
What’s important to note about the CATEGORIZE step within the NIST RMF for DoD Contractors?


Per NIST, security categorization provides a structured way to determine the criticality of the information being processed, stored, and transmitted by a system. The purpose of the CATEGORIZE step is to inform organizational risk management processes and tasks by determining the adverse impact of the loss of confidentiality, integrity, and availability of organizational systems and information to the organization.

Technically speaking, the information owner/system owner, or an individual designated by the owner, is responsible for categorizing a system. Even so, regulatory compliance mandates from outside your organization will often determine the IMPACT LEVEL (HIGH, MODERATE, LOW) you must comply with for purposes of FedRAMP, FISMA, etc.

To learn more about impact levels and control baselines for NIST RMF, please access Control Baselines for Information Systems and Organizations (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53B.pdf).  This publication establishes security and privacy control baselines for federal information systems and organizations and provides tailoring guidance for those baselines. The control baselines can be implemented by any organization that processes, stores, or transmits information (e.g., federal, state, local, and tribal governments, as well as private sector organizations).

As for NISP eMASS, per the National Industrial Security Program Enterprise Mission Assurance Support Service (eMASS) Industry Operation Guide, "eMASS will automatically populate the recommended C-I-A levels for some of the Information Type as established by NIST SP 800-60 Vol. 2...", with "MODERATE" being the recommended CIA IMPACT LEVEL.

Trusted Providers of NIST RMF Services & Solutions

Arlington offers the following NIST RMF services & solutions to DoD and other federal contractors:

  • Compliance Reporting for FedRAMP, FISMA, eMASS, CMMC, 800-171, ITAR/EAR, and more.
  • Scoping & Gap Assessments
  • Policies & Procedures Development
  • Program Documentation Development
  • System Security Plans (SSP)
  • Security Assessment Reports (SAR)
  • Remediation Assistance
  • ATO Assistance

Arlington Security Portal

Get Access to 100+ NIST RMF security and privacy policies & procedures, programs, and plan templates.