Publication Provides Minimum Security Requirements for Federal Agencies
GAITHERSBURG, Md.—Computer scientists at the U.S. Commerce Department's National Institute of Standards and Technology (NIST) today released for public comment the draft of Federal Information Processing Standard (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems. The draft standard is one of a series of key standards and guidelines produced by NIST's Computer Security Division to help federal agencies improve their information technology security and comply with the Federal Information Security Management Act (FISMA) of 2002.
As stated in today's Federal Register, NIST invites public comments on the draft standard until 5 p.m. Eastern Daylight Time on Sept. 13, 2005. The document may be downloaded as an Adobe Acrobat file at http://csrc.nist.gov/publications/drafts.html.
FIPS Publication 200 provides: (1) a specification for minimum security requirements for federal information and information systems; (2) a standardized, risk-based approach (as described in FIPS Publication 199) for selecting security controls in a cost-effective manner; and (3) links to NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, which recommends management, operational and technical controls needed to protect the confidentiality, integrity and availability of all federal information systems that are not national security systems.
Security controls are the management, operational and technical safeguards and countermeasures prescribed for a computer system that, taken together, adequately protect the confidentiality, integrity and availability of a system and its information. Management safeguards range from risk assessment to security planning. Operational safeguards include factors such as personnel security and basic hardware/software maintenance. Technical safeguards include items such as audit trails and communications protection.
FISMA requires all federal agencies to develop, document and implement agency-wide information security programs and to provide security for the information and information systems that support the operations and assets of the agency. The act called upon NIST to develop the standards and guidelines needed for successful FISMA compliance.
The draft FIPS Publication 200 is the third publication of a three-part series developed by NIST to help federal agencies achieve this compliance. FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, was issued in February 2004 and requires agencies to categorize their information and information systems as low-impact, moderate-impact or high-impact for the security objectives of confidentiality, integrity and availability. NIST SP 800-53, issued in February 2005, provides guidance on selecting the appropriate controls for 17 key security focus areas, including risk assessment, contingency planning, incident response, access control, and identification and authentication.
State, local and tribal governments, as well as private-sector organizations comprising the critical infrastructure of the United States, are encouraged to review the draft standard and then consider using it once finalized—along with the guidance of the other two FISMA compliance publications.
Written comments on FIPS Publication 200 may be sent to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft FIPS Publication 200, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, Md. 20899-8930. Comments also may be submitted electronically to draftfips200@nist.gov.
As a non-regulatory agency of the U.S. Department of Commerce's Technology Administration, NIST develops and promotes measurement, standards and technology to enhance productivity, facilitate trade and improve the quality of life.