
IMPACT-LEVEL PRIORITIZATION (Optional)61

TASK P-6

Prioritize organizational systems with the same impact level.
Potential Inputs: Security categorization information for organizational systems; system descriptions; organization- and system-level risk assessment results; mission or business objectives; Cybersecurity Framework Profiles.
Expected Outputs: Organizational systems prioritized into low-, moderate-, and high-impact sub-categories.
Primary Responsibility: Senior Accountable Official for Risk Management or Risk Executive (Function).
Supporting Roles: Senior Agency Information Security Officer; Senior Agency Official for Privacy; Mission or Business Owner; System Owner; Chief Information Officer; Authorizing Official or Authorizing Official Designated Representative.
Discussion: This task is carried out only after organizational systems have been categorized (see Task C-1). This task requires organizations to first apply the high-water mark concept to each of their information systems categorized in accordance with [FIPS 199] and [FIPS 200].62 The application of the high-water mark concept results in systems designated as low impact, moderate impact, or high impact. Organizations desiring additional granularity in their impact designations for risk-based decision making can use this task to prioritize their systems within each impact level.63 For example, an organization may decide to prioritize its moderate-impact systems by assigning each moderate system to one of three new subcategories: low-moderate systems, moderate-moderate systems, and high-moderate systems. The high-moderate systems assume a higher priority than the moderate-moderate systems, and low-moderate systems assume a lower priority than the moderate-moderate systems. The prioritization of its moderate systems gives organizations an opportunity to make more informed decisions regarding control selection and the tailoring of control baselines when responding to identified risks.

Impact-level prioritization can also be used to determine those systems that are critical or essential to organizational missions and business operations and, therefore, where organizations can focus on the factors of complexity, aggregation, and system interconnections. Such systems can be identified, for example, by prioritizing high-impact systems into low-high systems, moderate-high systems, and high-high systems. Impact-level prioritizations can be conducted at any level of the organization and are based on security categorization data reported by individual system owners. Impact-level prioritization may necessitate the development of organizationally-tailored baselines to designate the appropriate set of controls for the additional, more granular impact levels.

Cybersecurity Framework Profiles can be used by organizations to support the impact-level prioritization task. The mission and business objectives and prioritized outcomes defined in applicable Cybersecurity Framework Profiles can help distinguish relative priority between systems with the same impact level. Cybersecurity Framework Profiles can be organized around the priority of mission/business objectives of an organization, and those objectives are assigned a relative priority among them. For example, human and environmental safety objectives may be the two most important objectives relevant to a Profile’s context. In this example, when performing Task P-6, a system that relates to a human safety objective may be prioritized higher than a system that has the same impact levels but does not relate to the human safety objective.

References: [FIPS 199]; [FIPS 200]; [SP 800-30]; [SP 800-39] (Organization and System Levels); [SP 800-59]; [SP 800-60 v1]; [SP 800-60 v2]; [SP 800-160 v1] (System Requirements Definition Process); [IR 8179] (Criticality Analysis Process B); [CNSSI 1253]; [NIST CSF] (Core [Identify Function]; Profiles).


61 Organizations can use this task in conjunction with the optional RMF Prepare-Organization Level step, Task P-4, to develop organizationally-tailored baselines for the more granular impact designations, for example, organizationally-tailored baselines for low-moderate systems and high-moderate systems.

62 Organizations operating National Security Systems follow the categorization guidance in [CNSSI 1253], which does not apply the high-water mark concept.

63 Organizations can also elect to use an alternative, organization-defined categorization approach to add additional granularity to the impact levels defined in [FIPS 199].