"Draft FIPS 199 defines requirements to be used by Federal agencies to categorize information and information systems, and to provide appropriate levels of information security according to a range of risk levels. This draft standard establishes three potential levels of risk (low, moderate, and high) for each of the security objectives of confidentiality, integrity, and availability. The levels of risk are based on what is known about the potential impact or harm. Harmful events can impact agency operations (including mission, functions, image or reputation), agency assets, or individuals (including privacy). The levels of risk consider both impact and threat, but are more heavily weighted toward impact. Federal information systems, which are often interconnected and interdependent, are vulnerable to a variety of threats (both malicious and unintentional) that could compromise the security of information and information systems.

NIST invites public comments on the Draft FIPS on Standards for Security Categorization of Federal Information and Information Systems. After the comment period closes, NIST will analyze the comments, make appropriate changes to the document, and then propose the draft standard to the Secretary of Commerce for approval as FIPS PUB 199."