NIH | National Cancer Institute | NCI Wiki  


...

The FIPS-199 Security Categorization process addresses the first task required by the Risk Management Framework (RMF): developing standards for categorizing information and information systems. The FIPS-199 publication from NIST establishes security objectives for both information and information systems (Confidentiality, Integrity, and Availability) and defines the corresponding potential impact levels of Low, Moderate, and High. Security categories (security objective + impact level) are then derived from the potential impact on each of the Confidentiality, Integrity, and Availability of an organization's information and information systems should certain events occur that jeopardize the information and information systems the organization needs to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization. The security categorization is the collection of all security categories for all security objectives and is recorded on the FIPS-199 form. NCI uses the high watermark approach, so the overall categorization of the system is equal to the highest individual security category.

High Water Mark

For an information system, the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) shall be the highest values (i.e., the high water mark) from among the security categories determined for each type of information resident on the information system. So, for example, systems rated M-L-L, L-M-L, M-M-L, etc. would all be rated Moderate overall, since Moderate is the highest-rated security objective.
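The high water mark rule above, worked through in code as an added illustration (not part of the NCI wiki or any NIH tool): each information type on a system carries its own C-I-A triple, the per-objective system level is the highest across all types, and the overall rating is the highest of the three. It assumes the triples are written in confidentiality-integrity-availability order, and the information types and ratings are constructed sample data.

```python
"""FIPS-199 security categorization using the high water mark (added example).
Information types and ratings below are constructed sample data."""
from typing import Dict, Tuple

# Ordinal ranking of FIPS-199 potential impact levels. "NA" (not applicable) is
# permitted by FIPS-199 only for the confidentiality of an information type,
# never for a system, whose floor for every objective is Low.
IMPACT_RANK = {"NA": 0, "L": 1, "M": 2, "H": 3}
RANK_IMPACT = {v: k for k, v in IMPACT_RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def parse_category(sc: str) -> Tuple[str, str, str]:
    """Parse a C-I-A triple such as 'M-L-L' into its three impact levels."""
    parts = sc.upper().split("-")
    if len(parts) != 3 or any(p not in IMPACT_RANK for p in parts):
        raise ValueError(f"bad security category: {sc!r}")
    if parts[1] == "NA" or parts[2] == "NA":
        raise ValueError("NA is only allowed for confidentiality")
    return parts[0], parts[1], parts[2]


def system_categorization(info_types: Dict[str, str]) -> Dict[str, str]:
    """Apply the high water mark across information types, per objective.

    info_types maps an information type name to its C-I-A triple. The result
    is the system's per-objective level, floored at Low as FIPS-199 requires.
    """
    highest = [IMPACT_RANK["L"]] * 3  # system floor is Low for every objective
    for sc in info_types.values():
        for i, level in enumerate(parse_category(sc)):
            highest[i] = max(highest[i], IMPACT_RANK[level])
    return {obj: RANK_IMPACT[r] for obj, r in zip(OBJECTIVES, highest)}


def overall_impact(per_objective: Dict[str, str]) -> str:
    """Overall system rating: the highest of the three objective levels."""
    return RANK_IMPACT[max(IMPACT_RANK[v] for v in per_objective.values())]


if __name__ == "__main__":
    # Constructed sample: three information types resident on one system.
    sample = {"public web content": "NA-L-L", "grant records": "M-M-L",
              "contact directory": "L-L-L"}
    per_obj = system_categorization(sample)
    # prints {'confidentiality': 'M', 'integrity': 'M', 'availability': 'L'} M
    print(per_obj, overall_impact(per_obj))
```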

Low-Impact Software-as-a-Service (LI-SaaS) Approval

...