Appendix K: FIPS-199 Worksheet

system security plan FIPS-199 categorization page image

The FIPS-199 Categorization inworksheet ~~the~~is ~~FedRAMP~~an ~~SSP~~inventory ~~template,~~of ~~illustrated~~information types in the ~~figure~~system, ~~below,~~based on NIST SP 800-60 Volume 2.

Create one entry under information-types for each information type.

For each information type:
- Assign a uuid
- Assign the NIST SP 800-63 information type name to the title
- description is ~~expressed~~a ~~through~~required OSCAL field that is not acknowledged by FedRAMP. Consider offering context or citing 800-60.
- The categorizations array should have one entry that includes:
  - system set to "http://doi.org/10.6028/NIST.SP.800-60v2r1"
  - the information-type-ids arraqy should have one entry
    - Use the ~~following~~NIST ~~core~~SP ~~OSCAL~~800-60 ~~property.~~invormation type ID
    - Exactly match the case as it appears in 800-60. (e.g., C.2.3.1 or D.15.5)
- The confidentiality-impact must have:
  - a base field with the value defined in 800-60.
  - a selected field with the value selected by the CSP.
  - If the value in selected does not match the value in base, use adjustment-justification to capture the "Statement for Impact Adjustment Justification"
  - base and selected values must be one of fips-199-low, fips-199-moderate or fips-199-high
- integrity-impact and availability-impactare treated the same asconfidentiality-impact` above.

Other information types or categorizations may be present if the SSP also represents compliance with other frameworks; however, the US Government must operate under NIST RMF and will only recognize the NIST SP 800-60 types.

OSCAL Representation

system-security-plan:
  system-characteristics:
    system-name:information:
      System'sinformation-types:
        Full- uuid: 11111111-2222-4000-8000-006000000001
          title: Information Type Name
          system-name-short:description: System'sA Shortdescription Nameof orthe Acronyminformation.
          system-categorizations:
          - system: http://doi.org/10.6028/NIST.SP.800-60v2r1
            information-type-ids:
            - identifier-type:C.2.4.1
          http://fedramp.govconfidentiality-impact:
            id: F00000000
    security-sensitivity-level:base: fips-199-moderate
            selected: fips-199-moderate
            adjustment-justification: Required if the base and selected values do not
              match.
          integrity-impact:
            base: fips-199-moderate
            selected: fips-199-low
            adjustment-justification: Required if the base and selected values do not
              match.
          availability-impact:
            base: fips-199-moderate
            selected: fips-199-moderate
            adjustment-justification: Required if the base and selected values do not
              match.

OSCAL Allowed Values

Reqired value for system:

http://doi.org/10.6028/NIST.SP.800-60v2r1

Valid values for ~~security-sensitivity-level:~~base and selected fields:

fips-199-low
fips-199-moderate
fips-199-high

XPath Queries

System Sensitivity Level:
        /*/system-characteristics/security-sensitivity-level

Digital Identity Level (DIL) Determination

~~The digital identity level identified in the FedRAMP SSP template document, illustrated in the figure below, isexpressed through the following core OSCAL properties.~~

system-security-plan:
  system-characteristics:
  props:
    - name: identity-assurance-level
      value: 1
    - name: authenticator-assurance-level
      value: 1
    - name: federation-assurance-level
      value: 1

~~OSCAL Allowed Values~~

~~Valid IAL, AAL, and FAL values (as defined by NIST SP 800-63):~~

System Sensitivity Level

~~In addition to the~~ security-sensitivity-level~~, you must supply impact levels for each security objective: confidentiality, integrity, and availability.~~

~~Each objective value corresponds to the highest impact level for that objective across all~~ ~~information types. For example, if two information types are described, one with a confidentiality impact level of~~ fips-199-low ~~and another with~~ fips-199-moderate~~, the resulting value for~~ security-objective-confidentiality ~~must be~~ fips-199-moderate.

~~The overall~~ security-sensitivity-level ~~must reflect the highest impact level across all three objectives.~~

~~OSCAL Representation~~

system-security-plan:
  system-characteristics:
    security-impact-level:
      security-objective-confidentiality: fips-199-moderate
      security-objective-integrity: fips-199-moderate
      security-objective-availability: fips-199-moderate

~~NOTES:~~

~~The identified System Sensitivity Level governs which FedRAMP baseline applies.~~

The system sensitivity level should match the highest security impact level for the system’s confidentiality, integrity, and availability objectives, but in rare exceptions (e.g., when the AO specifies and overrides the expected security sensitivity level), they may differ.