Understanding Vulnerability Severity Category Code Definitions
Severity Category Codes (referred to as CAT) are a measure of vulnerabilities used to assess a facility's or system's security posture. Each security policy specified in this document is assigned a Severity Category Code of CAT I, II, or III.

| Severity | DISA category code guidelines |
|----------|-------------------------------|
| CAT I | Any vulnerability that will directly and immediately result in loss of confidentiality, availability, and integrity when exploited. |
| CAT II | Any vulnerability that has a potential to result in loss of confidentiality, availability, and integrity when exploited. |
| CAT III | Any vulnerability that degrades measures to protect against loss of confidentiality, availability, and integrity when exploited. |