General Support System (GSS) and Major Application (MA)

Status: Deprecated

Summary

The categories of General Support System (GSS) and Major Application (MA) were created in 1988 through Office of Management and Budget (OMB) Bulletin No. 88-16, which provided the first federal guidance on creating security plans for information systems. A General Support System referred to a general collection of hardware and software, such as a building’s Local Area Network (LAN), while a Major Application referred to a specific system that performed a clearly defined function. The primary function of the GSS/MA distinction was to determine the appropriate security control baseline for a system. For example, NIST’s initial guidance for creating security plans, published in 1998, is separated into distinct categories for Major Applications and General Support Systems and their controls.

The decline of the GSS/MA distinction started in the early 2000s, particularly after the Federal Information Security Management Act (FISMA) of 2002 was signed into law. These laws focused federal information security on risk-based frameworks. To fulfill FISMA’s requirement to have information systems be protected commensurate with the risk of the systems, NIST, between 2004 and 2006, released its mandatory FIPS 199 and FIPS 200 publications, requiring systems to be categorized as low-, moderate-, or high-impact and abide by the associated Low, Moderate, or High security control baseline. The implementation of FIPS 199 and FIPS 200 can be seen as the replacement of the GSS/MA categories, though they still live on in a handful of policies and guidance documents that have not been updated since the 2000s.

History

The first use of the categories Major Applications (MA) and General Support Systems (GSS) came in guidance released on July 6, 1988, by the Office of Management and Budget (OMB), called Bulletin No. 88-16. This bulletin, created in response to the Computer Security Act of 1987, provided the first formal federal guidance on creating security plans.

As a means of acknowledging that information systems can vary in scope and constitution, Bulletin 88-16 defined two categories of information systems:

  • Major application systems, which are “systems that perform clearly defined functions and for which there are clearly identifiable security considerations and needs.”
  • General ADP support systems, which “consist of hardware and software that provide general [Automated Data Processing] support for a variety of users and applications.”

Bulletin 88-16 contained two sets of security controls (i.e., security control baselines), one for each of the two categories above. The Bulletin’s list of security controls required for Major Applications, shown below, include requirements such as software maintenance.

In comparison with the security controls required for Major Applications, General Support System controls included unique requirements regarding physical and environmental protection controls and encryption.

The GSS–MA distinction was reiterated in OMB’s successor to Bulletin 88-16, Bulletin 90-08, which describes there as being “two sets of controls: one for major applications and one for general ADP support systems.” Both bulletins were eventually rolled into the February 20, 1996, version of OMB Circular A-130, superseding previous security planning guidance.

The continued use of the GSS and MA categories to determine the security control baseline for a federal information system continued in security planning guidance issued in December 1998 by the National Institute of Science and Technology (NIST) in Special Publication (SP) 800-18, Guide for Developing Security Plans for Information Technology Systems. The except of the table of contents for SP 800-18 shows the continued distinction between GSS controls and MA controls:

The end of the GSS–MA categories started in the early 2000s around when the Federal Information Security Management Act (FISMA) was signed into law. To fulfill FISMA’s requirement to have information systems be protected commensurate with the risk of the systems, NIST released its mandatory FIPS 199 (2004) and FIPS 200 (2006) publications, which required federal information systems to be categorized as low-, moderate-, or high-impact and implement the associated security control baseline in NIST SP 800-53. While agencies were allowed to defer performing assessments against the NIST SP 800-53 controls in Fiscal Year (FY) 2006, all agencies were required to do so in FY 2007. As stated in that year’s OMB FISMA guidance:

For FY 2007 and beyond, agencies are required to use FIPS 200/NIST Special Publication 800-53 for the specification of security controls and NIST Special Publications 800-37 and 800-53A for the assessment of security control effectiveness.

OMB M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

Even though 2007 was the formal end of General Support Systems and Major Applications as means of categorizing information systems and determining their baseline security controls, the terms have lived on in aging federal guidance. For a few examples:

  • NIST SP 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, still describes systems using the GSS–MA categories because the publication itself was last updated in February 2006 (a month earlier than FIPS 200’s release).
  • NIST SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, only removed GSS and MA terminology in 2010.
  • OMB Circular A-130, Managing Information as a Strategic Resource, only removed the GSS and MA terminology in 2016, with the Circular’s last update before that having been performed in 2000.

The GSS–MA categories also still live on in the names of federal information systems, with many agencies still including the “GSS” in the names of systems that provide generalized computing services or infrastructure.1

  1. See, for example, various Privacy Impact Assessments online. ↩︎