Information Categories

Category
Number Name Explanation and Examples
1 Information about Information related to personnel, medical, and similar data. Includes all
persons information covered by the Privacy Act of 1974 (e.g., salary data, social
security information, passwords, user identifiers (IDs), EEO, personnel
profile (including home address and phone number), medical history,
employment history (general and security clearance information), and
arrest/criminal investigation history).
2 Financial, budgetary, Information related to financial information and applications, commercial
commercial, proprietary information received in confidence, or trade secrets (i.e., proprietary,
and trade secret contract bidding information, sensitive information about patents, and
information information protected by the Cooperative Research and Development
Agreement). Also included is information about payroll, automated
decision making, procurement, inventory, other financially-related
systems, and site operating and security expenditures.
3 Internal administration Information related to the internal administration of an agency. Includes
personnel rules, bargaining positions, and advance information concerning
procurement actions.
4 Investigation, Information related to investigations for law enforcement purposes;
intelligence-related, and intelligence-related information that cannot be classified, but is subject to
security information (14 confidentiality and extra security controls. Includes security plans,
CFR PART 191.5(D)) contingency plans, emergency operations plans, incident reports, reports
of investigations, risk or vulnerability assessments certification reports;
does not include general plans, policies, or requirements.
5 Other Federal agency Information, the protection of which is required by statute, or which has
information come from another Federal agency and requires release approval by the
originating agency.
6 New technology or Information related to new technology; scientific information that is
controlled scientific prohibited from disclosure to certain foreign governments or that may
information require an export license from the Department of State and/or the
Department of Commerce.
7 Mission-critical Information designated as critical to an agency mission, includes vital
information statistics information for emergency operations.
8 Operational information Information that requires protection during operations; usually time-critical
information.
9 Life-critical information Information critical to life-support systems (i.e., information where
inaccuracy, loss, or alteration could result in loss of life).
10 Other sensitive Any information for which there is a management concern about its
information adequate protection, but which does not logically fall into any of the above
categories. Use of this category should be rare.
11 System configuration Any information pertaining to the internal operations of a network or
management computer system, including but not limited to network and device
information addresses; system and protocol addressing schemes implemented at an
agency; network management information protocols, community strings,
network information packets, etc.; device and system passwords; device
and system configuration information.
12 Public information Any information that is declared for public consumption by official
authorities. This includes information contained in press releases
approved by the Office of Public Affairs or other official sources. It also
includes Information placed on public access world-wide-web (WWW)
servers.
 Security Levels for Information Systems
Security Impact
Level Description Explanation
Low Moderately • Noticeable impact on an agency’s missions, functions, image, or reputation.
serious A breach of this security level would result in a negative outcome; or
• Would result in DAMAGE, requiring repairs, to an asset or resource.
Medium Very serious • Severe impairment to an agency’s missions, functions, image, and
reputation. The impact would place an agency at a significant disadvantage;
or
• Would result in MAJOR damage, requiring extensive repairs to assets or
resources.
High Catastrophic • Complete loss of mission capability for an extended period; or
• Would result in the loss of MAJOR assets or resources and could pose a
threat to human life.

Relationship Between Information Categories

and Minimum Security Levels for IS

Information Minimum Security Level

Category
# Low Medium High
1 Information about persons X

2 Financial, budgetary, commercial, and trade secret X

information
3 An agency internal administration X
4 Investigation, intelligence-related, and security X
information
5 Other Federal agency information X
6 New technology or controlled scientific information X
7 Mission-critical information X
8 Operational information X
9 Life-critical information X
10 Other information X
11 System configuration management information X
12 Public information X