Appendix K: FIPS-199 Worksheet

The FIPS-199 Categorization in the FedRAMP SSP template, illustrated in the figure below, is expressed through the following core OSCAL property.

[Figure: FIPS-199 categorization page of the FedRAMP SSP template]

OSCAL Representation

<system-security-plan>
  <metadata>
    <!-- cut CSP Name -->
  </metadata>
  <system-characteristics>
    <!-- System Name & Abbreviation -->
    <system-name>System's Full Name</system-name>
    <system-name-short>System's Short Name or Acronym</system-name-short>
    <!-- FedRAMP Unique Identifier -->
    <system-id identifier-type="http://fedramp.gov">F00000000</system-id>
    <!-- cut Service Model -->
    <!-- cut Deployment Model -->
    <!-- cut DIL Determination -->

    <!-- FIPS PUB 199 Level (SSP Attachment 10) -->
    <security-sensitivity-level>fips-199-moderate</security-sensitivity-level>
    <!-- cut -->
  </system-characteristics>
  <!-- cut -->
</system-security-plan>

OSCAL Allowed Values

Valid values for security-sensitivity-level:

  • fips-199-low
  • fips-199-moderate
  • fips-199-high

XPath Queries

System Sensitivity Level:
        /*/system-characteristics/security-sensitivity-level

Additional Required Values Not Expressed

Digital Identity Level (DIL) Determination

The digital identity level identified in the FedRAMP SSP template, illustrated in the figure below, is expressed through the following core OSCAL properties.

system-security-plan:
  system-characteristics:
    props:
      # OSCAL property values are strings, so the levels are quoted to keep
      # the YAML parser from turning them into integers.
      - name: identity-assurance-level
        value: "1"
      - name: authenticator-assurance-level
        value: "1"
      - name: federation-assurance-level
        value: "1"

OSCAL Allowed Values

Valid IAL, AAL, and FAL values (as defined by NIST SP 800-63):

  • 1
  • 2
  • 3

System Sensitivity Level

In addition to the security-sensitivity-level, you must supply impact levels for each security objective: confidentiality, integrity, and availability.

Each objective value corresponds to the highest impact level for that objective across all information types. For example, if two information types are described, one with a confidentiality impact level of fips-199-low and another with fips-199-moderate, the resulting value for security-objective-confidentiality must be fips-199-moderate.

The overall security-sensitivity-level must reflect the highest impact level across all three objectives.

OSCAL Representation

system-security-plan:
  system-characteristics:
    security-impact-level:
      security-objective-confidentiality: "fips-199-moderate"
      security-objective-integrity: "fips-199-moderate"
      security-objective-availability: "fips-199-moderate"

NOTES:

  • The identified System Sensitivity Level governs which FedRAMP baseline applies.
  • See the Importing the FedRAMP Baseline section for more information about importing the appropriate FedRAMP baseline.
  • The system sensitivity level should match the highest security impact level for the system's confidentiality, integrity, and availability objectives, but in rare exceptions (e.g., when the AO specifies and overrides the expected security sensitivity level), they may differ.