FISMA & NIST RMF

Categorize Step (RMF Step 1)

The first operational step of the Risk Management Framework, in which the system owner uses FIPS 199 to classify the information system as Low, Moderate, or High impact based on the worst-case effect of a loss of confidentiality, integrity, or availability: each security objective is rated at the highest impact level of any information the system handles, and the overall system level is the highest of the three. The categorization determines which NIST SP 800-53 control baseline applies and is the most consequential single decision in the entire authorization process.
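As an added illustration (not from the original brief), the FIPS 199 "high water mark" rule worked out in code: each security objective takes the highest impact of any information type on the system, and the overall level is the highest of the three. The two information types and their impact levels are constructed sample values, not figures from SP 800-60.

```python
from enum import IntEnum
from typing import Dict

class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: provisional impact levels for two information types
# on a hypothetical system. Illustrative only, not taken from SP 800-60.
SAMPLE_INFORMATION_TYPES: Dict[str, Dict[str, Impact]] = {
    "public web content": {"confidentiality": Impact.LOW,
                           "integrity": Impact.MODERATE,
                           "availability": Impact.LOW},
    "payroll records":    {"confidentiality": Impact.MODERATE,
                           "integrity": Impact.MODERATE,
                           "availability": Impact.LOW},
}

def categorize_system(info_types: Dict[str, Dict[str, Impact]]) -> Dict[str, Impact]:
    """Per FIPS 199 Section 3: for each objective, the system's impact level is
    the highest (high water mark) of that objective across all information types."""
    if not info_types:
        raise ValueError("at least one information type is required")
    return {obj: max(levels[obj] for levels in info_types.values())
            for obj in OBJECTIVES}

def overall_impact(sc: Dict[str, Impact]) -> Impact:
    """The overall system impact level, which selects the SP 800-53 baseline,
    is the highest of the three objective ratings."""
    return max(sc[obj] for obj in OBJECTIVES)

def format_sc(sc: Dict[str, Impact], system_name: str) -> str:
    """Render the result in FIPS 199's security-category notation."""
    parts = ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{parts}}}"

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFORMATION_TYPES)
    print(format_sc(sc, "payroll portal"))
    print("Overall impact / SP 800-53 baseline:", overall_impact(sc).name)
```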

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private-sector compliance, written for practitioners.