1. The only categories of concern are those for which
some users are not authorized access. When counting the number of
categories, count all categories regardless of the sensitivity level
associated with the data. If a category is associated with more than one
sensitivity level, it is only counted at the highest level. Systems in which
all data is in the same category are treated as without
2. Where the number of
categories is large or where a highly sensitive category is involved, a
higher rating might be warranted.
3. Unclassified data by
definition may not contain categories.
4. Examples of N data include financial,
proprietary, privacy, and mission-sensitive data. In some situations (e.g.,
those involving extremely large financial sums or critical mission-sensitive
data), a higher rating may be warranted. Table 2 prescribes minimum
5. The rating increment between
the Secret and Top Secret data sensitivity levels is greater than the
increment between other adjacent levels. This difference derives from the
fact that the loss of Top Secret data causes EXCEPTIONALLY GRAVE damage to
U.S. national security, whereas the loss of Secret data causes SERIOUS
E126.96.36.199. Step 4. Determine Risk Index. The risk index depends on
the rating associated with the AIS minimum user clearance (Rmin) and the
rating associated with the maximum classification of the information handled
by the AIS (Rmax).
The risk index is computed as follows:
E188.8.131.52.1. Case a. If Rmin is less than Rmax, then the risk
index is determined by subtracting Rmin from Rmax.
Risk Index = Rmax - Rmin
NOTE: There is one anomalous value that results because there
are two "types" of Top Secret clearance and only one "type" of Top Secret
data. When the minimum user clearance is TS/BI and the maximum data
sensitivity is Top Secret without categories, then the risk index is 0
(rather than the value 1, which should result from a straight application
of the formula).
E184.108.40.206.2. Case b. If Rmin is greater than or equal to Rmax,
Risk Index = 1, if there are categories to which some users are
not authorized access, or:
Risk Index = 0, in all other cases.
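The Step 4 rules above, including the NOTE's anomalous value, written out as an added Python example that is not part of the directive. The class, field and function names are assumptions made for illustration. The rating numbers in the sample data are constructed inputs, because the tables that assign Rmin and Rmax are not reproduced in this section.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AisProfile:
    """Step 4 inputs for one AIS (hypothetical structure for this example)."""
    rmin: int                    # rating of the minimum user clearance
    rmax: int                    # rating of the maximum data sensitivity
    restricted_categories: bool  # some users lack access to a category
    min_clearance: str = ""      # label, only needed for the NOTE, e.g. "TS/BI"
    max_sensitivity: str = ""    # label, only needed for the NOTE


def risk_index(p: AisProfile) -> int:
    """Return the risk index for one profile per Step 4."""
    if p.rmin < 0 or p.rmax < 0:
        raise ValueError("ratings must be non-negative")
    # NOTE: TS/BI users with Top Secret data without categories gives 0.
    # Assumption: "without categories" means no category of concern, i.e.
    # no category that some users are not authorized to access.
    if (p.min_clearance == "TS/BI" and p.max_sensitivity == "Top Secret"
            and not p.restricted_categories):
        return 0
    # Case a: the clearance rating is below the data sensitivity rating.
    if p.rmin < p.rmax:
        return p.rmax - p.rmin
    # Case b: Rmin >= Rmax, so only restricted categories leave residual risk.
    return 1 if p.restricted_categories else 0


# Constructed sample profiles; the rating numbers are illustrative inputs.
SAMPLES = {
    "case_a": AisProfile(rmin=1, rmax=3, restricted_categories=False),
    "case_b_categories": AisProfile(rmin=3, rmax=3, restricted_categories=True),
    "case_b_plain": AisProfile(rmin=5, rmax=3, restricted_categories=False),
    "anomaly": AisProfile(4, 5, False, "TS/BI", "Top Secret"),
    "same_ratings_unlabelled": AisProfile(4, 5, False),
}


def evaluate(profiles: dict) -> dict:
    """Compute the risk index for every named profile."""
    return {name: risk_index(p) for name, p in profiles.items()}


if __name__ == "__main__":
    for name, index in evaluate(SAMPLES).items():
        print(f"{name}: risk index {index}")
```

The last two samples carry the same constructed ratings; only the labelled one hits the NOTE's exception, while the unlabelled one gets the straight subtraction.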
E220.127.116.11. Step 5. Determine Minimum Security Evaluation
Class For Computer-Based Controls.
E18.104.22.168.1. The following table shall be used to
determine the minimum security class required for an AIS based on the computed
risk index in Step 4, above. The levels in the table are those described in DoD
5200.28-STD (reference (k)).