800-53 Impact Levels

FIPS 199 is a public law which requires federal agencies to use three impact levels to describe risk associated with information systems: HIGH, MODERATE, and LOW. These impact levels are determined by an analysis of the potential impact of a security incident on the ability of the organization to accomplish its mission.

The analysis considers three areas:

  • Confidentiality – A loss of confidentiality is the unauthorized disclosure of information.

  • Integrity – A loss of integrity is the unauthorized modification or destruction of information.

  • Availability – A loss of availability is the disruption of access to or use of information or an information system.

FIPS 199 defines how to assign one of the three impact levels for each of the “CIA” areas and requires the overall impact level to be set to the highest of the three impact levels assigned across the three CIA areas. It requires impact levels to be set for BOTH the information AND the information system.
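The rule above, worked through as an added example (not part of the original page or of any NIST tooling). It goes one step beyond the text by also deriving the system's per-area levels from the information types it handles, taking the highest value per area across those types; the names `Impact`, `overall_level`, `system_category` and the sample information types are constructed for illustration.

```python
from enum import IntEnum

AREAS = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


def overall_level(category):
    """Overall impact level: the highest level assigned across the CIA areas."""
    missing = [a for a in AREAS if a not in category]
    if missing:
        # An unrated area must not silently default to LOW.
        raise ValueError("no impact level assigned for: " + ", ".join(missing))
    return max(Impact(category[a]) for a in AREAS)


def system_category(info_types):
    """System level per area: the highest value among all information types."""
    if not info_types:
        raise ValueError("system has no categorized information types")
    for category in info_types.values():
        overall_level(category)  # rejects incomplete categorizations
    return {a: max(Impact(c[a]) for c in info_types.values()) for a in AREAS}


# Constructed sample: neither information type is HIGH for confidentiality,
# but the system inherits the worst case of each area separately.
SAMPLE = {
    "personnel records": {"confidentiality": Impact.MODERATE,
                          "integrity": Impact.LOW,
                          "availability": Impact.LOW},
    "dispatch scheduling": {"confidentiality": Impact.LOW,
                            "integrity": Impact.LOW,
                            "availability": Impact.HIGH},
}

if __name__ == "__main__":
    for name, category in SAMPLE.items():
        print(name, "->", overall_level(category).name)
    system = system_category(SAMPLE)
    print("system:", {a: lvl.name for a, lvl in system.items()})
    print("system overall ->", overall_level(system).name)
```

Here the information types rate MODERATE and HIGH overall, and the system rates HIGH because one type's availability rating dominates, even though its confidentiality level is only MODERATE.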
