What is NIST SP 800-60 used for?

Prepare for the FISMA Interview Test. Get familiar with key topics and enhance your knowledge with flashcards and multiple-choice questions. Study effectively and be ready for your exam!

Multiple Choice

What is NIST SP 800-60 used for?

Explanation:
The main idea being tested is how to categorize information and information systems to determine the level of security controls they need. NIST SP 800-60 provides the guidance for mapping information types and system types to security category levels, using FIPS 199 as the basis for impact levels (low, moderate, high) across confidentiality, integrity, and availability. This mapping helps organizations select appropriate controls by aligning the potential impact of a loss of CIA with a defined security category, ensuring protections match risk. The other options point to different activities—security plans involve documenting security controls, contingency planning covers backup and recovery planning, and testing/evaluation focuses on assessing controls—none of which are about mapping information types and systems to security categories.

