From arckit-us
Generates a FIPS 199 security categorization for a US federal civilian information system, mapping information types to NIST SP 800-60 Vol 2 and outputting the CIA impact matrix with high-water mark.
How this command is triggered — by the user, by Claude, or both
Slash command
/arckit-us:us-fisma-categorization <project ID or system, e.g. '001', 'Agency Citizen Services Portal'>The summary Claude sees in its command listing — used to decide when to auto-load this command
> ⚠️ **Community-contributed command** — not part of the officially-maintained ArcKit baseline. > Output should be reviewed by qualified US federal counsel, your agency's Senior Agency Official > for Privacy (SAOP), CISO, Chief AI Officer (CAIO), and (for FedRAMP matters) the agency PMO > and 3PAO before reliance. > > **Statutory currency**: EO 14110 was **revoked January 2025**; the active AI assurance mandates > are **OMB M-24-10** (use of AI) and **OMB M-25-21** (acquisition of AI). FedRAMP completed the > transition to NIST 800-53 **Rev 5** baselines in 2024 — Rev 4 references are depre...
⚠️ Community-contributed command — not part of the officially-maintained ArcKit baseline. Output should be reviewed by qualified US federal counsel, your agency's Senior Agency Official for Privacy (SAOP), CISO, Chief AI Officer (CAIO), and (for FedRAMP matters) the agency PMO and 3PAO before reliance.
Statutory currency: EO 14110 was revoked January 2025; the active AI assurance mandates are OMB M-24-10 (use of AI) and OMB M-25-21 (acquisition of AI). FedRAMP completed the transition to NIST 800-53 Rev 5 baselines in 2024 — Rev 4 references are deprecated. Verify all citations against the current Federal Register, OMB Circulars page, NIST publications, and FedRAMP.gov before relying on this output.
You are an enterprise architect generating a FIPS 199 Security Categorization for a US federal civilian agency information system under FISMA (Federal Information Security Modernization Act of 2014).
$ARGUMENTS
FIPS Publication 199 is the mandatory federal standard for categorizing information and information systems by impact level. Every federal civilian system must be categorized as Low, Moderate, or High across the three security objectives — Confidentiality, Integrity, and Availability — before any NIST SP 800-53 Rev 5 baseline can be selected or a FedRAMP authorization pursued. The categorization is the foundational artefact of the Risk Management Framework (RMF) Step 1 (Categorize) per NIST SP 800-37 Rev 2.
The methodology decomposes the system into its constituent information types (using NIST SP 800-60 Vol 2 Rev 1 as the authoritative catalogue of federal information types), scores each information type across CIA at L/M/H, and derives the system high-water mark by taking the maximum impact across all information types and all three objectives. Provisional impact values from SP 800-60 may be adjusted upward (rarely downward) based on agency mission context, aggregation effects, and special factors.
Authoritative anchors:
Read prerequisites:
projects/000-global/ARC-000-PRIN-*.md (architecture principles, if present)DR-* (data requirements), NFR-SEC-* (security NFRs), INT-* (integration requirements)${CLAUDE_PLUGIN_ROOT}/templates/_partials/RENDERING.mdRead the template:
.arckit/templates-custom/us-fisma-categorization-template.md (user override).arckit/templates/us-fisma-categorization-template.md${CLAUDE_PLUGIN_ROOT}/templates/us-fisma-categorization-template.mdUse scripts/bash/create-project.sh --json <project-name> if the project does not yet exist; otherwise locate it.
Use scripts/bash/generate-document-id.sh <PROJECT_ID> FIPS199 --filename for the artefact filename. The type code for this command is FIPS199.
Generate the following sections:
C.2.8.12 Personal Identity and Authentication, D.3.1 Customer Services, C.3.5.1 Income Information). For each type record: information type ID + name, SP 800-60 reference, brief description, source/origin.SC_system = {(confidentiality, MAX), (integrity, MAX), (availability, MAX)} across all information types. Show the calculation explicitly.Use the Write tool to save the artefact at the path returned by create-project.sh + generate-document-id.sh.
Emit a short summary to the user — system name, derived water-mark (e.g. MODERATE / MODERATE / LOW → MODERATE), count of information types, and any open issues. Do not echo the full artefact.
The categorization output directly feeds /arckit:us-nist-800-53 (the water-mark selects the Low / Moderate / High baseline). If any information type contains PII, run /arckit:us-privacy-pia next to discharge the E-Government Act §208 PIA obligation. Any ambiguous or upgraded categorizations should be logged into the project risk register via /arckit:risk for AO visibility.
npx claudepluginhub lllc-lllc/arc-kit --plugin arckit-us/impact-selectDetermines appropriate StateRAMP impact level (Low or Moderate) based on system type, data sensitivity, and security objectives.
/ca-itsg-33Generates an ITSG-33 Statement of Applicability with TBS security categorization, control profile selection, and continuous monitoring plan for a federal information system.
/overlay-applyApplies NIST 800-53 overlays (FedRAMP, DoD, Privacy, CMMC, etc.) to baselines (low, moderate, high), producing summaries of added/removed controls, parameter changes, and implementation guidance.
/au-ism-controlsGenerates an ASD Information Security Manual (ISM) control applicability statement for Australian Government projects, scoped to system classification and supporting DISP attestation.
/profile-selectDetermines Canadian government security classification level (U/PA/PB/PC) for provided data description using decision tree and outputs control profile recommendations.
/secureGenerates a Secure by Design assessment for UK Government civilian projects, evaluating security controls against NCSC Cyber Assessment Framework (CAF) and producing a compliance document.