Comments Sought on Draft Federal IT Security Standard

To help federal agencies improve their information technology security and comply with the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) recently released for public comment the draft of Federal Information Processing Standard (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

FISMA requires all federal agencies to develop, document and implement agency-wide information security programs and to provide security for the information and information systems that support the operations and assets of the agency. The act called upon NIST to develop the standards and guidelines needed for successful FISMA compliance.

The draft FIPS Publication 200 is the third NIST publication of a three-part series for this purpose. FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, issued in February 2004, requires agencies to categorize their information and information systems as low impact, moderate impact or high impact regarding confidentiality, integrity and availability. NIST SP 800-53, Recommended Security Controls for Federal Information Systems, issued in February 2005, provides guidance on selecting the appropriate controls for 17 key security focus areas.

FIPS Publication 200 provides: (1) a specification for minimum security requirements for federal information and information systems; (2) a standardized, risk-based approach (as described in FIPS Publication 199) for selecting security controls in a cost-effective manner; and (3) links to NIST Special Publication 800-53.

NIST invites public comments on the draft standard until 5 p.m. Eastern Daylight Time on Sept. 13, 2005. The document may be downloaded at http://csrc.nist.gov/publications/drafts.html.