SP800-53rev3 catalog / class: Management / family: (RA) Risk Assessment
RA-02: Security Categorization

base control objective:
The organization:
a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and
c. Ensures the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative.

supplemental objective information:
Security categorization describes the potential adverse impacts to organizational operations, organizational assets, and individuals should the information and information system be compromised through a loss of confidentiality, integrity, or availability. The organization conducts the security categorization process as an organization-wide activity with the involvement of the chief information officer, senior information security officer, information system owner, mission owners, and information owners/stewards. The organization also considers potential adverse impacts to other organizations and, in accordance with the USA PATRIOT Act of 2001 and Homeland Security Presidential Directives, potential national-level adverse impacts in categorizing the information system. The security categorization process facilitates the creation of an inventory of information assets and, in conjunction with CM-8, a mapping to the information system components where the information is processed, stored, and transmitted.

enhancements to the base objective:

(1) None.

mapping to FIPS199 baseline:

LOW: base     MOD: base     HIGH: base

related (regimented) controls:

CM-08   Information System Component Inventory
MP-04   Media Storage
SC-07   Boundary Protection

documents referenced in SP800-53rev3 for RA-02:

Document          Date            Status     Title
FIPS 199          February 2004   current    Standards for Security Categorization of Federal Information and Information Systems
NIST SP800-30     July 2002       groan...   Risk Management Guide for Information Technology Systems
NIST SP800-37     February 2010   current    Guide for the Security Certification and Accreditation of Federal Information Systems
NIST SP800-39     December 2010   DRAFT      Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View
NIST SP800-40     November 2005   current    Creating a Patch and Vulnerability Management Program
NIST SP800-59     August 2003     current    Guideline for Identifying an Information System as a National Security System
NIST SP800-60v1   August 2008     current    Volume 1, Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP800-60v2   August 2008     current    Volume 2, Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP800-66     October 2008    current    An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule