Guide for Mapping Types of Information and Systems to Security Categories

Date Published: January 31, 2024
Comments Due: March 18, 2024 (public comment period is CLOSED)
Email Questions to: sec-cert@nist.gov

Author(s)

Joint Task Force

Announcement

Summary

NIST seeks to update and improve the guidance in Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. Specifically, NIST seeks feedback on the document’s current use, proposed updates in the initial working draft and information types taxonomy, and opportunities for ongoing improvement to SP 800-60. The public is invited to provide input by March 18, 2024.

Details

NIST is proposing updates to the information types categorization methodology to better address privacy considerations during security categorization and align with updates in SP 800-37r2 (Revision 2), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Additionally, NIST intends to update the information types taxonomy and provisional impact levels (Volume 2) to ensure that they are consistent with current federal information types, including the National Archives and Records Administration (NARA) Controlled Unclassified Information (CUI) registry, and allow for a more user-friendly and useable experience. 

NIST welcomes feedback and input on any aspect of SP 800-60 and additionally proposes a list of non-exhaustive questions and topics for consideration:

• How does your organization use SP 800-60?
• If applicable, how does your organization use SP 800-60 to address PII?
  • Does your organization currently use SP 800-122 to help categorize PII?
• NIST intends to incorporate relevant guidance from SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), into the new draft revision of SP 800-60 and withdraw SP 800-122. What guidance (or topic areas) are critical to include in an SP 800-60 update?
  • What are other privacy considerations during security categorization?
  • Are there other important relationships between privacy and information types that should be covered? If so, what should be highlighted?
• What currently works well in SP 800-60?
• What are opportunities for improvement?
• Any other feedback on:
  • Updates to the security categorization methodology
  • Preliminary analysis and taxonomy for the information types catalog
  • Proposed next steps

Following the feedback received on this pre-call for comments, NIST plans to issue an initial public draft update to SP 800-60. The methodology will be issued as a document for comment, and the information types and provisional impact levels will be issued in a spreadsheet format for comment and then via the Cybersecurity and Privacy Reference Tool when finalized. 

The public comment period is open through March 18, 2024. Please submit comments to sec-cert@nist.gov with “Comments on SP 800-60” in the subject field. We encourage you to use the comment template available under “Supplemental Materials.”

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.

Control Families

None selected