Prometheus Blogs

A Tale Of Two Classification Systems


NIST has two documents (FIPS 199 and SP 800-60) that specify how to classify information systems. Classification is important because it determines which security control baseline to use. You might not regard these as alternatives, because FIPS 199 is required by law, and 800-60 provides guidance on implementation of FIPS 199. In practice, you may have a choice because agencies have considerable latitude, and may not require 800-60.

NIST FIPS 199 “Standards for Security Categorization of Federal Information and Information Systems” is relatively painless. It’s concise, self contained, just thirteen pages long, and pretty straightforward to use.

NIST SP 800-60 “Guide for Mapping Types of Information and Information Systems to Security Categories” is rococo in comparison. Volume 1 is 53 pages. Volume 2 runs to 304 pages. To apply these, you need to understand the 434 page Federal Enterprise Architecture Framework and the 90 page FEA Consolidated Reference Model Document. To actually put SP 800-60 into effect you also need to consult the 52 page Business Reference Model Taxonomy with Definitions, and the 24 page Business Reference Model Service Codes and Definitions. This adds up to 957 pages. I can see that SP 800-60 could, if carefully applied, result in greater consistency than FIPS 199 alone. It’s far less obvious how much (if at all) SP 800-60 actually increases security, or if that hypothetical increase is worth the effort.

Diagram showing classification of triangles

Classification of a triangle1 is once-and-done. In contrast, the classification of a security system is only a baseline-determining starting point: the security controls are still tailored, and reviewed periodically. If it’s going to be tailored anyway, does the initial classification really need to be perfect?

So what’s being used in practice? The FedRAMP categorization template and the NIH template all nod to 800-60 in their titles, information labels, or instructions… but you could easily fill them out without paying attention to 800-60. The Patent and Trademark Office template is clearly informed by 800-60, and makes 800-60 easier to apply in the context of the PTO.

Which one “works best”? I’ve not seen any actual measurements. If I had to bet, I’d bet on FIPS 199. The book Simple Rules: How to Thrive in a Complex World, by Donald Sull and Kathleen M. Eisenhardt, describes many examples where simple procedures and rules work better than complicated ones. Complicated systems often develop in an attempt to prevent every possible failure mode. Sometimes corner cases are piled up well beyond the point of diminishing returns.

  1. This triangle diagram was published in First Steps in Geometry by G. A. Wentworth and G. A. Hill (Ginn, 1901), according to H. R. Jacobs, Geometry, 3rd edition, W. H. Freeman and Company, 2003

Reader Comments
  1. Horus said... around over 1 year ago
    Thank you. You have helped me a lot with your references. Very much appreciated. I hope my upcoming contributions will be as useful as this.
  2. Bill Schmidt said... around over 1 year ago
    I was hoping that RMF would be a huge improvement over DIACAP, and it still could be at some point. For now, using 800-60, it seems like it is just a lot more paperwork, and yet more Cyber staff to dedicate to process the paperwork.
Leave a Comment