Risk Impact Level Determination
Risk Impact Level Determination is a critical process within the Governance, Risk, and Compliance (GRC) framework that involves assessing and categorizing the potential consequences of identified risks on an organization's operations, assets, and objectives. This process is essential for defining the scope of the system and ensuring that appropriate controls and mitigation strategies are implemented. The determination process typically involves evaluating risks across multiple dimensions, including financial impact, operational disruption, reputational damage, legal and regulatory consequences, and strategic implications. Each risk is assessed based on its potential severity, which is commonly classified into levels such as low, moderate, high, and critical.

To determine the impact level, organizations typically follow a structured methodology. First, they identify the assets, processes, and information systems within the scope of the system. Next, they analyze the potential adverse effects that could result if a risk materializes. This analysis considers factors such as the sensitivity of data involved, the criticality of business processes affected, the number of stakeholders impacted, and the recovery time required. Organizations often use impact assessment matrices that map the likelihood of occurrence against the severity of consequences. This quantitative or qualitative analysis helps prioritize risks and allocate resources effectively. Regulatory frameworks such as NIST, ISO 27001, and COBIT provide standardized guidelines for conducting these assessments.
The risk impact level directly influences the selection and implementation of security controls, business continuity plans, and compliance requirements. Higher impact levels necessitate more robust controls and frequent monitoring. Additionally, the determination helps organizations meet regulatory obligations by demonstrating due diligence in risk management. Regular reassessment of risk impact levels is essential as the threat landscape, business environment, and regulatory requirements evolve. This ongoing process ensures that the organization maintains an accurate understanding of its risk posture and can adapt its GRC strategies accordingly to protect critical assets and achieve its objectives.
Risk Impact Level Determination: A Comprehensive Guide for CGRC Exam Preparation
Introduction to Risk Impact Level Determination
Risk Impact Level Determination is a critical process within the scope of system authorization that directly influences how security controls are selected, implemented, and assessed. It is a foundational concept in the NIST Risk Management Framework (RMF) and a core topic of the Certified in Governance, Risk and Compliance (CGRC) exam.
Why Is Risk Impact Level Determination Important?
Risk Impact Level Determination is important for several key reasons:
1. Proportional Security: It ensures that security controls are proportional to the potential harm that could result from a security breach. Without proper impact level determination, organizations may either over-invest in unnecessary controls or under-protect critical systems.
2. Resource Allocation: Organizations have limited budgets and resources. By determining the risk impact level, decision-makers can allocate resources where they are most needed, focusing protection efforts on the highest-impact systems first.
3. Regulatory Compliance: Federal agencies and contractors are required by FISMA (Federal Information Security Modernization Act) to categorize their information systems. Risk impact level determination is a mandatory step in achieving compliance.
4. Authorization Decisions: The Authorizing Official (AO) relies on risk impact levels to make informed decisions about whether to authorize a system to operate. Higher impact levels demand more rigorous assessment and continuous monitoring.
5. Consistent Risk Communication: Standardized impact levels (Low, Moderate, High) provide a common language for communicating risk across the organization, from technical staff to senior leadership.
What Is Risk Impact Level Determination?
Risk Impact Level Determination is the process of evaluating the potential consequences of a security breach on an information system across three fundamental security objectives:
- Confidentiality: The impact of unauthorized disclosure of information.
- Integrity: The impact of unauthorized modification or destruction of information.
- Availability: The impact of disruption of access to or use of information or the information system.
The primary guidance for this process comes from FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) and NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories).
The Three Impact Levels:
Low Impact: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. This might include minor financial loss, minor degradation of mission capability, or minor harm to individuals.
Moderate Impact: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. This could include significant financial loss, significant degradation of mission capability, or significant harm to individuals (but not loss of life or serious life-threatening injuries).
High Impact: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. This includes major financial loss, severe degradation or loss of mission capability, or severe harm to individuals including loss of life or serious life-threatening injuries.
How Does Risk Impact Level Determination Work?
The process follows a structured methodology:
Step 1: Identify Information Types
Using NIST SP 800-60, identify all the types of information that the system processes, stores, or transmits. Examples include financial information, personally identifiable information (PII), law enforcement information, and medical records. Each information type has a recommended provisional impact level.
Step 2: Determine Provisional Impact Levels
For each information type, assign a provisional impact level (Low, Moderate, or High) for each of the three security objectives (Confidentiality, Integrity, Availability). NIST SP 800-60 Volume II provides recommended starting points for common information types.
Step 3: Apply the High-Water Mark
This is a crucial concept. When a system processes multiple information types, the overall system categorization uses the high-water mark principle. The system's impact level for each security objective is the highest impact level among all the information types it handles for that objective.
The security categorization expression from FIPS 199 is:
SC (information system) = {(confidentiality, impact), (integrity, impact), (availability, impact)}
For example: SC = {(confidentiality, Moderate), (integrity, Moderate), (availability, Low)}
The overall system impact level is then determined by the highest value among the three objectives. In the example above, the system would be categorized as Moderate.
Step 4: Adjust and Finalize
Organizations may adjust the provisional impact levels based on:
- Mission-specific requirements
- Environmental factors
- Legal or regulatory mandates
- Organizational policies
- Input from the information owner, system owner, and AO
Any adjustments must be documented and justified. Impact levels can generally be adjusted upward more easily than downward. Downward adjustments require strong justification and approval.
Step 5: Document in the System Security Plan (SSP)
The final security categorization is documented in the System Security Plan and serves as the basis for selecting the appropriate set of security controls from NIST SP 800-53.
Key Standards and Publications:
- FIPS 199: Defines the standards for categorization and the three impact levels.
- FIPS 200: Specifies minimum security requirements based on impact levels.
- NIST SP 800-60 (Volumes I and II): Provides detailed guidance on mapping information types to impact levels.
- NIST SP 800-53: Provides security control baselines (Low, Moderate, High) that correspond to the determined impact levels.
- NIST SP 800-37: Describes the RMF process where categorization is the first step.
The Relationship Between Impact Levels and Security Controls:
Impact levels directly determine the security control baseline:
- Low-impact systems receive the Low baseline set of controls.
- Moderate-impact systems receive the Moderate baseline, which includes all Low controls plus additional controls.
- High-impact systems receive the High baseline, which includes the most comprehensive set of controls.
Organizations can then tailor these baselines by adding supplemental controls or applying compensating controls as needed.
Common Pitfalls in Risk Impact Level Determination:
1. Failing to identify all information types: Missing an information type can lead to under-categorization.
2. Ignoring aggregation effects: Individually low-impact data elements can become moderate or high impact when aggregated.
3. Inappropriate downward adjustments: Lowering impact levels without proper justification to reduce compliance burden.
4. Confusing likelihood with impact: Impact levels focus on the consequence of a breach, not the probability of occurrence.
5. Not considering all three security objectives independently: Each objective must be evaluated separately before applying the high-water mark.
Real-World Application Example:
Consider a human resources system that processes:
- Employee PII: Confidentiality = Moderate, Integrity = Moderate, Availability = Low
- Payroll data: Confidentiality = Moderate, Integrity = High, Availability = Moderate
- General administrative data: Confidentiality = Low, Integrity = Low, Availability = Low
Applying the high-water mark:
- Confidentiality: Moderate (highest among Moderate, Moderate, Low)
- Integrity: High (highest among Moderate, High, Low)
- Availability: Moderate (highest among Low, Moderate, Low)
Overall system categorization: High (because the highest individual objective is High for Integrity).
This means the system would require the High baseline of security controls from NIST SP 800-53.
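As an added example that is not part of the original guide, the following Python implements the Step 3 high-water mark and the Step 4 adjustment check, using the HR system above as constructed input; the function and variable names are assumptions, not NIST or ISC2 artifacts.

```python
# Added example (not from the original guide): FIPS 199 security categorization
# with the high-water mark, applied to the HR system described above.
from typing import Dict, Tuple

LEVELS = ("Low", "Moderate", "High")            # FIPS 199 impact levels, ordered
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed input matching the page's HR example: information type ->
# (confidentiality, integrity, availability) provisional impact levels.
HR_INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "Employee PII": ("Moderate", "Moderate", "Low"),
    "Payroll data": ("Moderate", "High", "Moderate"),
    "General administrative data": ("Low", "Low", "Low"),
}

def rank(level: str) -> int:
    """Map an impact level to its ordinal so max() can compare levels."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)

def high_water_mark(info_types: Dict[str, Tuple[str, str, str]]) -> Dict[str, str]:
    """Step 3: for each objective, the system level is the highest level
    among all information types for that objective (FIPS 199 high-water mark)."""
    if not info_types:
        raise ValueError("no information types identified (Step 1 incomplete)")
    sc = {}
    for i, objective in enumerate(OBJECTIVES):
        sc[objective] = max((levels[i] for levels in info_types.values()), key=rank)
    return sc

def overall_level(sc: Dict[str, str]) -> str:
    """Overall system categorization = highest of the three objectives."""
    return max(sc.values(), key=rank)

def apply_adjustment(sc: Dict[str, str], objective: str, new_level: str,
                     justification: str = "") -> Dict[str, str]:
    """Step 4: adjust a provisional level. Raising is accepted as-is; lowering
    (pitfall 3 above) is refused unless a written justification is supplied."""
    if rank(new_level) < rank(sc[objective]) and not justification.strip():
        raise ValueError(f"downward adjustment of {objective} requires documented justification")
    adjusted = dict(sc)
    adjusted[objective] = new_level
    return adjusted

def format_sc(sc: Dict[str, str]) -> str:
    """Render the FIPS 199 expression: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES) + "}"

if __name__ == "__main__":
    sc = high_water_mark(HR_INFO_TYPES)
    print(format_sc(sc), "-> overall:", overall_level(sc))   # overall: High
```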
Exam Tips: Answering Questions on Risk Impact Level Determination
1. Know the FIPS 199 definitions cold: Be able to distinguish between Limited (Low), Serious (Moderate), and Severe/Catastrophic (High) adverse effects. Exam questions frequently test whether you can correctly match a scenario to the appropriate impact level.
2. Master the high-water mark concept: This is one of the most tested concepts. Remember that the overall system impact level is determined by the highest impact value across all three security objectives and all information types. If even one information type has a High impact for one objective, the entire system may be categorized as High.
3. Understand the difference between information type categorization and system categorization: Information types are categorized individually, but the system categorization aggregates them using the high-water mark. Questions may try to confuse these two levels.
4. Remember the order of the RMF steps: Categorization (which includes impact level determination) is Step 1 of the RMF. It happens before control selection, implementation, assessment, authorization, and monitoring.
5. Focus on impact, not likelihood: FIPS 199 categorization is about the potential impact of a loss, not the probability of it occurring. If a question mixes in likelihood factors, recognize that the impact level determination process under FIPS 199 focuses strictly on consequences.
6. Know who is responsible: The information owner typically determines the impact level for their information types, while the system owner determines the overall system categorization. The Authorizing Official reviews and approves the final categorization.
7. Watch for adjustment scenarios: Exam questions may present scenarios where an organization wants to lower the impact level. Remember that adjustments downward require documented justification and approval, while upward adjustments are generally acceptable.
8. Understand aggregation: A collection of individually low-impact data elements may warrant a higher categorization when combined. For example, a database containing thousands of records of low-impact data might be categorized at a higher level due to the aggregate sensitivity.
9. Link impact levels to control baselines: Know that Low, Moderate, and High impact levels directly correspond to the three control baselines in NIST SP 800-53. Questions may ask you to determine which baseline applies based on a given categorization.
10. Read scenarios carefully: Exam questions often embed the answer within the scenario description. Look for keywords like limited, serious, severe, catastrophic, loss of life, significant financial loss, or minor degradation — these directly map to specific impact levels.
11. Distinguish between FIPS 199 and FIPS 200: FIPS 199 is about categorization (determining impact levels), while FIPS 200 is about minimum security requirements. Do not confuse their purposes on the exam.
12. Practice with scenarios: The best preparation is to practice categorizing systems using sample information types. Work through examples where you identify information types, assign provisional impact levels, apply the high-water mark, and determine the overall system categorization.
13. Remember the three security objectives: Every categorization question will involve Confidentiality, Integrity, and Availability. Make sure you evaluate each one independently before determining the overall level.
14. Be aware of special considerations: Some systems, such as national security systems, may have different categorization processes. Federal civilian systems follow FIPS 199, while national security systems follow CNSSI 1253.
Summary
Risk Impact Level Determination is the essential first step in securing an information system under the NIST RMF. By correctly categorizing systems based on the potential impact to confidentiality, integrity, and availability, organizations ensure that appropriate security controls are applied. For the CGRC exam, mastering FIPS 199, the high-water mark principle, the three impact levels, and the roles involved in the categorization process will position you well to answer related questions with confidence.