Which publication defines standards for security categorization of federal information systems, requiring assessment in the CIA categories (Confidentiality, Integrity, and Availability)?

Multiple Choice

Explanation:
The concept being tested is how federal information systems are categorized based on the impact to confidentiality, integrity, and availability. This standard is defined in FIPS 199, which requires evaluating each CIA dimension and assigning an impact level (low, moderate, or high) for each one. The resulting security category determines which security controls are appropriate and helps drive risk management decisions in the federal Risk Management Framework (RMF) process.

Understanding this helps you see why FIPS 199 is the right choice: it explicitly defines the CIA-based impact levels and how they translate into a system's overall security category. In contrast, NIST SP 800-53 is a catalog of controls (not the categorization method), ISO/IEC 27001 is a general international ISMS standard, and the CIS Controls are a practical set of security actions rather than a formal federal categorization framework.
