Definition and purpose

FIPS 199 defines the criteria for categorizing information systems based on the impact level associated with the potential loss of confidentiality, integrity, or availability of those information systems or the information that it processes, stores, or transmits. This categorization is then used as a starting point for federal agencies to determine the appropriate security measures and controls for their information systems. 

FIPS 199 is designed to help federal agencies meet the requirements of FISMA and provide a common framework and understanding for expressing security. This promotes effective management and oversight of information security programs and consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices.

Governing Body

FIPS 199 was issued by the National Institute of Standards and Technology (NIST), which is an agency of the U.S. Department of Commerce. Under FISMA, NIST was tasked with developing and maintaining standards and guidelines for information security, including the FIPS publications.

Last updated

FIPS 199 was published in February 2004 and has not had any major updates.

Applies to

FIPS 199 applies to federal agencies that need to protect information and information systems that support their operations and assets.

Controls and requirements

FIPS 199 itself does not provide a specific list of security controls or requirements. Instead, it helps organizations categorize information systems based on the potential impact a loss of confidentiality, integrity, and/or availability would have on the organization’s operations, assets, or individuals. The three impact levels are: Low, Moderate, and High. Based on the impact level, organizations can then apply the appropriate set of baseline security controls in NIST Special Publication 800-53.

Please refer to the official FIPS 199 documentation for more information.

Audit type, frequency, and duration

Federal agencies subject to FIPS 199 are also subject to FISMA, which requires the inspector general or independent external auditor for each federal agency to perform an independent evaluation to determine the effectiveness of the information security policies, procedures, and practices supporting their agency’s information security programs annually.

Agencies are required to include the results of these evaluations in annual reports and submit them to OMB. OMB is then required to summarize the results in annual reports to Congress.