3 Information Security Objectives / Impact Levels
Cloud security information impact levels are defined by the combination of: 1) the level of information to be stored and processed in the CSP environment; and 2) the potential impact of an event that results in the loss of confidentiality, integrity or availability of DoD data, systems or networks. DoD Mission Owners categorize mission information systems in accordance with DoDI 8510.01 and CNSSI 1253 to select the impact level that most closely aligns with defined baselines.
3.1 Security Objectives (Confidentiality, Integrity, Availability)
Information Impact Levels consider the potential impact should the confidentiality or the integrity of the information be compromised.
According to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, confidentiality is "preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information..." [44 U.S.C., Sec. 3542]. A loss of confidentiality is the unauthorized disclosure of information.
FIPS Publication 199 defines integrity as "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity..." [44 U.S.C., Sec. 3542]. A loss of integrity is the unauthorized modification or destruction of information. It is important to note that the unauthorized destruction of information will result in the loss of availability of that information.
FIPS-199 defined three levels to designate the impact of a loss of confidentiality or a loss of integrity (refer to Table 1). The security control baseline for all Impact Levels is based on moderate confidentiality and moderate integrity. If a Mission Owner has high potential impacts, specific requirements must be included in the contract/SLA to address or mitigate this risk, or the system must be deployed to DoD facilities assessed using CNSSI 1253 high baselines through the DoD RMF. In the future, DISA will consider incorporating a FedRAMP High Baseline into this SRG after one becomes available.
Table 1 - Potential Impact Definitions for Security Objectives
| Security Objective | Low | Moderate | High |
|---|---|---|---|
| Confidentiality | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
The baseline objectives do not address the impact of availability; it is expected that the Mission Owner will assess the CSP's stated availability rating(s) during CSP selection. Any specific or additional availability requirements must be included in the contract or a service level agreement with the CSP. Mission Owners must ensure the language is specific and inclusive for their required availability. For example, if the requirement is "CSP maintenance affecting system availability must be coordinated 4 weeks in advance and only conducted between 02:00 and 04:00 EST on Sunday morning," then the contract/SLA should detail the requirement. Recommended contract/SLA availability controls are provided under the FedRAMP+ Controls/Enhancements in Section 5.1.5, Controls/Enhancements to be Addressed in the Contract/SLA.
CSPs will be evaluated or queried as part of the assessment process to determine the level of availability they offer to be listed in the DoD Cloud Service Catalog. This evaluation does not prevent a CSP from receiving a PA or being included in the DoD Cloud Service Catalog; it is only used to facilitate the matching of a DoD Mission Owner to one or more appropriate cloud services meeting their needs.
The previously published Cloud Security Model defined 6 information Impact Levels. In order to simplify the selection process, the number of levels was reduced from 6 to 4. This was accomplished by integrating levels 1 (public information) and 3 (low impact Controlled Unclassified Information (CUI)) into levels 2 and 4, respectively. The numeric designators for the Impact Levels have not changed to remain consistent with previous versions of the Cloud Security Model, leaving Impact Levels 2, 4, 5, and 6. Note that a higher level can process data from a lower level.
Additionally, the security control baseline for all levels has been changed to moderate confidentiality and moderate integrity as defined by CNSSI 1253 and the FedRAMP Moderate Baseline. This modification from high confidentiality and high integrity is intended to better align with the categorization of most DoD customer systems that will be deployed to commercial CSP facilities. Mission owners with systems categorized at high confidentiality or integrity impact levels must deploy to DoD facilities assessed using CNSSI 1253 high baselines through the DoD RMF or contract for the added security. DISA will consider incorporating a FedRAMP High Baseline into this SRG after one becomes available.
The following subsections describe the impact levels, to include those used previously, and the type of information to be stored or hosted in CSOs.
3.2.1 Level 1: Unclassified Information approved for Public release
Level 1 is no longer used and has been merged with Level 2.
3.2.2 Level 2: Non-Controlled Unclassified Information
Level 2 includes all data cleared for public release, as well as some DoD private unclassified information that is not designated as CUI or critical mission data but still requires some minimal level of access control.
3.2.3 Level 3: Controlled Unclassified Information
Level 3 is no longer used and has been merged with Level 4.
3.2.4 Level 4: Controlled Unclassified Information
Level 4 accommodates CUI, the categorical designation for unclassified information that, under law or policy, requires protection from unauthorized disclosure as established by Executive Order 13556 (November 2010), or other mission critical data. Designating information as CUI or critical mission data to be protected at Level 4 is the responsibility of the owning organization. Determination of the appropriate impact level for a specific mission with CUI and mission data will be the responsibility of the mission AO.
CUI contains a number of categories, including, but not limited to, the following:
- Export Control--Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. This includes dual use items; items identified in export administration regulations, international traffic in arms regulations and the munitions list; license applications; and sensitive nuclear technology information.
- Privacy Information--Refers to personal information or, in some cases, personally identifiable information (PII) as defined in Office of Management and Budget (OMB) M-07-16 or means of identification as defined in 18 USC 1028(d)(7).
- Protected Health Information (PHI) as defined in the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
- Other information requiring explicit CUI designation (i.e., For Official Use Only, Official Use Only, Law Enforcement Sensitive, Critical Infrastructure Information, and Sensitive Security Information).
3.2.5 Level 5: Controlled Unclassified Information
Level 5 accommodates CUI that requires a higher level of protection as deemed necessary by the information owner, public law, or other government regulations. Level 5 also supports unclassified National Security Systems (NSSs) due to the inclusion of NSS specific requirements in the FedRAMP+ controls/control enhancements (C/CEs). As such, NSS must be implemented at Level 5.
3.2.6 Level 6: Classified Information up to SECRET
Level 6 accommodates information that has been determined: (i) pursuant to Executive Order 12958 as amended by Executive Order 13292, or any predecessor Order, to be classified national security information; or (ii) pursuant to the Atomic Energy Act of 1954, as amended, to be Restricted Data (RD). At this time, only information classified as SECRET, in accordance with the applicable executive orders, is applicable to this level. Services running at higher classification levels, to include compartmented information, are governed by other policies and are beyond the scope of this document. Impact Level 6 requires a similar set of tailored controls as Level 5 and includes the CNSSI 1253 Appendix F, Attachment 5 Classified Information Overlay C/CEs.
3 CUI Categories: http://www.archives.gov/cui/registry/category-list.html
4 NIST SP 800-122, Protecting PII: http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
5 OMB M-07-16: http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf
6 PHI: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/