Computer Security Resource Center

Security Categorization

The Federal Information Security Modernization Act (FISMA) tasked NIST to develop:

  • Standards to be used by Federal agencies to categorize information and systems based on the objectives of providing appropriate levels of information security according to a range of risk levels;
  • Guidelines recommending the types of information and systems to be included in each category; and
  • Minimum information security requirements (i.e., management, operational, and technical security controls) for information and systems in each such category.

The following publications provide additional guidance on security categorization:

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, addresses the first of these three tasks. FIPS 199 establishes security categories for both information and systems, expressed as a potential impact (low, moderate, or high) for each of three security objectives: confidentiality, integrity, and availability. The security categories are based on the potential impact on an organization should certain events occur that jeopardize the information and systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization resulting from the operation of its systems.
Special Publication 800-60 Rev. 1 (Volume 1, Volume 2), Guide for Mapping Types of Information and Information Systems to Security Categories, assists Federal agencies in identifying information types and systems and assigning impact levels for confidentiality, integrity, and availability. Impact levels are based on the security categorization definitions in FIPS 199. Special Publication 800-60 contains two volumes. Volume I provides guidelines for identifying impact levels by information type and suggests impact levels for administrative and support information common to multiple agencies. Volume II includes rationale for information type and impact level recommendations and examples of recommendations for agency-specific, mission-related information.
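The categorization rule that FIPS 199 defines and SP 800-60 applies, carried into code as an added example that is not part of this page or of NIST's publications: each information type gets a security category SC = {(confidentiality, impact), (integrity, impact), (availability, impact)} with impact values LOW, MODERATE, or HIGH (NA is permitted only for the confidentiality objective of an information type), and the system's value for each objective is the high water mark across the information types it processes, with NA raised to LOW because FIPS 199 does not allow NA at the system level. The overall impact level returned at the end is the highest of the three system values, which is what FIPS 200 uses to select a control baseline. The information types and impact values in the sample are constructed for illustration, not taken from SP 800-60.

```python
"""FIPS 199 security categorization of an information system.

Added example (not NIST's code). It implements the aggregation rule from
FIPS 199 Section 3: the system's impact value for each security objective
is the highest value (high water mark) among the information types it
processes. NA ("not applicable") may appear only for the confidentiality
objective of an information type and never for a system, which carries at
least LOW for every objective.
"""
from enum import IntEnum


class Impact(IntEnum):
    # Ordered so that max() yields the high water mark.
    NA = 0        # allowed only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# A security category in FIPS 199 form:
# SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}
SecurityCategory = dict[str, Impact]


def information_type_category(confidentiality: Impact, integrity: Impact,
                              availability: Impact) -> SecurityCategory:
    """Build and validate the SC of a single information type."""
    if integrity is Impact.NA or availability is Impact.NA:
        raise ValueError("FIPS 199 permits NA only for the confidentiality objective")
    return {"confidentiality": confidentiality,
            "integrity": integrity,
            "availability": availability}


def system_category(information_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """Aggregate information-type categories into the system SC (high water mark per objective)."""
    if not information_types:
        raise ValueError("a system must process at least one information type")
    system: SecurityCategory = {}
    for objective in OBJECTIVES:
        hwm = max(sc[objective] for sc in information_types.values())
        # A system never carries NA: FIPS 199 sets a LOW floor for each objective.
        system[objective] = Impact.LOW if hwm is Impact.NA else hwm
    return system


def overall_impact_level(system: SecurityCategory) -> Impact:
    """Single impact level (LOW/MODERATE/HIGH) used for FIPS 200 baseline selection."""
    return max(system[objective] for objective in OBJECTIVES)


def format_category(label: str, sc: SecurityCategory) -> str:
    """Render an SC in the notation FIPS 199 uses."""
    pairs = ", ".join(f"({objective}, {sc[objective].name})" for objective in OBJECTIVES)
    return f"SC {label} = {{{pairs}}}"


# Constructed sample system; the information types and impact values are
# hypothetical and not taken from SP 800-60.
SAMPLE_SYSTEM = {
    "public web content":     information_type_category(Impact.NA,       Impact.MODERATE, Impact.MODERATE),
    "personnel records":      information_type_category(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "routine administrative": information_type_category(Impact.LOW,      Impact.LOW,      Impact.LOW),
}

if __name__ == "__main__":
    for name, sc in SAMPLE_SYSTEM.items():
        print(format_category(name, sc))
    sc_system = system_category(SAMPLE_SYSTEM)
    print(format_category("system", sc_system))
    print("overall impact level:", overall_impact_level(sc_system).name)
```

Because the aggregation is a per-objective maximum, a single HIGH availability rating on one information type raises the whole system's availability requirement even if every other type is LOW; that is the intended effect of the high water mark, and it is the reason SP 800-60 spends a volume on choosing impact levels per information type carefully rather than per system.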

Created November 30, 2016, Updated November 20, 2018