This publication establishes security categories for both information and information systems. The
security categories are based on the potential impact on an organization should certain events occur
which jeopardize the information and information systems needed by the organization to accomplish
its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day
functions, and protect individuals. Security categories are to be used in conjunction with vulnerability
and threat information in assessing the risk to an organization.
If anything is done here, I agree the mapping to CVSS CR, IR, and AR should be documented.
This seems like possibly something that would function in place of mission impact?
Is your feature request related to a problem? Please describe.
SSVC has no native decision points to support categorization of systems by security requirement levels.
Describe the solution you'd like
Consider adding decision points to reflect the system security categories listed in FIPS 199
https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.199.pdf
Note
Although similarly named, these are not the same as the C, I, A impacts in CVSS vectors. However, they are semantically related to CVSS v4's CR, IR, AR vector elements https://www.first.org/cvss/v4.0/specification-document#Confidentiality-Integrity-and-Availability-Requirements-CR-IR-AR