How to Determine Cybersecurity Impact Level Using FIPS 199

fips 199 featured

The Federal Information Processing Standard (FIPS) 199 provides organizations and individuals with the necessary guidance to determine a cybersecurity threat’s impact level accurately. These impact levels define the level of security a system should have to protect the data contained therein adequately. 

This article will take you through an overview of FIPS 199 and how it can help you understand the three categories of impact levels, define terms used in FIPS 199, assess the impact of a cybersecurity threat, and provide best practices for interpreting results and mitigating risk. 


What Is FIPS 199?

FIPS 199, titled “Standards for Security Categorization of Federal Information and Information Systems,” is a National Institute of Standards and Technology (NIST) publication providing standards for categorizing information and information systems based on the potential impact on an organization should a security breach.

The foundation of the assessment of information systems is the CIA triad:

  • Confidentiality: Confidentiality refers to the privacy of information and serves as the basis for most of our understanding of cybersecurity. It calls for basic protections against unauthorized viewing or access to data: encryption, perimeter security, and access controls (as just a few examples.
  • Integrity: It’s critical that, as data moves through an IT system, it remains unchanged. Integrity refers to the ability of a system to determine the integrity of data against corruption, tampering, or other changes that impact how it’s used. 
  • Availability: Data must be accessible to the individuals that need to use it without sacrificing integrity or confidentiality. This includes accessibility for users via online interfaces and access capabilities for employees and third parties authorized to use it as part of their jobs. 

Organizations and individuals can use FIPS 199 to assess their security at any given time by evaluating potential threats in these four categories. Organizations can more accurately gauge their current security state by understanding what constitutes each category and how they differ in risk assessment. Additionally, this knowledge can help inform decisions regarding which measures should be taken when responding to specific cybersecurity incidents or events.


The Three Impact Levels in FIPS 199

fips 199

FIPS 199 outlines three categories of impact levels used for assessing cybersecurity risk. These categories range from low to very high, each determined by the extent of harm that a potential cybersecurity threat could cause. Understanding these definitions is essential for organizations and individuals to assess their security posture accurately.

These impact levels are:

  • Low Impact: A threat with the potential for limited damage or adverse effect on organizational operations, assets, or individuals
  • Moderate Impact: A threat with a potential for widespread damage or adverse effect on organizational operations, assets, or individuals
  • High Impact: A threat with a potential for severe damage or adverse effect on organizational operations, assets, or individuals

These levels play across several frameworks, including critical federal regulations like FISMA and FedRAMP. Additionally, derivative security frameworks like StateRAMP will adopt these impact levels, slightly modified for their specific contexts. 

Each impact level exists through its relationship to the CIA triad. If a breach of confidentiality, integrity, or accessibility would have a significant impact in line with these three categories, then the IT system is categorized this way. 


How Are Impact Levels Determined?

FIPS 199 defines specific criteria for determining the impact level of a control or control system utilizing the CIA triad and, in many cases, the judgment of experts analyzing the system.

The “generalized” format for determining the security category of an IT system is:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

This looks like a math equation, but it’s really just a rubric for assessing a given system using specific values:

  • SC information system is the “security category” of the IT system assessed.
  • Confidentiality, integrity, and availability refer to their CIA triad designations.
  • Impact is the assessed impact level of that particular component. So, for example, you may have (confidentiality, high) or (availability, moderate).

Each component of the CIA triad can have a designation of High, Moderate, or Low based on how the loss of that particular component will (pun intended) impact the functioning of that system and the pursuit of its mission.

The process of assessing each category includes some basic and rather broad steps, including:

  • Definition of Information Types: Information types refer to specific categories or classifications of information an organization manages, processes, stores, or transmits. These types can be associated with user information (financial data, medical records) and system-specific information (system logs, configuration data).
  • Determining Potential Impact: The potential impact values for the three security objectives (Confidentiality, Integrity, and Availability) are assessed for each information type. The potential impact is defined as the magnitude of harm expected to result from the consequences of unauthorized disclosure, modification, or destruction of information.
  • Importance of Categorization: Organizations can prioritize their security efforts by categorizing information types based on their security needs. For instance, information types with a high impact on confidentiality might require more robust encryption methods. In contrast, those with a high impact on availability might need robust backup and recovery solutions.

    Depending on the data and context, this rubric will change. Consider these examples:

    • Medical Records: Threats to these records will likely impact confidentiality because unauthorized disclosure could violate privacy laws and harm individuals. They might also significantly impact integrity because altering medical data can have life-threatening consequences. Availability might be moderate if the records are essential but only needed after some time.
    • Content on the Web: Challenges for user-facing web content might have a low impact on confidentiality since it’s publicly accessible but a moderate impact on integrity to ensure the information presented is accurate. Availability might be high if it’s crucial for the organization’s operations or reputation.

    Note that these categories typically will not apply to SECRET information used in operations within the Department of Defense or agencies within the federal government’s executive branch. In these cases, such information follows its classification with its own set of technologies, regulations, and requirements.


    Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

    • FedRAMP
    • StateRAMP
    • GDPR
    • NIST 800-53
    • FARS NIST 800-171
    • CMMC
    • SOC 1, SOC 2
    • HIPAA
    • PCI DSS 4.0
    • IRS 1075
    • COSO SOX
    • ISO 27000 Series
    • ISO 9000 Series

    And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

    Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

    Download our company brochure.

    Continuum GRC