more critical at a point in time

Question 6

Data Classification

Answer 6

Inventory and classification approach, what needs to be

• public
• internal use
• restricted

Question 7

Security Objective

Answer 7

CIA -

Confidentiality
Integrity
Availability

Question 8

The docs used are

Answer 8

FIPs 199 and NIST 800-60

Question 9

NIST 800-60 Volume 1 and 2 (both rev 1)

Answer 9

Volume 1, rev 1 - guide for mapping types of information and information systems to security categories

Volume 2, rev 1 - appendices to the guide for mapping types of information and information systems to security categories
*Recommended levels for each security objective (CIA)

Question 10

Categorization Process

Answer 10

1) Identify the Information System
2) Identify the Information Type
3) Select Provisional Impact Levels
4) Review Provisional Impact Levels
5) Adjust/Finalize Impact Levels
6) Assign System Security Cateogry
7) Security Categorization (FIPs 199)
8) FIPs 200 (control selection)

Question 11

Three types of information types

Answer 11

1) Mission-Based Information Types
2) Services Delivery Support Information Types
3) Government Resource Mgmt Information Types