NIST Requests Comments on SP 800-60r2, Guide for Mapping Types of Information and Systems to Security Categories

NIST seeks to update and improve the guidance in Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. Specifically, NIST seeks feedback on its current use, proposed updates in the Revision 2 initial working draft and information types taxonomy, and opportunities for ongoing improvement to SP 800-60. The public is invited to provide input by March 18, 2024.

In the initial working draft, NIST is proposing updates to the information types categorization methodology to better address privacy considerations during security categorization and align with updates in SP 800-37r2 (Revision 2), Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Additionally, NIST intends to update the information types taxonomy and provisional impact levels (found in SP 800-60 Volume 2, Revision 1) to ensure that they are consistent with current federal information types, including the National Archives and Records Administration (NARA) Controlled Unclassified Information (CUI) registry, and allow for a more user-friendly experience. 

The public comment period is open through March 18, 2024. See the publication details for a copy of the draft, a spreadsheet of the information types taxonomy, and a template for submitting comments on both.

NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.