@Gwen - When categorizing the Information System (IS) the focus is on identifying what levels Confidentiality, Integrity and Availability (CIA) are at. An IS can be any combination of Low, Moderate or High and is often written with only the first initial listed. For example, a system with CIA levels of Moderate, Moderate, Moderate would be written as MMM. Another system with Low, Moderate, Low would be written LML. This same method applies to all DoD and Federal Information Systems under RMF. However, each DoD and Federal organization can have their own set of "overlays" that apply additional measures for determining the CIA level. For example, there are overlays for PHI, PII, security classification, space and others. Ref. NIST 800-53 Rev 4.
Thank you for posting! It is really appreciated!!! Does your course prepare me to sit for the CAP certification? How well does your course prepare me for success in a field of CAP? Thanks in advance!
Bruce, thank you for the video. In your case of multiple information types, would it really matter going through the process of figuring out each one if one of your info types was let's say, "high" for integrity? If the concept of High Water Mark is used, wouldn't the system come out as High regardless of how the other ones turned out? Also, are you going to put out a video for how to categorize national security systems? Since the DoD is transitioning to RMF, there’s a lot of confusion out there. Thank you!
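The categorization scheme described in the comments above (per-objective levels written as initials such as MMM or LML, and the high water mark question about a single "High" information type), worked through as an added example. This is not code from the video or the course; the information-type names and their levels are constructed, hypothetical values. The per-objective maximum follows FIPS 199 and the single overall level that selects the control baseline follows FIPS 200 / SP 800-53.

```python
from typing import Dict, Mapping

# FIPS 199 impact levels in ascending order; the list index doubles as a rank for max().
LEVELS = ("Low", "Moderate", "High")
OBJECTIVES = ("Confidentiality", "Integrity", "Availability")


def _rank(level: str) -> int:
    """Map an impact level name (case-insensitive) to its rank; reject unknown values."""
    try:
        return LEVELS.index(level.capitalize())
    except ValueError:
        raise ValueError(f"unknown impact level: {level!r}") from None


def categorize_system(info_types: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Per-objective high water mark: for each of C, I and A take the highest level
    assigned to any information type carried by the system (FIPS 199)."""
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    result: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max(_rank(levels[objective]) for levels in info_types.values())
        result[objective] = LEVELS[highest]
    return result


def short_form(categorization: Mapping[str, str]) -> str:
    """Render the three-letter initials used in the comments (e.g. 'MMM', 'LML')."""
    return "".join(categorization[objective][0] for objective in OBJECTIVES)


def overall_impact(categorization: Mapping[str, str]) -> str:
    """System-wide high water mark across C, I and A; this single level picks the
    Low/Moderate/High control baseline (FIPS 200 / SP 800-53)."""
    return LEVELS[max(_rank(categorization[objective]) for objective in OBJECTIVES)]


# Constructed sample: three hypothetical information types on one system.
SAMPLE_SYSTEM = {
    "public web content":     {"Confidentiality": "Low",      "Integrity": "Moderate", "Availability": "Low"},
    "financial transactions": {"Confidentiality": "Moderate", "Integrity": "High",     "Availability": "Moderate"},
    "internal scheduling":    {"Confidentiality": "Low",      "Integrity": "Low",      "Availability": "Low"},
}

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print(cat)                  # per-objective levels
    print(short_form(cat))      # 'MHM': the one High type raises only Integrity
    print(overall_impact(cat))  # 'High': the baseline is driven by the highest objective
```

The two functions separate the two different "high water marks": `categorize_system` keeps Confidentiality and Availability at Moderate even though one information type is High for Integrity, so the per-objective result is MHM rather than HHH; `overall_impact` then collapses that to a single High, which is what determines the baseline. Overlays, as the first comment notes, are applied on top of this result and are not modelled here.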
Check out the course:
www.nist80037rmf.com/rmf-isso-foundations
This is a fantastic summary of RMF and security categorization. Plainly spoken without losing meaningful concepts. Well done Bruce!
Good stuff. You explained in 10mins what I have been trying to wrap my head around for the last year
Thank you for making this so easy to comprehend👏
Nice Presentation of this material!!
Great
Great lecture. Thank you and keep up the good work.
Thanks for the video. Very helpful. Do you have more videos of RMF?
Missing the privacy component, which becomes a necessary part of every assessment nowadays.
Very lucid explanation. Nice.
You're a great teacher. I'll pay for a Skype call to ask some questions. I'm interviewing and need more knowledge.
Can you kindly teach on shared Assessment?
Opposition