December 23, 2003

NIST releases Guidelines for Mapping Types of Information and Information Systems to Security Categories

NIST has completed the first draft of Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. The purpose of the draft guideline is to assist Federal government agencies in identifying information types and information systems and assigning impact levels for confidentiality, integrity, and availability. Impact levels are based on the security categorization definitions in FIPS 199, which I talked about back in September.

The document comes in two volumes:

  1. Volume 1 provides guidelines for identifying impact levels by type and suggests impact levels for administrative and support information common to multiple agencies.
  2. Volume 2 includes the rationale for the information type and impact level recommendations, along with examples of recommendations for agency-specific, mission-related information.

A goal of this document is to define the impact level independently, that is, to determine the impact level without considering countermeasures or controls. If you wish to comment on the draft, NIST requests that you do so by February 20, 2004. You can send them an email at 800-60_comments@nist.gov.

Happy reading!

Posted by SilverStr at December 23, 2003 08:28 AM