Ace the 2025 Certified Governance Risk & Compliance (CGRC) Challenge – Navigate the Governance Maze with Confidence!

The formula reflecting the categorization of an information type as developed by FIPS 199 emphasizes the specific impacts on confidentiality, integrity, and availability. FIPS 199 provides a framework for agency information and information systems in the federal government to determine the appropriate level of security to safeguard sensitive data by evaluating the potential impact resulting from the loss of those security components.

In this context, the correct option outlines a structure that uses "impact" as the critical metric to characterize each aspect of security: confidentiality, integrity, and availability. Each of these components is assessed based on the potential impacts—low, moderate, or high—thus categorizing the information type effectively to set the right controls and protective measures.

The other options incorporate elements that are not as aligned with the framework laid out in FIPS 199. For instance, involving "controls" or "risk" does not capture the impact measurement inherent in FIPS 199's approach to information categorization, which is centered precisely around the outcomes of potential breaches or losses in those defined areas. This focus on impact is vital for establishing the appropriate classification and subsequent security posture.