
System Categorization Suggestions

July 26, 2011

Determining System Business and Technical Impact Level (Low, Moderate, High)

Determine data classification (using NIST):

  • NIST SP 800-60 Vol. I and II*

  • FIPS 200 / NIST SP 800-53

Use FIPS 199** if the data type is not in NIST SP 800-60 (i.e., C/I/A scoring). NIST references below:

  • NIST SP 800-34 defines the SDLC as “the scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation.”

  • NIST SP 800-55, Security Metrics Guide for Information Technology Systems

  • NIST SP 800-80, Guide for Developing Performance Metrics for Information Security
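The C/I/A scoring step above, as an added example that is not part of the original notes: each information type gets a Low/Moderate/High impact value per security objective (FIPS 199), the system takes the highest value per objective, and the overall system impact level is the high-water mark across the three objectives (FIPS 200). The function names and the sample inventory are assumptions constructed for illustration; the sample values are not taken from the NIST SP 800-60 tables.

```python
"""FIPS 199 security categorization with the FIPS 200 high-water mark."""

LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {rank: name for name, rank in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def validate(info_type):
    """Check one information type's C/I/A impact values."""
    for obj in OBJECTIVES:
        value = info_type[obj].upper()
        if value not in LEVELS:
            raise ValueError(f"{info_type['name']}: bad {obj} value {value!r}")
        # FIPS 199 permits "not applicable" only for confidentiality.
        if value == "NA" and obj != "confidentiality":
            raise ValueError(f"{info_type['name']}: NA not allowed for {obj}")


def categorize_system(info_types):
    """Return (per-objective system category, overall impact level)."""
    if not info_types:
        raise ValueError("at least one information type is required")
    for info_type in info_types:
        validate(info_type)
    category = {}
    for obj in OBJECTIVES:
        highest = max(LEVELS[it[obj].upper()] for it in info_types)
        # A system-level objective cannot be NA; the floor is LOW.
        category[obj] = NAMES[max(highest, LEVELS["LOW"])]
    # FIPS 200: the overall level is the highest of the three objectives.
    overall = NAMES[max(LEVELS[v] for v in category.values())]
    return category, overall


# Constructed sample inventory (hypothetical types and values).
SAMPLE_TYPES = [
    {"name": "public web content", "confidentiality": "NA",
     "integrity": "Moderate", "availability": "Low"},
    {"name": "personnel records", "confidentiality": "Moderate",
     "integrity": "Moderate", "availability": "Low"},
    {"name": "system audit logs", "confidentiality": "Low",
     "integrity": "High", "availability": "Low"},
]

if __name__ == "__main__":
    system_category, impact_level = categorize_system(SAMPLE_TYPES)
    print(system_category, "->", impact_level)
```

A single High value on any one objective makes the whole system High, which is why the per-objective category is worth recording alongside the overall level when selecting the control baseline.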