Completing the Federal Information Processing Standard (FIPS)-199: Standards for Security Categorization of Federal Information and Information Systems
The FIPS-199 should be filled out with assistance from the NCI Information Systems Security Officer (ISSO) to ensure that the best information category or categories are selected and the final ratings are well supported. For help, contact the NCI ISSO at nciirm [at] mail.nih.gov.
A FIPS-199 must be completed for all federal information systems and applications in order to establish a system's security-impact rating based on the sensitivity of the information collected, stored, or processed by the system. The system's final rating is critical to identifying its required minimum security controls and helps determine all subsequent security testing that may be done on the system, following the National Institute of Standards and Technology (NIST) risk management framework (RMF).
NIST Special Publication (SP) 800-60 Volume 2, Guide for Mapping Types of Information and Information Systems to Security Categories, provides an extensive list of information types commonly used by government organizations.
Step 1/Page 1: Complete the System Information Summary
On page 1 of the FIPS, fill in the:
- System Name (if you are unsure of the official system name, please contact the NCI ISSO for verification at NCIIRN [at] nih.gov)
- Fill in NCI under the IC box
- Choose the correct System Type.
- The majority of systems will be Tier 2/3/4. Only select Major or GSS system type if you have verified with the NCI ISSO that yours is one of these two types.
- Fill in the date the FIPS was completed
- Choose the appropriate overall system security rating by choosing the highest watermark of all final adjusted confidentiality, integrity, and availability ratings given on the subsequent pages of the FIPS-199 form (e.g., choose Moderate if your highest individual rating is Moderate, even if all other ratings are Low)
- Fill in the current SDLC status from the dropdown box options
- Mark the highest watermark rating for each of the categories - Confidentiality, Integrity, and Availability - noted on subsequent pages for those respective categories (e.g., choose Moderate confidentiality if you have one or more Moderate confidentiality ratings listed)
Step 2/Page 2: Fill in the System Description and POCs
- On page 2, provide the official system description. The description should provide enough detail to understand the general purpose of the system and should note whether the system is publicly accessible, whether it includes any sensitive information, and the approximate number of users if known.
- List the designated POCs. The only name that should change from system to system is the System Owner name. The system owner name should be the federal business owner/sponsor. The other names are Jeff Shilling (CIO), Bruce Woodcock (ISSO), and Suzanne Milliard (Privacy Coordinator).
- Once the form has been completely filled in, all three of the provided signature blocks must be completed by their designated representatives. The form supports electronic signatures in MS Word, or you can print it and apply traditional "wet" signatures if you choose.
Step 3/Page 3: Provide applicable Information Categories and Adjusted Impact Ratings
- Refer to NIST 800-60 Volume 2 for a catalog of common federal information categories
- Choose the appropriate category(ies) from 800-60 V2 that capture the primary function and mission of your system by entering them in one of the Category boxes on page 2
- Enter the provisional impact ratings for confidentiality, integrity, and availability as noted by the NIST 800-60 V2, under the provisional impact levels area
- If you believe that any of the provisional ratings need to be adjusted, then enter the adjusted ratings in the appropriate Adjusted Impact Levels boxes
- If you have adjusted any of the provisional impact ratings, then you MUST provide a rationale for the adjustment(s) in the Rationale box. The rationale box only needs to be completed if you have adjusted one or more provisional ratings
- If you need to use more than one information category, repeat steps 2 and 3 until you have entered all of the appropriate information categories
NOTE: Most systems can be described by using just 1 or 2 information categories from NIST 800-60 Volume 2. In rare cases, a system owner might need to use more than that, but be careful not to choose categories that are a "stretch" or that are not really part of the mission/function of the system. Usually, a careful review of the description in 800-60 Volume 2 will help avoid unnecessary inclusion of additional categories.
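The high-watermark rule from Step 1 and the provisional/adjusted/rationale procedure from Step 3, as an added worked example (not part of the NCI guide or the FIPS-199 form itself): each information category row carries its provisional confidentiality, integrity and availability ratings, any adjustments, and the rationale the guide requires whenever a rating is adjusted. The per-objective ratings on page 1 are the high-water mark across all rows, and the overall rating is the high-water mark of those three. The category names and ratings below are constructed sample values, not entries from NIST SP 800-60 Volume 2.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# FIPS-199 impact levels, ordered so the maximum is the high-water mark.
LEVEL_ORDER = {"Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InfoType:
    """One information category row on page 3 of the form."""
    name: str
    provisional: Dict[str, str]                              # from SP 800-60 Vol 2
    adjusted: Dict[str, str] = field(default_factory=dict)   # only objectives you changed
    rationale: str = ""                                      # required if anything was adjusted


def _check_level(level: str) -> str:
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown impact level {level!r}; expected one of {list(LEVEL_ORDER)}")
    return level


def final_ratings(info_type: InfoType) -> Dict[str, str]:
    """Provisional ratings overridden by adjustments; an adjustment that actually
    changes a rating must be accompanied by a rationale, as the guide requires."""
    ratings = {}
    for obj in OBJECTIVES:
        if obj not in info_type.provisional:
            raise ValueError(f"{info_type.name}: missing provisional {obj} rating")
        ratings[obj] = _check_level(info_type.provisional[obj])
    changed = {}
    for obj, level in info_type.adjusted.items():
        if obj not in OBJECTIVES:
            raise ValueError(f"{info_type.name}: unknown objective {obj!r}")
        if _check_level(level) != ratings[obj]:
            changed[obj] = level
    if changed and not info_type.rationale.strip():
        raise ValueError(f"{info_type.name}: adjusted {sorted(changed)} without a rationale")
    ratings.update(changed)
    return ratings


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level in the sequence (the FIPS-199 high-water mark)."""
    return max(levels, key=lambda level: LEVEL_ORDER[level])


def categorize(info_types: List[InfoType]) -> Dict[str, str]:
    """Page-1 ratings: per-objective high-water mark across all categories,
    then the overall rating as the high-water mark of those three."""
    if not info_types:
        raise ValueError("at least one information category is required")
    per_row = [final_ratings(t) for t in info_types]
    result = {obj: high_water_mark(row[obj] for row in per_row) for obj in OBJECTIVES}
    result["overall"] = high_water_mark(result[obj] for obj in OBJECTIVES)
    return result


# Constructed sample system with two category rows (names and ratings are made up).
SAMPLE_SYSTEM = [
    InfoType(
        name="Example category A (constructed)",
        provisional={"confidentiality": "Low", "integrity": "Low", "availability": "Low"},
        adjusted={"confidentiality": "Moderate"},
        rationale="System stores personally identifiable information (constructed rationale)",
    ),
    InfoType(
        name="Example category B (constructed)",
        provisional={"confidentiality": "Low", "integrity": "Moderate", "availability": "Low"},
    ),
]

if __name__ == "__main__":
    print(categorize(SAMPLE_SYSTEM))
```

With the sample rows, confidentiality is Moderate (adjusted in row A), integrity is Moderate (row B), availability is Low, and the overall rating is therefore Moderate even though most individual ratings are Low. Setting an adjusted value equal to the provisional one is treated as no adjustment, so no rationale is demanded in that case.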