Federal Information Processing Standard (FIPS) 199, "Standards for Security Categorization of Federal Information and Information Systems," is used to determine a system's security category (e.g., Low, Moderate, or High) based on the potential impact of a loss of confidentiality, integrity, and availability. This security categorization is a foundational component and a direct input to the System Security Plan (SSP). The SSP must document this categorization, as it dictates the selection of the initial baseline of security controls from NIST SP 800-53 that are required for the system. The SSP then describes how these selected controls are implemented.

A. The Security Assessment Report (SAR) documents the results of testing security controls. The FIPS 199 category influences the assessment scope but is not a direct input to the report itself.

C. The Plan of Actions and Milestones (POA&M) is created from the findings in the SAR to track the remediation of identified weaknesses. It is a downstream artifact.

D. The Authorization Decision Document is the final output from the Authorizing Official after reviewing the entire authorization package (SSP, SAR, POA&M), not a direct recipient of FIPS 199 data.

1. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems, December 2006.

Section 2.2, "System Security Plan Content," Page 4: "The FIPS 199 security categorization of the information system is a key element of the system security plan."

2. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, December 2018.

Chapter 2, Section 2.3, Task P-1 "System Security and Privacy Plans," Page 30: This task, part of the "Prepare" step, involves developing, reviewing, and approving plans to manage security and privacy risk. The SSP is the primary output, and its development relies on the outputs of the "Categorize" step, which uses FIPS 199.

3. Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.

Section 4, "SPECIFICATION OF SECURITY CATEGORIES," Page 5: "The security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization... The security category of an information system will be used to guide the selection of the appropriate set of minimum security controls..." This selection and documentation process occurs within the SSP.