Completing the Federal Information Processing Standard (FIPS)-199: Standards for Security Categorization of Federal Information and Information Systems

The FIPS-199 should be filled out with assistance from the NCI Information Systems Security Officer (ISSO) to ensure that the best information category or categories are selected and the final ratings are well supported. For help, contact the nciirm [at] (NCI ISSO).

A FIPS-199 must be completed for all federal information systems and applications in order to establish a system's security-impact rating based on the sensitivity of the information collected, stored, or processed by the system. The system's final rating is critical to identifying its required minimum security controls and helps determine all subsequent security testing that may be done on the system, following the National Institute of Standards and Technology (NIST) risk management framework (RMF).

NIST SP 800-60 Volume 2, Special Publication Guide for Mapping Types of Information and Information Systems to Security Categories provides an extensive list of information types commonly used by government organizations.

FIPS-199 resources