RA-2

Security Categorization

Risk Assessment

The organization categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

Medium Priority

AI-Relevant Control

Purpose

Categorize information and systems based on their security requirements and potential impact.

AI Relevance

Critical for categorizing AI systems, models, and data based on their sensitivity and potential impact on organizational operations.

Implementation Guidance

Conduct security categorization assessments, document categorization decisions, and review categorizations regularly.

Assessment

Review categorization documentation, verify categorization accuracy, test categorization processes, and validate categorization controls.

Requirements

  1. Categorize information in accordance with applicable federal laws
  2. Categorize information in accordance with applicable Executive Orders
  3. Categorize information in accordance with applicable directives
  4. Categorize information in accordance with applicable policies
  5. Categorize information in accordance with applicable regulations
  6. Categorize information in accordance with applicable standards
  7. Categorize information in accordance with applicable guidance
  8. Categorize the information system in accordance with applicable federal laws
  9. Categorize the information system in accordance with applicable Executive Orders
  10. Categorize the information system in accordance with applicable directives

Framework Context

NIST 800-53 Rev 5

Security and Privacy Controls for Federal Information Systems


NIST AI RMF

AI Risk Management Framework


OWASP AISVS

AI Security Verification Standard
