This is an introduction to Step 1, Categorization of the NIST SP 800-37, Risk Management Framework process. Categorization consists of three primary steps:
1) Determining the Security Categorization of the information system. This is done by breaking down the primary information types on the system. You can get great guidance on this from FIPS 199 and NIST SP 800-60 (Volume I-II).
2) Create a System Description. This is really the first step to creating a System Security Plan and it leads to registering the systems.
3) Register the system. This means that you need to advertise the the system to all the stakeholders of the system in the organization. Organizations usually have a method of doing this with a database that can be seen by upper-level management.




Tags : categorizationfips 199nist sp 800-60risk management frameworkrmf
Bruce Brown

The author Bruce Brown

I have done a lot of work with Risk Management Framework for DoD IT (formerly DIACAP,DITSCAP). I noticed there was not a lot of information for security engineers on the nuts and bolts of it, so i started writing it down.

security is just a hobby. my real job is to help humanity out of poverty (information & financial poverty).

I am sure we can do it together

maybe rmf will help humanity. ;p
the internet maybe our greatest hope, we should keep it safe.

Leave a Response