WASHINGTON, D.C.—Commerce Secretary Carlos Gutierrez today announced a new standard to help federal agencies improve their information technology security and comply with the Federal Information Security Management Act (FISMA) of 2002.
"Protecting federal information and information systems is of vital importance to our nation's economic and national security," said Gutierrez. "This new standard is one of a series of critical standards and guidelines developed by the Commerce Department's National Institute of Standards and Technology (NIST) that will help ensure that federal agencies implement appropriate, cost-effective security measures."
Federal Information Processing Standard (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is the second of two mandatory security standards required by the FISMA legislation. FISMA requires all federal agencies to develop, document and implement agency-wide information security programs and to provide security for the information and information systems that support the operations and assets of the agency. The act called upon NIST to develop the standards and guidelines needed for successful FISMA compliance by all federal agencies.
FIPS 200 specifies minimum security requirements for federal information and information systems that are not national security systems, and a risk-based process for selecting the security controls necessary to satisfy these requirements.
Security controls are the management, operational and technical safeguards and countermeasures needed to protect the confidentiality, integrity and availability of a computer system and its information. Management safeguards range from risk assessments to security planning. Operational safeguards include factors such as personnel security and basic hardware/software maintenance. Technical safeguards include items such as audit trails and communications protection.
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, the first of the two mandatory security standards, was issued in February 2004. FIPS 199 requires agencies to categorize their information and information systems as low-impact, moderate-impact or high-impact for the security objectives of confidentiality, integrity and availability.
A third publication, developed by NIST to be used in conjunction with FIPS 200 and FIPS 199, is Recommended Security Controls for Federal Information Systems (NIST Special Publication 800-53). Issued in February 2005, this publication specifies minimum sets of security controls for information systems according to the system's FIPS 199 impact level and provides guidance on selecting the appropriate controls for 17 security-related areas, including risk assessment, contingency planning, incident response, access control, and identification and authentication.
These and other NIST computer security publications are available at http://csrc.nist.gov/publications/fips/#fips200.
As a non-regulatory agency of the Commerce Department's Technology Administration, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life.