FIPS 199
FIPS 199 (Federal Information Processing Standard 199) establishes the categories for classifying federal information and information systems based on the potential impact of a security breach. It defines three impact levels — Low, Moderate, and High — across three security objectives: confidentiality, integrity, and availability.
The categorization from FIPS 199 drives everything downstream in the Risk Management Framework (RMF) process: it determines which security controls apply to your system, how rigorously they must be implemented, and how thoroughly they'll be assessed. A system categorized as High impact gets significantly more security scrutiny than one categorized as Low.
Why It Matters
System categorization under FIPS 199 determines the security baseline for your system. Getting the categorization right is crucial — over-categorizing wastes resources, while under-categorizing leaves your system insufficiently protected and out of compliance.