
Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.701 ■ Spring 2021 ■ Jose Gomez

FIPS 200 Minimum Security Requirements for Federal Information and Information Systems

January 27, 2021 by Jose Gomez 29 Comments

Filed Under: 03 - Planning and Policy

Comments

  1. Zibai Yang says

    January 28, 2021 at 10:50 am

    FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is a mandatory federal standard developed by NIST in response to FISMA. It should be pointed out that 800-53 is only a temporary guide for selecting the minimum security controls. NIST launched the FIPS 200 “Federal Information System Minimum Security Control” standard in December 2005 to improve information systems’ security controls.

    Risk assessment is the process of evaluating the confidentiality, integrity, availability, and other security attributes of the information system and the information processed, transmitted, and stored. It evaluates the threats faced by assets and the possibility that threats exploit vulnerabilities to cause security incidents. The possibility of security incidents and the value of the assets designed by security incidents are used to determine the impact of security incidents on the organization once they occur. After risk assessment, the enterprise can see whether the level is a low, moderate, or high threat. Then, they can decide which minimum security controls need to be performed in order to deal with the risk they face.

  2. Priyanka Ranu says

    January 28, 2021 at 6:22 pm

    There are seventeen minimum security requirements in order to protect the confidentiality, integrity, and availability of federal information systems. One of the minimum security requirements that I would like to mention is access control. Organizations must limit information system access to authorized users. The risk associated with access management is unauthorized access. The control ensures that each staff has the right level of access. Under incident response, an organization can be at risk of security breaches resulting from an unusual event. The control of having an incident response plan in place helps an organization to manage the security incident and remediate the impact to operations. The main steps taken are detection, assessment and response. Organizations must also ensure that managers and users of organizational information systems are aware of the security risks. There is a risk of all other processes being ineffective without an effective awareness and education program. This control helps organizations understand the importance of security.

    • Cami Chen says

      February 2, 2021 at 1:51 pm

      Hi, Priyanka. I agree with your point of view about access control. It is very significant to have strong access control. I think access control is the first line of defense against hackers attacking the organizational system. If the admin forgets to revoke a former employee’s access, there is a big risk that a hacker may use this account to log in to the system. Or a former employee, who was fired for violating policy, may steal the company’s information to sell it.

  3. Wenyao Ma says

    January 28, 2021 at 9:29 pm

    What I’ve learned from this document is that FIPS publication 200 points out a risk-based process for selecting safety controls to meet minimum safety requirements. FIPS 200 defines 17 security areas, which are related to the management, operation and technology aspects of protecting federal information systems, as well as the confidentiality, integrity and availability of processing information.

    • Haozhe Lin says

      January 30, 2021 at 12:01 am

      Hi Wenyao,
      I agree with you. FIPS 200 focuses on the minimum requirements for information and information security. It is designed to help develop, implement and protect information systems. FIPS 200 considers policies and procedures necessary for effective implementation, but never mentions governance. We know that policies and procedures are key components of governance. Although it is explicitly stated that governance will add an extra layer, I believe its importance relative to FIPS 200 ensures its inclusion.

    • Anthony Wong says

      January 30, 2021 at 3:16 pm

      Hi Wenyao,

      I agree with you that FIPS 200 defines the minimum requirements for federal information systems. I would like to add that NIST SP 800-53 is used to determine which set of safeguards must be implemented to meet the minimum requirements. Overall, we are starting to see the connection between FIPS 199, FIPS 200, and NIST SP 800-53.

  4. Haozhe Lin says

    January 30, 2021 at 12:00 am

    Since I have not done any safety-related work, I can only summarize what I have learned from this mission. In addition to the first 199, 17 important areas have been used to establish minimum federal information requirements.

    (i) Access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessment; (v) configuration management; (vi) contingency planning; (vii) identification and certification; (viii) accident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment evaluation; (xv) system and service acquisition; (xvi) system and communication protection; (xvii) system and information integrity.

    In general, I think these 17 aspects are very comprehensive. It provides an overview of security planning. From the perspective of people, from the perspective of technology, such as software and hardware, and the perspective of its government, make a continuous plan. It is also very helpful for an organization to check whether its security plan is adequate.

  5. Xinyi Zheng says

    January 30, 2021 at 9:12 am

    FIPS Publication 199 requires agencies to categorize information systems as low, moderate, or high by impact level. After the security categorization process, organizations need to select the appropriate security controls to meet requirements. FIPS 200 establishes minimum levels to help meet minimum security requirements, and the minimum security requirements cover seventeen security-related areas. Besides, organizations need to select the appropriate security controls to meet requirements. To select the most appropriate control method, organizations need to consider multiple aspects; it is a risk-based activity involving management and operational personnel within the organization.

    • Humbert Amiani says

      January 31, 2021 at 5:41 pm

      Hi Xinyi,
      These categorizations provide a much needed guideline to ensure each type of information is secured, regardless of the use or importance to the overall key operations of the organization.

  6. Anthony Wong says

    January 30, 2021 at 12:14 pm

    Chapter 8 outlines the process of security planning and its importance for managing the risk of information systems. It goes on to discuss the usage of FIPS 199 to categorize an organization’s information systems based on the impact levels low, moderate, and high. Based on the security categorization of Federal Information and Information Systems, there are minimum security requirements the system must meet in order to be compliant. The minimum security requirements are composed of seventeen different control families and can be found in FIPS 200. After this, NIST SP 800-53 can be used to determine what controls and safeguards can be implemented to meet the security requirements. The process of security planning is important to complete because the goal is to minimize risk and improve on the overall protection of the information system.

  7. Jonathan Castelli says

    January 31, 2021 at 1:57 pm

    The FIPS 200 document clearly outlines the minimum security requirements for seventeen security-related areas. The document states the organization must use an impact-based approach when categorizing their security levels. They also clearly define the impact levels. It says, “a low-impact system is an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high.”

    When using FIPS 200, an organization is given clear outlines on expectations for security management. They can use this to create and organize their organization policies and procedures. The main goal of FIPS 200 is to keep the confidentiality, availability, and integrity for the system and the data within the system. While the FIPS 200 says what is expected of the organization, it also gives them the flexibility to develop their own procedures.

    • Zhen Li says

      February 1, 2021 at 10:34 pm

      Hi, Jonathan, I agree with your points on the three different impact levels. FIPS 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability.

  8. Zhen Li says

    January 31, 2021 at 4:16 pm

    FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, is the first of two mandatory security standards required by the FISMA legislation. It requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability.
    FIPS Publication 200, the second of the mandatory security standards, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements. The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems.

  9. Cami Chen says

    January 31, 2021 at 5:20 pm

    There are many elements that need to meet the security requirements. I think access control, awareness and training, and identification and authentication are very significant for the organization as the first step of defense. The organization must set up appropriate access for internal and external users. Many data breach cases result from not having effective access control, especially third-party access control. If one entry point has a vulnerability through one user’s access, the admin should disable it immediately to mitigate the risk. However, a lack of awareness and training for employees can be a big problem, causing the loss of confidentiality, integrity, and availability. If the employees cannot recognize the importance of information security, they may ignore any suspicious attack, such as a phishing email. In doing so, the admin needs to identify and authenticate the users. When an employee resigns or transfers position, the admin must terminate the user’s access. Or the admin needs to check the users’ access regularly, so he or she can revoke any inactive user. These specifications make the security requirements more effective.

    • Heather Ergler says

      February 2, 2021 at 12:37 pm

      Hi Cami…
      I agree with your assessment that access controls and training / awareness are important controls in the FIPS framework. Access controls are heavily relied on to mitigate the risks associated with authentication, which primarily supports confidentiality, as well as authorizations, which support confidentiality and integrity. Training and awareness controls are a first line of defense for most organizations in that these controls enable a broader set of workers to be security mindful. And the point around these controls being important is very valid, and these “front end controls” are used by auditors to determine testing scope and effectiveness of downstream controls. For federal agencies all of the controls are treated the same, and the entirety of the FIPS framework is mandated to be documented in the security plan.

  10. Humbert Amiani says

    January 31, 2021 at 5:20 pm

    My take from this reading is ensuring an organization has adequate security, which is defined as security commensurate with the risk and the magnitude of harm resulting from an information security breach. Organizations are required to select appropriate security controls that meet the minimum security requirements. This process requires the involvement of both management and operational personnel. The overall tailoring of information security control baselines must be coordinated and approved by appropriate authorized officials within the organization. Organizations are also required to match the security objective categorization with the highest security impact level of any part of the information being categorized. This guarantees some adequacy in the security of the information.

    • Austin Mecca says

      February 2, 2021 at 7:53 pm

      You make a great point when you say that this process requires not only management but operational personnel. That personnel group is going to be the group that can help identify what needs to be accounted for based on what they use as well as being able to describe the relationship between assets, systems and applications.

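The impact-level rule Jonathan quotes from FIPS 200 and the high-water-mark requirement Humbert describes (each objective takes the highest impact of any information type on the system), carried through as an added Python example that is not part of this course page or of the NIST publications. The two information types and their impact values are constructed for illustration; the N/A handling follows FIPS 199, which permits "not applicable" only for the confidentiality of an information type, never at the system level.

```python
# FIPS 199 / FIPS 200 security categorization, as an added illustration.
# Step 1: each information type gets a (C, I, A) impact triple (FIPS 199).
# Step 2: the system category is the per-objective high-water mark across
#         every information type it processes, stores or transmits.
# Step 3: FIPS 200 collapses that triple into one system impact level, which
#         then selects the SP 800-53 baseline to tailor.
from enum import IntEnum
from typing import Dict, Iterable, Mapping


class Impact(IntEnum):
    NOT_APPLICABLE = 0  # allowed only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


def validate_information_type(sc: Mapping[str, Impact]) -> None:
    """Reject a categorization that omits an objective or misuses N/A."""
    missing = [o for o in OBJECTIVES if o not in sc]
    if missing:
        raise ValueError(f"missing objective(s): {missing}")
    for obj in ("integrity", "availability"):
        if sc[obj] == Impact.NOT_APPLICABLE:
            raise ValueError(f"{obj} cannot be N/A; the floor is LOW")


def high_water_mark(info_types: Iterable[Mapping[str, Impact]]) -> Dict[str, Impact]:
    """System security category: for each objective, the highest impact of any
    information type on the system. Every objective is at least LOW at the
    system level, so a confidentiality N/A is raised to LOW here."""
    result = {o: Impact.LOW for o in OBJECTIVES}
    seen = 0
    for sc in info_types:
        validate_information_type(sc)
        seen += 1
        for obj in OBJECTIVES:
            result[obj] = max(result[obj], sc[obj])
    if seen == 0:
        raise ValueError("a system must carry at least one information type")
    return result


def system_impact_level(sc: Mapping[str, Impact]) -> Impact:
    """FIPS 200 rule: LOW if all three objectives are low, HIGH if at least one
    is high, otherwise MODERATE (at least one moderate, none above moderate)."""
    levels = [sc[o] for o in OBJECTIVES]
    if any(lvl < Impact.LOW for lvl in levels):
        raise ValueError("system-level objectives must be LOW, MODERATE or HIGH")
    if all(lvl == Impact.LOW for lvl in levels):
        return Impact.LOW
    if any(lvl == Impact.HIGH for lvl in levels):
        return Impact.HIGH
    return Impact.MODERATE


def format_sc(sc: Mapping[str, Impact]) -> str:
    """Render a category in the FIPS 199 notation SC = {(objective, impact), ...}."""
    return "SC = {" + ", ".join(f"({o}, {sc[o].name})" for o in OBJECTIVES) + "}"


# Constructed sample: two information types on one hypothetical agency system.
PUBLIC_WEB_CONTENT = {"confidentiality": Impact.NOT_APPLICABLE,
                      "integrity": Impact.MODERATE, "availability": Impact.LOW}
PERSONNEL_RECORDS = {"confidentiality": Impact.MODERATE,
                     "integrity": Impact.MODERATE, "availability": Impact.LOW}
SAMPLE_SYSTEM = [PUBLIC_WEB_CONTENT, PERSONNEL_RECORDS]

if __name__ == "__main__":
    category = high_water_mark(SAMPLE_SYSTEM)
    print(format_sc(category))
    print("system impact level:", system_impact_level(category).name,
          "-> tailor the SP 800-53 baseline for that level")
```

Note that the public web content alone would already make the system moderate-impact because of its integrity rating, which is why categorization must be done per objective rather than by the "most sensitive" information type only.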
  11. Austin Mecca says

    January 31, 2021 at 5:20 pm

    A takeaway from this reading is the density of the controls. There are 17 different areas with their own minimum requirements. This means that whoever is constructing the plan has to thoroughly and with detail go through each to make sure nothing is missed, as one hole in the armor can bring the entire system down. Once the areas are addressed for high, moderate, and low impact, the designer must refer to NIST SP 800-53 to determine what controls should be applied where in relation to the level previously determined.

    • Humbert Amiani says

      January 31, 2021 at 5:52 pm

      Hi Anthony,
      It does seem like a very tedious process having to go through all the sections in one publication, then check them off again in a second for relations. However, there is no easy way to guarantee information security.

  12. Prince Patel says

    January 31, 2021 at 6:03 pm

    The FIPS 200: Minimum Security Requirements for Federal Government and Information Systems is the required federal standard that is developed by NIST in response to FISMA. This document includes the minimum security requirements that cover 17 security-related areas with the CIA Triad information security goals in mind. These areas provide a balanced information security program that addresses the management, operational and technical aspects of protecting federal information and information systems. The federal organizations and agencies must develop and implement formal and documented security policies and procedures that govern around minimum information security requirements and make sure they are effectively implemented.

  13. Krish Damany says

    January 31, 2021 at 6:17 pm

    FIPS 200 details three key points in regards to developing security standards. The standards for categorizing information and information systems are maintained by each federal agency and are variable based on different risk levels. The guidelines are to be included in each category based on the types of information and information systems. For each category, there also will be minimum information security requirements for different types of information and information security. Much like FIPS 199, the CIA triad is used as well as an impact assessment detailing low, moderate, and high impact levels. Having these practices in place provides necessary data on how important each information type and information system is, as well as what security controls should be in place for each of the low, moderate, and high impact assessments.

  14. Junhan Hao says

    January 31, 2021 at 9:25 pm

    FIPS 200 states the minimum security requirements for federal information and information systems, and is a mandatory federal standard formulated by NIST in response to FISMA. In order to comply with federal standards, the organization first determines the security category of its information system according to FIPS Publication 199, “Federal Information and Information System Security Classification Standard”, obtains the information system impact level from the security category according to FIPS 200, and, in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, applies an appropriately customized baseline security control set. The combination of FIPS 200 and NIST Special Publication 800-53 ensures that applicable security requirements and security controls apply to all information and information systems.

  15. Mei X Wang says

    January 31, 2021 at 9:28 pm

    FIPS created a method of categorizing the risk impact of an information system based on low, medium, and high impact. The potential impact for confidentiality, integrity, and availability is different for all information systems, so the categorization is helpful when selecting which security controls should be in place. Security-related areas are “(i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity”. These security areas are used to represent an information security program that can address the management, operational, and technical aspects of protecting federal information and their information systems.

    Not only does the information security program have to be in place, but formal and documented policies/procedures should also be created and implemented across the organization to adequately protect these information systems.

  16. Kyuande Johnson says

    January 31, 2021 at 10:06 pm

    The E-Government Act of 2002 recognized the importance of information security to the economic and national security interests of the United States. The purpose of this act was to develop security standards and guidelines for the federal government. FIPS 199 is the first of two mandatory security standards required by the FISMA legislation. FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability.

  17. Heather Ergler says

    January 31, 2021 at 11:09 pm

    FIPS 200 covers the minimum control requirements for federal agencies and is the next step after information and information systems are classified. The process of determining minimum control requirements is highly dependent on information and information system classifications to determine the minimum controls for each type of data. The organization must have access control (AC), awareness and training (AT), audit and accountability (AU), certification, accreditation, and security assessments (CA), configuration management (CM), contingency planning (CP), identification and authentication (IA), incident response (IR), maintenance (MA), media protection (MP), physical and environmental protection (PE), planning (PL), personnel security (PS), risk assessment (RA), system and services acquisition (SA), system and communications protection (SC), and system and information integrity (SI) controls to be compliant with FIPS standards. The comprehensiveness of the FIPS procedures leaves no question as to the areas that controls must be in place for information and information security.

  18. Anthony Messina says

    January 31, 2021 at 11:11 pm

    This article went into the FIPS 199 standard in depth. It discussed things such as the requirement of federal agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. One major take-away from this reading was the minimum security requirements outlined by FIPS 199. The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. The security-related areas include: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity.

    • Krish Damany says

      February 2, 2021 at 8:30 pm

      Hi Anthony,

      Much like FIPS 199 and any information security protocol, an important emphasis is placed on impact analysis and the CIA triad. I quite enjoy that you included all the security-related areas in your analysis. It goes to show the nitty-gritty of this FIPS 200 standard in categorizing information to mitigate risk to the highest degree.

  19. Vanessa Marin says

    January 31, 2021 at 11:33 pm

    This document does a multitude of things:
    – References FIPS 199, reinforcing the requirement that categorization of the information systems is required.
    – Defines the 17 security-related areas that federal agencies must meet at minimum.
    – Provides reference to NIST SP 800-53 to guide the process of selecting controls and assurance requirements.
    – Gives definitions for common terms.

    These represent a broad-based, balanced security policy.

    • Prince Patel says

      February 2, 2021 at 10:48 pm

      Hi Vanessa!
      Thank you for the clear and crisp response! I really liked your response as it is straight to the point about what FIPS 199 is all about. I agree that categorization of the information and the information systems is critical for a successful information security program. FIPS 199 establishes the minimum that federal agencies must meet, including all 17 security-related areas. The document also defines some of the lingo and terms that may be foreign to some of the readers. It is necessary to establish information security minimums when dealing with sensitive data as it forces organizations to follow proper information security procedures.

