Identify the types of information to be processed, stored, and transmitted by the system.
Potential Inputs: System design documentation; assets to be protected; mission/business process information.
Expected Outputs: A list of information types for the system.
Primary Responsibility: System Owner; Information Owner or Steward.
Supporting Role: Mission or Business Owner; System Security Officer; System Privacy Officer.[66]
System Development Life Cycle Phase: New – Initiation (concept/requirements definition). Existing – Operations/Maintenance.
Discussion: Identifying the types of information needed to support organizational missions, business functions, and mission/business processes is an important step in developing security and privacy plans for the system and a precondition for determining the security categorization. [NARA CUI] defines the information types that require protection as part of its Controlled Unclassified Information (CUI) program, in accordance with laws, regulations, or governmentwide policies. Organizations may define additional information types needed to support organizational missions, business functions, and mission/business processes that are not defined in the CUI Registry or in [SP 800-60 v2]. Identified information types are confirmed by the information owners or stewards and documented in the system security and privacy plans.
References: [OMB A-130]; [NARA CUI]; [SP 800-39] (System Level); [SP 800-60 v1]; [SP 800-60 v2]; [NIST CSF] (Core [Identify Function]).
[66] System Privacy Officer is only a primary role when the information system processes PII.