
Security Policy System Classification

Security classification hierarchy consisting of Level I, Level II, and Level III

Level I

Level I systems are mission-critical systems, systems with high availability requirements, or systems that cannot tolerate more than a few hours of downtime, such as certificate servers, registration and customer billing systems.
These are often publicly exposed servers and usually account for five percent of your resources.

Level II

Level II systems include operational systems, line-of-business level systems, and systems that can tolerate up to 48 hours of downtime. They make up about 20 percent of your resources and typically consist of internal servers that are not directly connected to the Internet.

Level III

Level III systems have backup systems and/or can tolerate at least one week of downtime in case of emergency. These are typically end-user machines. About 75 percent of your resources will be classified as Level III.

The Information Assurance Technical Framework

The Information Assurance Technical Framework Forum (IATFF) is an organization sponsored by the National Security Agency (NSA) that supports technical interchanges among U.S. industry, U.S. academic institutions, and U.S. government agencies on the topic of information assurance. The Forum generated the Information Assurance Technical Framework (IATF) document, release 3.1, which describes processes and provides guidance for the protection of information systems based on systems engineering principles.
The document emphasizes the criticality of the people involved, the operations required, and the technology needed to meet the organization’s mission. These three entities are the basis for the Defense-in-Depth protection methodology.


Defense-in-Depth is a layered protection scheme for critical information system components. The Defense-in-Depth strategy comprises the following areas:
  1. Defending the network and infrastructure
  2. Defending the enclave boundary
  3. Defending the computing environment
  4. Supporting Infrastructures
The term enclave as used in the Defense-in-Depth protection strategy refers to a "collection of computing environments connected by one or more internal networks under the control of a single authority and security policy, including personnel and physical security. Enclaves always assume the highest mission assurance category and security classification of the automated information system (AIS) applications or outsourced IT-based processes they support, and derive their security needs from those systems. They provide standard information assurance (IA) capabilities such as boundary defense, incident detection and response, and key management, and also deliver common applications such as office automation and electronic mail. Enclaves are analogous to general support systems as defined in OMB A-130. Enclaves may be specific to an organization or a mission, and the computing environments may be organized by physical proximity or by function independent of location. Examples of enclaves include local area networks (LANs) and the applications they host, backbone networks, and data processing centers."
(DoD Directive 8500.1, "Information Assurance (IA)," October 24, 2002). The enclaves in the U.S. federal and defense computing environments can be categorized as public, private, or classified. The Defense-in-Depth strategy is built on three critical elements: people, technology, and operations.