
Risk Management Framework (RMF) - Categorize Step

At A Glance

RMF Categorize Step



Purpose: Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems.

  • system characteristics documented
  • security categorization of the system and information completed
  • categorization decision reviewed/approved by authorizing official


Resources for Implementers

Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems

  • Standard for categorizing information and systems according to an organization's level of concern for confidentiality, integrity, and availability and the potential impact on organizational assets and operations.

NIST SP 800-60 Volume I and Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories

  • Developed to assist agencies in categorizing information and systems.
  • Guidelines recommending the types of information and systems to be included in each security impact level for confidentiality, integrity, and availability.



Created November 30, 2016, Updated June 14, 2024