First published on TECHNET on Oct 15, 2009

This is old news to all of you who have memorized the Department of Defense Instruction (DoDI) Number 8500.2, which is one of the source documents that the Database STIG is based on, but for the rest of you...

Not all databases are created equal. A database with corporate strategies and payrolls is probably a little more valuable than a database with recipes for desserts. Well, that depends on your perspective, perhaps.

The DoD decided to place all databases into one of three Mission Assurance Categories (MAC), depending on how important the data in each one is. The level of effort required to protect a database depends on the MAC it is assigned to. You may not want the exact same categories as the DoD, but you might want to use them as a guideline for creating your own.

Some databases may not fit into a DoD MAC, as E3.4.2 mentions "IT-dependent programs." A database may therefore not require protective measures if it is used only to test general database capabilities with fake data, or is not connected to a network. Most databases, though, will need some level of protective measures. Here are the Mission Assurance Categories and the expected level of protection used for the Database STIG, from pages 22-23 of DoDI 8500.2:

E2.1.38. Mission Assurance Category. Applicable to DoD information systems, the mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission. Mission assurance categories are primarily used to determine the requirements for availability and integrity. The Department of Defense has three defined mission assurance categories:

E2.1.38.1. Mission Assurance Category I (MAC I). Systems handling information that is determined to be vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. The consequences of loss of integrity or availability of a MAC I system are unacceptable and could include the immediate and sustained loss of mission effectiveness. Mission Assurance Category I systems require the most stringent protection measures.

E2.1.38.2. Mission Assurance Category II (MAC II). Systems handling information that is important to the support of deployed and contingency forces. The consequences of loss of integrity are unacceptable. Loss of availability is difficult to deal with and can only be tolerated for a short time. The consequences could include delay or degradation in providing important support services or commodities that may seriously impact mission effectiveness or operational readiness. Mission Assurance Category II systems require additional safeguards beyond best practices to ensure assurance.

E2.1.38.3. Mission Assurance Category III (MAC III). Systems handling information that is necessary for the conduct of day-to-day business, but does not materially affect support to deployed or contingency forces in the short-term. The consequences of loss of integrity or availability can be tolerated or overcome without significant impacts on mission effectiveness or operational readiness. The consequences could include the delay or degradation of services or commodities enabling routine activities. Mission Assurance Category III systems require protective measures, techniques, or procedures generally commensurate with commercial best practices.

Department of Defense Instruction (DoDI) Number 8500.2: http://www.dtic.mil/whs/directives/corres/pdf/850002p.pdf