FedRAMP and FIPS 199: Categorizing Your System
Before you pick a FedRAMP impact level, you categorize your system using FIPS 199. It is a short analysis with outsized consequences — it sets your entire control baseline.
The three security objectives
- Confidentiality — the impact of unauthorized disclosure of the data.
- Integrity — the impact of unauthorized modification or destruction.
- Availability — the impact of disruption to access or use.
High-water mark
Rate each objective Low, Moderate, or High based on the worst-case impact to your information types. The overall categorization is the highest rating across the three — the “high-water mark.” One High objective makes the system High.
Tie it to data, not feelings
Use NIST SP 800-60 information types to ground the ratings in the actual data you handle, rather than guessing. A defensible, documented categorization is the foundation reviewers expect — and the anchor for every control decision that follows.
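The high-water mark procedure described above, worked through in code as an added example (not from the original article): each objective is rated at the worst case across the system's information types, the driving information type is recorded so the result is documented, and the overall level is the highest objective. The `InfoType` and `categorize` names are my own, and the sample information types and ratings are constructed placeholders, not SP 800-60 values.

```python
# Added example, not from the article: FIPS 199 high-water mark categorization
# grounded in information types. Sample names/ratings below are constructed.
from dataclasses import dataclass

LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional C/I/A impact ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

def categorize(info_types):
    """Rate each objective at the worst case across all information types,
    record which type drove that rating, and take the high-water mark overall."""
    if not info_types:
        raise ValueError("need at least one information type")
    for t in info_types:
        for obj in OBJECTIVES:
            if getattr(t, obj) not in LEVELS:
                raise ValueError(f"{t.name}: {obj} rating must be Low/Moderate/High")
    objectives = {}
    for obj in OBJECTIVES:
        driver = max(info_types, key=lambda t: LEVELS[getattr(t, obj)])
        objectives[obj] = (getattr(driver, obj), driver.name)
    overall = max((r for r, _ in objectives.values()), key=LEVELS.get)
    return {"objectives": objectives, "overall": overall}

def format_sc(result):
    """Render the result in the FIPS 199 security category (SC) notation."""
    parts = ", ".join(f"({obj}, {r.upper()})" for obj, (r, _) in result["objectives"].items())
    return f"SC system = {{{parts}}} -> overall {result['overall'].upper()}"

# Constructed sample: a single High integrity rating on one information type
# drives the whole system to High, even though every other rating is lower.
SAMPLE = [
    InfoType("Customer account records", "Moderate", "Moderate", "Low"),
    InfoType("Public web content", "Low", "Moderate", "Low"),
    InfoType("Incident response logs", "Moderate", "High", "Moderate"),
]

if __name__ == "__main__":
    res = categorize(SAMPLE)
    print(format_sc(res))
    for obj, (rating, driver) in res["objectives"].items():
        print(f"  {obj}: {rating} (driven by {driver})")
```

The per-objective driver names are the part worth keeping in the SSP: they are what lets a reviewer trace each rating back to a specific information type.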
The Verdict Forum publishes educational guidance, not legal or compliance advice. Confirm requirements against the authoritative sources and your assessor before acting.