WhiteHouse / cyber-acquisitions

https://policy.cio.gov

Cross agency governance and monitoring, section 3 specific #15

Open HallerJ opened 9 years ago

HallerJ commented 9 years ago

It might be helpful to include an understanding in the document of how OMB or other authorities will monitor and measure agency compliance with these guidelines. For example, section 3 states that agencies should use FIPS 199 to assess the impact level of data to determine the necessary security assessments. There may be an incentive towards identifying impact as low. It would be helpful for there to be a mechanism to at least understand how agencies evaluate impact level relative to security assessments, and to understand if there is some correlation of sensitivity of data to required assessments across agencies.

Also, the first bullet of section 3 suggests that FIPS 199 should be used to determine the necessary controls. However, the rest of the document stipulates the controls considered necessary (800-53 for internal contractor-operated systems, 800-171 for external systems). It's a little confusing.