DON Information Type Baselines for Risk Management Framework Categorization of Information Technology

DON CIO Memo - Publish Date: 02/10/16



In order to promote consistency in DON Risk Management Framework (RMF) implementation, the DON Chief Information Officer (CIO) collaborated with Navy and Marine Corps cybersecurity stakeholders to develop DON Information Type Baselines. The DON baseline includes the information types and impact levels from reference (c) and adds DON-unique impact levels for certain information types. The DON Information Type Baselines are starting points. ISO/PM must select impact levels appropriate for national security and the criticality of their missions when using baseline information types and adjust them as necessary. ISO/PM must document any adjustments or tailoring of the DON baseline impact levels in the Security Authorization Package as the Authorizing Official directs. The DON Information Types Baseline can be found on the Services' Assessment and Authorization portals.

Subj: DEPARTMENT OF THE NAVY INFORMATION TYPE BASELINES FOR RISK MANAGEMENT FRAMEWORK CATEGORIZATION OF INFORMATION TECHNOLOGY

Ref: (a) DoD Instruction 8510.01, "Risk Management Framework (RMF) for DoD Information Technology," March 12, 2014
(b) Committee on National Security Systems Instruction 1253, "Security Categorization and Control Selection for National Security Systems," March 27, 2014
(c) National Institute of Standards and Technology Special Publication 800-60, Revision 1, (Volumes 1&2) "Guide for Mapping Types of Information and Information Systems to Security Categories," August 2008

Reference (a) requires that all information technology (IT), including National Security Systems (NSS), be categorized in accordance with reference (b). Categorization requires Information System Owners (ISO)/Program Managers (PM) to identify the information types processed, stored, transmitted, or protected by their IT. However, the information types and impact levels provided in reference (c) are insufficient for the wide range of IT in the Department of the Navy (DON).

In order to promote consistency in DON Risk Management Framework (RMF) implementation, the DON Chief Information Officer (CIO) collaborated with Navy and Marine Corps cybersecurity stakeholders to develop DON Information Type Baselines. The DON baseline includes the information types and impact levels from reference (c) and adds DON-unique impact levels for certain information types. The DON Information Type Baselines are starting points. ISO/PM must select impact levels appropriate for national security and the criticality of their missions when using baseline information types and adjust them as necessary. ISO/PM must document any adjustments or tailoring of the DON baseline impact levels in the Security Authorization Package as the Authorizing Official directs. The DON Information Types Baseline can be found on the Services' Assessment and Authorization portals.

The DON CIO point of contact for this matter is Darcee Branham, (757) 203-3741, darcee.branham@navy.mil.

Signed by:
Robert W. Foster

TAGS: Cybersecurity
