Editing FIPS 199

== Citation ==

[[NIST]], Standards for Security Categorization of Federal Information and Information Systems ('''FIPS 199''') (Feb. 2004) ([http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf full-text]).

== Overview ==

FIPS 199 defines the [[security categories]], [[security objectives]], and impact levels to which [[NIST Special Publication 800-60]] maps [[information]] types. FIPS 199 establishes [[security categories]] based on the magnitude of harm expected to result from [[compromise]]s rather than on the results of an assessment that includes an attempt to determine the probability of [[compromise]]. FIPS 199 also describes the context of use for this guideline.

FIPS 199 is the mandatory standard to be used by all federal agencies to categorize all [[information]] and [[information system]]s [[collect]]ed or [[maintain]]ed by or on behalf of each agency based on the objectives of providing appropriate levels of [[information security]] according to impact. [[Security]] categorization standards for [[information]] and [[information system]]s provide a common framework and understanding for expressing [[security]] that, for the federal government, promotes: (i) effective management and oversight of [[information security]] programs, including the coordination of [[information security]] efforts throughout the civilian, [[national security]], emergency preparedness, [[homeland security]], and law enforcement communities; and (ii) consistent reporting to the [[Office of Management and Budget]] ([[OMB]]) and [[Congress]] on the adequacy and [[effectiveness]] of [[information security]] policies, procedures, and practices.

== Security categories ==

FIPS 199 establishes [[security categories]] for both information<ref>Information is categorized according to its information type. An information type is a specific category of [[information]] (e.g., [[privacy]], medical, [[proprietary]], financial, investigative, contractor sensitive, [[security management]]) defined by an organization or, in some instances, by a specific law, Executive Order, directive, policy, or regulation.</ref> and [[information system]]s. The security categories are based on the potential impact on an organization should certain events occur. The potential impacts could jeopardize the [[information]] and [[information system]]s needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. [[Security categories]] are to be used in conjunction with [[vulnerability]] and [[threat]] information in assessing the [[risk]] to an organization.

FIPS 199 establishes three potential levels of impact (low, moderate, and high) relevant to securing federal [[information]] and [[information system]]s for each of three stated security objectives ([[confidentiality]], [[integrity]], and [[availability]]).

[[File:Table_1.jpg|650px]]

== Impact assessment ==

FIPS 199 defines three levels of potential impact on organizations or individuals should there be a [[security breach|breach of security]] (i.e., a loss of [[confidentiality]], [[integrity]], or [[availability]]). The application of these definitions must take place within the context of each organization and the overall national interest. Table 2 provides FIPS 199 potential impact definitions.

[[File:Table_2.jpg|650px]]

In FIPS 199, the [[security category]] of an information type can be associated with both [[user information]] and [[system information]] and can be applicable to [[information]] in either [[electronic]] or non-electronic form. It is also used as [[input]] in considering the appropriate [[security]] category for a [[system]].

== References ==
<references />
[[Category:Publication]]
[[Category:Technology]]
[[Category:Security]]
[[Category:Standards]]
[[Category:2004]]