This document has been originally released in template format. Once populated with content, this document will include detailed information about service provider information security controls.
Who should use this document?
This document is intended to be used by service providers who are applying for a Provisional Authorization through the U.S. federal government FedRAMP program.
This template provides a sample format for preparing a FIPS 199 Categorization Report for the Cloud Service Provider (CSP) information systems. The template follows guidance as set forth in NIST Special Publication 800-60 Volume 2 Revision 1, and is intended to be used as a guide. Modify the format as necessary to comply with your internal policies and Federal Risk and Authorization Management Program (FedRAMP) requirements.
Conventions used in this document
This document uses the following typographical conventions:
Italic blue text in a blue box indicates instructions to the individual filling out the template.
Instruction: This is an instruction to the individual filling out of the template.
Bold text indicates a parameter or an additional requirement.
Constant width text is used for text that is representative of characters that would show up on a computer screen.
Text in brackets indicates a generic default name or word that should be replaced with a specific name. Once replaced, the brackets should be removed.
Notes are found between parallel lines and include additional information that may be helpful to the users of this template.
Note: This is a note.
Sans Serif text is used for tables, table captions, figure captions, and table of contents.
Sans Serif Gray
Sans Serif gray text is used for examples.
How to contact us
If you have questions about something in this document, or how to fill it out, please write to:
firstname.lastname@example.org For more information about the FedRAMP project, please see the website at:
The Federal Information Processing Standard 199 (FIPS-199) Categorization (Security Categorization) report is a key document in the security authorization package developed for submission to the Federal Risk and Authorization Management Program (FedRAMP) authorizing officials. The FIPS-199 Categorization report includes the determination of the security impact level for the cloud environment that may host any or all of the service models (Information as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). The ultimate goal of the security categorization is for the cloud service provider (CSP) to be able to select and implement the FedRAMP security controls applicable to its environment.
The purpose of the FIPS-199 Categorization template is for the CSP to assess and complete the categorization of their cloud environment, to provide the categorization to the System Owner/Certifier and the FedRAMP Joint Authorization Board (JAB) and in helping them to make a determination of the CSP’s ability to host systems at that level. The completed security categorization template will aid the CSP in selection and implementation of FedRAMP security controls at the determined categorization level.
The scope of the FIPS-199 Categorization template includes the assessment of the information type categories as defined in the NIST Special Publication 800-60 Volume 2 Revision 1 document.
Instruction: Insert a brief high-level description of the system, the system environment and the purpose of the system. The description should be consistent with the description found in the System Security Plan (SSP).
Instruction: The CSP should review the NIST Special Publication 800-60 Volume 2 Revision 1 Appendix C Management and Support Information and Information System Impact Levels and Appendix D Impact Determination for Mission-Based Information and Information Systems to assess the recommended impact level for each of the information types. For more information, CSP should also consult Appendix D.2. After reviewing the NIST guidance on Information Types, the CSP should fill out Table 1.
Impact levels are determined for each information type based on the security objectives (confidentiality, integrity, availability). The confidentiality, integrity, and availability impact levels define the security sensitivity category of each information type. The FIPS-199 Categorization is the high watermark for the impact level of all the applicable information types.
The FIPS 199 analysis represents the information type and sensitivity levels of the CSP’s cloud service offering (and is not intended to include sensitivity levels of agency data). Customer agencies will be expected to perform a separate FIPS 199 analysis for their own data hosted on the CSP’s cloud environment. Customers using the CSP cloud environment must ensure that the security categorization of information types collected, processed, or stored on the CSP cloud environment does not exceed the high-water mark of Moderate for confidentiality, integrity, and availability. The analysis must be added as an appendix to the SSP and drive the results for the Categorization section.
The FedRAMP system CSP categorization is expected to resolve to Moderate or Low.
Instruction: In the first three columns, put the NIST SP-60 V2 R1 recommended impact level. In the next three columns, put in the CSP determined recommended impact level. If the CSP determined recommended impact level does not match the level recommended by NIST, put in an explanation in the last column as to why this decision was made.
Table 1: CSP Applicable Information Types with Security Impact Levels Using NIST SP 800-60 V2 R1