The objective of this activity is to determine the security categories of departmental business activities. A
security category expresses the highest levels of expected injuries from threat compromise with respect to
the security objectives of confidentiality, integrity, and availability. Business activities are categorized by
first determining the expected injuries from IT-related threat compromise to the national and non-national
interests that the business activities serve, and then determining the level of these expected injuries.
Departments can categorize their business activities following the process specified in Section 6.
The output of this activity is a security categorization report for departmental business activities.