FIPS 199

FIPS 199 is a U.S. federal standard for categorizing information and information systems by security impact level: low, moderate, or high.

FIPS 199 is a U.S. Federal Information Processing Standard that defines how to categorize information and information systems based on the potential impact of a security breach. It provides a common way to assign security impact levels (low, moderate, or high) for confidentiality, integrity, and availability.

FIPS 199 applies to federal information and information systems, including systems operated for or on behalf of U.S. federal agencies. In manufacturing and industrial environments, it is most relevant when plants, OT systems, MES, or related IT infrastructure process or store federal information or data derived from federal programs.

Key concepts in FIPS 199

FIPS 199 defines three security objectives and three impact levels:

  • Security objectives:
    • Confidentiality: protecting information from unauthorized disclosure.
    • Integrity: guarding against improper modification or destruction and ensuring accuracy and completeness.
    • Availability: ensuring timely and reliable access to and use of information.
  • Impact levels for each objective:
    • Low impact: limited adverse effect if compromised.
    • Moderate impact: serious adverse effect if compromised.
    • High impact: severe or catastrophic adverse effect if compromised.

The overall system impact level is typically set to the highest of the three objective ratings. This categorization is then used to select and tailor security and privacy controls from other frameworks such as NIST SP 800-53 or overlay profiles.
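The categorization rule above, carried through in code as an added example that is not part of this glossary entry: each objective of a system takes the highest rating of any information type the system handles, and the overall level is the highest of the three. The information-type names and ratings are constructed; the handling of "not applicable" follows FIPS 199, which permits it only for the confidentiality of an information type, never for a system.

```python
"""FIPS 199 security categorization of a system from its information types.

Added example (not part of the glossary entry). The information types and
their ratings are constructed for illustration only.
"""
from typing import Dict, List, Optional

# Ordinal ranking behind the "highest rating wins" rule.
LEVELS = {"low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def highest(ratings: List[Optional[str]]) -> str:
    """Return the highest impact level among the ratings.

    None stands for "not applicable", which FIPS 199 allows only for the
    confidentiality of public information types. A system objective can
    never be N/A, so if every rating is N/A the system objective is low.
    """
    applicable = [r for r in ratings if r is not None]
    if not applicable:
        return "low"
    return max(applicable, key=lambda r: LEVELS[r])


def categorize_system(info_types: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, str]:
    """Per objective, take the highest rating across all information types;
    the overall level is the highest of the three objective ratings."""
    category = {obj: highest([t[obj] for t in info_types.values()]) for obj in OBJECTIVES}
    category["overall"] = highest([category[obj] for obj in OBJECTIVES])
    return category


def format_sc(name: str, category: Dict[str, str]) -> str:
    """Express the result in the SC notation used by FIPS 199."""
    parts = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


# Constructed example: an MES that stores CUI alongside public product data.
MES_INFO_TYPES = {
    "cui_work_instructions": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "public_product_catalog": {"confidentiality": None, "integrity": "low", "availability": "low"},
    "production_schedule": {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
}

if __name__ == "__main__":
    sc = categorize_system(MES_INFO_TYPES)
    print(format_sc("MES", sc))
    print("overall impact level (selects the NIST SP 800-53 baseline):", sc["overall"])
```

For the constructed MES the result is a moderate rating on every objective, so the system as a whole is moderate even though no single information type was rated moderate on all three.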

Use in industrial and regulated environments

In industrial operations, FIPS 199 commonly appears when:

  • Manufacturing systems handle federal information, controlled unclassified information (CUI), or data under federal contracts.
  • Organizations are mapping OT and IT systems to NIST-based cybersecurity programs and must determine which control baselines apply.
  • MES, ERP, or quality systems are part of a broader federal information system boundary defined by an agency or prime contractor.

Operationally, a FIPS 199 impact level can drive how extensively cybersecurity controls are implemented across plants, networks, and applications. For example, a production system categorized as “moderate” would typically be aligned with a moderate-impact control baseline, which may be more stringent than a low-impact baseline but less stringent than one for high-impact systems.

Relationship to NIST SP 800-53 and other standards

FIPS 199 is closely related to NIST SP 800-60 and NIST SP 800-53:

  • NIST SP 800-60 provides guidance on mapping information types to FIPS 199 impact levels.
  • NIST SP 800-53 provides security and privacy controls, with baselines (low, moderate, high) that correspond to the FIPS 199 impact levels.

In practice, organizations typically perform a FIPS 199 categorization first, then select and tailor the appropriate NIST SP 800-53 control baseline for the categorized systems. This process may apply to both traditional IT and OT systems when they are within a federal system boundary.

Common confusion

  • FIPS 199 vs FIPS 200: FIPS 199 defines the categorization of information and systems by impact level. FIPS 200 specifies the minimum security requirements for federal information systems and references NIST SP 800-53 controls. FIPS 199 answers “how critical is this system?” while FIPS 200 and 800-53 address “what controls are needed?”
  • FIPS 199 vs NIST SP 800-171/800-53: FIPS 199 is a categorization standard, not a control catalog. NIST SP 800-171 and 800-53 define specific cybersecurity controls that may be selected based on the impact level determined using FIPS 199.

Context for aerospace and defense manufacturing

In aerospace and defense manufacturing, FIPS 199 categorization is often performed by the federal agency or prime contractor responsible for a system. However, manufacturers may need to understand the assigned FIPS 199 impact level to align their cybersecurity programs, especially when implementing NIST SP 800-53 controls within plants, engineering networks, or manufacturing systems that handle federal data or CUI.
