NIST SP 800-18r1 Footnotes
OMB Circular A-130, Appendix III, defines major application as an application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
OMB Circular A-130, Appendix III, defines general support system as an interconnected set of information resources under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, and people.
NIST Special Publication 800-37 defines a minor application as an application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system.
Caution should be exercised when one individual fills multiple roles in the security planning process to ensure that the individual retains an appropriate level of independence and remains free from conflicts of interest.
When an agency has not designated a formal CIO position, FISMA requires the associated responsibilities to be handled by a comparable agency official.
The role of the information system owner can be interpreted in a variety of ways depending on the particular agency and the system development life cycle phase of the information system. Some agencies may refer to information system owners as program managers or business/asset/mission owners.
The information owner retains that responsibility even when the data/information are shared with other organizations.
In some agencies, the senior official and the Chief Information Officer may be co-authorizing officials. In this situation, the senior official approves the operation of the information system prior to the Chief Information Officer.
Information resources consist of information and related resources, such as personnel, equipment, funds, and information technology.
Direct management control typically involves budgetary, programmatic, or operational authority and associated responsibility. For new information systems, management control can be interpreted as having budgetary/programmatic authority and responsibility for the development and deployment of the information systems. For information systems currently in the federal inventory, management control can be interpreted as having budgetary/operational authority for the day-to-day operations and maintenance of the information systems.
The example provided is a small sampling of general support systems; it is not a definitive list.
For example, while the baseline security controls require identification and authentication of organizational personnel who maintain and support information systems that provide public access services, the same controls might not be required for users accessing those systems through public interfaces to obtain publicly available information. On the other hand, identification and authentication must be required for users accessing information systems through public interfaces to access their private/personal information.
For example, a contingency plan for a large and complex organization with a moderate-impact or high-impact information system may be quite lengthy and contain a significant amount of implementation detail. In contrast, a contingency plan for a smaller organization with a low-impact information system may be considerably shorter and contain much less implementation detail.
When employing the “high watermark” concept, some of the security objectives (i.e., confidentiality, integrity, or availability) may have been increased to a higher impact level. As such, the security controls that uniquely support these security objectives will have been upgraded as well. Consequently, organizations must consider appropriate and allowable downgrading actions to ensure cost-effective, risk-based application of security controls.
Information that is security-relevant at the system level (e.g., password files, network routing tables, cryptographic key management information) must be distinguished from user-level information within an information system. Certain security controls within an information system are used to support the security objectives of confidentiality and integrity for both user-level and system-level information. Organizations must exercise caution in downgrading confidentiality or integrity-related security controls to ensure that the downgrading action does not affect the security-relevant information within the information system.
For a detailed explanation of system environments, see NIST Special Publication 800-70, Security Configuration Checklists Program for IT Products -- Guidance for Checklists Users and Developers.
The Office of Management and Budget (OMB) Circular A-130, Appendix III, defines adequate security as security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information.
Security control families in NIST SP 800-53 are associated with one of three security control classes (i.e., management, operational, technical). Families are assigned to their respective classes based on the dominant characteristics of the controls in that family. Many security controls, however, can be logically associated with more than one class. For example, CP-1, the policy and procedures control from the Contingency Planning family, is listed as an operational control but also has characteristics that are consistent with security management as well.