HYPOTHETICAL GOVERNMENT AGENCY

INFORMATION TECHNOLOGY SECURITY

General Support Systems an Ma!or Appl"#at"ons
In$entory Gu"e
1
TABLE OF CONTENTS
1.0 OVERVIEW..........................................................................................................1
2.0 METHODOLOGY FOR DETERMINATION OF GSS AND MA INVENTORY..........3
3.0 CHANGES TO THE INVENTORY BETWEEN CYCLES........................................18
4.0 RELEVANT DEFINITIONS...................................................................................19
5.0 REFERENCES.....................................................................................................21
APPENDIX A GSS AND MA INVENTORY S!BMISSION FORM..............................1
APPENDIX B SAMPLE GSS AND MA INVENTORY S!BMISSION FORM................1
APPENDIX C SAMPLE MEMORANDA....................................................................1
APPENDIX D INFORMATION COVERED BY THE PRIVACY ACT " FREEDOM OF
INFORMATION ACT #FOIA$ EXEMPTIONS.....................................1
2
1.0 OVERVIEW
1.1 P!RPOSE
The purpose of this document is twofold. First, the document describes the process that will be
used by the Hypothetical Government Agency to establish and maintain an inventory of general
support systems G!!s" and ma#or applications $As". !econd, the document provides guidance
to the %rincipal &ffices %&s" regarding the standards to be employed throughout this process.
The concepts of G!!s and $As are defined in &$' (ircular A)1*+ Management of Federal
Information Resources as follows,
G!! is -an interconnected set of information resources under the same direct management
control which shares common functionality,.
$A is -an application that re/uires special attention to security due to the ris0 and magnitude
of the harm resulting from the loss, misuse, or unauthori1ed access to or modification of the
information in the application..
This process enables the Hypothetical Government Agency2s G!! and $A inventory to
officially identify and document the security classifications of G!!s and $As in use by the
Agency, in compliance with Federal re/uirements. This G!! and $A inventory is intended to
complement e3isting Agencyal security initiatives, such as those under the Government
4nformation !ecurity 5eform Act G4!5A"
1
and (ritical 4nfrastructure %rotection mandates.
1.2 OB%ECTIVES " GOALS
The primary ob#ective in developing a systematic approach for the inventory and classification of
the G!!s and $As in the Agency is to ensure that automated information resources, which
-include both government information and information technology,.
2
have ade/uate security to
protect -information collected, processed, transmitted, stored, or disseminated by the Agency..
3

6ithout an accurate assessment of what constitutes the Agency7s G!!s and $As, it is impossible
to ensure that all automated information resources implement the appropriate level of protection.
6hile all automated information resources re/uire a level of security, some re/uire additional
security controls due to the sensitivity of the information processed or criticality to the Agency2s
missions. !uccessful completion of this G!! and $A inventory process will identify the G!!s
and $As that re/uire additional security controls. This follows the tenet that applications that do
not /ualify for inclusion in this G!! and $A inventory rely on the G!!s in which they operate
for the provision of ade/uate security. 4t is therefore incumbent to accurately complete this G!!
and $A inventory process to ensure that ade/uate security is applied to the entirety of the
Agency2s automated information resources. The specific security re/uirements for the G!!s and
$As included in the inventory can be found in the Agency2s (ertification and Accreditation
related guidance.
1 Public Law 106-39!
2 "M# $ircular %-130!
3 "M# $ircular%-130& %''endi( III!
1
1.3 A!DIENCE
This document is intended for the following Hypothetical Government Agency personnel,
%rincipal &fficers 8 4n their capacity as the senior officials responsible for providing security
for the information collected, processed, transmitted, stored, or disseminated by G!!s and
$As under their control.
)
(omputer !ecurity &fficers (!&s" 8 4n their capacity for maintaining the information
security program within their respective %&s.
!ystem owners 8 4n their capacity to provide security controls appropriate for the protection
of Agency information.
The (hief 4nformation &fficer (4&" 8 4n his9her capacity as the official responsible for
providing guidance on information security throughout the Agency.
1.4 DOC!MENT STR!CT!RE
This document is organi1ed into five sections, each discussing an aspect of the G!! and $A
inventory process. The first section provides an overview of the Guide. The second section
details the steps to be ta0en to complete the process along with standardi1ed definitions and
criteria to be employed throughout the process. The third section includes guidance for ongoing
maintenance of the G!! and $A inventory. The fourth section provides a listing of all applicable
definitions. The fifth section is a list of references relevant to the creation and maintenance of the
Agency2s G!! and $A inventory.
Appendi3 A provides the G!! and $A 4nventory !ubmission Form that should be used to
document and submit the results of the inventory process. Appendi3 ' provides a sample
completed G!! and $A 4nventory !ubmission Form. Appendi3 ( then provides sample
memoranda for %& and (4& validation of the G!! and $A inventory. Appendi3 : provides
additional guidance related to the classification of information.
) Public Law 106-39& "ctober 30& 2000
2
2.0 METHODOLOGY FOR DETERMINATION OF GSS
AND MA INVENTORY
The following subsections provide detailed information on the five steps necessary for the
Agency to create and maintain its G!! and $A inventory,
*te' 1+ Identif, -**s and %''lications 8 :etermine the business functions that are automated
and identify the automated information resources that support them
a" 4dentify 'usiness Functions
b" 4dentify Automated 4nformation 5esources
c" (ategori1e Automated 4nformation 5esources as G!! or Applications
*te' 2+ $lassif, -**s and %''lications 8 Ascertain the security needs of each based upon
additional considerations
*te' 3+ Identif, M%s 8 ;se security
classifications to determine if an
application /ualifies as an $A 8 those
applications that re/uire special
security considerations due to the
nature of the information in the
application. &nly applications
determined to be $As will be
included in the G!! and $A
inventory< see !ection 2.*"
*te' )+ *ubmit to $I" 8 %&s
validate and ac0nowledge the
G!! and $A inventory as
accurate
*te' .+ /ndorsement b, $I" 8
Generate the official G!! and $A
4nventory for the Agency.
&nce steps 1)* are completed for a
particular G!! or $A their results
should be documented in the attached
form in Appendi3 A and endorsed,
with the entirety of the %&2s G!!s and
$As, under cover of the sample
memorandum in Appendi3 (. This process is highlighted in Figure 2)1.
To retain a current and comprehensive list of the G!!s and $As, the inventory process will be
underta0en semi)annually, with final validation of the G!! and $A inventory to occur on
=anuary *1 and =uly *1. :uring each cycle, %&s will need to validate the inventory on record or
update information on the G!!s and $As in their %&. (4& receipt of %& validation of the G!!
and $A inventory will be re/uired no less than 2 wee0s prior to the final validation date. 4f, at
any point during the G!! and $A inventory process, there is need for clarification, (!&s should
*
F&'()* 2+1, GSS -./ MA I.0*.12)3 P)24*55
consult with the &ffice of the (hief 4nformation &fficer &(4&" to ensure compliance with the
applicable re/uirements.
2.1 STEP 1, IDENTIFY GENERAL S!PPORT SYSTEMS AND
APPLICATIONS
2.1.1 STEP 1A: IDENTIFY BUSINESS FUNCTIONS
The first step in creating and maintaining an inventory of G!!s
and $As is to identify all automated information resources used by
the %& to perform its business functions. All automated
information resources in the %& are either a G!! or an application.
!ee !ection 2.1.*"
To begin, identify the business functions that occur within the %&
8 the wor0 the %& performs in support of the Agency2s mission,
vision, and goals. This may include such functions as grants
management, provision of public information, or human resources
management. These functions should then be divided into the
specific activities that support the overall business function.
2.1.2 STEP 1B: IDENTIFY AUTOMATED INFORMATION
RESOURCES
>ach business function identified may have certain associated
automated processes. &nce these automated processes have been
identified, the automated information resources that support these
processes must be identified. Those automated information
resources are included as candidates for the G!! and $A
inventory.
For each business function, identify and describe any automated
process that supports it. 4dentify the automated information
resources employed by the automated process including databases,
stand)alone systems, communications systems, networ0s, and any
other type of information technology)related support. Automated
information resources that utili1e general)purpose software such as
spreadsheets and word processing software are not included as
candidates as their security is provided by the G!! on which they
reside.
1

?ote, 4t is possible to have several automated information
resources to support a single business function. 4t is also possible
to have a single automated information resource support several
business functions.
2.1.2.1 S6-)*/ R*52()4*5 " S351*7 I.1*)42..*41&0&13
1 0I*1 *P 00-1& Guide for :eveloping !ecurity %lans for 4nformation Technology !ystems
@
&$' (ircular A)1*+ delineates the need for agencies to ensure
-information is protected commensurate with the ris0 and
magnitude of the harm that would result from the loss, misuse, or
unauthori1ed access to or modification of such information,.
regardless of its location or the owner of the automated
information resource.
Therefore, all automated information resources that support
automated processes must be identified, including those that are
owned, in whole or in part, by a party other than the Agency. All
automated information resources that collect, process, transmit,
store, or disseminate Agency information must be identified,
regardless of ownership. For e3ample, if a payroll system is
operated by another Federal agency but part of the system is
loaded on the Agency2s computers to perform a business function,
the Agency is responsible for ensuring appropriate security
controls are in place for that automated information resource.
4f another agency runs a system that processes Agency
information, an interagency agreement should be put in place to
officially verify terms of agreement for the protection of
information between the agencies as well as to ensure ade/uate
security measures are instituted to protect the information.
2
(onsideration must also be given to all automated information
resources operated by contractors in support of Agency wor0.
&$' (ircular A)1*+ states that information technology and,
thereby, automated information resources" includes those resources
-used by a contractor under a contract with the e3ecutive agency
which 1" re/uires the use of such e/uipment, or 2" re/uires the
use, to a significant e3tent, of such e/uipment in the performance
of a service or the furnishing of a product..
2.1.2.2 A(127-1*/ I.82)7-1&2. R*52()4* B2(./-)&*5
An automated information resource is defined by constructing a
logical boundary around a set of processes, communications,
storage, and related resources. The elements within this boundary
constitute a single automated information resource and must,
'e under the same direct management control
Have the same function or mission ob#ective
Have essentially the same operating characteristics and
security needs, and
5eside in the same general operating environment.
3
2 0I*1 *P 00-1& Guide for :eveloping !ecurity %lans for 4nformation Technology !ystems
3 0I*1 *P 00-1& Guide for :eveloping !ecurity %lans for 4nformation Technology !ystems
A
4s any business function
supported by automated
information resources not owned
by the AgencyB
Any automated information
resource that receives federal
funding must be considered as a
candidate general support system
or application.
2.1.2.3 A//&1&2.-9 C2.5&/*)-1&2.5 &. I/*.1&83&.'
A(127-1*/ I.82)7-1&2. R*52()4*5
The following additional items are guidance to be considered
during the process of defining the automated information
resources.
2!1!2!3!1 Manual Processes
The process described in this document is designed to identify and
inventory the automated information resources that support
automated processes. As such, manual processes or locations that
support specific business functions, such as libraries and records
archives, should be e3cluded.

2!1!2!3!2 Lifec,cle $onsiderations
%roviding security is an ongoing process, conducted throughout the
lifecycle. 4deally security is incorporated into the development of
an automated information resource. As noted in &$' (ircular A)
1*+, Appendi3 444, -for security to be most effective, the controls
must be part of day)to)day operations. This is best accomplished
by planning for security not as a separate activity, but as an
integral part of overall planning..
Additionally G4!5A, citing the (linger)(ohen Act and the
(omputer !ecurity Act of 1CDE, directs the heads of agencies to
-incorporate information security principles and practices
throughout the lifecycles of the agency2s information systems..
Therefore, any automated information resource under
development, at any stage, must be included in the list of
candidates identified in this step. Automated information
resources should be considered as they are planned to operate
when fully functional, not necessarily how they currently operate.
!ecurity should be planned for the data that will be processed,
whether or not that data is yet processed by the automated
information resource. 4t is understood that these classifications
may change throughout the life of the automated information
resource, but it is important to have accurate classifications at each
stage of the life cycle, so that appropriate security controls will
applied. As the need for changes to the data classifications arise,
the inventory should be updated to accurately reflect the current
state of the data sensitivity or mission criticality. !ee !ection 2.@"
!imilarly, an automated information resource may not be e3cluded
from the list of candidates if it is only scheduled for retirement.
The automated information resource may not be removed from
consideration unless it has been completely disconnected or shut
down, information re/uiring protection is properly removed from
F
Are there any automated
information resources under
development to support business
functionsB
the automated information resource, and official confirmation of
such action has been received by the (4&. This must include
completion of the !ystem :isposal (hec0list, Appendi3 H of the
I1 *ecurit, Ris2 %ssessment -uide.
The consideration of automated information resources in all stages
of the system development life cycle !:G(" is in direct
correlation with the Agency2s I1 *ecurit, Ris2 %ssessment -uide,
which provides specific guidelines for ensuring appropriate
security for systems in all phases of the !:G(.
2!1!2!3!3 Information 1ec3nolog, $a'ital Planning
(onsistent with !ection 2.1.2.*.2, Gifecycle (onsiderations, all
automated information resources that receive consideration during
the information technology capital planning process must also be
included among the list of candidates for the G!! and $A
inventory even if they are only in a developmental state.
4f the automated information resource does not receive funding
during the process, the inventory may be updated to reflect this
decision. !ee !ection *.+"
2.1.3 STEP 1C: CATEGORIZE AUTOMATED INFORMATION
RESOURCES AS GSS OR APPLICATION
%er the guidance of &$' (ircular A)1*+, Appendi3 444, Federal
agencies are directed to provide ade/uate security for all
automated information resources, which includes both government
information and information technology.
>ach automated information resource identified in !ection 2.1.2
must be reviewed to determine its status as a G!! or application.
This status should be determined by applying the following
definitions. N21*, E-46 -(127-1*/ &.82)7-1&2. )*52()4* :&99 ;*
*&16*) - GSS 2) -. -<<9&4-1&2..
E
G20*).7*.1 &.82)7-1&2. is
information created, collected,
processed, disseminated, or
disposed of by or for the Federal
Government.
I.82)7-1&2. 1*46.292'3 includes
computers, ancillary e/uipment,
software, firmware and similar
procedures, services including
support services", and related
resources.
2.1.3.1 G*.*)-9 S(<<2)1 S351*7
A G!! is -an interconnected set of information resources under the
same direct management control which shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people. A
system can be, for e3ample, a local area networ0 GA?" including
smart terminals that supports a branch office, an agency)wide
bac0bone, a communications networ0, a Agencyal data processing
center including its operating system and utilities, a tactical radio
networ0, or a shared information processing service organi1ation
4%!&"..
)

2.1.3.2 A<<9&4-1&2.
An application is -the use of information resources to satisfy a
specific set of user re/uirements..
.
4dentification as an $A is based upon the classifications in !ection
2.2 and is fully e3plained in !ection 2.*. N21*, O.93 -<<9&4-1&2.5
&/*.1&8&*/ -5 MA5 :&99 ;* &.49(/*/ &. 16* 8&.-9 GSS -./ MA
&.0*.12)3.
2.2 STEP 2, CLASSIFY GSS AND APPLICATIONS
To support the development and maintenance of appropriate
security controls for G!!s and $As on the inventory, it is
necessary to identify security classifications for each and the
information it handles. This section will describe and define several
sets of security classifications to be applied to the G!!s and
applications identified in !ection 2.1 to appropriately evaluate the
level of security re/uired for each.
4f, in !ection 2.1.*, the automated information resource was
determined to be a GSS, it will be included in the G!! and $A
inventory and re/uires the classifications outlined in the following
sections.
4f, in !ection 2.1.*, the automated information resource was
determined to be an application, the classifications outlined in the
following sections should be used to determine if it /ualifies as an
$A see !ection 2.*". O.93 -<<9&4-1&2.5 /*1*)7&.*/ 12 ;* MA5
:&99 ;* &.49(/*/ &. 16* 8&.-9 GSS -./ MA &.0*.12)3.
2.2.1 INFORMATION SENSITIVITY
To appropriately protect information, its relationship to and impact
on the mission of the Agency must be understood. Therefore, it is
) "M# $ircular %-130& %''endi( III
. "M# $ircular %-130& %''endi( III
D
!ome automated information
resources may be identified as
both a General !upport !ystem
and an application., as in the case
where a database is run from a
stand)alone computer.
4s the automated information
resource used by other automated
information resources to transmit
or store dataB
4s the automated information
resource a local or wide)area
networ0B
:oes the automated information
resource support multiple other
automated information resourcesB
necessary to 0now the re/uirements of the data to be protected from
specific ris0s to apply appropriate security controls.
The 0I*1 *ecurit, *elf %ssessment -uide for I1 *,stems !% D++)
2F", uses three basic protection re/uirements in order to determine
the information sensitivity )) confidentiality, integrity which, for
the purposes of the Guide, includes non)repudiation and
authenticity", and availability.
(onfidentiality 8 %rotection from unauthori1ed disclosure
4ntegrity 8 %rotection from unauthori1ed, unanticipated, or
unintentional modification
?on)repudiation 8 Herification of the origin or receipt of a
message
Authenticity 8 Herification that the content of a message has
not changed in transit
Availability 8 Available on a timely basis to meet mission
re/uirements or to avoid substantial losses.
>ach area must be rated on the scale of High, $edium, or Gow,
using the following guidance from ?4!T !% D++)1D, -uide for
4e5elo'ing *ecurit, Plans for Information 1ec3nolog, *,stems,
and ?4!T !% D++)2F, *ecurit, *elf %ssessment -uide for
Information 1ec3nolog, *,stems, for ma0ing the determination.
H&'6,
A critical concern for the automated information resource
>3tremely grave in#ury accrues to ;.!. interests if the
information is compromised< could cause loss of life, 7-=2)
8&.-.4&-9 9255 #')*-1*) 16-. >1 7&99&2.$? 2) )*@(&)* 9*'-9
-41&2. (< 12 &7<)&52.7*.1 82) 42))*41&2..
M*/&(7,
An important concern, but not necessarily paramount in the
organi1ation2s priorities
!erious in#ury to ;.!. interests if the information is
compromisedA 42(9/ 4-(5* 5&'.&8&4-.1 8&.-.4&-9 9255
#>100?000 12 >1 7&99&2.$ 2) )*@(&)* 9*'-9 -41&2. 82)
42))*41&2..
L2:,
C
N21*, The Agency does not have
automated information resources
that could cause in#ury to ;.!.
interests. Thus, the financial and
legal ramifications should be used
as a guide to determine
information sensitivity.
!ome minimal level of security is re/uired, but not to the
same degree as the previous two categories.
4n#ury accrues to ;.!. interests if the information is
compromised< :2(9/ 4-(5* 2.93 7&.2) 8&.-.4&-9 9255 #9*55
16-. >100?000$ 2) )*@(&)* 2.93 -/7&.&51)-1&0* -41&2. 82)
42))*41&2..
2.2.1.1 C2.8&/*.1&-9&13
To determine the appropriate level of confidentiality, an application
or G!! must ta0e into consideration the need for its information to
be protected from unauthori1ed disclosure. The level of
confidentiality depends on the nature of the information. For
e3ample, information that is widely available to the public has a
low level of confidentiality because it re/uires only minimal, or
perhaps no, protection from disclosure. However, there are certain
types of information that must be protected from disclosure due to
the e3pectation or assurance of privacy, or because unauthori1ed
disclosure could result in a loss to the Agency.
Information that includes financial, proprietary, or personal
information should be protected at a high or medium level of
confidentiality. The Privacy Act makes it clear that the Agency is
not allowed to disclose any record that is contained in a system of
records, by any means of communication, to any person or agency,
except pursuant to a written authorization.
Although an application or G!! may not meet %rivacy Act criteria,
it may still contain information that should be protected at a high or
medium level of confidentiality.
F&4A provides access to federal agency records e3cept those that
are protected from disclosure by any of nine e3emptions and three
special law enforcement record e3clusions in the Act. For the
Agency, only three of these e3emptions are applicableI
4nformation related solely to the internal personnel rules and
practices of an agency, but does not include business
contact information of employees or contractors
Trade secrets, commercial information, or financial
information obtained from a person that is privileged or
confidential
%ersonal or medical information or information that would
constitute a clearly unwarranted invasion of personal
privacy.
1+
How severe a loss would occur as
a result of disclosure of dataB
4f an application or G!! contains
social security numbers, the
confidentiality level should be no
less than High.
4f the G!! or application contains
any information protected by the
%rivacy Act or the Freedom of
4nformation Act FOIA), then
the confidentiality level
should be no less than
Medium.
S** A<<*./&B D 82) 72)* &.82)7-1&2. 2. 16* P)&0-43 A41 -./
FOIA *B*7<1&2.5. If an application or GSS has information
covered under the Privacy Act, the system owner should contact the
Agency Privacy Officer to ensure compliance through the
completion of a Privacy Act questionnaire.
EB-7<9* C2.8&/*.1&-9&13 C2.5&/*)-1&2.5
H&'6
The application or G!! contains information such as proprietary
business information, financial information, or personal
information i.e., social security numbers", which, if disclosed to
unauthori1ed sources, could adversely impact the Agency, resulting
in over J1 million dollars in damages or leading to legal action with
the potential of a #ail sentence. This level indicates that security
re/uirements for assuring confidentiality are of high importance.
For e3ample, an application that 0eeps trac0 of letters sent to
various offices within the Agency scans higher priority letters and
stores them as an image in case the letter is lost or destroyed.
General information such as the sender7s name and address is often
captured in the image. However, some letters contain social
security numbers. !ince unauthori1ed disclosure of social security
numbers could result in identity theft, the confidentiality
re/uirement is high.
As a second e3ample, an application is re/uired to provide sensitive
structured personnel and payroll information for the Agency.
%rogram offices are sta0eholders in the analysis and usage of this
information. ;nauthori1ed disclosure or modification of this
information could result in fraud or loss of public confidence. 4f
the information were to be disclosed, the financial impact could be
over J1 million dollars. Therefore, the confidentiality re/uirement
for this application is high.
M*/&(7
The application or G!! contains only information that could only
moderately impact the Agency if disclosed. A G!! or application
with information specifically covered by the %rivacy Act or a F&4A
e3emption see Appendi3 :" should have a confidentiality
re/uirement of no less than $edium. ;nauthori1ed disclosure of
information could result in between J1++,+++ and J1 million
dollars in damages or lead to legal action without the potential of a
#ail sentence. This level indicates that security re/uirements for
assuring confidentiality are of moderate importance.
11
For e3ample, an application that manages grant abstracts for the
Agency contains home addresses and other sensitive information
that should not be disclosed to unauthori1ed individuals. Although
a personal identifier cannot retrieve the addresses, the information
should still be protected by some means such as an application)
specific password or privileges that determine access level.
Financially, a breach in confidentiality could result in damages
between J1++,+++ to J1 million. !ince the confidentiality of the
data is of some importance, the level of confidentiality for this
application is medium.
L2:
The application or G!! contains general information that is widely
available to the public and, if disclosed, could not have an impact
on the Agency. ?one of the information on the application or G!!
re/uires protection against disclosure. The impact on the Agency2s
assets and resources could be minor, resulting in less than J1++,+++
in damages or leading to administrative penalties. This level
indicates that security re/uirements for assuring confidentiality are
of low importance.
For e3ample, an application designed to disseminate information to
the public, such as a database of regulations, contains no
proprietary data or data that re/uires protection under the %rivacy
Act or a F&4A e3emption. :isclosure of data could not result in
any unfair advantage in activities performed or decisions made
resulting from the revelation of that information.
2.2.1.2 I.1*')&13
To determine the appropriate level for integrity, consider the needs
of the information to be protected from unauthori1ed,
unanticipated, or unintentional modification. This includes, but is
not limited to, consideration of authenticity, non)repudiation, and
accountability re/uirements can be traced to the originating entity".
As an e3ample, the nature of the loan information processed by the
Agency may cause it to be targeted for unauthori1ed modification.
4ncluded in this decision should be how the G!! or application is
employed in the business process. For e3ample, if the data in the
G!! or application is not the sole source of input into the business
process and the normal course of business is to chec0 data provided
electronically against the original source, the need for data integrity
would be generally lower than if the data is fully relied upon to
complete the business function. However, merely having a bac0up
source of data does not fit this criteria< the data chec0 must e3ist as
a regular part of the business process.
12
How severe a loss would occur if
the data were incorrectB
The following e3amples from ?4!T !% D++)1D can be used as
guidance in ma0ing this determination.
EB-7<9* I.1*')&13 C2.5&/*)-1&2.5
H&'6
The application is a financial transaction system. ;nauthori1ed or
unintentional modification of this information could result in fraud,
under or over payments of obligations, fines, or penalties resulting
from late or inade/uate payments, and loss of public confidence.
M*/&(7
Assurance of the integrity of the information is re/uired to the
e3tent that destruction of the information could re/uire significant
e3penditures of time and effort to replace. Although corrupted
information could present an inconvenience to the staff, most
information, and all vital information, is bac0ed up by either paper
documentation or on dis0.
L2:
The G!! or application mainly contains messages and reports. 4f
these messages and reports were modified by unauthori1ed,
unanticipated, or unintentional means, employees would detect the
modifications< however, these modifications would not be a ma#or
concern for the organi1ation.
2.2.1.3 A0-&9-;&9&13
To determine the appropriate level for availability, consider the
needs of the information to be available on a timely basis to meet
mission re/uirements or to avoid substantial losses. Availability
also includes ensuring that resources are used only for intended
purposes.
T6* -0-&9-;&9&13 )*@(&)*7*.1 562(9/ ;* ;-5*/ 2. 16* <*)&2/ 28
2<*)-1&2. /()&.' :6&46 16* GSS 2) -<<9&4-1&2. &5 7251 4)&1&4-9
12 16* ;(5&.*55 8(.41&2. &1 *.-;9*5. For instance, if a G!! or
application operates only one month a year, consider the
availability re/uirement for that month.
The following e3amples from ?4!T !% D++)1D can be used as
guidance in ma0ing this determination.
EB-7<9* A0-&9-;&9&13 C2.5&/*)-1&2.5
1*
How severe a loss would occur if
the information were not
available as neededB
H&'6
The application contains personnel and payroll information
concerning employees of the various user groups. Unavailability of
the application could result in an inability to meet payroll
obligations and could cause work stoppage and failure of user
organizations to meet critical mission requirements. The application
requires 24-hour access.
M*/&(7
Information availability is of moderate concern to the mission.
Availability would be required within the four to five-day range.
Information backups maintained at off-site storage would be
sufficient to carry on with limited office tasks.
L2:
The GSS or application has a duplicate from which the information
can be accessed and processed, causing no interruption in the
continuity of business functions.
2.2.2 MISSION CRITICALITY
$ission criticality, or how integral the G!! or application is to
carrying out the mission of the agency
6
, must also be considered in
this inventory process. ;sing the current Agency definitions
below, each must be evaluated to be $ission (ritical, $ission
4mportant, or $ission !upportive. N21*, 16* 4)&1&4-9&13 28 527*
GSS5 -./ -<<9&4-1&2.5 82) <*)82)7&.' - ;(5&.*55 8(.41&2. 7-3
;* 72)* 4)&1&4-9 /()&.' 4*)1-&. <*)&2/5 28 2<*)-1&2.. D*1*)7&.*
16* 7&55&2.+4)&1&4-9&13 ;-5*/ 2. 16* <*)&2/ 28 2<*)-1&2. /()&.'
:6&46 &1 &5 7251 *55*.1&-9 82) 16* ;(5&.*55 8(.41&2. 12 ;*
42./(41*/.
$ission criticality will be validated by employing the Agency2s
$ission >ssential 4nfrastructure >valuation !urvey. This
evaluation will provide a more ob#ective, repeatable means of
determining mission criticality, based on answering a range of
/uestions related to the critical missions of the Agency. All
candidate G!!s and applications must complete the $>4
>valuation !urvey to determine mission criticality. The resultant
data will be considered as the official Agency list of $ission
(ritical, $ission 4mportant, and $ission !upportive G!!s and
applications. 4n future inventory cycles, the $>4 >valuation
!urvey will serve as the sole source of mission criticality data.
2.2.2.1 M&55&2. C)&1&4-9
6 *ee $ritical Missions and Mission-/ssential Infrastructure %ssets& Ma, 16& 2001
1@
$ission critical G!!s and applications are those automated
information resources whose failure would preclude the Agency
from accomplishing its core business operations.
A G!! or application is assessed as mission critical if it meets any
of the following criteria,
!upports core Agency business functions
%rovides the single source of Agency mission critical data
$ay cause immediate business failure upon its loss.
2.2.2.2 M&55&2. I7<2)1-.1
$ission important G!!s and applications are those automated
information resources whose failure would not preclude the Agency
from accomplishing core business processes in the short term, but
would cause failure in the mid to long term * days to 1 month".
A G!! or application determined not to be mission critical would
be mission important if it meets any of the following criteria,
!erves as a bac0up source for data that is mission critical
6ould have impact on business over an e3tended period of
time.
2.2.2.3 M&55&2. S(<<2)1&0*
$ission supportive G!!s and applications are those automated
information resources whose failure would not preclude the Agency
from accomplishing core business operations in the short to long
term more than 1 month", but would have an impact on the
effectiveness or efficiency of day)to)day operations. A G!! or
application will be considered mission supportive only if it meets
the following criteria,
Trac0s or calculates data for organi1ational convenience
6ould only cause loss of business efficiency and effectiveness
for the owner.
1A
4s the system or the data
processed re/uired to complete
the Agency7s missionB
4f the G!! or application were
unavailable for * business
days to 1 month, would it
seriously affect the ability to
perform core business
functions through non)
automated meansB
(an the core business
operations be accomplished
through manual means, even
if less efficient, if the G!! or
application is unavailable for
more than 1 monthB
4f the G!! or application were
unavailable for up to @D
business hours, would it
seriously affect the ability to
perform core business
functionsB
2.3 STEP 3, IDENTIFY MA%OR APPLICATIONS
%er &$' (ircular A)1*+, an application should be considered an $A when it -re/uires special
attention to security due to the ris0 and magnitude of the harm resulting from the loss, misuse, or
unauthori1ed access to or modification of the information in the application. ?ote, All Federal
applications re/uire some level of protection. (ertain applications, because of the information in
them, however, re/uire special management oversight and should be treated as ma#or. Ade/uate
security for other applications should be provided by the security of the G!! in which they
operate..
6

?ote, The term ma#or application is not synonymous with the term -ma#or information system,.
defined in &$' (ircular A)1*+ as -an information system that re/uires special management
attention because of its importance to an agency mission< its high development, operating, or
maintenance costs< or its significant role in the administration of agency programs, finances,
property, or other resources.. The status of an application as a ma#or information system also
does not preclude it from being a ma#or application.
2.3.1 DETERMINATION OF STATUS AS MAJOR APPLICATION
An application will be considered an $A if it meets one of the following criteria,
:etermined to be $ission (ritical or $ission 4mportant
:etermined to be $ission !upportive, but for which at least one of the 4nformation
!ensitivity categories is rated as $edium or High.
O.93 -<<9&4-1&2.5 /*1*)7&.*/ 12 ;* MA5 -)* &.49(/*/ &. 16* GSS -./ MA &.0*.12)3.
2.3.2 MAJOR APPLICATION-GENERAL SUPPORT SYSTEM LINKAGES
4f the application meets the definition of an $A, it is necessary to identify the G!! upon which it
resides. 4dentifying these lin0ages will assist with the application of more appropriate security
controls to both the $As and the G!!s.
Additionally, due to the e3istence of these lin0ages, a G!! must be rated, at a minimum, at the
same levels as the highest)rated $A that resides on that G!!. Therefore, if the highest)rated $A
receives a High for (onfidentiality, the G!! must also receive a High rating< if the highest)rated
$A receives a $edium for Availability, the G!! must receive at least a $edium rating.
2.4 STEP 4, S!BMIT TO CIO
All G!!s and $As included in the G!! and $A inventory must include #ustification for their
respective information sensitivity classifications. The documentation should be submitted to the
(4& via the G!! and $A 4nventory !ubmission Form Appendi3 A" accompanying an official,
signed memorandum by the %rincipal &fficer ac0nowledging ownership of and responsibility for
the security of those G!!s and $As see Appendi3 ( for sample memorandum".
6 "M# $ircular %-130& %''endi( III
1F
4t is highly recommended that the G!! and $A 4nventory !ubmission Form be completed for all
other applications as well, to document the reasoning for not considering them $As.
&nce this documentation is provided for every G!! and $A, future cycles

of the G!! and $A

inventory process will re/uire all %&s to validate the inventory by reviewing those G!!s and
$As under their responsibility as listed in the published G!! and $A inventory. This review
will determine whether changes need to be made or the inventory is accurate.
&nce the process is completed, an official, signed memorandum must be submitted to the (4& by
the %rincipal &fficer to verify that the G!! and $A inventory is accurate. This memorandum
will also ac0nowledge responsibility for the security of those G!!s and $As. 4f a changes" must
be made, a G!! and $A 4nventory !ubmission Form, with the changes" incorporated, including
#ustification for the changes", must accompany this memorandum.
The G!! and $A 4nventory !ubmission Form will include the following information,
%rincipal &ffice
Automated 4nformation 5esource ?ame
%oints of (ontact
Type of automated information resource 8 G!! or $A
:escription of data and business function supported by G!! or $A and technical
information
4n development or operational
$ission (riticality including #ustification"
4nformation !ensitivity including #ustification" in the areas of
) (onfidentiality
) 4ntegrity
) Availability
4nterconnectivity
(omments.
13e -** and M% in5entor, 5alidation 'rocess will be com'leted semi-annuall,& on 7anuar, 31 and 7ul, 31& wit3 $I"
recei't of P" 5alidation of t3e -** and M% in5entor, no less t3an 2 wee2s 'rior to t3e final 5alidation date!
1E
2.5 STEP 5, ENDORSEMENT BY THE CIO
2.5.1 OCIO REVIEW OF INVENTORY
Following receipt of the %rincipal &fficers2
submission and prior to official publication,
&(4& will review the lists and the supporting
classifications using the criteria outlined
above to ensure the validity and
completeness of the lists. 4f any issue is
uncovered, &(4& will wor0 with the
appropriate %rincipal &fficer to resolve any
and all outstanding /uestions.
2.5.2 PUBLISING TE INVENTORY
Following receipt of the %rincipal &fficers2 submission and the completion of the review
process, (4& will officially publish the comprehensive G!! and $A inventory on the Agency2s
intranet to ensure it is accessible for reference. The (4& will send an endorsement memorandum
to each %rincipal &fficer and will also publish a statement ac0nowledging the G!! and $A
inventory and the previous endorsements of the %rincipal &fficers, as highlighted in Figure 2)2.
3.0 CHANGES TO THE INVENTORY BETWEEN
CYCLES
The information included in the G!! and $A inventory, and even those G!!s and $As
included, may change between inventory cycles. ?otification of these changes must be made to
&(4& to maintain the appropriate level of security controls for respective G!!s and $As. >dits
to the G!! and $A inventory may occur for any number of reasons including changes in the
nature of the information processed or a change in dependence on a G!! or $A. These changes
may also include system birth and death or changes to the mission criticality or information
sensitivity levels. For guidance on automated information resource birth and death, see !ection
2.1.2.*.2< for guidance on changes to mission criticality or information sensitivity levels, see
!ection 2.2 and its subsections.
1D
F&'()* 2+2, R*0&*: -./ E./2)5*7*.1 28
GSS -./ MA I.0*.12)3

PO Specific
Endorsement Memo
to CIO
PO Specific
GSS & MA Submission Forms
CIO Endorsement
Memo
CIO Endorsement
Memo
4.0 RELEVANT DEFINITIONS
Application The use of information resources to satisfy a specific set of user
re/uirements.
Automated 4nformation
5esource
'oth government information and information technology.
(apital planning and
investment control process
A management process for ongoing identification, selection,
control, and evaluation of investments in information resources.
The process lin0s budget formulation and e3ecution, and is
focused on agency missions and achieving specific program
outcomes.
General !upport !ystem
G!!"
An interconnected set of information resources under the same
direct management control, which shares
common functionality. A G!! normally includes
hardware, software, information, data,
applications, communications, and people. A
G!! can be, for e3ample, a local area networ0
GA?" including smart terminals that supports a
branch office, an agency)wide bac0bone, a
communications networ0, a Agencyal data
processing center including its operating system
and utilities, a tactical radio networ0, or a shared
information processing service organi1ation
4%!&".
Government information 4nformation created, collected, processed, disseminated, or
disposed of by or for the Federal Government.
4nformation Any communication or representation of 0nowledge such as facts,
data, or opinions in any medium or form, including te3tual,
numerical, graphic, cartographic, narrative, or audiovisual forms.
4nformation life cycle The stages through which information passes, typically
characteri1ed as creation or collection, processing, dissemination,
use, storage, and disposition.
4nformation resources 'oth government information and information technology.
4nformation technology Any e/uipment or interconnected system or subsystem of
e/uipment that is used in the automatic ac/uisition, storage,
manipulations, management, movement, control, display,
switching, interchange, transmission, or reception of data or
information by an e3ecutive agency. This includes computers,
ancillary e/uipment, software, firmware and similar procedures,
services including support services", and related resources.
1C
$a#or Application $A" An application that re/uires special attention to security due to the
ris0 and magnitude of the harm resulting from the
loss, misuse, or unauthori1ed access to or
modification of the information in the
application.
$a#or 4nformation !ystem An information system that re/uires special management attention
because of its importance to an agency mission<
its high development, operating, or maintenance
costs< or its significant role in the administration
of agency programs, finances, property, or other
resources.
2+
5.0 REFERENCES
This is a listing of legislation, &$' guidance, and ?4!T documents relevant to the maintenance
of an inventory of G!!s and $As.
LAWS
(linger)(ohen Act, %ublic Gaw 1+@)1+F
%aperwor0 5eduction Act, %ublic Gaw 1+@)1*
Freedom of 4nformation Act, %ublic Gaw 1+@)2*1
Government 4nformation !ecurity 5eform Act, %ublic Gaw 1+F)*CD
(omputer !ecurity Act of 1CDE, %ublic Gaw 1++)2*A
%rivacy Act, %ublic Gaw C*)AEC
OMB CIRCULARS
&$' (ircular A)1*+, Management of Federal Information Resources
&$' (ircular A)11, Planning& #udgeting& %c8uisition of $a'ital %ssets& *trategic Plans&
Performance Plans
NIST GUIDANCE
?4!T !% D++)12, %n Introduction to $om'uter *ecurit,+ 13e 0I*1 9andboo2
?4!T !% D++)1D, -uide for 4e5elo'ing *ecurit, Plans for Information 1ec3nolog, *,stems
?4!T !% D++)2F, *elf %ssessment -uide for Information 1ec3nolog, *,stems
?4!T !% A++)1FE, Information Management 4irections+ 13e Integration $3allenge
AGENCY GUIDANCE
Interim I1 *ecurit, Polic,
I1 *ecurit, Program and Management Plan
4raft I1 *ecurit, $ertification and %ccreditation -uide
I1 *ecurit, Ris2 %ssessment -uide.
21
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 A
=uly 2++2
HYPOTHETICAL GOVERNMENT
AGENCY
GENERAL S!PPORT SYSTEMS AND MA%OR
APPLICATIONS INVENTORY,
A!!"#$%& A' GSS (#$ MA I#)"#*+,- S./0%11%+# F+,0

Hypothetical Government Agency G!! and $A 4nventory, Appendi3 A
H3<216*1&4-9 G20*).7*.1 A'*.43
G*.*)-9 S(<<2)1 S351*7 #GSS$ " M-=2) A<<9&4-1&2. #MA$ I.0*.12)3 S(;7&55&2. F2)7
:ate,
%rincipal &ffice,
Automated 4nformation 5esource ?ame,
%oints" of (ontact,
C27<(1*) S*4()&13 O88&4*)
?ame, %hone K,
A(127-1*/ I.82)7-1&2. R*52()4* O:.*)#5$
?ame, %hone K,
?ame, %hone K,
A(127-1*/ I.82)7-1&2. R*52()4* M-.-'*)#5$
?ame, %hone K,
?ame, %hone K,
A)1
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 A
The following form should be completed for every G!! and $A within the %rincipal &ffice. 4n addition, completion of this form is
highly recommended for each application in order for each %rincipal &ffice to document that all automated information resources are
properly evaluated.
%lease fill in the columns labeled -(ategory. and ->3planation. for each area. For each of the areas addressed, there should be at
least one chec0 in the -(ategory. column. The ->3planation. column should include your e3planation as to why the selected answer
in the -(ategory. column was provided. >3planations should be based on Federal laws and guidance as well as the appropriate
Agency guidance as indicated in the -5eference. section. !pecific references to the definitions provided in the Hypothetical
Government Agency G!! and $A 4nventory Guidance should be included in the e3planation. The -5eference. column is provided
solely for guidance and does not re/uire a response.
A)2
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 A
C-1*'2)3 #46*4C 2.*$ EB<9-.-1&2. R*8*)*.4*
A
U
T
O
M
A
T
E
D

I
N
F
O
R
M
A
T
I
O
N

R
E
S
O
U
R
C
E
G*.*)-9 S(<<2)1 S351*7 #GSS$
M-=2) A<<9&4-1&2. #MA$
4dentified as,
mission)critical or important<
or
mission)supportive and an
4nformation !ensitivity
category rated as L$edium2 or
LHigh2
A<<9&4-1&2.
4dentified as mission)supportive and
all 4nformation !ensitivity categories
rated as LGow2
B(5&.*55 F(.41&2.,
D-1-,
H-)/:-)*,
H-)/:-)* L24-1&2.,
S281:-)*,
S281:-)* L24-1&2.,
I. /*0*92<7*.1 2) 2<*)-1&2.-9,
4nclude business processes that the automated information
resource accomplishes, such as the type of data it contains
and technical information hardware, hardware location,
software, software location, etc.".
Hypothetical Government Agency General !upport !ystem
and $a#or Applications 4nventory Guide
!ection 2.1.2 4dentify Automated 4nformation 5esources
!ection 2.1.* (ategori1e Automated 4nformation 5esources
as G!! or Application
!ection 2.*. 4dentify $As
I
N
F
O
R
M
A
T
I
O
N

C2.8&/*.1&-9&13
High
$edium
Gow
Hypothetical Government Agency General !upport !ystem
and $a#or Applications 4nventory Guide
!ection 2.2.1 4nformation !ensitivity
I.1*')&13
High
$edium
Gow
Hypothetical Government Agency General !upport !ystem
and $a#or Applications 4nventory, Appendi3 A 8
4nventory %rocess
!ection 2.2.1 4nformation !ensitivity
A)*
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 A
C-1*'2)3 #46*4C 2.*$ EB<9-.-1&2. R*8*)*.4*
S
E
N
S
I
T
I
V
I
T
Y
A0-&9-;&9&13
High
$edium
Gow
Hypothetical Government Agency General !upport !ystem
and $a#or Applications 4nventory, Appendi3 A 8
4nventory %rocess
!ection 2.2.1 4nformation !ensitivity
M
I
S
S
I
O
N

C
R
I
T
I
C
A
L
I
T
Y
(ritical
4mportant
!upportive
Hypothetical Government Agency General !upport !ystem
and $a#or Applications 4nventory, Appendi3 A 8
4nventory %rocess
!ection 2.2.2 $ission (riticality
I
N
T
E
R
C
O
N
N
E
C
T
I
V
I
T
Y
4f an application or ma#or
application, list the G!! on which it
resides
:oes the automated information
resource have interconnectivity with
other G!!s or applicationsB
Mes
?o
A)@
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 A
A)A
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 '
HYPOTHETICAL GOVERNMENT
AGENCY
GENERAL S!PPORT SYSTEMS AND MA%OR
APPLICATIONS INVENTORY,
A!!"#$%& B' S(0!2" GSS (#$ MA I#)"#*+,-
S./0%11%+# F+,0

Hypothetical Government Agency G!! and $A 4nventory, Appendi3 '
H3<216*1&4-9 G20*).7*.1 A'*.43
G*.*)-9 S(<<2)1 S351*7 #GSS$ " M-=2) A<<9&4-1&2. #MA$ I.0*.12)3 S(;7&55&2. F2)7
:ate, :ec 2D, 2++1
%rincipal &ffice, &ffice of Governmental Furniture
Automated 4nformation 5esource ?ame, 4maginary (hair Trac0ing !ystem (hT!"
%oints" of (ontact,
C27<(1*) S*4()&13 O88&4*)
?ame, 4.'. !ecurityNNNNNNNNNNNNNNNNNNNNNNN %hone K, 111)2222NNNNNNNNNNNNNNNNNNNNN
A(127-1*/ I.82)7-1&2. R*52()4* O:.*)#5$ -./ M-.-'*)#5$
?ame, 'ob !mithNNNNNNNNNNNNNNNNNNNNNNNNN %hone K, 111)AF2ANNNNNNNNNNNNNNNNNNNNN
?ame, NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN %hone K, NNNNNNNNNNNNNNNNNNNNNNNNNNNN
A(127-1*/ I.82)7-1&2. R*52()4* M-.-'*)#5$
?ame, %hone K,
?ame, >than Allen %hone K, 111)AFD@
')1
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 '
The following form should be completed for every G!! and $A within the %rincipal &ffice. 4n addition, completion of this form is
highly recommended for each application in order for each %rincipal &ffice to document that all automated information resources are
properly evaluated.
%lease fill in the columns labeled -(ategory. and ->3planation. for each area. For each of the areas addressed, there should be at
least one chec0 in the -(ategory. column. The ->3planation. column should include your e3planation as to why the selected answer
in the -(ategory. column was provided. >3planations should be based on Federal laws and guidance as well as the appropriate
Agency guidance as indicated in the -5eference. section. !pecific references to the definitions provided in the Hypothetical
Government Agency G!! and $A 4nventory Guidance should be included in the e3planation. The -5eference. column is provided
solely for guidance and does not re/uire a response.
')2
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 '
C-1*'2)3 #46*4C 2.*$ EB<9-.-1&2. R*8*)*.4*
A
U
T
O
M
A
T
E
D

I
N
F
O
R
M
A
T
I
O
N

R
E
S
O
U
R
C
E
G*.*)-9 S(<<2)1 S351*7 #GSS$
M-=2) A<<9&4-1&2. #MA$
4dentified as,
mission)critical or important< or
mission)supportive and an
4nformation !ensitivity category
rated as L$edium2 or LHigh2
A<<9&4-1&2.
4dentified as mission)supportive and
all 4nformation !ensitivity categories
rated as LGow2
B(5&.*55 F(.41&2., !upports a %&)wide activity limited to #ust the &ffice of
Governmental Furniture. The database helps produce an annual report on the chairs in
the %&(. 4t is used to assist in the assignment of new chairs. &GF tests all 0inds of
Governmental Furniture. There are more chairs to be tested than any other type of
furniture. &GF assigns a particular chair to one staff member for one month and then
the chair is rotated to another staff person for another month. The database trac0s the
initial delivery of the chair and its pertinent information, and then follows the chair
through five staff assignments. &nly >3ecutive &ffice staff can assign chairs, but
everyone must complete their chair evaluations in the database. A wee0ly chair status
report is prepared for the >3ecutive &fficer. A monthly report and briefing is prepared
for the Assistant !ecretary.
D-1-, !pecific details about the chairs such as, color, brand, model number,
category arm, side, table", or fabric. :etails about where the chair is currently
assigned such as staff name, room number, and date assigned. There is no privacy act
information. The last four digits of the !!? are used in con#unction with the staff
name as a staff 4: number.
There is not %rivacy Act, financial or proprietary data contained in the (hT!.
C())*.193 2<*)-1&2.-9
H-)/:-)*, AG>?(M GA? Application !erver 8 (ompa/ *+++ and AG>?(M GA?
:>GG wor0stations used by &GF staff.
H-)/:-)* L24-1&2., AG>?(M GA? server room in AG>?(M H>A:O;A5T>5
';4G:4?G, the 5A! server in AG>?(M H>A:O;A5T>5 ';4G:4?G
for those dialing into AG>?(M GA?" and &GF offices in AG>?(M
!AT>GG4T> ';4G:4?G.
S281:-)*, Access CE
S281:-)* L24-1&2., Two Access CE database files forms and tables" reside on
AG>?(M GA? server PPFileand %rint !erverP!hared AreaP&G%"< access CE is
launched off of local AG>?(M GA? wor0stations and connect to the forms database
that accesses lin0ed tables from the tables database.
4nclude business processes that the automated information
resource accomplishes, such as the type of data it contains
and technical information hardware, hardware location,
software, software location, etc.".
Hypothetical Government Agency General !upport !ystem
and $a#or Applications 4nventory Guide
!ection 2.1.2 4dentify Automated 4nformation 5esources
!ection 2.1.* (ategori1e Automated 4nformation 5esources
as G!! or Application
!ection 2.*. 4dentify $As
')*
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 '
C-1*'2)3 #46*4C 2.*$ EB<9-.-1&2. R*8*)*.4*
I
N
F
O
R
M
A
T
I
O
N

S
E
N
S
I
T
I
V
I
T
Y
C2.8&/*.1&-9&13
High
$edium
Gow
There is no privacy act or proprietary data to protect. ?o vendor or cost information is
trac0ed on the chairs, only brand and model. 4f a non)authori1ed person read data that
they are not -allowed. to see, administrative action such as suspension or a letter of
reprimand" would be the most severe conse/uence. 4f the chair ratings were
discovered by outside chair competitors, the financial impact would be under 1++,+++
dollars.
Hypothetical Government Agency General !upport !ystem
and $a#or Applications 4nventory Guide
!ection 2.2.1 4nformation !ensitivity
I.1*')&13
High
$edium
Gow
The data maintained on the chair ratings does affect recommendations for particular
chairs. !ince entire school districts use these recommendations, the financial impact of
manipulated ratings could be between J1A+,+++ and J*++,+++, but less than a million
dollars. Anyone involved with such data manipulation would possibly be sued but not
sent to #ail.
Hypothetical Government Agency General !upport !ystem
and $a#or Applications 4nventory Guide
!ection 2.2.1 4nformation !ensitivity
A0-&9-;&9&13
High
$edium
Gow
The reports are much easier to prepare with the database and it would be very
inconvenient if the database were unavailable to /uic0ly locate a specific chair.
However, manual inspection of invoices for receipt information" and office space to
locate chairs" could be used. The conse/uences of the database being unavailable
would probably never be even administrative. The e3tra manpower re/uired to
manually prepare the reports would be less than J1++,+++ since at worst, a contractor
could be hired to prepare the most important reports for JEA,+++.
Hypothetical Government Agency General !upport !ystem
and $a#or Applications 4nventory Guide
!ection 2.2.1 4nformation !ensitivity
M
I
S
S
I
O
N

C
R
I
T
I
C
A
L
I
T
Y
(ritical
4mportant
!upportive
4t ma0es &GF more efficient and e3pedites their reports but does not directly support
one of the D primary Agency missions as identified under %::F*".
Hypothetical Government Agency General !upport !ystem
and $a#or Applications 4nventory, Appendi3 A 8
4nventory %rocess
!ection 2.2.2 $ission (riticality
')@
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 '
C-1*'2)3 #46*4C 2.*$ EB<9-.-1&2. R*8*)*.4*
I
N
T
E
R
C
O
N
N
E
C
T
I
V
I
T
Y
4f an application or ma#or application,
list the G!! on which it resides
:oes the automated information
resource have interconnectivity with
other G!!s or applicationsB
Mes
?o
The (hT! does not give or receive any data to any other $A or G!!. 4t resides on
AG>?(M GA? as its G!!, but otherwise does not interface with any other system. 4t
is accessed from local &GF wor0stations. &GF staff may access this database when
they connect remotely either through analog dialup to the 5A! server or through the
H%? connection.
Hypothetical Government Agency General !upport !ystem
and $a#or Applications 4nventory, Appendi3 A 8
4nventory %rocess
!ection 2.*.2 $a#or Application)General !upport !ystem
Gin0ages
')A
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 (
HYPOTHETICAL GOVERNMENT
AGENCY
GENERAL S!PPORT SYSTEMS AND MA%OR
APPLICATIONS INVENTORY,
A!!"#$%& C ' S(0!2" M"0+,(#$(

Hypothetical Government Agency G!! and $A 4nventory, Appendi3 (
SAMPLE MEMORAND!M FROM THE CHIEF INFORMATION
OFFICER
To, Q%54?(4%AG &FF4(>5 ?A$>R
%rincipal &fficer for Q%& ?A$>R
From,
(hief 4nformation &fficer
!ub#ect, >ndorsement of Q%& ?A$>R2s General !upport !ystem and $a#or Application
4nventory.
As the (hief 4nformation &fficer for the Hypothetical Government Agency, 4 hereby
ac0nowledge that the following General !upport !ystem G!!" and $a#or Application $A"
inventory is accurate and comprehensive 8 consistent with the re/uirements of the &ffice of
$anagement and 'udget &$'" (ircular A)1*+, Management of Federal Information
Resources, the (linger)(ohen Act
1
, the Government 4nformation !ecurity 5eform Act G4!5A"
2
,
and the (omputer !ecurity Act of 1CDE
3
8 as of Q:AT> &F !;'$4!!&?R for the Q%& ?A$>R.
G!!9$A
?ame
Type
G!! or
$A"
$ission
(riticality
4nformation !ensitivity Gast 4nventory
;pdate
(onfidentiality 4ntegrity Availability
$y point of contact for the maintenance of this G!! and $A inventory is
1 Public Law 10)-106
2 Public Law 106-39
3 Public Law 100-23.
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 (
SAMPLE MEMORAND!M FROM PRINCIPAL OFFICERS TO
THE CHIEF INFORMATION OFFICER VALIDATING THE GSS
AND MA INVENTORY
To,
(hief 4nformation &fficer
From, Q%54?(4%AG &FF4(>5 ?A$>R
%rincipal &fficer for Q%& ?A$>R
!ub#ect, >ndorsement of Q%& ?A$>R2s General !upport !ystem and $a#or Application
4nventory.
As the %rincipal &fficer for the Q%& ?A$>R, 4 hereby ac0nowledge that the following General
!upport !ystem G!!" and $a#or Application $A" inventory and the attached inventory
submission forms for each G!! and $A is accurate and comprehensive 8 consistent with the
re/uirements of the &ffice of $anagement and 'udget &$'" (ircular A)1*+, Management of
Federal Information Resources, the (linger)(ohen Act
)
, the Government 4nformation !ecurity
5eform Act G4!5A"
.
, and the (omputer !ecurity Act of 1CDE
6
, as of Q:AT> &F !;'$4!!&?R
for the Q%& ?A$>R.
G!!9$A
?ame
Type
G!! or
$A"
$ission
(riticality
4nformation !ensitivity Gast 4nventory
;pdate
(onfidentiality 4ntegrity Availability
$y point of contact for the maintenance of this G!! and $A inventory is Q%&( ?A$> S
?;$'>5R.
Attachments Q?R inventory submission forms
) Public Law 10)-106
. Public Law 106-39
6 Public Law 100-23.
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 :
HYPOTHETICAL GOVERNMENT
AGENCY
GENERAL S!PPORT SYSTEMS AND MA%OR
APPLICATIONS INVENTORY,
A!!"#$%& D ' I#3+,0(*%+# C+)","$ /- *4" P,%)(5- A5*
6 F,""$+0 +3 I#3+,0(*%+# A5* 7FOIA8 E&"0!*%+#1
Hypothetical Government Agency G!! and $A 4nventory, Appendi3 :
(onfidential information transmitted, stored, or processed on the G!! or $A, may include, but
is not limited to, financial, proprietary and personal information.
TYPES OF CONFIDENTIAL INFORMATION
F%#(#5%(2 I#3+,0(*%+# ' FOIA E&"0!*%+# 9
!ales statistics
%rofit and loss data
&verhead and operating
costs
5eports on financial
condition
(apital e3penditures
'udgets
Financial information falls under commercial or financial
information obtained from a person that is privileged or
confidential. The term TpersonT refers to a wide range of
entities, including corporations, ban0s, state governments,
agencies of foreign governments, and ?ative American tribes
or nations. This protects the interests of both the government
and submitters of information.
P,+!,%"*(,- I#3+,0(*%+# ' FOIA E&"0!*%+#1 2 6 9
'usiness plans or technical
designs
5esearch and development
data
:ata labeled -For &fficial
;se &nly.
%roprietary information falls under information related solely
to the internal personnel rules and practices of an agency.
This includes a Ttrade secret,T which is a broad term
e3tending to virtually any information that provides a
competitive advantage.
P",1+#(2 I#3+,0(*%+# ' FOIA E&"0!*%+# :
!ocial security numbers
(redit history
Goan history
%ersonal addresses
%erformance appraisal data
%ersonal financial
information
%ersonal information falls under personnel or medical
information or information that would constitute a clearly
unwarranted invasion of personal privacy. An individual7s
name and address may not be sold or rented by an agency
unless specifically authori1ed by law. &n the other hand, no
agency shall withhold names and addresses that are
otherwise permitted to be made public. Any contractor or
employee of a contractor is considered to be an employee of
the agency.
TYPES OF NON+CONFIDENTIAL INFORMATION
Grantee name
>mployee names, titles,
grades, salaries, duty stations
or office phone numbers
(ontractor names, e)mail
addresses or business contact
information
4nformation that is submitted with no e3pectation of privacy
should be considered non)confidential information. QF&4A
>3emption FR
:)1