Introduction
FIPS (Federal Information Processing Standards) are a series of standards developed by NIST (National Institute of Standards and Technology) to meet security objectives for information that concerns the national and economic interests of the United States. These objectives for information and information security are defined by FISMA (the Federal Information Security Management Act), a federal law enacted in 2002.
FISMA tasked NIST with developing FIPS as a framework of guidelines and standards for federal agencies that maintain and process information. The NIST FIPS 199 publication provides guidelines for evaluating an organization's information and information systems based on the severity of the impact a compromise would have on them.
VIDIZMO emphasizes data security and confidentiality as a service provider. This article aims to show how VIDIZMO applications are compliant with the guidelines defined by FIPS 199.
Understanding FIPS 199
FIPS 199 provides a framework for categorizing information and information systems according to the level of impact a security breach would cause.
Areas Affected by Impact
FIPS 199 defines three areas used to determine the severity of the impact of a compromise of information or an information system within an organization or federal agency; these are:
- Assets: a company's finances.
- Individuals: a company's personnel, agents, or customers.
- Operations: a company's mission, image, function, or reputation.
Security Objectives Defined by FIPS 199
FIPS 199 adopts the CIA triad (Confidentiality, Integrity, and Availability) as the security objectives for information and information systems. The potential impact of a compromise of the confidentiality, integrity, or availability of information or an information system determines its provisional impact level. FIPS 199 describes a breach of each of the three objectives as:
- Confidentiality: unauthorized disclosure of information.
- Integrity: unauthorized modification of information.
- Availability: disruption or denial of access to information or an information system.
Provisional Impact Levels in FIPS 199
When assigning a security category to an information system under FIPS 199, a provisional impact level is set for each security objective (confidentiality, integrity, and availability). Impact levels determine the extent to which an agency's operations, assets, or personnel may be affected by a compromise of a security objective. The impact levels defined in FIPS 199 are:
Low
The impact is classified as low if the loss of confidentiality, integrity, or availability causes a limited degradation in the organization's mission capability. The impact results in minor damage to assets or little to no harm to individuals.
Moderate
The impact is classified as moderate if the loss of confidentiality, integrity, or availability causes severe degradation in the organization's mission capability. The impact also results in significant damage to assets, significant financial loss, or harm to individuals that does not involve loss of life or life-threatening injuries.
High
The impact is classified as high if the loss of confidentiality, integrity, or availability causes significant or catastrophic degradation in the organization's mission capability, leaving the organization unable to carry out its functions or operations. The impact also results in major damage to assets, major financial loss, or harm to individuals involving potential loss of life or life-threatening injuries.
Information Types and Information Systems
An information type is defined by what the information consists of, what it contains, or which category it belongs to. For instance, an information type could be categorized as "Medical" if it includes data such as the number of patients.
In addition to information types, FIPS 199 also assigns a security category to the information system that processes or maintains the information type. The processes or programs running in an information system are essential for an organization to carry out its operations.
VIDIZMO's applications make use of information and information systems that handle data for customers, users, and its internal functions. In line with the guidelines in FIPS 199, VIDIZMO routinely evaluates and assigns security categories after identifying the information types and information systems for its applications.
Identifying Information and Information Types According to NIST SP 800-60
FIPS 199 defines how security categories are formed for an organization's information types and systems. SP 800-60 is a NIST publication that aids in identifying information and information systems so that the appropriate security category can be assigned to them.
SP 800-60 has two volumes. The first contains standards for agencies to categorize information and information systems. The second guides the assignment of security categories to the identified information or information types.
For VIDIZMO's case, we map the information types and information systems according to section "C.3.5 Information and Technology Management" and its subsections.
Assigning Security Categories to Information Types
C.3.5.1 System Development Information Type
System Development Information Type pertains to the security categorization of information and information systems used in in-house software design and development. In VIDIZMO, system development consists of developing, upgrading, and tuning features that enhance the capabilities of the three VIDIZMO products: Digital Evidence Management System (DEMS), Enterprise Video Content Management (EVCM), and Redactor.
Impact Levels
- Confidentiality: Low
- Integrity: High
- Availability: High
C.3.5.2 Lifecycle/Change Management Information Type
Lifecycle or Change Management Information Type covers all activities that help an organization make a secure transition, change, or evolution of its resources, methodologies, or policies. VIDIZMO applications use dynamic processes and work with a wide range of data to provide services to their users. Before changing these processes or the data they process, VIDIZMO applies lifecycle or change management strategies to reduce the potential impact and preserve the integrity of the data.
Impact Levels
- Confidentiality: Low
- Integrity: Moderate
- Availability: Low
C.3.5.3 System Maintenance Information Type
System Maintenance Information Type involves all activities and information associated with maintaining in-house software applications. To ensure optimal performance across all its applications, VIDIZMO performs routine testing of all features at set intervals. Before a new feature is released, it is rigorously tested in multiple stages and environments to ensure that it performs optimally and does not have a significant negative impact. In addition to testing, VIDIZMO also oversees the maintenance of features that are exclusive to VIDIZMO applications.
Impact Levels
- Confidentiality: Moderate
- Integrity: Moderate
- Availability: Moderate
C.3.5.4 IT Infrastructure Maintenance Information Type
IT Infrastructure Maintenance Information Type covers all aspects of the planning, design, implementation, and maintenance of IT infrastructure for security and automation needs. IT infrastructure maintenance in VIDIZMO is carried out through policies and management software. VIDIZMO personnel must adhere to guidelines such as periodic password changes and having Microsoft Authenticator set up as an added access-control measure.
VIDIZMO applications also provide a way for Parent Portal or Account owners to configure Applications that increase the security of their Portal. Other components of IT infrastructure maintenance include overseeing project management software that controls permissions for the various teams in VIDIZMO and ensuring that personnel are supplied with functional equipment.
Impact Levels
- Confidentiality: High
- Integrity: Moderate
- Availability: Moderate
C.3.5.5 Information Security Information Type
Information Security Information Type addresses the security categorization of the policies an organization follows or implements to secure federal data and systems. To comply with FIPS 200 and FIPS 140-2, VIDIZMO has implemented access controls, cryptographic algorithms, and further security measures. VIDIZMO uses policies to ensure that these security measures are implemented and maintained correctly; the guidelines outline the specifications, steps, and measures for securing the required data.
Impact Levels
- Confidentiality: Moderate
- Integrity: Moderate
- Availability: Low
C.3.5.6 Record Retention Information Type
Record Retention Information Type covers an organization's ability to create, maintain, and preserve records or documents relevant to its operations. VIDIZMO has a comprehensive record retention system in place with proper documentation procedures. Documentation is categorized into different levels based on the feature it concerns, and VIDIZMO personnel determine where information related to a specific feature is stored. Information meant for public consumption is maintained on the VIDIZMO Help site, whereas internal documentation containing technical details about the software is kept in our internal repository.
Impact Levels
- Confidentiality: Low
- Integrity: Moderate
- Availability: Moderate
C.3.5.7 Information Management Information Type
Information Management refers to an organization's ability to effectively coordinate and maintain its information assets. This includes creating guidelines, policies, and standards for the storage and preservation of all types of information within the organization. For VIDIZMO applications, information management is mainly carried out using databases for user information and internal system data.
Impact Levels
- Confidentiality: Low
- Integrity: Moderate
- Availability: Low
C.3.5.8 System and Network Monitoring Information Type
System and Network Monitoring Information Type is concerned with evaluating systems and networks to verify that they are working as intended and performing optimally. To ensure that System and Network Monitoring Information Types are assigned the correct impact levels, VIDIZMO considers all activities and processes that affect the performance, health, and security of its applications.
Impact Levels
- Confidentiality: Moderate
- Integrity: High
- Availability: Moderate
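As an added example (not VIDIZMO's code), the provisional impact levels assigned above are carried through to the security category of an information system that processes those information types. Everything beyond the eight information types listed on this page is taken from FIPS 199 and FIPS 200 themselves and is stated here as an assumption: the "high water mark" aggregation rule, the rule that "N/A" may appear only for the confidentiality of an information type and never for a system, and the use of the highest of the three levels to pick a FIPS 200 baseline.

```python
# Added example (not VIDIZMO's code): FIPS 199 categorization applied to the
# information types listed above; the system-level category is the FIPS 199
# "high water mark" (per objective, the highest level among its types).
from typing import Dict, Iterable, Tuple

IMPACT_ORDER = {"N/A": 0, "Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Provisional impact levels (C, I, A) exactly as assigned in this article.
INFORMATION_TYPES: Dict[str, Tuple[str, str, str]] = {
    "C.3.5.1 System Development":            ("Low", "High", "High"),
    "C.3.5.2 Lifecycle/Change Management":   ("Low", "Moderate", "Low"),
    "C.3.5.3 System Maintenance":            ("Moderate", "Moderate", "Moderate"),
    "C.3.5.4 IT Infrastructure Maintenance": ("High", "Moderate", "Moderate"),
    "C.3.5.5 Information Security":          ("Moderate", "Moderate", "Low"),
    "C.3.5.6 Record Retention":              ("Low", "Moderate", "Moderate"),
    "C.3.5.7 Information Management":        ("Low", "Moderate", "Low"),
    "C.3.5.8 System and Network Monitoring": ("Moderate", "High", "Moderate"),
}

def allowed_for_type(levels: Tuple[str, str, str]) -> bool:
    """FIPS 199 permits N/A only for the confidentiality of an information
    type (e.g. public data); every other value must be Low/Moderate/High."""
    return all(level in IMPACT_ORDER and (level != "N/A" or obj == "confidentiality")
               for obj, level in zip(OBJECTIVES, levels))

def format_sc(name: str, levels: Tuple[str, str, str]) -> str:
    """Render a category in FIPS 199 notation:
    SC x = {(confidentiality, LOW), (integrity, HIGH), (availability, HIGH)}"""
    body = ", ".join(f"({o}, {l.upper()})" for o, l in zip(OBJECTIVES, levels))
    return f"SC {name} = {{{body}}}"

def system_security_category(type_names: Iterable[str]) -> Tuple[str, str, str]:
    """High-water-mark aggregation of the named information types into the
    security category of the information system that processes them."""
    result = ["Low", "Low", "Low"]  # a system's floor is LOW; N/A never applies
    for name in type_names:
        levels = INFORMATION_TYPES[name]
        if not allowed_for_type(levels):
            raise ValueError(f"{name}: impact levels {levels} not permitted")
        for i, level in enumerate(levels):
            if IMPACT_ORDER[level] > IMPACT_ORDER[result[i]]:
                result[i] = level
    return tuple(result)

def overall_impact(levels: Tuple[str, str, str]) -> str:
    """Single system impact level (highest objective), which FIPS 200 uses to
    select the minimum security baseline."""
    return max(levels, key=IMPACT_ORDER.__getitem__)
```

Aggregating all eight types yields a HIGH/HIGH/HIGH system, while a system that only handles the Lifecycle, Record Retention, and Information Management types lands at LOW/MODERATE/MODERATE, which is why the page stresses identifying which information types each system actually processes.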
Importance of FIPS 199
Developing Effective and Adequate Security Controls
FIPS is put in place to ensure that organizations, in particular federal agencies, can carry out their duties even in the event of a data breach. FIPS provides a framework for agencies to gauge the vulnerabilities of specific types of data and the impact of their compromise. Assessment under FIPS 199 allows organizations to develop appropriate control mechanisms and security measures for their data.
Being Informed of New Potential Threats
As information and information systems become more complex, federal agencies must be informed of the ways data can be compromised. FIPS 199 helps with the identification of areas where potential attacks can occur and how they can affect an organization's assets, individuals, reputation, or functionality.
Efficient Division of Security Resources
Assigning data to the appropriate security categories based on its criticality helps agencies implement security controls and mechanisms effectively. This approach allows agencies to allocate their security resources cost-effectively. Conducting a proper information system impact analysis is crucial to avoid overprotecting or underprotecting the information system. Overprotection can result in a waste of valuable security resources, while underprotection can put critical operations and assets at risk.
Conclusion
FIPS 199 establishes security categories based on the expected magnitude of harm resulting from a compromise. Compliance with FIPS 199 helps an agency prioritize its information and information systems.
VIDIZMO follows FIPS 199 to ensure that data integrity is maintained and that information is correctly assessed according to the criticality and sensitivity of the information and information systems. The assessment also helps in implementing the proper security measures to protect the information and information systems.
VIDIZMO also complies with the minimum security requirements defined in FIPS 200 to safeguard its information and information systems. Visit VIDIZMO Compliance with Minimum Security Requirements in FIPS 200 for more details.