Skip to content


The Categorize step remains largely the same, but is the first opportunity to show that RMF tasks (C-1, C-2, & C-3) can be done more quickly with a cross-functional team (people aspect). As mentioned in previous sections, it’s essential to have technical assessors in place, along with highly competent infrastructure, platform, and pilot application teams.

Security categorization is the most important step in the Risk Management Framework (RMF) since it ties the information system’s security activities to the organization’s mission/business priorities. FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, defines requirements for categorizing information and information systems. FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, specifies a risk-based process for selecting the security controls necessary to satisfy the minimum requirements. NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, is a four-step process for categorizing the information and information system level of risk:

  1. Identify information types
  2. Select provisional impact levels for the information types
  3. Review provisional impact levels and adjust/finalize information impact levels for the information types
  4. Assign a system security category, and overall impact level

Types of Information and Information Systems to Security Categories, provides guidance in assessing the criticality and sensitivity of the information and associated information system to determine the system’s security category (i.e., potential worst case impact from loss of confidentiality, integrity, and availability) and overall impact level.

The system’s impact level is used to select a baseline set of security controls for the information system from NIST SP 800-53, Revision 5, Recommended Security Controls for Federal Information Systems, that is then tailored to better reflect the information system’s unique circumstances. In addition, the system’s impact level determines the rigor applied to the remaining steps in the Risk Management Framework, including the assessment of security controls.

System Security Plan (SSP)

Start SSP development utilizing guidance from NIST Special Publication 800-18, Revision 1. See note in Implementation & Assessment about SSP digitization and automation. Typical SSP templates will include the following:

  1. Information System Name
  2. Risk Categorization (following FIPS 199 & 200 guidance)
  3. Information System Owner
  4. Authorizing Official
  5. Additional Key Personnel for the Information System
  6. General description and purpose of the Information System
  7. General description of the technical stack details
  8. List of external system integration details (i.e. system name, organization ownership, agreement (ISA, MOU or MOA), risk categorization, authorization status, and authorizing official)
  9. Unique laws, regulations or policies
  10. In-scope security and privacy controls
  11. Date of completion/update
  12. Date of approval with evidence