Federal information systems are categorized based on the information the systems process, store, or transmit.
Information processed, stored and transmitted by a system is classified based on the impact level (Low, Moderate or High) assigned to each of the security objectives: Confidentiality, Integrity and Availability (CIA).
The highest impact level (Low, Moderate or High) across the CIA objectives becomes the overall classification of the system (the high water mark).
Systems are categorized based on information type
Two NIST publications are used to guide this process
The categorization process starts with a kick-off meeting involving the following people:
Sample kick-off meeting email/agenda
First deliverable/artifact: FIPS 199 system categorization
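The high water mark rule described above, worked through as an added example (not part of the original page): each information type gets a Low/Moderate/High rating per security objective, the system takes the highest rating per objective, and the highest of those becomes the overall categorization. The information type names and their ratings are constructed sample values, and the function names are illustrative.

```python
from enum import IntEnum


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize(info_types):
    """Return (per-objective high water marks, overall system impact level)."""
    if not info_types:
        raise ValueError("at least one information type is required")
    marks = {}
    for objective in OBJECTIVES:
        levels = []
        for name, ratings in info_types.items():
            # Every information type must be rated for every objective;
            # a missing rating would silently lower the result.
            if objective not in ratings:
                raise ValueError(f"{name!r} has no {objective} rating")
            levels.append(Impact(ratings[objective]))
        marks[objective] = max(levels)
    return marks, max(marks.values())


def sc_notation(marks):
    """Format the per-objective result as a security category (SC) line."""
    pairs = ", ".join(f"({o}, {marks[o].name})" for o in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample: three information types handled by one system.
SAMPLE = {
    "public web content": {"confidentiality": Impact.LOW,
                           "integrity": Impact.MODERATE,
                           "availability": Impact.LOW},
    "personnel records": {"confidentiality": Impact.MODERATE,
                          "integrity": Impact.MODERATE,
                          "availability": Impact.LOW},
    "incident dispatch data": {"confidentiality": Impact.LOW,
                               "integrity": Impact.MODERATE,
                               "availability": Impact.HIGH},
}

if __name__ == "__main__":
    marks, overall = categorize(SAMPLE)
    print(sc_notation(marks))
    print("Overall system categorization:", overall.name)
```

A single High rating on one objective of one information type is enough to make the whole system High, which is why every information type needs to be identified before the categorization is signed off.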