Chapter 4 of 10
Module 4: Impact Levels and Information Types (FIPS 199 & NIST SP 800‑60)
Connect data classification to impact levels and information types that drive technical and procedural safeguards for federal systems.
Step 1 – Why Impact Levels Matter (Connecting to CUI & Classification)
In Modules 2 and 3 you saw:
- National security classification (Confidential, Secret, Top Secret)
- Controlled Unclassified Information (CUI) for sensitive but unclassified data
For federal IT systems, security planning doesn’t start with those labels. It starts with impact levels from FIPS 199 and information types from NIST SP 800‑60.
These two documents answer:
- How bad would it be if this information were compromised? → Impact level (Low / Moderate / High) for confidentiality, integrity, availability.
- What kind of information is this? → Information type (e.g., “Human Resources,” “Taxation,” “Health Care Services”) from NIST SP 800‑60.
Those answers then drive:
- Which NIST SP 800‑53 control baseline (Low, Moderate, High) you start from
- What technical safeguards (encryption, logging, redundancy) you must implement
- What procedural safeguards (background checks, incident response, training) are required
Key connection to CUI:
- Almost all CUI in federal systems is expected to have at least Moderate confidentiality impact under FIPS 199.
- That means: if you see CUI, think “this system’s confidentiality rating is at least Moderate.”
In this module, you’ll learn how to:
- Read and apply FIPS 199 impact levels
- Use NIST SP 800‑60 to map real-world data to impact levels
- See how those choices affect security controls and architectures
Step 2 – FIPS 199: The Three Security Objectives
FIPS 199 (Federal Information Processing Standard 199) defines how federal agencies categorize information and information systems. It focuses on three security objectives:
- Confidentiality
Protecting information from unauthorized access and disclosure.
- Example: Protecting PII in a benefits system from being viewed by outsiders.
- Integrity
Guarding against improper modification or destruction of data.
- Example: Preventing an attacker from changing tax records or case notes.
- Availability
Ensuring timely and reliable access to information and systems.
- Example: Keeping a health benefits portal online so patients can access services.
For each objective, you assign an impact level:
- Low
- Moderate
- High
So a system might be:
- Confidentiality: Moderate
- Integrity: High
- Availability: Low
This is often written as: M–H–L (C–I–A).
Step 3 – FIPS 199 Impact Levels (Low, Moderate, High)
FIPS 199 defines impact in terms of harm to an organization, individuals, or the nation if a security objective is compromised.
1. Low Impact
> The loss of C, I, or A could be expected to have a limited adverse effect.
Examples:
- Minor inconvenience, limited downtime
- Small financial loss, no serious legal issues
Sample system:
- Publicly available brochure website for an agency (no PII, no mission-critical services)
2. Moderate Impact
> The loss of C, I, or A could be expected to have a serious adverse effect.
Examples:
- Significant operational disruption
- Harm to individuals (e.g., identity theft), but not catastrophic
- Noticeable financial loss or legal consequences
Sample system:
- Case management system with PII and CUI (e.g., veterans’ benefits, student aid)
3. High Impact
> The loss of C, I, or A could be expected to have a severe or catastrophic adverse effect.
Examples:
- Major mission failure
- Loss of life or serious life-threatening injuries
- Massive financial loss, severe legal or diplomatic consequences
Sample system:
- System coordinating emergency response resources or critical infrastructure controls
Important nuance (current practice):
- The overall system categorization is the highest impact among C, I, and A.
- If C = Moderate, I = Moderate, A = High ⇒ System is High.
- Many CUI systems end up Moderate overall; some specific mission or safety-critical systems can be High.
Step 4 – Quick CIA Impact Exercise
For each scenario, decide whether the impact on confidentiality would most likely be Low, Moderate, or High if the data were breached.
- Public FAQ website for an agency. All content is meant to be public.
- What is the confidentiality impact level? Why?
- System holding names, addresses, and Social Security Numbers of federal employees.
- What is the confidentiality impact level? Why?
- System controlling water treatment settings for a large city.
- What is the confidentiality impact level if the control interface is exposed? Why?
Take 1–2 minutes and write down your answers. Then compare them to this reasoning:
- Scenario 1: Likely Low – data is already public; disclosure has limited impact.
- Scenario 2: Likely Moderate (or even High in some cases) – PII exposure can cause serious harm (identity theft, fraud).
- Scenario 3: Confidentiality might be High – if attackers see system details, they may manipulate operations and cause severe public health/safety issues.
Step 5 – NIST SP 800‑60: Information Types and Why They Matter
NIST Special Publication 800‑60 (Volumes 1 & 2) provides a catalog of federal information types and suggests typical impact levels for them.
As of late 2025, agencies use the Rev. 1 volumes, plus updated guidance and mappings from OMB and NIST, to:
- Identify what kind of information a system processes (e.g., “Human Resources – Employee Records”).
- Use NIST’s recommended impact levels (Low/Moderate/High for C, I, A) as a starting point.
- Adjust impact levels based on the agency’s specific mission and context.
Examples of information type families in SP 800‑60:
- Management and Support (e.g., Budgeting, Human Resources)
- Mission-Based (e.g., Health Care Services, Law Enforcement, Emergency Response)
- Administrative (e.g., Legal Affairs, Public Affairs)
Each type has a code and description, plus suggested impact levels. For example (simplified):
- Human Resources – Employee Records: often Moderate confidentiality because of PII.
- Public Affairs – Press Releases: often Low confidentiality, but availability may be Moderate if timely access is important.
Why this matters:
- Instead of guessing impact levels from scratch, you map your system to information types in SP 800‑60 and inherit typical impact levels.
- This mapping is a key step in the FIPS 199 security categorization process used in federal ATO (Authorization to Operate).
Step 6 – Example: Mapping a CUI System with NIST SP 800‑60
Imagine you are assessing a web-based case management system for a federal benefits program. It stores:
- Applicant PII (names, SSNs, addresses)
- Benefit eligibility decisions
- Some CUI related to program integrity investigations
Step 1 – Identify information types (SP 800‑60):
- Human Resources / Personnel Management? No, these are not agency staff.
- General Government – Benefits Management? Yes, fits well.
- Law Enforcement / Program Integrity? Possibly, for the investigative CUI subset.
You might map to:
- “General Government – Benefits Management” information type
- “Law Enforcement – Investigative Information” for the CUI investigative data
Step 2 – Use SP 800‑60 suggested impact levels (simplified):
- Benefits Management: often Moderate C, Moderate I, Moderate A
- Investigative Information: often Moderate or High C, Moderate or High I, Moderate A
Step 3 – Adjust based on CUI and mission:
- Because the system stores CUI, confidentiality is at least Moderate.
- If exposure of investigative CUI could compromise law enforcement operations or safety, you might justify High confidentiality.
- Integrity may be High if incorrect decisions could deny critical benefits to vulnerable populations.
- Availability might be Moderate if downtime is serious but not life-threatening.
A possible final categorization:
- Confidentiality: High (CUI, investigative data)
- Integrity: High (mission-critical decisions)
- Availability: Moderate
Overall system impact level: High (because you take the highest of C, I, A).
This directly drives which control baseline you use in NIST SP 800‑53 (High baseline instead of Moderate).
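As an added example (not part of the course material), the following Python helper walks the Step 6 procedure end to end: the per-objective high-water mark across the mapped SP 800‑60 information types, documented mission adjustments, the CUI confidentiality floor from Step 1, and the overall level that selects the SP 800‑53 baseline. The information type names and provisional levels are the simplified values quoted above, not an authoritative SP 800‑60 extract, and the helper generalizes to any number of information types on one system.

```python
"""FIPS 199 categorization helper (added example, not part of the course).
Type names and provisional levels are the simplified values the module quotes,
not an authoritative SP 800-60 extract."""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")
RANK = {lvl: n for n, lvl in enumerate(LEVELS)}


@dataclass
class InfoType:
    name: str
    c: str                 # provisional C, I, A impact for this SP 800-60 type
    i: str
    a: str
    is_cui: bool = False


def _highest(levels):
    return max(levels, key=RANK.__getitem__)


def categorize(info_types, adjustments=None):
    """Return {"C","I","A","overall","baseline","notes"}; adjustments = {obj: (level, why)}."""
    notes = []
    # 1. Per-objective high-water mark across every information type on the system.
    levels = {obj: _highest(getattr(t, obj.lower()) for t in info_types)
              for obj in ("C", "I", "A")}
    # 2. Mission-based adjustments (FIPS 199 lets you raise or lower the provisional
    #    level); each is recorded with its rationale for the categorization record.
    for obj, (lvl, why) in (adjustments or {}).items():
        if lvl not in RANK:
            raise ValueError(f"unknown impact level {lvl!r}")
        notes.append(f"{obj}: {levels[obj]} -> {lvl} ({why})")
        levels[obj] = lvl
    # 3. CUI floor: a system that processes CUI is never Low confidentiality.
    if any(t.is_cui for t in info_types) and RANK[levels["C"]] < RANK["Moderate"]:
        notes.append("C raised to Moderate: system processes CUI")
        levels["C"] = "Moderate"
    # 4. Overall impact is the highest of C, I, A; the SP 800-53 baseline follows it.
    overall = _highest(levels.values())
    return {**levels, "overall": overall, "baseline": f"{overall} baseline", "notes": notes}


# The Step 6 system: benefits case management holding investigative CUI (constructed input).
BENEFITS_SYSTEM = [
    InfoType("General Government - Benefits Management", "Moderate", "Moderate", "Moderate", is_cui=True),
    InfoType("Law Enforcement - Investigative Information", "Moderate", "Moderate", "Moderate", is_cui=True),
]
STEP6_ADJUSTMENTS = {
    "C": ("High", "exposure of investigative CUI could compromise operations or safety"),
    "I": ("High", "incorrect decisions could deny critical benefits"),
}

if __name__ == "__main__":
    print(categorize(BENEFITS_SYSTEM, STEP6_ADJUSTMENTS))
```

The `notes` list is the audit trail an assessor would carry into the categorization record: every departure from the provisional SP 800‑60 level is stated with its justification.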
Step 7 – Relationship Between CUI and Impact Levels
From Module 3, you know CUI is sensitive but unclassified information that requires safeguarding and dissemination controls.
Key current practice (as of 2025):
- Federal guidance (including NARA CUI guidance and DoD/OMB interpretations) generally treats CUI as requiring at least Moderate confidentiality.
- That means:
- If your system processes CUI, FIPS 199 Confidentiality = Moderate or High.
- It would be incorrect to categorize a CUI system with Low confidentiality.
Examples:
- CUI – Controlled Technical Information (CTI) about a weapons component
- Likely High confidentiality (serious national security/competitive harm if leaked).
- CUI – Sensitive but routine PII (e.g., student loan records)
- Typically Moderate confidentiality.
- CUI – Law Enforcement Sensitive data
- Often High confidentiality if revealing it could endanger people or operations.
Important nuance:
- CUI status mainly affects confidentiality.
- Integrity and availability are driven more by mission impact (e.g., safety, economic harm, legal obligations), not by the CUI label alone.
So when you see CUI:
- Immediately think: Confidentiality ≥ Moderate.
- Then analyze Integrity and Availability separately based on the mission and SP 800‑60 information type mappings.
Step 8 – Quick Quiz: CUI and Impact Levels
Apply what you’ve learned about CUI and impact levels.
A federal system processes CUI related to routine grant applications (PII, financial info). What is the **lowest reasonable** FIPS 199 confidentiality impact level?
- A) Low
- B) Moderate
- C) High
Answer: B) Moderate
Because the system processes **CUI**, confidentiality must be **at least Moderate**. Many grant systems may justify Moderate; High would be reserved for cases where compromise could cause severe or catastrophic harm.
Step 9 – From Impact Levels to Control Baselines (NIST SP 800‑53)
Once a system’s impact levels are set using FIPS 199 and NIST SP 800‑60, agencies select a control baseline from NIST SP 800‑53 (currently Rev. 5 in federal use):
- Low baseline – For systems with overall Low impact
- Moderate baseline – For systems with overall Moderate impact
- High baseline – For systems with overall High impact
What changes between baselines?
- Number and strength of controls increase from Low → Moderate → High
- Examples:
- Access Control (AC): High systems require stricter account management, more granular roles, and more frequent reviews.
- Audit & Accountability (AU): High systems need more detailed logging, longer retention, and more frequent log review.
- Contingency Planning (CP): High systems need more robust backup, redundancy, and tested disaster recovery.
Concrete example:
- A Low system might only require basic backups and simple incident reporting.
- A High system (e.g., life-safety critical) may require:
- Geographically separated data centers
- Real-time replication
- Strict change control and continuous monitoring
So, your impact level decisions directly determine how much security work, cost, and complexity will be required. Under‑categorizing creates risk; over‑categorizing wastes resources.
Step 10 – Thought Exercise: Categorize and Choose a Baseline
You’re given three systems. For each, estimate the overall impact level and which NIST SP 800‑53 baseline is appropriate.
- Public Information Portal
- Provides agency press releases, FAQs, and public reports.
- No login, no PII, no CUI.
- HR System for Federal Employees
- Stores PII, salary, performance reviews (CUI), and benefits info.
- Wrong data could affect pay and benefits, but not life safety.
- Emergency Response Coordination System
- Used to coordinate federal response to major disasters.
- Downtime or tampering could delay rescue operations and risk lives.
Your task: For each system, write down:
- CIA impact levels (Low/Moderate/High)
- Overall impact level
- Corresponding NIST SP 800‑53 baseline (Low/Moderate/High)
Then compare with this reasoning:
- Public Information Portal
- C: Low (public data)
- I: Low or Moderate (wrong info is bad but not catastrophic)
- A: Moderate (public relies on timely info, but not life-critical)
- Overall: Moderate → Moderate baseline (some agencies might justify Low if impact is truly limited)
- HR System
- C: Moderate (CUI, PII)
- I: Moderate (pay/benefit errors are serious)
- A: Moderate (employees need timely access, but not life-critical)
- Overall: Moderate → Moderate baseline
- Emergency Response Coordination
- C: Moderate or High (some data may be sensitive, but main risk is I/A)
- I: High (wrong info could lead to deadly decisions)
- A: High (downtime during an event could cost lives)
- Overall: High → High baseline
Step 11 – Flashcards: Key Terms and Mappings
Flip the cards to review the key concepts from this module.
- FIPS 199
- A federal standard that defines how to categorize information and information systems by assigning Low, Moderate, or High impact levels to confidentiality, integrity, and availability.
- NIST SP 800‑60
- NIST guidance that lists federal information types and provides typical Low/Moderate/High impact level mappings for confidentiality, integrity, and availability.
- Confidentiality (FIPS 199)
- The security objective that protects information from unauthorized disclosure. Loss of confidentiality means someone sees data they should not.
- Integrity (FIPS 199)
- The security objective that protects information from unauthorized or improper modification or destruction. Loss of integrity means data is corrupted, altered, or unreliable.
- Availability (FIPS 199)
- The security objective that ensures timely and reliable access to information and systems. Loss of availability means systems or data are not accessible when needed.
- Low Impact
- A loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, assets, individuals, or the nation.
- Moderate Impact
- A loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, assets, individuals, or the nation.
- High Impact
- A loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, individuals, or the nation.
- CUI and Confidentiality
- Controlled Unclassified Information (CUI) in federal systems is generally expected to have at least Moderate confidentiality impact; Low confidentiality is not appropriate for CUI systems.
- Control Baseline (NIST SP 800‑53)
- A predefined set of security and privacy controls (Low, Moderate, High) selected based on a system’s overall impact level from the FIPS 199 categorization.
Step 12 – Final Check: Putting It All Together
Test your understanding of how FIPS 199, NIST SP 800‑60, and CUI fit together.
Which of the following best describes the **correct sequence** for categorizing a federal information system and selecting controls?
- A) Identify CUI → Choose NIST SP 800‑53 baseline → Assign FIPS 199 impact levels → Map to NIST SP 800‑60 information types
- B) Assign FIPS 199 impact levels (C/I/A) → Map data to NIST SP 800‑60 information types → Determine overall impact level → Select NIST SP 800‑53 control baseline
- C) Select NIST SP 800‑53 control baseline → Assign FIPS 199 impact levels → Identify whether data is CUI → Map to NIST SP 800‑60 information types
Answer: B) Assign FIPS 199 impact levels (C/I/A) → Map data to NIST SP 800‑60 information types → Determine overall impact level → Select NIST SP 800‑53 control baseline
The typical process is: (1) Analyze and assign **FIPS 199 impact levels** for confidentiality, integrity, and availability, using (2) **NIST SP 800‑60 information type mappings** as a guide; then (3) determine the **overall system impact level** (highest of C/I/A); and finally (4) select the appropriate **NIST SP 800‑53 control baseline**. CUI status is part of the analysis that drives confidentiality impact, not a separate first or last step.
Key Terms
- FIPS 199
- Federal Information Processing Standard that defines how federal agencies categorize information and information systems as Low, Moderate, or High impact for confidentiality, integrity, and availability.
- Integrity
- A security objective that ensures information is accurate, complete, and protected from unauthorized modification or destruction.
- Availability
- A security objective that ensures information and systems are accessible and usable upon demand by an authorized entity.
- Impact Level
- The degree of harm (Low, Moderate, High) that could result from a loss of confidentiality, integrity, or availability of information or an information system.
- NIST SP 800-53
- NIST Special Publication that defines security and privacy controls for federal information systems and organizations, organized into Low, Moderate, and High baselines.
- NIST SP 800-60
- NIST Special Publication that provides a catalog of federal information types and typical impact level mappings to help perform FIPS 199 security categorizations.
- Confidentiality
- A security objective that protects information from unauthorized disclosure; loss of confidentiality means information is exposed to people who are not authorized to see it.
- Control Baseline
- A set of baseline security and privacy controls (Low, Moderate, High) from NIST SP 800-53 selected based on a system’s impact level.
- Information Type
- A specific category of information (e.g., Human Resources, Benefits Management, Law Enforcement) identified in NIST SP 800-60, used to guide impact level assignments.
- Security Categorization
- The process defined by FIPS 199 and supported by NIST SP 800-60 to determine the appropriate impact levels for a system’s confidentiality, integrity, and availability.
- Controlled Unclassified Information (CUI)
- Unclassified information that requires safeguarding or dissemination controls under federal law, regulation, or government-wide policy; typically requires at least Moderate confidentiality in federal systems.