FIPS publication 199 establishes security categories for both information (data) and information systems. The security categories are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals.

Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.