The FIPS 199 process involves identifying the “information type” of a
data attribute. Predefined information types are described in NIST Special
Publication 800-60, though it is possible to create a non-standard
information type. After identifying an 800-60 information type for a data
attribute, you then either accept the provisional Confidentiality,
Integrity, and Availability categorizations suggested for that information
type, or increase or decrease the categorization where applicable.

The three current child metadata elements capture the final categorization
resulting from this process. Is there value in including the NIST SP
800-60 information type as a child metadata element as well? Perhaps this
would provide the opportunity to identify when there have been increases or
decreases from the provisional recommendation, so that the accuracy of these
decisions can be verified. Might there be other needs to identify the
information type of the data?

Another option (perhaps better) is to add two child metadata elements:
information type and information type source. The information type source
would most frequently be NIST SP 800-60, but agency-specific or custom
information types can also be defined, which is perhaps likely to have
already occurred in organizations that have a mature enterprise data
dictionary.
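
A sketch of the check that the two proposed elements would make possible, comparing each attribute's final categorization against the provisional one for its information type. This is an added example, not part of the original comment or of any NIST schema; the class, field and function names, the catalog entries and the sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed provisional catalog keyed by (information type source, information type).
# The type names and levels are placeholders, not values copied from NIST SP 800-60.
PROVISIONAL = {
    ("NIST SP 800-60", "EXAMPLE-TYPE-A"): ("Low", "Moderate", "Low"),
    ("Agency data dictionary", "EXAMPLE-CUSTOM-B"): ("High", "High", "Moderate"),
}

@dataclass
class DataAttribute:
    name: str
    info_type: str          # proposed element: information type
    info_type_source: str   # proposed element: information type source
    confidentiality: str    # final categorization (the three existing elements)
    integrity: str
    availability: str

def deviations(attr):
    """Map each adjusted objective to (provisional, final, 'increase' | 'decrease').

    Returns None when the (source, type) pair is not in the catalog, so an
    unknown or misspelled information type is surfaced instead of passing as
    'no deviation'.
    """
    provisional = PROVISIONAL.get((attr.info_type_source, attr.info_type))
    if provisional is None:
        return None
    found = {}
    for objective, prov in zip(OBJECTIVES, provisional):
        final = getattr(attr, objective)
        if final not in LEVELS:
            raise ValueError(f"{attr.name}: invalid {objective} level {final!r}")
        if LEVELS[final] != LEVELS[prov]:
            direction = "increase" if LEVELS[final] > LEVELS[prov] else "decrease"
            found[objective] = (prov, final, direction)
    return found

# Constructed sample records.
SAMPLE = [
    DataAttribute("employee_id", "EXAMPLE-TYPE-A", "NIST SP 800-60", "Moderate", "Moderate", "Low"),
    DataAttribute("case_notes", "EXAMPLE-CUSTOM-B", "Agency data dictionary", "High", "Moderate", "Moderate"),
    DataAttribute("badge_photo", "EXAMPLE-TYPE-Z", "NIST SP 800-60", "Low", "Low", "Low"),
]
```

Keying the catalog on the source as well as the type keeps an agency-defined type from colliding with an 800-60 type of the same name.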