
Appendix K: FIPS-199 Worksheet

[Image: system security plan FIPS-199 categorization page]

The FIPS-199 Categorization worksheet is an inventory of information types in the system, based on NIST SP 800-60 Volume 2.

  • Create one entry under information-types for each information type.
  • For each information type:
    • Assign a uuid
    • Assign the NIST SP 800-60 information type name to the title
    • description is a required OSCAL field that is not acknowledged by FedRAMP. Consider offering context or citing 800-60.
    • The categorizations array should have one entry that includes:
      • system set to "http://doi.org/10.6028/NIST.SP.800-60v2r1"
      • the information-type-ids array should have one entry
        • Use the NIST SP 800-60 information type ID
        • Exactly match the case as it appears in 800-60. (e.g., C.2.3.1 or D.15.5)
    • The confidentiality-impact must have:
      • a base field with the value defined in 800-60.
      • a selected field with the value selected by the CSP.
      • If the value in selected does not match the value in base, use adjustment-justification to capture the "Statement for Impact Adjustment Justification"
      • base and selected values must be one of fips-199-low, fips-199-moderate or fips-199-high
    • integrity-impact and availability-impact are treated the same as confidentiality-impact above.

Other information types or categorizations may be present if the SSP also represents compliance with other frameworks; however, the US Government must operate under NIST RMF and will only recognize the NIST SP 800-60 types.

OSCAL Representation

system-security-plan:
  system-characteristics:
    system-information:
      information-types:
        - uuid: 11111111-2222-4000-8000-006000000001
          title: Information Type Name
          description: A description of the information.
          categorizations:
          - system: http://doi.org/10.6028/NIST.SP.800-60v2r1
            information-type-ids:
            - C.2.4.1
          confidentiality-impact:
            base: fips-199-moderate
            selected: fips-199-moderate
            adjustment-justification: Required if the base and selected values do not
              match.
          integrity-impact:
            base: fips-199-moderate
            selected: fips-199-low
            adjustment-justification: Required if the base and selected values do not
              match.
          availability-impact:
            base: fips-199-moderate
            selected: fips-199-moderate
            adjustment-justification: Required if the base and selected values do not
              match.


OSCAL Allowed Values

Required value for system:

  • http://doi.org/10.6028/NIST.SP.800-60v2r1

Valid values for base and selected fields:

  • fips-199-low
  • fips-199-moderate
  • fips-199-high
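
The rules above can be checked mechanically before an SSP is submitted. The following is an added example, not FedRAMP's own tooling: the function name, the ID pattern (inferred from the IDs shown on this page) and the choice to ignore categorizations for other systems are assumptions, and the sample entry is constructed from the YAML above.

```python
import re
import uuid

SYSTEM = "http://doi.org/10.6028/NIST.SP.800-60v2r1"
LEVELS = {"fips-199-low", "fips-199-moderate", "fips-199-high"}
IMPACTS = ("confidentiality-impact", "integrity-impact", "availability-impact")
# Assumed ID shape, inferred from the page's examples (C.2.3.1, D.15.5, C.2.4.1).
ID_RE = re.compile(r"[A-Z](\.\d+)+")


def check_information_type(it):
    """Return rule violations for one entry; other systems' categorizations are ignored."""
    errs = []
    try:
        uuid.UUID(str(it.get("uuid")))
    except ValueError:
        errs.append("uuid missing or malformed")
    for field in ("title", "description"):
        if not it.get(field):
            errs.append(f"{field} is required")
    cats = [c for c in it.get("categorizations", []) if c.get("system") == SYSTEM]
    if len(cats) != 1:
        errs.append("need exactly one categorization with the 800-60 system")
    else:
        ids = cats[0].get("information-type-ids", [])
        if len(ids) != 1 or not ID_RE.fullmatch(str(ids[0])):
            errs.append("need exactly one 800-60 information type ID, case as published")
    for name in IMPACTS:
        impact = it.get(name) or {}
        base, selected = impact.get("base"), impact.get("selected")
        if base not in LEVELS or selected not in LEVELS:
            errs.append(f"{name}: base/selected must be a fips-199-* value")
        elif base != selected and not impact.get("adjustment-justification"):
            errs.append(f"{name}: adjustment-justification required")
    return errs


# Constructed sample mirroring the page's YAML; integrity is adjusted with no justification.
SAMPLE = {
    "uuid": "11111111-2222-4000-8000-006000000001",
    "title": "Information Type Name",
    "description": "A description of the information.",
    "categorizations": [{"system": SYSTEM, "information-type-ids": ["C.2.4.1"]}],
    "confidentiality-impact": {"base": "fips-199-moderate", "selected": "fips-199-moderate"},
    "integrity-impact": {"base": "fips-199-moderate", "selected": "fips-199-low"},
    "availability-impact": {"base": "fips-199-moderate", "selected": "fips-199-moderate"},
}

if __name__ == "__main__":
    print("\n".join(check_information_type(SAMPLE)))
```

Run against the constructed sample, the check reports only the integrity-impact entry, where selected differs from base and no justification is given.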