
Appendix K: FIPS-199 Worksheet

The FIPS-199 Categorization in the FedRAMP SSP template, illustrated in the figure below, is expressed through the following core OSCAL property.

[Figure: system security plan FIPS-199 categorization page]

OSCAL Representation

<system-security-plan>
    <metadata>
        <!-- cut CSP Name -->
    </metadata>
    <system-characteristics>
        <!-- System Name & Abbreviation -->
        <system-name>System's Full Name</system-name>
        <system-name-short>System's Short Name or Acronym</system-name-short>        
        <!-- FedRAMP Unique Identifier -->
        <system-id identifier-type="http://fedramp.gov">F00000000</system-id>
        <!-- cut Service Model -->
        <!-- cut Deployment Model -->
        <!-- cut DIL Determination -->

        <!-- FIPS PUB 199 Level (SSP Attachment 10) -->
        <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>              
         
        <!--  cut -->        
    </system-characteristics>
    <!--  cut -->     
</system-security-plan>

OSCAL Allowed Values

Valid values for security-sensitivity-level:

  • fips-199-low
  • fips-199-moderate
  • fips-199-high

XPath Queries

System Sensitivity Level:
        /*/system-characteristics/security-sensitivity-level

Additional Required Values not Expressed in FedRAMP Template

In addition to the security-sensitivity-level, you must supply impact levels for each security objective: confidentiality, integrity, and availability.

Each objective value corresponds to the highest impact level for that objective across all information types. For example, if two information types are described, one with a confidentiality impact level of fips-199-low and another with fips-199-moderate, the resulting value for security-objective-confidentiality must be fips-199-moderate.

The overall security-sensitivity-level must reflect the highest impact level across all three objectives.

OSCAL Representation

system-security-plan:
    system-characteristics:
        security-impact-level:
            security-objective-confidentiality: "fips-199-moderate"
            security-objective-integrity: "fips-199-moderate"
            security-objective-availability: "fips-199-moderate"
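
The high-water-mark rule described above can be checked mechanically before an SSP is submitted. The following is an added example, not FedRAMP's own tooling: the function names are hypothetical, the sample SSP is constructed, it uses un-namespaced XML like the fragment on this page, and the `information-type` layout (`<objective>-impact` with `base` and an optional `selected` that overrides it) is assumed from the OSCAL SSP model.

```python
import xml.etree.ElementTree as ET

LEVELS = ["fips-199-low", "fips-199-moderate", "fips-199-high"]  # ascending order
OBJECTIVES = ["confidentiality", "integrity", "availability"]

# Constructed sample, not a real system. Assumed layout: each information type
# carries <objective>-impact with <base> and an optional overriding <selected>.
SAMPLE_SSP = """<system-security-plan><system-characteristics>
  <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
  <system-information>
    <information-type><title>Constructed type A</title>
      <confidentiality-impact><base>fips-199-low</base></confidentiality-impact>
      <integrity-impact><base>fips-199-low</base></integrity-impact>
      <availability-impact><base>fips-199-low</base></availability-impact></information-type>
    <information-type><title>Constructed type B</title>
      <confidentiality-impact><base>fips-199-moderate</base></confidentiality-impact>
      <integrity-impact><base>fips-199-moderate</base></integrity-impact>
      <availability-impact><base>fips-199-moderate</base><selected>fips-199-high</selected></availability-impact></information-type>
  </system-information>
  <security-impact-level>
    <security-objective-confidentiality>fips-199-moderate</security-objective-confidentiality>
    <security-objective-integrity>fips-199-moderate</security-objective-integrity>
    <security-objective-availability>fips-199-moderate</security-objective-availability>
  </security-impact-level>
</system-characteristics></system-security-plan>"""

def high_water_mark(values):
    """Highest FIPS-199 level in values; rejects anything outside the allowed set."""
    values = list(values)
    if not values or any(v not in LEVELS for v in values):
        raise ValueError(f"missing or invalid FIPS-199 level in {values}")
    return max(values, key=LEVELS.index)

def check_categorization(xml_text):
    """Return (path, declared, expected) for every declared value that breaks the rule."""
    sc = ET.fromstring(xml_text).find("system-characteristics")
    findings, expected = [], {}
    for obj in OBJECTIVES:
        impacts = sc.findall(f"system-information/information-type/{obj}-impact")
        levels = [(i.findtext("selected") or i.findtext("base") or "").strip() for i in impacts]
        expected[obj] = high_water_mark(levels)
    expected["overall"] = high_water_mark(expected.values())
    paths = {o: f"security-impact-level/security-objective-{o}" for o in OBJECTIVES}
    paths["overall"] = "security-sensitivity-level"
    for key, path in paths.items():
        declared = (sc.findtext(path) or "").strip()
        if declared != expected[key]:
            findings.append((path, declared, expected[key]))
    return findings
```

On the constructed sample, `check_categorization(SAMPLE_SSP)` reports that both the availability objective and the overall sensitivity level are declared as moderate while one information type requires high, which is the mismatch that would lead to the wrong FedRAMP baseline being applied.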

NOTES:

  • The identified System Sensitivity Level governs which FedRAMP baseline applies. See the Importing the FedRAMP Baseline section for more information about importing the appropriate FedRAMP baseline.