
How to Determine Cybersecurity Impact Level Using FIPS 199

The Federal Information Processing Standard (FIPS) 199 provides organizations and individuals with the guidance needed to determine a cybersecurity threat’s impact level accurately. These impact levels define the level of security a system should have in order to adequately protect the data it contains.

This article will take you through an overview of FIPS 199 and how it can help you understand the three categories of impact levels, define terms used in FIPS 199, assess the impact of a cybersecurity threat, and provide best practices for interpreting results and mitigating risk. 


What Is FIPS 199?

FIPS 199, titled “Standards for Security Categorization of Federal Information and Information Systems,” is a National Institute of Standards and Technology (NIST) publication that provides standards for categorizing information and information systems based on the potential impact on an organization should a security breach occur.

The foundation of the assessment of information systems is the CIA triad:

Organizations and individuals can use FIPS 199 to assess their security at any given time by evaluating potential threats against each component of the triad. By understanding what constitutes each category and how the categories differ in risk assessment, organizations can gauge their current security state more accurately. This knowledge can also inform decisions about which measures to take when responding to specific cybersecurity incidents or events.


The Three Impact Levels in FIPS 199

FIPS 199 outlines three categories of impact levels used for assessing cybersecurity risk. These categories range from low to high, each determined by the extent of harm that a potential cybersecurity threat could cause. Understanding these definitions is essential for organizations and individuals to assess their security posture accurately.

These impact levels are:

These levels appear across several frameworks, including critical federal regulations like FISMA and FedRAMP. Derivative security frameworks like StateRAMP also adopt these impact levels, slightly modified for their specific contexts.

Each impact level is defined through its relationship to the CIA triad. If a breach of confidentiality, integrity, or availability would have an impact corresponding to one of these three categories, then the IT system is categorized at that level.


How Are Impact Levels Determined?

FIPS 199 defines specific criteria for determining the impact level of an information system using the CIA triad and, in many cases, the judgment of experts analyzing the system.

The “generalized” format for determining the security category of an IT system is:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)}

This looks like a math equation, but it is really just a rubric for assessing a given system using specific values:

Each component of the CIA triad can have a designation of High, Moderate, or Low based on how the loss of that particular component will (pun intended) impact the functioning of that system and the pursuit of its mission.
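The rubric above can be made concrete in code. The following is an added example, not code from the original article or from Continuum GRC: it parses the FIPS 199 notation `SC = {(confidentiality, X), (integrity, Y), (availability, Z)}`, rolls several information types up into a system-level category by taking the highest value per objective (FIPS 199 calls this the "high water mark"), and then reduces the system category to the single Low/Moderate/High level that FISMA and FedRAMP use (the highest of the three objectives). The sample information types and their values are constructed for illustration; the `NA` value for confidentiality of public information follows FIPS 199, which permits it only for that objective.

```python
"""FIPS 199 security categorization, worked example (added illustration)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Impact values in FIPS 199 rank order. "NA" (not applicable) is permitted
# only for the confidentiality objective of public information.
RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """One SC triple: an impact value for each security objective."""
    confidentiality: str
    integrity: str
    availability: str

    def as_tuple(self) -> tuple[str, str, str]:
        return (self.confidentiality, self.integrity, self.availability)

    def __str__(self) -> str:
        pairs = ", ".join(f"({o}, {v})" for o, v in zip(OBJECTIVES, self.as_tuple()))
        return "SC = {" + pairs + "}"


# Matches one "(objective, value)" pair in the FIPS 199 notation.
_PAIR = re.compile(
    r"\(\s*(confidentiality|integrity|availability)\s*,\s*([A-Za-z/]+)\s*\)", re.I
)


def parse_sc(text: str) -> SecurityCategory:
    """Parse 'SC = {(confidentiality, X), (integrity, Y), (availability, Z)}'."""
    found: dict[str, str] = {}
    for objective, value in _PAIR.findall(text):
        value = value.upper().replace("N/A", "NA")
        if value not in RANK:
            raise ValueError(f"unknown impact value {value!r}")
        found[objective.lower()] = value
    missing = [o for o in OBJECTIVES if o not in found]
    if missing:
        raise ValueError(f"missing objectives: {missing}")
    # FIPS 199 allows NA for confidentiality only (public information);
    # integrity and availability always carry at least a LOW value.
    if found["integrity"] == "NA" or found["availability"] == "NA":
        raise ValueError("NA is only permitted for confidentiality")
    return SecurityCategory(**found)


def high_water_mark(*values: str) -> str:
    """Return the highest-ranked impact value among those given."""
    return max(values, key=RANK.__getitem__)


def system_category(info_types: list[SecurityCategory]) -> SecurityCategory:
    """System SC: per-objective high water mark over all information types it handles."""
    return SecurityCategory(
        *(high_water_mark(*(getattr(sc, o) for sc in info_types)) for o in OBJECTIVES)
    )


def overall_impact_level(sc: SecurityCategory) -> str:
    """Single system impact level (LOW/MODERATE/HIGH): the highest objective value."""
    return high_water_mark(*sc.as_tuple())


if __name__ == "__main__":
    # Constructed sample: a system that processes two information types.
    contract_info = parse_sc(
        "SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}"
    )
    routine_admin = parse_sc(
        "SC = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}"
    )
    system = system_category([contract_info, routine_admin])
    print(system)                          # per-objective high water mark
    print(overall_impact_level(system))    # MODERATE
```

The per-objective roll-up matters in practice: a system that handles mostly low-impact data is still categorized Moderate as soon as one information type it processes carries a Moderate value for any objective, which is exactly the point at which a different control baseline applies.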

The process of assessing each category includes some basic and rather broad steps, including:

Depending on the data and context, this rubric will change. Consider these examples:

Note that these categories typically do not apply to SECRET information used in operations within the Department of Defense or agencies within the federal government’s executive branch. In those cases, the information is handled according to its classification, with its own set of technologies, regulations, and requirements.


Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.

