CNSSI 1253 says:
Within the national security community, it is understood that certain losses are to be expected when performing particular missions. Therefore, for NSS interpret the FIPS 199 amplification for the moderate and high potential impact values, as if the phrase “…exceeding mission expectations.” is appended to the end of the sentence in FIPS 199, Section 3.
Thus the definition of moderate would be:
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals (FIPS 199) …exceeding mission expectations (CNSSI 1253).
Does this mean that national security systems can withstand or tolerate a greater degree of serious adverse impact before it is categorized as moderate? I would have expected the opposite. Shouldn't the NSS systems have a lower impact threshold, rather a higher impact threshold?
[link] [comments]