• Say What You Do Products
• Change Management
• Information Assurance Compliance Maturity Model Index (IACMMI)
• The Language of Compliance
• Systems and Info Classification
• Administrative Management
• Workplace Policy Development and Management
• Travel
• Help Desk Services
• Facilities, Fleet, and Equipment Management
• Physical Security Management
• Compliance Development and Enforcement
• Inspections and Auditing
• Standards Setting/Reporting Guideline Development
• Regulatory Creation
• Public Comment Tracking
• Policies, Standards, and Procedures Publication
• Policy and Guidance Development
• Controls and Oversight
• Corrective Action
• Program Evaluation
• Program Monitoring
• Credit and Insurance
• Direct Loans
• Loan Guarantees
• General Insurance
• Education
• Higher Education
• Elementary, Secondary, and Vocational Education
• Financial Management
• Accounting
• Budget & Finance
• Financial Reporting Information
• Asset & Liability Management
• Collections and Receivables
• Payments
• General Retirement and Disability Program Management
• Unemployment Compensation
• General Organizational Support
• Records and Statistics Management
• Centralized Personnel Management
• Property Management
• General Executive Functions
• Legal Functions
• Centralized Fiscal Operations
• Taxation management (governmental agencies)
• Staff Income Information
• Strategic Executive Functions
• Representative Payee Information
• Personal Identity and Authentication
• Benefits Entitlement Event Information
• Goods and Services Creation and Management
• Goods and Services Production
• Facilities and Infrastructure Management
• Construction
• Healthcare
• Health Care Services
• Consumer Health and Safety
• Human Resources
• Worker Safety
• Labor Rights Management
• Staff Recruitment and Employment
• Security Clearance Management
• Benefits Management
• Personnel Management
• Resource Training and Development
• Payroll Management and Expense Reimbursement
• Information & Technology Management
• Information Management
• Record Retention
• IT Security
• IT Infrastructure Maintenance
• System Maintenance
• Lifecycle/Change Management
• System Development
• Internal Risk Management and Mitigation
• Emergency Response
• Disaster Preparedness and Planning
• Service Recovery
• Continuity of Operations
• Contingency Planning
• Law Enforcement
• Citizen Protection
• Criminal Investigation and Surveillance
• Crime Prevention
• Property Protection
• Criminal Apprehension
• Legal, Litigation, and Judicial
• Resolution Facilitation
• Permits and Licensing
• Legal Litigation
• Legal Investigation
• Legal Defense
• Judicial Hearings
• Planning and Resource Allocation
• Budget Formulation
• Enterprise Architecture
• Capital Planning
• Strategic Planning
• Research Operations
• Management Improvement
• Workforce Planning
• Budget Execution
• Public Affairs
• Customer Services
• Official Information Dissemination
• Product Outreach
• Public Relations
• Revenue Collection
• Staff Fee Collection
• Debt Collection
• Organizational Asset Sales
• Supply Chain Management
• Logistics Management
• Inventory Control
• Goods Acquisition
• Knowledge Dissemination
• Advising and Consulting
• Services Acquisition
• Third Party Relations
• Third Party Liaison
• Third Party Program Project Information
• Third Party Program Tracking
• Third Party Program Proposal Development

Supports the activities associated with the identification of critical systems and processes, and the planning and preparation required to ensure that these systems and processes will be available in the event of a catastrophic event. The overall accountability rating for this information classification is Moderate.

Confidentiality level = Moderate

The confidentiality impact level is the effect of unauthorized disclosure of continuity of operations information on the ability of responsible entities to identify critical systems and processes, and to conduct the planning and preparation required to ensure that these systems and processes will be available in the event of a catastrophic event. Unauthorized disclosure of the entire plan to malicious entities may have serious effects. As a result, the consequence of loss of confidentiality of most continuity of operations plans (and comprehensive continuity of operations plans) is likely to do serious harm to organizational assets, personnel, or missions.

Known mitigating factors toward changing the confidentiality level

Unauthorized disclosure of background information that supports development of organizational continuity of operations plans can reveal sensitive vulnerabilities, capabilities, intelligence assessments, intelligence sources, or methods employed in trade secret activities. Depending on the information in question, the confidentiality impact can be moderate, high, or involve trade secret information (outside the scope of this guideline). Unauthorized disclosure of continuity of operations information for critical infrastructures and key organizational assets may require a high impact level. However, the purpose of most continuity of operations information is to protect against inadvertent or accidental damaging events rather than against malicious attacks. Even so, in the case of organizational systems, hostile attacks on systems must be considered. The consequences of unauthorized disclosure of extracts from continuity of operations plans are likely to have negligible to limited adverse effects on organizational operations. In such cases, the confidentiality impact would be, at most, low. Unauthorized disclosure of continuity of operations information may inform an adversary regarding what facilities and processes are considered to be critical. Such unauthorized disclosure may also equip an adversary with the information necessary to attack a system so that operations are disrupted, and that recovery is impaired. In such cases, the confidentiality impact would be, at least, moderate.

Integrity level = Moderate

The integrity impact level is based on the specific mission and the data supporting that mission, not on the time required to detect the modification or destruction of information. Errors in continuity of operations plans that result from integrity compromise can result in serious consequences to system recovery capabilities. These can range from incorrect telephone numbers and e-mail addresses on notification lists to erroneous version numbers for database back-ups and archives or software baselines, updates, and patches.

Availability level = High

The availability impact level is based on the specific mission and the data supporting that mission, not on the time required to reestablish access to the continuity of operations information.

Known mitigating factors toward changing the availability level

The effects of disruption of access to continuity of operations information or information systems depend on the timing of the disruption. If access to continuity of operations information is denied because of a power outage, recovery may be delayed and the work of organizational entities disrupted. The continuity of operations planning process is usually tolerant of delays. In contrast, the continuity of operations implementation process is not tolerant of delays. The consequences of disruption of access to continuity of operations information depend on both the period of the outage and the criticality of the disrupted processes. The consequent impact level will range from low to high.