Table 1: Security Categorization of Federal Information and Information Systems (Rev. 06-01-2009)

Potential Impact on Organizations and Individuals

Low Impact: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect [1] on organizational operations, organizational assets, or individuals. Adverse effects on individuals may include, but are not limited to, loss of the privacy to which individuals are entitled under law.

Moderate Impact: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect [2] on organizational operations, organizational assets, or individuals.

High Impact: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect [3] on organizational operations, organizational assets, or individuals.

| Security Objective | Definition [44 U.S.C., Sec. 3542] | Loss of the Objective | Low Impact | Moderate Impact | High Impact |
|---|---|---|---|---|---|
| Confidentiality | “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” | A loss of confidentiality is the unauthorized disclosure of information. | Limited adverse effect | Serious adverse effect | Severe or catastrophic adverse effect |
| Integrity | “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” | A loss of integrity is the unauthorized modification or destruction of information. | Limited adverse effect | Serious adverse effect | Severe or catastrophic adverse effect |
| Availability | “Ensuring timely and reliable access to and use of information…” | A loss of availability is the disruption of access to or use of information or an information system. | Limited adverse effect | Serious adverse effect | Severe or catastrophic adverse effect |


Endnotes

  1. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

  2. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

  3. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
