Compliance

The following 7 compliance controls are associated with this Policy definition 'Ensure security categorization is approved' (6c79c3e5-5f7b-a48a-5c7b-8c158bc01115)

| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | RA-2 | FedRAMP_High_R4_RA-2 | FedRAMP High RA-2 | Risk Assessment | Security Categorization | Shared | n/a | The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. Control Enhancements: None. References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60. | link | 4 |
| FedRAMP_Moderate_R4 | RA-2 | FedRAMP_Moderate_R4_RA-2 | FedRAMP Moderate RA-2 | Risk Assessment | Security Categorization | Shared | n/a | The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. Control Enhancements: None. References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60. | link | 4 |
| hipaa | 0901.09s1Organizational.1-09.s | hipaa-0901.09s1Organizational.1-09.s | 0901.09s1Organizational.1-09.s | 09 Transmission Protection | 0901.09s1Organizational.1-09.s 09.08 Exchange of Information | Shared | n/a | The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. | | 31 |
| hipaa | 19143.06c1Organizational.9-06.c | hipaa-19143.06c1Organizational.9-06.c | 19143.06c1Organizational.9-06.c | 19 Data Protection & Privacy | 19143.06c1Organizational.9-06.c 06.01 Compliance with Legal Requirements | Shared | n/a | Designated senior management within the organization reviews and approves the security categorizations and associated guidelines. | | 6 |
| ISO27001-2013 | A.8.2.1 | ISO27001-2013_A.8.2.1 | ISO 27001:2013 A.8.2.1 | Asset Management | Classification of information | Shared | n/a | Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. | link | 5 |
| NIST_SP_800-53_R4 | RA-2 | NIST_SP_800-53_R4_RA-2 | NIST SP 800-53 Rev. 4 RA-2 | Risk Assessment | Security Categorization | Shared | n/a | The organization: a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative. Supplemental Guidance: Clearly defined authorization boundaries are a prerequisite for effective security categorization decisions. Security categories describe the potential adverse impacts to organizational operations, organizational assets, and individuals if organizational information and information systems are compromised through a loss of confidentiality, integrity, or availability. Organizations conduct the security categorization process as an organization-wide activity with the involvement of chief information officers, senior information security officers, information system owners, mission/business owners, and information owners/stewards. Organizations also consider the potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts. Security categorization processes carried out by organizations facilitate the development of inventories of information assets, and along with CM-8, mappings to specific information system components where information is processed, stored, or transmitted. Related controls: CM-8, MP-4, RA-3, SC-7. Control Enhancements: None. References: FIPS Publication 199; NIST Special Publications 800-30, 800-39, 800-60. | link | 4 |
| NIST_SP_800-53_R5 | RA-2 | NIST_SP_800-53_R5_RA-2 | NIST SP 800-53 Rev. 5 RA-2 | Risk Assessment | Security Categorization | Shared | n/a | a. Categorize the system and information it processes, stores, and transmits; b. Document the security categorization results, including supporting rationale, in the security plan for the system; and c. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision. | link | 4 |