DON Information Type Baselines for Risk Management Framework Categorization of Information Technology

DON CIO Memo - Publish Date: 02/10/16


download PDF

In order to promote consistency in DON Risk Management Framework (RMF) implementation, the DON Chief Information Officer (CIO) collaborated with Navy and Marine Corps cybersecurity stakeholders to develop DON Information Type Baselines. The DON baseline includes the information types and impact levels from reference (c) and adds DON­-unique impact levels for certain information types. The DON Information Type Baselines are starting points. ISO/PM must select impact levels appropriate for national security and the criticality of their missions when using baseline information types and adjust them as necessary. ISO/PM must document any adjustments or tailoring of the DON baseline impact levels in the Security Authorization Package as the Authorizing Official directs. The DON Information Types Baseline can be found on the Services' Assessment and Authorization portals.

Subj: DEPARTMENT OF THE NA VY INFORMATION TYPE BASELINES FOR RISK MANAGEMENT FRAMEWORK CATEGORIZATION OF INFORMATION TECHNOLOGY

Ref: (a) DoD Instruction 8510.01, "Risk Management Framework (RMF) for DoD Information Technology," March 12, 2014
(b) Committee on National Security Systems Instruction 1253, "Security Categorization and Control Selection for National Security Systems," March 27, 2014
(c) National Institute of Standards and Technology Special Publication 800-60, Revision 1, (Volumes 1&2) "Guide for Mapping Types oflnformation and Information Systems to Security Categories," August 2008

Reference (a) requires that all information technology (IT), including National Security Systems (NSS), be categorized in accordance with reference (b). Categorization requires Information System Owners (ISO)/Program Managers (PM) to identify the information types processed, stored, transmitted, or protected by their IT. However, the information types and impact levels provided in reference (c) are insufficient for the wide range of IT in the Department of the Navy (DON).

In order to promote consistency in DON Risk Management Framework (RMF) implementation, the DON Chief Information Officer (CIO) collaborated with Navy and Marine Corps cybersecurity stakeholders to develop DON Information Type Baselines. The DON baseline includes the information types and impact levels from reference (c) and adds DON­unique impact levels for certain information types. The DON Information Type Baselines are starting points. ISO/PM must select impact levels appropriate for national security and the criticality of their missions when using baseline information types and adjust them as necessary. ISO/PM must document any adjustments or tailoring of the DON baseline impact levels in the Security Authorization Package as the Authorizing Official directs. The DON Information Types Baseline can be found on the Services' Assessment and Authorization portals.

The DON CIO point of contact for this matter is Darcee Branham, (757) 203-3741, darcee.branham@navy.mil.

Signed by:
Robert W. Foster

TAGS: Cybersecurity

Related Policy
Related News
Related Resources