Citations
NIST, Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories (NIST Special Publication 800-60) (Aug. 2008).
NIST, Volume 2: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories (NIST Special Publication 800-60) (Aug. 2008).
Overview
This guideline addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative).
It was developed to assist Federal government agencies to categorize information and information systems. The guideline's objective is to facilitate application of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system. The guideline and its appendices:
- Review the security categorization terms and definitions established by FIPS 199;
- Recommend a security categorization process;
- Describe a methodology for identifying types of Federal information and information systems;
- Suggest provisional security impact levels for common information types;
- Discuss information attributes that may result in variances from the provisional impact level assignment; and
- Describe how to establish a system security categorization based on the system’s use, connectivity, and aggregate information content.
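The categorization steps listed above (provisional impact levels per information type, documented adjustments for variances, and a system-level category built from the aggregate information content) can be expressed as a small program. The following is an added example written for this page; it is not code from NIST or SP 800-60. It applies the FIPS 199 high-water-mark rule per security objective, with the FIPS 199 constraint that an information system may not carry "not applicable" for any objective. The information types, provisional levels and adjustments are constructed for illustration and are not taken from the SP 800-60 Volume 2 appendices.

```python
"""High-water-mark security categorization in the style of FIPS 199 / SP 800-60.

Added example for this page. The information types, their provisional impact
levels and the adjustments are constructed for illustration only.
"""
from dataclasses import dataclass

# Ordering used for the high-water-mark comparison (FIPS 199 impact values).
IMPACT_RANK = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact level per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        return getattr(self, objective)


def max_impact(levels) -> str:
    """Return the highest impact value in `levels` (the high-water mark)."""
    return max(levels, key=lambda lv: IMPACT_RANK[lv])


def apply_adjustments(info_type: InfoType, adjustments: dict) -> InfoType:
    """Override provisional levels with documented adjustments for this type.

    SP 800-60 allows raising or lowering a provisional level based on attributes
    such as aggregation, legal requirements or mission criticality; the caller
    is expected to keep the rationale alongside the adjustment.
    """
    if info_type.name not in adjustments:
        return info_type
    fields = {obj: info_type.level(obj) for obj in OBJECTIVES}
    fields.update(adjustments[info_type.name])
    return InfoType(info_type.name, **fields)


def categorize_system(info_types, adjustments=None) -> dict:
    """Build the system security category from its information types.

    Per objective, take the high-water mark across all (adjusted) types. FIPS 199
    does not permit N/A for an information system, so an objective to which only
    N/A types contribute is floored at LOW.
    """
    adjustments = adjustments or {}
    adjusted = [apply_adjustments(it, adjustments) for it in info_types]
    sc = {}
    for obj in OBJECTIVES:
        hwm = max_impact(it.level(obj) for it in adjusted)
        sc[obj] = "LOW" if hwm == "N/A" else hwm
    return sc


def overall_impact(sc: dict) -> str:
    """Overall system impact level: the highest of the three objectives."""
    return max_impact(sc.values())


def format_sc(sc: dict) -> str:
    """Render in the FIPS 199 notation SC = {(objective, impact), ...}."""
    pairs = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample inventory (not from SP 800-60 Vol. 2).
SAMPLE_TYPES = [
    InfoType("public web content (constructed)", "N/A", "LOW", "LOW"),
    InfoType("personnel records (constructed)", "MODERATE", "MODERATE", "LOW"),
    InfoType("investigation case files (constructed)", "HIGH", "MODERATE", "LOW"),
]

# Constructed adjustment: availability raised because the records support a
# time-critical process (a variance of the kind SP 800-60 discusses).
SAMPLE_ADJUSTMENTS = {
    "personnel records (constructed)": {"availability": "MODERATE"},
}

if __name__ == "__main__":
    category = categorize_system(SAMPLE_TYPES, SAMPLE_ADJUSTMENTS)
    print(format_sc(category))
    print("Overall system impact level:", overall_impact(category))
```

Running the sample yields a MODERATE availability level only because of the documented adjustment; without it the high-water mark across the three constructed types would have left availability at LOW. Keeping the adjustment table separate from the provisional levels makes such variances visible at review time rather than buried in the final category.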