RA-2—Security Categorization
>Control Description
Categorize the system and information it processes, stores, and transmits;
Document the security categorization results, including supporting rationale, in the security plan for the system; and
Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals.
CNSSI 1253 provides additional guidance on categorization for national security systems. Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts.
Security categorization processes facilitate the development of inventories of information assets and, along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.
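As an added illustration (not part of the control text above or of any tool the page references), the following Python does two things the discussion describes: it derives a FIPS 199 security category from per-information-type impact levels (each objective takes the highest impact across the information types, and the overall system level is the high-water mark of the three), and it checks a constructed sample of `aws resourcegroupstaggingapi get-resources` output, the query form used under Programmatic Queries below, for components whose categorization tag is missing or disagrees with the approved system level. The tag key `FIPS199Impact`, the ARNs and the information types are assumptions made for the example.

```python
"""Added example for RA-2: compute a FIPS 199 category and reconcile it
against AWS tag inventory output.  Not the page's or any vendor's code.
Assumes the tag key FIPS199Impact and a constructed get-resources sample."""
import json

# FIPS 199 impact values in increasing order of severity.
LEVELS = ("Low", "Moderate", "High")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize(info_types):
    """Return (security_category, overall_level) for a system.

    info_types maps an information-type name to its impact levels, e.g.
    {"customer PII": {"confidentiality": "Moderate", ...}, ...}.
    Per FIPS 199 each objective takes the highest impact across all
    information types; per FIPS 200 the overall level is the high-water
    mark across the three objectives.  Unknown level strings raise ValueError.
    """
    if not info_types:
        raise ValueError("at least one information type is required")
    sc = {}
    for obj in OBJECTIVES:
        worst = max(LEVELS.index(levels[obj]) for levels in info_types.values())
        sc[obj] = LEVELS[worst]
    overall = LEVELS[max(LEVELS.index(v) for v in sc.values())]
    return sc, overall


def tag_gaps(get_resources_json, system_level, tag_key="FIPS199Impact"):
    """Reconcile `aws resourcegroupstaggingapi get-resources` JSON output
    against the approved system categorization.

    Returns (untagged, mismatched): ARNs with no tag_key at all, and ARNs
    whose tag value differs from system_level.  Every component of a
    system inherits the system's categorization, so either list is a
    finding to take back to the security plan or the tagging owner.
    """
    data = json.loads(get_resources_json)
    untagged, mismatched = [], []
    for item in data.get("ResourceTagMappingList", []):
        arn = item["ResourceARN"]
        tags = {t["Key"]: t["Value"] for t in item.get("Tags", [])}
        value = tags.get(tag_key)
        if value is None:
            untagged.append(arn)
        elif value != system_level:
            mismatched.append(arn)
    return untagged, mismatched


# Constructed sample information types (assumed, for illustration only).
INFO_TYPES = {
    "customer PII": {"confidentiality": "Moderate", "integrity": "Moderate", "availability": "Low"},
    "public web content": {"confidentiality": "Low", "integrity": "Moderate", "availability": "Low"},
}

# Constructed sample in the shape get-resources returns; ARNs are fictitious.
SAMPLE_GET_RESOURCES = json.dumps({
    "ResourceTagMappingList": [
        {"ResourceARN": "arn:aws:s3:::example-records-bucket",
         "Tags": [{"Key": "FIPS199Impact", "Value": "Moderate"}]},
        {"ResourceARN": "arn:aws:rds:us-east-1:123456789012:db:example-db",
         "Tags": [{"Key": "FIPS199Impact", "Value": "Low"}]},
        {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
         "Tags": [{"Key": "Name", "Value": "example-app"}]},
    ]
})

if __name__ == "__main__":
    sc, overall = categorize(INFO_TYPES)
    print("security category:", sc, "overall:", overall)
    untagged, mismatched = tag_gaps(SAMPLE_GET_RESOURCES, overall)
    print("untagged components:", untagged)
    print("components tagged below/above the system level:", mismatched)
```

Two caveats when running this against real output. A `--tag-filters Key=FIPS199Impact,Values=Moderate` query returns only resources already tagged at that level, so it can never show a gap; query without a value filter (or with the key alone) and then reconcile. And `get-resources` only lists resources that carry or once carried a tag, so a component that has never been tagged does not appear in the "untagged" list at all; that gap is only visible by reconciling against the CM-8 component inventory.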
>Programmatic Queries
Related Services
CLI Commands
aws resourcegroupstaggingapi get-resources --tag-filters Key=SecurityCategory,Values=High
aws resourcegroupstaggingapi get-resources --tag-filters Key=FIPS199Impact,Values=Moderate
aws macie2 list-classification-jobs
aws macie2 list-findings --finding-criteria '{"criterion":{"category":{"eq":["CLASSIFICATION"]}}}'
The tag keys SecurityCategory and FIPS199Impact are illustrative; substitute the key your organization's tagging standard assigns to the categorization. A value-filtered query only returns resources already tagged at that level, so run the query by key alone (or with no filter) to find components that are missing the tag.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What is your organization's documented risk assessment policy and how does it address the requirements of RA-2?
- Who has been designated as responsible for conducting and maintaining risk assessments?
- How frequently are risk assessments conducted and what triggers an update to the risk assessment?
Technical Implementation:
- What methodology or framework do you use to conduct risk assessments?
- How do you identify and categorize threats and vulnerabilities during the risk assessment process?
- What tools or systems support your risk assessment activities?
- How do you determine the security categorization of systems and information?
Evidence & Documentation:
- Can you provide the most recent risk assessment report?
- What evidence demonstrates that risk assessment findings are communicated to appropriate stakeholders?
- Where are risk assessment results documented and how long are they retained?
- Can you show the security categorization documentation for each system in scope?