Appendix K: FIPS-199 Worksheet

The system's overall FIPS-199 impact level is determined primarily by the sensitivity of the information it processes.

system security plan FIPS-199 categorization page image

The overall FIPS-199 impact level is represented under system-characteristics:

security-sensitivity-level
- The value must be one of fips-199-low, fips-199-moderate or fips-199-high

The FIPS-199 Categorization worksheet is an inventory of information types in the system, based on NIST SP 800-60 Volume 2.

Create one entry under information-types for each information type.
For each information type:
- Assign a uuid
- Assign the NIST SP 800-63 information type name to the title
- description is a required OSCAL field that is not acknowledged by FedRAMP. Consider offering context or citing 800-60.
- The categorizations array should have one entry that includes:
  - system set to "http://doi.org/10.6028/NIST.SP.800-60v2r1"
  - the information-type-ids arraqy should have one entry
    - Use the NIST SP 800-60 invormation type ID
    - Exactly match the case as it appears in 800-60. (e.g., C.2.3.1 or D.15.5)
- The confidentiality-impact must have:
  - a base field with the value defined in 800-60.
  - a selected field with the value selected by the CSP.
  - If the value in selected does not match the value in base, use adjustment-justification to capture the "Statement for Impact Adjustment Justification"
  - base and selected values must be one of fips-199-low, fips-199-moderate or fips-199-high
- integrity-impact and availability-impactare treated the same asconfidentiality-impact` above.

Other information types or categorizations may be present if the SSP also represents compliance with other frameworks; however, the US Government must operate under NIST RMF and will only recognize the NIST SP 800-60 types.

OSCAL Representation

system-security-plan:
  system-characteristics:
  
    security-sensitivity-level: fips-199-high
    
    system-information:
      information-types:
        - uuid: 11111111-2222-4000-8000-006000000001
          title: Information Type Name
          description: A description of the information.
          categorizations:
          - system: http://doi.org/10.6028/NIST.SP.800-60v2r1
            information-type-ids:
            - C.2.4.1
          confidentiality-impact:
            base: fips-199-moderate
            selected: fips-199-moderate
            adjustment-justification: Required if the base and selected values do not
              match.
          integrity-impact:
            base: fips-199-moderate
            selected: fips-199-low
            adjustment-justification: Required if the base and selected values do not
              match.
          availability-impact:
            base: fips-199-moderate
            selected: fips-199-moderate
            adjustment-justification: Required if the base and selected values do not
              match.

OSCAL Allowed Values

Reqired value for system:

http://doi.org/10.6028/NIST.SP.800-60v2r1

Valid values for security-sensitivity-level, base and selected fields:

fips-199-low
fips-199-moderate
fips-199-high

Revision #8
Created 2026-02-11 22:53:24 UTC by Brian Ruf
Updated 2026-04-01 02:13:33 UTC by Brian Ruf