Link Search Menu Expand Document
NIST SP 800-37

INFORMATION LIFE CYCLE

TASK P-13

Identify and understand all stages of the information life cycle for each information type processed, stored, or transmitted by the system.
Potential Inputs: Missions, business functions, and mission/business processes the system will support; system stakeholder information; authorization boundary information; information about other systems that interact with the system (e.g., information exchange/connection agreements); system design documentation; system element information; list of system information types.
Expected Outputs: Documentation of the stages through which information passes in the system, such as a data map or model illustrating how information is structured or is processed by the system throughout its life cycle. Such documentation includes, for example, data flow diagrams, entity relationship diagrams, database schemas, and data dictionaries.
Primary Responsibility: Senior Agency Official for Privacy; System Owner; Information Owner or Steward.
Supporting Roles: Chief Information Officer; Mission or Business Owner; Security Architect; Privacy Architect; Enterprise Architect; Systems Security Engineer; Privacy Engineer.
System Development Life Cycle Phase: New – Initiation (concept/requirements definition). Existing – Operations/Maintenance.
Discussion: The information life cycle describes the stages through which information passes, typically characterized as creation or collection, processing, dissemination, use, storage, and disposition, to include destruction and deletion [OMB A-130]. Identifying and understanding how each information type is processed during all stages of the life cycle helps organizations identify considerations for protecting the information, informs the organization’s security and privacy risk assessments, and informs the selection and implementation of controls. Identification and understanding of the information life cycle facilitates the employment of practices to help ensure, for example, that organizations have the authority to collect or create information, develop rules related to the processing of information in accordance with its impact level, create agreements for information sharing, and follow retention schedules for the storage and disposition of information.

Using tools such as a data map enables organizations to understand how information is being processed so that organizations can better assess where security and privacy risks could arise and where controls could be applied most effectively. It is important for organizations to consider the appropriate delineation of the authorization boundary and the information system’s interaction with other systems because the way information enters and leaves the system can affect the security and privacy risk assessments. The elements of the system are identified with sufficient granularity to support such risk assessments.

Identifying and understanding the information life cycle is particularly relevant for the assessment of security and privacy risks since information may be processed by a system in any of the SDLC phases. For example, in the testing and integration phase of the SDLC, processing actual (i.e., live) data would likely raise security and privacy risks, but using substitute (i.e., synthetic) data may allow an equivalent benefit in terms of system testing while reducing risk.

References: [OMB A-130]; [OMB M-13-13]; [NARA RECM]; [NIST CSF] (Core [Identify Function]); [IR 8062].