The Federal Information Security Management Act (FISMA) tasked NIST to develop:
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, addresses the first of these three tasks. FIPS 199 establishes security categories for both information and information systems. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization resulting from the operation of its information systems. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the federal government, promotes:
Special Publication 800-60 Rev. 1 (Volume I, Volume II), Guide for Mapping Types of Information and Information Systems to Security Categories, assists Federal agencies in identifying information types and information systems and assigning impact levels for confidentiality, integrity, and availability. Impact levels are based on the security categorization definitions in FIPS 199. Special Publication 800-60 contains two volumes. Volume I provides guidelines for identifying impact levels by information type and suggests impact levels for administrative and support information common to multiple agencies. Volume II includes rationale for information type and impact level recommendations and examples of recommendations for agency-specific, mission-related information.
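As an added illustration (this is not NIST code or part of the page above), the following Python script models the categorization step that SP 800-60 feeds into FIPS 199: each information type gets a security category of the form SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}, and the information system's category is the high-water mark of those values across all the information types it handles, with confidentiality raised to at least LOW at the system level even where a public information type was rated "not applicable". The FIPS 199 notation and high-water-mark rule are from that standard; the information types and impact values below are constructed sample data, not recommendations from SP 800-60.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact levels as defined in FIPS 199.

    NA (not applicable) is permitted only for the confidentiality of an
    individual information type (e.g. public information); it never appears
    in the security category of an information system.
    """
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def information_type_category(confidentiality, integrity, availability):
    """Build the FIPS 199 security category of one information type.

    Integrity and availability must always carry a real impact level, so
    NA is rejected for those two objectives.
    """
    integrity, availability = Impact(integrity), Impact(availability)
    if Impact.NA in (integrity, availability):
        raise ValueError("NA is only allowed for the confidentiality objective")
    return {
        "confidentiality": Impact(confidentiality),
        "integrity": integrity,
        "availability": availability,
    }


def system_category(info_types):
    """Aggregate information-type categories to the information-system level.

    FIPS 199 uses the high-water mark: for each security objective, the
    system takes the highest impact level found among the information types
    it stores, processes or transmits. Because a system cannot have an NA
    objective, confidentiality is floored at LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    aggregated = {}
    for objective in OBJECTIVES:
        highest = max(category[objective] for category in info_types.values())
        aggregated[objective] = max(highest, Impact.LOW)
    return aggregated


def overall_impact(category):
    """Single overall impact level: the highest of the three objectives."""
    return max(category[objective] for objective in OBJECTIVES)


def format_category(category, label="SC"):
    """Render a category in the FIPS 199 generalized format."""
    parts = ", ".join(f"({objective}, {category[objective].name})" for objective in OBJECTIVES)
    return f"{label} = {{{parts}}}"


# Constructed sample data for a hypothetical system; the values are
# illustrative and are not taken from SP 800-60 Volume II.
SAMPLE_INFORMATION_TYPES = {
    "public web content": information_type_category(Impact.NA, Impact.MODERATE, Impact.LOW),
    "personnel records": information_type_category(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
}


if __name__ == "__main__":
    for name, category in SAMPLE_INFORMATION_TYPES.items():
        print(format_category(category, label=f"SC {name}"))
    system = system_category(SAMPLE_INFORMATION_TYPES)
    print(format_category(system, label="SC system"))
    print("overall system impact:", overall_impact(system).name)
```

The floor to LOW in `system_category` is the detail practitioners most often miss: a system that only serves public information still has a LOW confidentiality requirement at the system level, even though the information type itself may be marked NA.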