Documents/FEASPP/1: Identification

Stage I: Identification

Identify the appropriate set of controls.

Other Information:

Stage I is an identification of an agency’s business-supportive security and privacy requirements and the existing or planned capabilities that support security and privacy. As a result of Stage I activities an agency will be able to:

  • Fully identify program and enterprise-level security and privacy requirements, including previously unknown requirements.
  • Fully identify program and enterprise-level security and privacy capabilities, including current and planned future requirements.
  • Document requirements and capabilities in an agency’s enterprise architecture using a nomenclature that is common across the Federal government.

To accomplish those goals, agencies may wish to evaluate three types of requirements:

  • Externally driven laws, regulations, and executive branch policies;
  • Internally driven policies, interagency agreements, contracts, market practices, and organizational preferences; and
  • Mission-centric drivers such as performance objectives and lines of business.

Agencies may also wish to evaluate three types of capabilities:

  • Centralized security or privacy services and technologies;
  • Program or system-specific security or privacy services and technologies; and
  • Services or technologies with built-in security or privacy features...

Stage I activities immediately enable agencies to improve operations by:

  • Analyzing gaps between requirements and capabilities to identify unmet requirements;
  • Analyzing their portfolio of current capabilities (an as-is security and privacy architecture) to identify opportunities to increase interoperability and standardization, and reduce costs;
  • Proposing future capabilities based on improved insights into the enterprise; and
  • Facilitating enterprise-level choices about the implication of security and privacy decisions and investments.

Stakeholder(s):

  • Information Security Officials: Agencies’ information security officials identify the appropriate set of controls from each control family by categorizing each information system; they categorize systems based on the potential impact of a loss of the data they contain.

Objective(s):