RA-2: Security Categorization

Control Family:

Risk Assessment

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:


  • Low
    • RA-2
  • Moderate
    • RA-2
  • High
    • RA-2
  • Privacy


Previous Version:

Control Statement

  1. Categorize the system and information it processes, stores, and transmits;
  2. Document the security categorization results, including supporting rationale, in the security plan for the system; and
  3. Verify that the authorizing official or authorizing official designated representative reviews and approves the security categorization decision.

Supplemental Guidance

Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. CNSSI 1253 provides additional guidance on categorization for national security systems.

Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts.

Security categorization processes facilitate the development of inventories of information assets and, along with CM-8, mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.

Control Enhancements

RA-2(1): Impact-level Prioritization


(Not part of any baseline)

Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.