FIPS 200 Footnotes

1

An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information resources include information and related resources, such as personnel, equipment, funds, and information technology.

2

NIST security standards and guidelines referenced in this publication are available at http://csrc.nist.gov.

3

The high water mark concept is employed because there are significant dependencies among the security objectives of confidentiality, integrity, and availability. In most cases, a compromise in one security objective ultimately affects the other security objectives as well.

4

NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, provides implementation guidance on the assignment of security categories to information and information systems.

5

Organizations must use the most current version of NIST Special Publication 800-53, as amended, for the security control selection process.

6

The Office of Management and Budget (OMB) Circular A-130, Appendix III, defines adequate security as security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.

7

Security categorization must be accomplished as an enterprise-wide activity with the involvement of senior-level organizational officials including, but not limited to, chief information officers, senior agency information security officers, authorizing officials (a.k.a. accreditation authorities), information system owners, and information owners.

8

Tailoring guidance for security control baselines is provided in NIST Special Publication 800-53.