# Appendix K: FIPS-199 Worksheet

The system's overall FIPS-199 impact level is determined primarily by the sensitivity of the information it processes.

<img class="page-image-landscape" src="/uploads/images/gallery/2026-02/scaled-1680-/ssp-k-fips-199.png" alt="system security plan FIPS-199 categorization page image" >

The overall FIPS-199 impact level is represented under `system-characteristics`:
- `security-sensitivity-level`
  - The value must be one of `fips-199-low`, `fips-199-moderate` or `fips-199-high`

The FIPS-199 Categorization worksheet is an inventory of information types in the system, based on [NIST SP 800-60 Volume 2](https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-60v2r1.pdf). 

- Create one entry under `information-types` for each information type.
- For each information type:
  - Assign a `uuid`
  - Assign the NIST SP 800-63 information type name to the `title`
  - `description` is a required OSCAL field that is not acknowledged by FedRAMP. Consider offering context or citing 800-60.
  - The `categorizations` array should have one entry that includes:
    - `system` set to "http://doi.org/10.6028/NIST.SP.800-60v2r1"
    - the `information-type-ids` arraqy should have one entry
      - Use the NIST SP 800-60 invormation type ID
      - Exactly match the case as it appears in 800-60.   (e.g., `C.2.3.1` or `D.15.5`)
  - The `confidentiality-impact` must have:
    - a `base` field with the value defined in 800-60.
    - a `selected` field with the value selected by the CSP.
    - If the value in `selected` does not match the value in `base`, use `adjustment-justification` to capture the "Statement for Impact Adjustment Justification"
    - `base` and `selected` values must be one of `fips-199-low`, `fips-199-moderate` or `fips-199-high`
  - `integrity-impact and `availability-impact` are treated the same as `confidentiality-impact` above.

Other information types or categorizations may be present if the SSP also represents compliance with other frameworks; however, the US Government must operate under NIST RMF and will only recognize the NIST SP 800-60 types.

#### OSCAL Representation
```yaml
system-security-plan:
  system-characteristics:
  
    security-sensitivity-level: fips-199-high
    
    system-information:
      information-types:
        - uuid: 11111111-2222-4000-8000-006000000001
          title: Information Type Name
          description: A description of the information.
          categorizations:
          - system: http://doi.org/10.6028/NIST.SP.800-60v2r1
            information-type-ids:
            - C.2.4.1
          confidentiality-impact:
            base: fips-199-moderate
            selected: fips-199-moderate
            adjustment-justification: Required if the base and selected values do not
              match.
          integrity-impact:
            base: fips-199-moderate
            selected: fips-199-low
            adjustment-justification: Required if the base and selected values do not
              match.
          availability-impact:
            base: fips-199-moderate
            selected: fips-199-moderate
            adjustment-justification: Required if the base and selected values do not
              match.
```

<br />
<div class="callout">

**OSCAL Allowed Values**

Reqired value for `system`: 
- `http://doi.org/10.6028/NIST.SP.800-60v2r1`

Valid values for `security-sensitivity-level`,  `base` and `selected` fields:
- `fips-199-low`
- `fips-199-moderate`
- `fips-199-high`

</div>