Which SP maps information types to security categories and is used with FIPS 199?

Multiple Choice

Which SP maps information types to security categories and is used with FIPS 199?

Explanation:
The main idea here is how to determine the appropriate security category for different kinds of information by using a dedicated mapping guide that works with FIPS 199. FIPS 199 defines three impact levels (Low, Moderate, High) for confidentiality, integrity, and availability. To apply those levels to specific information types, you need a reference that maps each information type to its expected impact category. NIST SP 800-60 provides exactly that mapping between information types (like financial data, medical records, PII, etc.) and the corresponding security categories. This mapping is used together with FIPS 199 to assign a system’s overall security category.

The other publications referenced here cover different topics: SP 800-18 focuses on security plans, SP 800-34 on contingency planning, and SP 800-37 on applying the Risk Management Framework. None of them serve as the mapping guide between information types and security categories used with FIPS 199, which is why SP 800-60 is the correct choice.
