FIPS 199 is a federal standard published by the National Institute of Standards and Technology (NIST) that establishes how government agencies must categorize their information and information systems based on security risk. The core idea is straightforward: before you can protect something, you need to know how much damage would result if it were compromised. FIPS 199 provides a consistent framework for making that determination by evaluating potential impact across three security objectives and assigning a rating of low, moderate, or high.
Published in February 2004, FIPS 199 was created in response to the Federal Information Security Management Act (FISMA), which directed NIST to develop standards for securing government data. It applies to all federal information and information systems, with the exception of classified national security systems. Every federal agency is required to use FIPS 199 categorizations whenever a federal requirement calls for rating the security level of information or systems.
The Three Security Objectives
FIPS 199 evaluates risk through three security objectives that together cover the major ways information can be compromised:
- Confidentiality: Protecting information from unauthorized disclosure. A breach of confidentiality means someone who shouldn’t have access to certain data gets to see it. Think of leaked personal records or exposed financial data.
- Integrity: Protecting information from unauthorized modification or destruction. A loss of integrity means data has been changed or deleted without permission, which can undermine trust in that information. An example would be someone altering records in a financial database.
- Availability: Ensuring information and systems are accessible and usable when needed. A loss of availability means authorized users can’t get to the data or services they rely on, such as during a system outage caused by a cyberattack.
Each of these objectives is evaluated independently. A system might handle public information with no confidentiality concerns at all, but if that system going offline would disrupt critical operations, it could still receive a high impact rating for availability.
Low, Moderate, and High Impact Levels
For each of the three security objectives, FIPS 199 defines three potential impact levels based on the severity of consequences if something goes wrong.
A low impact rating means that a loss of confidentiality, integrity, or availability would have a limited adverse effect on the organization’s operations, assets, or on individuals. The agency could still carry out its primary functions, though with noticeably reduced effectiveness. Minor financial loss or minor harm to individuals might occur, but nothing severe.
A moderate impact rating means the adverse effect would be serious. The organization could still perform its primary mission, but operations would be significantly degraded. Moderate financial loss could result, or significant harm to individuals, though not loss of life or life-threatening injuries.
A high impact rating means the consequences would be severe or catastrophic. A breach at this level could cause a major loss of the agency’s ability to perform its mission, major financial damage, or severe harm to individuals, potentially including loss of life. Systems handling law enforcement data, emergency response coordination, or critical infrastructure controls often fall into this category.
How the Categorization Formula Works
FIPS 199 expresses a system’s security category using a structured format that captures the impact level for each objective separately. It looks like this:
Security Category = {(confidentiality, impact), (integrity, impact), (availability, impact)}
For example, a system that handles routine administrative information might be categorized as: {(confidentiality, low), (integrity, low), (availability, low)}. A system managing sensitive financial records could be: {(confidentiality, moderate), (integrity, high), (availability, moderate)}.
When it comes to determining the overall security category of the system as a whole, FIPS 199 uses what’s known as the high-water mark principle. The system’s overall category is determined by the highest impact level assigned across all three objectives. So if a system is rated low for confidentiality, low for availability, but high for integrity, the overall system category is high. This ensures that the most critical risk drives the level of protection the system receives.
For systems that process multiple types of information, the categorization considers all of them. If one type of information stored on a system has a high confidentiality impact while another has only low, the system inherits the higher rating. The most sensitive data on the system sets the floor for how the entire system must be protected.
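To make the formula and the high-water mark rules concrete, here is an added example (not from FIPS 199 or any NIST document) that computes a system's security category from the information types it handles. The information types and their impact levels are constructed sample data, not provisional levels from SP 800-60; the one extra rule it encodes, that "not applicable" is permitted only for the confidentiality of an information type and that a system's levels never drop below low, comes from FIPS 199 itself.

```python
# Added example: FIPS 199 categorization with the high-water mark applied
# per objective across information types, then across objectives.

# Impact levels in increasing order of severity. "not_applicable" is only
# permitted for the confidentiality of an information type (e.g. public data);
# an information system's own levels are never below "low".
LEVELS = ["not_applicable", "low", "moderate", "high"]
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample information types with hypothetical impact levels.
# In practice, provisional levels come from NIST SP 800-60 and are adjusted
# by the agency for its own mission context.
INFO_TYPES = {
    "public web content": {"confidentiality": "not_applicable",
                           "integrity": "low", "availability": "low"},
    "hr records":         {"confidentiality": "moderate",
                           "integrity": "moderate", "availability": "low"},
    "financial ledger":   {"confidentiality": "moderate",
                           "integrity": "high", "availability": "moderate"},
}

def rank(level):
    """Position of a level on the severity scale; rejects unknown values."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)

def high_water_mark(levels):
    """The most severe level among those given."""
    return max(levels, key=rank)

def categorize_system(info_types):
    """Per-objective high-water mark across every information type on the
    system, floored at 'low' because a system cannot be 'not applicable'."""
    category = {}
    for objective in OBJECTIVES:
        levels = [it[objective] for it in info_types.values()]
        if objective != "confidentiality" and "not_applicable" in levels:
            raise ValueError("not_applicable is only allowed for confidentiality")
        category[objective] = high_water_mark(levels + ["low"])
    return category

def overall_level(category):
    """Overall system category: the high-water mark across the three objectives."""
    return high_water_mark(category.values())

def format_category(category):
    """Render in the FIPS 199 notation used above."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return "Security Category = {" + pairs + "}"

if __name__ == "__main__":
    sc = categorize_system(INFO_TYPES)
    print(format_category(sc), "-> overall:", overall_level(sc))
```

Note that the public-only case shows the floor rule: a system holding nothing but public information still ends up at low for confidentiality, not "not applicable".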
Putting It Into Practice
FIPS 199 itself is deliberately short and principle-based. It tells agencies what to evaluate and how to express the result, but it doesn’t prescribe exactly how to decide whether a particular type of information warrants a low, moderate, or high rating. That practical guidance comes from a companion document: NIST Special Publication 800-60.
SP 800-60 provides a catalog of common federal information types, such as budget formulation, law enforcement, human resources, and healthcare data, along with recommended provisional impact levels for each. Agencies use SP 800-60 as a starting point, then adjust the recommended levels based on their own mission context and operational environment. If an agency’s specific use of a particular information type creates higher risk than the default recommendation, the agency raises the impact level accordingly.
Where FIPS 199 Fits in Federal Security
Security categorization under FIPS 199 is the first step in the broader FISMA compliance process. Once a system is categorized, that rating directly determines what happens next. FIPS 200, a companion standard, takes the FIPS 199 categorization and maps it to minimum security requirements. A system categorized as moderate overall, for instance, must meet a specific baseline of security controls that a low system would not.
Those security controls themselves are detailed in NIST SP 800-53, which provides a comprehensive catalog organized by control families like access control, audit logging, and incident response. The higher the FIPS 199 categorization, the more controls are required and the more rigorously they must be implemented. This cascade, from categorization to requirements to specific controls, is what makes FIPS 199 so foundational. Getting the categorization wrong means every downstream security decision is built on the wrong assumptions.
The standard also supports consistent reporting across the federal government. Because every agency uses the same framework and the same impact definitions, the Office of Management and Budget and Congress can compare security postures across agencies in a meaningful way. Without that common language, one agency’s “high priority system” might be another’s “moderate,” making oversight nearly impossible.
Who Needs to Know FIPS 199
FIPS 199 is mandatory for all federal agencies and applies to any contractor or service provider that handles federal information or operates federal systems. If you work in IT for a government agency, a defense contractor, or a cloud provider serving government clients, FIPS 199 categorization is likely part of your compliance requirements.
The standard is also a core topic in cybersecurity certifications such as the Certified Information Systems Security Professional (CISSP) and CompTIA Security+, where it’s tested as part of broader risk management and governance frameworks. Even outside the federal space, the categorization approach (evaluating confidentiality, integrity, and availability independently and letting the highest risk drive protection decisions) is a widely adopted model for thinking about information security in any organization.