
Appendix K: FIPS-199 Worksheet

The FIPS-199 Categorization in the FedRAMP SSP template, illustrated in the figure below, is expressed through the following core OSCAL property.

Figure: system security plan FIPS-199 categorization page

OSCAL Representation

system-security-plan:
  system-characteristics:
    system-name: System's Full Name
    system-name-short: System's Short Name or Acronym
    system-ids:
      - identifier-type: http://fedramp.gov
        id: F00000000
    security-sensitivity-level: fips-199-moderate

OSCAL Allowed Values

Valid values for security-sensitivity-level:

  • fips-199-low
  • fips-199-moderate
  • fips-199-high

XPath Queries

System Sensitivity Level:
        /*/system-characteristics/security-sensitivity-level

Digital Identity Level (DIL) Determination

The digital identity level identified in the FedRAMP SSP template document, illustrated in the figure below, is expressed through the following core OSCAL properties.

OSCAL Representation

system-security-plan:
  system-characteristics:
    props:
      - name: identity-assurance-level
        value: 1
      - name: authenticator-assurance-level
        value: 1
      - name: federation-assurance-level
        value: 1

OSCAL Allowed Values

Valid IAL, AAL, and FAL values (as defined by NIST SP 800-63):

  • 1
  • 2
  • 3
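As an added example (not code from this page or from the FedRAMP/OSCAL project), the following Python check runs the XPath query from the FIPS-199 section and the allowed-value rules of both sections against a constructed OSCAL XML fragment. It assumes the OSCAL 1.0 XML namespace http://csrc.nist.gov/ns/oscal/1.0 and that the IAL, AAL and FAL properties appear as prop elements under system-characteristics; the sample SSP is constructed and contains only the elements the check reads, so it is not a schema-complete SSP.

```python
import xml.etree.ElementTree as ET

# OSCAL 1.0 XML namespace (assumed; taken from the OSCAL schemas, not from this page).
OSCAL_NS = {"oscal": "http://csrc.nist.gov/ns/oscal/1.0"}

# Allowed values as listed on the page.
SENSITIVITY_LEVELS = {"fips-199-low", "fips-199-moderate", "fips-199-high"}
ASSURANCE_PROPS = (
    "identity-assurance-level",
    "authenticator-assurance-level",
    "federation-assurance-level",
)
ASSURANCE_LEVELS = {"1", "2", "3"}

# Constructed sample SSP fragment: only the elements this check reads, deliberately
# carrying one out-of-range FAL value so the check has something to report.
SAMPLE_SSP = """\
<system-security-plan xmlns="http://csrc.nist.gov/ns/oscal/1.0">
  <system-characteristics>
    <system-id identifier-type="http://fedramp.gov">F00000000</system-id>
    <system-name>System's Full Name</system-name>
    <prop name="identity-assurance-level" value="2"/>
    <prop name="authenticator-assurance-level" value="2"/>
    <prop name="federation-assurance-level" value="4"/>
    <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
  </system-characteristics>
</system-security-plan>
"""


def read_levels(xml_text):
    """Return the sensitivity level and the three DIL props as a dict.

    The page's XPath, /*/system-characteristics/security-sensitivity-level, is written
    here in ElementTree's prefixed form: the parsed root element stands in for /*.
    """
    root = ET.fromstring(xml_text)
    levels = {}
    el = root.find("oscal:system-characteristics/oscal:security-sensitivity-level", OSCAL_NS)
    levels["security-sensitivity-level"] = None if el is None else (el.text or "").strip()
    for prop in root.findall("oscal:system-characteristics/oscal:prop", OSCAL_NS):
        if prop.get("name") in ASSURANCE_PROPS:
            levels[prop.get("name")] = prop.get("value")
    return levels


def check_ssp(xml_text):
    """Return a list of findings; an empty list means every value is allowed."""
    levels = read_levels(xml_text)
    findings = []
    level = levels["security-sensitivity-level"]
    if level is None:
        findings.append("security-sensitivity-level is missing")
    elif level not in SENSITIVITY_LEVELS:
        findings.append(f"security-sensitivity-level {level!r} is not an allowed value")
    for name in ASSURANCE_PROPS:
        value = levels.get(name)
        if value is None:
            findings.append(f"prop {name} is missing")
        elif value not in ASSURANCE_LEVELS:
            findings.append(f"prop {name} value {value!r} is not 1, 2 or 3")
    return findings


if __name__ == "__main__":
    for finding in check_ssp(SAMPLE_SSP) or ["no findings"]:
        print(finding)
```

Run against the constructed fragment, the check reports the federation-assurance-level value of 4 and nothing else; a missing security-sensitivity-level element is reported separately from a present but unlisted value, since the two need different fixes in the SSP.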

System Sensitivity Level

In addition to the security-sensitivity-level, you must supply impact levels for each security objective: confidentiality, integrity, and availability.

Each objective value corresponds to the highest impact level for that objective across all information types. For example, if two information types are described, one with a confidentiality impact level of fips-199-low and another with fips-199-moderate, the resulting value for security-objective-confidentiality must be fips-199-moderate.

The overall security-sensitivity-level must reflect the highest impact level across all three objectives.

OSCAL Representation

system-security-plan:
  system-characteristics:
    security-impact-level:
      security-objective-confidentiality: fips-199-moderate
      security-objective-integrity: fips-199-moderate
      security-objective-availability: fips-199-moderate

NOTES:

  • The identified System Sensitivity Level governs which FedRAMP baseline applies.
  • The system sensitivity level should match the highest security impact level for the system’s confidentiality, integrity, and availability objectives, but in rare exceptions (e.g., when the AO specifies and overrides the expected security sensitivity level), they may differ.
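The high-water-mark rule described under System Sensitivity Level, together with the AO-override note above, as an added Python example that is not code from this page or from the FedRAMP/OSCAL project. It derives each security-objective value as the highest level across all information types, derives the overall security-sensitivity-level from the three objectives, and compares both with the declared values. The InformationType shape, the two sample information types and the sample system-characteristics dict are constructed for the example; a sensitivity-level mismatch is reported as a finding rather than an error because the page says the AO may override the expected level.

```python
from dataclasses import dataclass

# Allowed values from the page, ordered from lowest to highest impact.
LEVELS = ("fips-199-low", "fips-199-moderate", "fips-199-high")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type with its per-objective FIPS-199 levels (constructed shape)."""
    title: str
    confidentiality: str
    integrity: str
    availability: str


# Constructed sample: two information types, mirroring the page's confidentiality example.
SAMPLE_INFORMATION_TYPES = [
    InformationType("Example Type A", "fips-199-low", "fips-199-low", "fips-199-moderate"),
    InformationType("Example Type B", "fips-199-moderate", "fips-199-low", "fips-199-low"),
]

# Constructed system-characteristics values, shaped like the page's YAML.
SAMPLE_SYSTEM_CHARACTERISTICS = {
    "security-sensitivity-level": "fips-199-moderate",
    "security-impact-level": {
        "security-objective-confidentiality": "fips-199-moderate",
        "security-objective-integrity": "fips-199-low",
        "security-objective-availability": "fips-199-moderate",
    },
}


def high_water_mark(values):
    """Highest FIPS-199 level among values; rejects anything outside the allowed set."""
    values = list(values)
    unknown = [v for v in values if v not in RANK]
    if unknown:
        raise ValueError(f"not an allowed impact level: {unknown}")
    return max(values, key=RANK.__getitem__)


def security_impact_level(information_types):
    """Per-objective high-water mark across all information types, keyed as in security-impact-level."""
    if not information_types:
        raise ValueError("at least one information type is required")
    return {
        f"security-objective-{obj}": high_water_mark(getattr(it, obj) for it in information_types)
        for obj in OBJECTIVES
    }


def expected_sensitivity_level(impact_level):
    """The overall level is the highest of the three objective levels."""
    return high_water_mark(impact_level.values())


def check_sensitivity(system_characteristics, information_types):
    """Compare declared values with the derived ones and return a list of findings."""
    derived = security_impact_level(information_types)
    declared_impact = system_characteristics.get("security-impact-level", {})
    findings = []
    for key, value in derived.items():
        if declared_impact.get(key) != value:
            findings.append(
                f"{key}: declared {declared_impact.get(key)!r}, information types imply {value!r}"
            )
    expected = expected_sensitivity_level(derived)
    declared = system_characteristics.get("security-sensitivity-level")
    if declared != expected:
        # Not an error: the page notes the AO may override the expected level.
        findings.append(
            f"security-sensitivity-level: declared {declared!r}, objectives imply {expected!r} "
            "(acceptable only with a documented AO override)"
        )
    return findings


if __name__ == "__main__":
    print(security_impact_level(SAMPLE_INFORMATION_TYPES))
    print(check_sensitivity(SAMPLE_SYSTEM_CHARACTERISTICS, SAMPLE_INFORMATION_TYPES) or "consistent")
```

With the two constructed information types the derivation yields confidentiality moderate, integrity low and availability moderate, so the overall level is moderate and the sample declaration passes with no findings; declaring a higher overall level produces a single finding that a reviewer would expect to see justified by the AO.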