Kelly Sharadin says
The minimum-security requirement for Awareness and Training (AT) is an excellent dovetail into this week’s assigned reading focused on policy and planning. As FIPS 200 and many other publications state, for a security program to be successful, policies and procedures must be effectively implemented throughout the organization. We must understand that the human element will always be the weakest point in our security architecture. To that end, I find mandating awareness and training as a minimum-security requirement to be a more than reasonable security control.
Lauren Deinhardt says
Hi Kelly, thanks for your post. The emphasis on policy is key; an organization will never be able to improve/implement a fruitful security program without it. Which policy specifically do you think is most important?
Olayinka Lucas says
FIPS 200, also known as NIST SP 800-53 Rev. 5, applies to all Federal Government information and information systems, apart from national security systems and certain classified information. FIPS are standards published by NIST for use by the United States federal government and its contractors in relation to computer systems. Generally, compliance with the FIPS standards is mandatory, but waivers are sometimes available.
FIPS 200, a summary of NIST 800-53 Rev. 5, makes mention of 20 control families that may be implemented for any entity to claim that it has met the minimum-security requirements within its operations. The under-listed are the 20 control families:
Access Control; Awareness and Training; Audit and Accountability; Certification, Accreditation, and Security Assessments; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Planning; Program Management; Personnel Security; Personally Identifiable Information Processing and Transparency; Risk Assessment; System and Services Acquisition; System and Communications Protection; System and Information Integrity; and Supply Chain Risk Management.
Each control brings something to the table to ensure security, i.e., Confidentiality, Integrity, and Availability. I don’t believe any control area is of more importance or is the foundation upon which the others could be established. For example, Access Control is useless if personnel are not adequately trained on the User Acceptance policy; likewise, Security Awareness and Training is of no use if access, authentication, and identification within the organization are not correctly provisioned, reviewed, and managed.
Lauren Deinhardt says
The most important portion of this reading, in my opinion, is the connection between FIPS 199 impact assessments and FIPS 200 security control baselines. In order to implement the best security measures to secure information, that information needs to be appropriately classified in accordance with FIPS 199. Once that side is completed, FIPS 200 designates which security baseline should be followed (i.e., the low baseline of NIST 800-53 controls for a low-impact system). The connection between these documents is key to accurately protecting an information system.
Antonio Cozza says
Excellent point, Lauren; I had a similar takeaway from reading FIPS 200. Actually protecting federal information systems is contingent upon the cross-section of applying all of FIPS 199, FIPS 200, and NIST 800-53 in order to define the impact ratings and categorize an information system, adhere to the minimum security requirements, and then finally select controls to implement.
Kyuande Johnson says
Three main types of access control systems are: Discretionary Access Control (DAC), Role-Based Access Control (RBAC), and Mandatory Access Control (MAC).
DAC is a type of access control system that assigns access rights based on rules specified by users. The principle behind DAC is that subjects can determine who has access to their object.
RBAC, also known as non-discretionary access control, is used when system administrators need to assign rights based on organizational roles instead of individual user accounts within an organization. It presents an opportunity for the organization to address the principle of ‘least privilege’.
MAC is considered the strictest of all levels of access control systems. The design and implementation of MAC is commonly used by the government. It uses a hierarchical approach to control access to files/resources.
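As an added example (not part of the post above), the same set of access requests is evaluated under a small DAC, RBAC and MAC policy engine, so the difference between "the owner decides", "the role decides" and "the label decides" is visible in code. The users, roles, labels and requests are constructed for illustration; the MAC engine applies Bell-LaPadula rules (no read up, no write down), which is one common hierarchical model and an assumption here, not something the post specifies.

```python
"""Added example (not from the original thread): one request set evaluated
under DAC, RBAC and MAC. All users, roles, labels and requests are
constructed; the MAC rules are Bell-LaPadula (an assumption)."""
from dataclasses import dataclass, field


# ---------- DAC: the object's owner decides who may access it ----------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions


def dac_grant(obj: DacObject, actor: str, user: str, perm: str) -> None:
    """Only the owner may edit the ACL; anyone else is refused."""
    if actor != obj.owner:
        raise PermissionError(f"{actor} does not own the object")
    obj.acl.setdefault(user, set()).add(perm)


def dac_allowed(obj: DacObject, user: str, perm: str) -> bool:
    return user == obj.owner or perm in obj.acl.get(user, set())


# ---------- RBAC: permissions attach to roles, users hold roles ----------
ROLE_PERMS = {
    "analyst": {("report", "read")},
    "admin": {("report", "read"), ("report", "write"), ("users", "manage")},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}, "eve": set()}


def rbac_allowed(user: str, resource: str, perm: str) -> bool:
    """Least privilege comes from the role table: alice cannot write reports
    unless the analyst role changes, regardless of what she owns."""
    return any(
        (resource, perm) in ROLE_PERMS.get(role, set())
        for role in USER_ROLES.get(user, set())
    )


# ---------- MAC: hierarchical labels enforced by the system, not the owner ----------
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
CLEARANCE = {"alice": "confidential", "bob": "secret", "eve": "unclassified"}


def mac_allowed(user: str, obj_label: str, perm: str) -> bool:
    subj, obj = LEVELS[CLEARANCE[user]], LEVELS[obj_label]
    if perm == "read":
        return subj >= obj  # simple security property: no read up
    if perm == "write":
        return subj <= obj  # *-property: no write down
    raise ValueError(f"unknown permission {perm!r}")


def evaluate_requests() -> dict:
    """Run one constructed request set through all three engines."""
    report = DacObject(owner="alice")
    dac_grant(report, actor="alice", user="bob", perm="read")  # alice shares at her discretion
    requests = [("alice", "read"), ("bob", "read"), ("bob", "write"), ("eve", "read")]
    return {
        f"{user}:{perm}": {
            "DAC": dac_allowed(report, user, perm),
            "RBAC": rbac_allowed(user, "report", perm),
            "MAC": mac_allowed(user, "secret", perm),  # the report is labelled secret
        }
        for user, perm in requests
    }


if __name__ == "__main__":
    for req, verdicts in evaluate_requests().items():
        print(req, verdicts)
```

Note how the verdicts diverge: under DAC alice, as owner, can read her own report even though under MAC her confidential clearance cannot read a secret object, and bob can write the report under RBAC and MAC but not under DAC because alice only granted him read.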
zijian ou says
FIPS 200 addresses minimum security requirements for federal information and information systems. Federal Information Processing Standards (FIPS) are standards issued by NIST for use by the U.S. federal government and government contractors related to computer systems. Generally, compliance with FIPS standards is mandatory, but sometimes exemptions are available.
Dan Xu says
Hi Zijian,
I agree with you that FIPS 200 addresses the minimum security requirements for federal information and information systems and that organizations must adopt all security controls in their respective security control baselines. For disparately impacted information systems, organizations must, at a minimum, adopt security controls that are appropriately tailored from a baseline of defined security controls for the response.
Antonio Cozza says
FIPS 200 provides guidelines on the minimum security requirements for federal information and information systems by categorizing managerial, operational, and technical elements of them into seventeen different categories, which must be part of the planning and policy aspect of security. Implementing these effectively will heavily affect the success of the security posture of the information systems in question. This document is a logical follow-up to FIPS 199, which addresses categorizing information systems. FIPS 200 can only be implemented properly and effectively once a given information type / system has been categorized and impact ratings have been assigned.
Kelly Sharadin says
Hi Antonio,
Nice call-out on the top three levels of categorization; for some reason I can remember the 17 underlying categories but forget they roll up into either managerial, operational, or technical. I believe having these 3 overarching categories makes sense, as security is truly a composite of people, processes, and tools.
Kelly
Victoria Zak says
FIPS 200 points out the minimum security requirements for federal information and information systems. It is a mandatory federal standard developed by NIST in response to FISMA.
There are 17 minimum security requirements in order to protect the CIA triad of federal information systems and the information being stored, processed, and transmitted by those systems. As the reading mentions, a few of the 17 security requirements are access control, awareness and training, audit and accountability, contingency planning, maintenance, physical and environmental protection, and risk assessment. All 17 of these controls must be tested in order to have the proper controls in place to decrease risks associated with the organization.
FIPS 199 ties in with FIPS 200 because FIPS 199 rates the systems into low, moderate, or high based on the impact on individuals and companies.
Dan Xu says
FIPS 200 specifies the recommended security controls for federal information systems that organizations must adopt by selecting the minimum security requirements that meet this standard. For differentially impacted information systems, the organization must, at a minimum, adopt security controls that are appropriately tailored from a different baseline of defined security controls. Low impact security controls corresponding to a low baseline are appropriately tailored to NIST Special Publication 800-53 and must ensure that minimum assurance requirements are met to the satisfaction of those associated with the low baseline. Organizations must adopt all security controls in their respective security control baselines, except in accordance with the customization guidance provided in the NIST Special Publication.
Madalyn Stiverson says
This publication introduces the concept of identifying the overall impact of a breach of confidentiality, integrity, and availability on a given system. It provides this equation: SC(information system) = {(confidentiality, impact), (integrity, impact), (availability, impact)}. This means that the total impact of a breach of a system is equal to the highest impact of either integrity, availability, or confidentiality. For example, if a given system is low impact for both integrity and confidentiality but high impact for availability, then the overall impact of a breach of the system is high.
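As an added example (not part of the post above), the FIPS 199 categorization is carried through in code for a system that holds several information types, then mapped to the SP 800-53 baseline that FIPS 200 points to. It goes slightly beyond the single-system case in the post: FIPS 199 takes the high-water mark per objective across all information types resident on the system, and allows "not applicable" only for the confidentiality of an information type (public data), never for a system objective, which is floored at LOW. The information types and impact levels below are constructed for illustration.

```python
"""Added example (not from the original thread): FIPS 199 security
categorization of a multi-information-type system and the FIPS 200 baseline
it leads to. The inventory below is constructed, not real data."""
IMPACT = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
LEVEL = {v: k for k, v in IMPACT.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(info_types: dict) -> dict:
    """Per-objective security category for the whole system.

    info_types: {name: {"confidentiality": lvl, "integrity": lvl, "availability": lvl}}
    For each objective take the highest value across all information types on
    the system (per-objective high-water mark). "N/A" is only meaningful for an
    information type's confidentiality; a system objective is never below LOW.
    """
    sc = {}
    for objective in OBJECTIVES:
        worst = max(IMPACT[it[objective]] for it in info_types.values())
        sc[objective] = LEVEL[max(worst, IMPACT["LOW"])]
    return sc


def high_water_mark(sc: dict) -> str:
    """Overall impact level of the system: the highest of its three objectives."""
    return LEVEL[max(IMPACT[v] for v in sc.values())]


def baseline_for(sc: dict) -> str:
    """FIPS 200 maps the overall level to the SP 800-53 baseline to tailor from."""
    return {
        "LOW": "SP 800-53 low baseline",
        "MODERATE": "SP 800-53 moderate baseline",
        "HIGH": "SP 800-53 high baseline",
    }[high_water_mark(sc)]


def format_sc(sc: dict) -> str:
    """Render in the FIPS 199 notation quoted in the post."""
    return "SC = {" + ", ".join(f"({o}, {sc[o]})" for o in OBJECTIVES) + "}"


# Constructed inventory: public web content (no confidentiality requirement)
# co-located with a payroll file and an availability-critical dispatch feed.
EXAMPLE_SYSTEM = {
    "public web pages": {"confidentiality": "N/A", "integrity": "MODERATE", "availability": "LOW"},
    "payroll records": {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "dispatch schedule": {"confidentiality": "LOW", "integrity": "LOW", "availability": "HIGH"},
}

if __name__ == "__main__":
    sc = categorize_system(EXAMPLE_SYSTEM)
    print(format_sc(sc))  # SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, HIGH)}
    print(high_water_mark(sc), "->", baseline_for(sc))
```

The dispatch feed alone pulls the whole system to the high baseline even though no single information type is high in more than one objective; that is the practical consequence of the high-water mark rule, and the usual argument for separating availability-critical data into its own system boundary.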
kofi bonsu says
FIPS 200 talks about minimum-security requirements that entail seventeen security-related areas in connection with protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. The seventeen areas fundamentally demonstrate a broad-based, balanced information security program that will help to solve the management, operational, and technical aspects of protecting federal information and information systems. FIPS 200 goes on to say that it categorizes minimum security requirements for federal information and information systems and a risk-based process for selecting the security controls necessary to meet the minimum requirements.
Finally, FIPS 200 is the second standard that was specified by the Information Technology Management Reform Act of 1996 (FISMA) that was meant to reduce security threats in an organizational environment.
Michael Jordan says
FIPS 200 made me think about the idea that (in theory) even information systems with unimportant data and low-level security requirements should still have some level of security. One example of this is shown by the rapid spread of ransomware: even if an organization does not need its information systems every day, or even every week, not being able to access computers would be a large enough hindrance to most small businesses that they would pay a small ransom (or even more) for the hope of getting these systems back. Nobody wants to start from the ground up again when they thought they had a good information system already implemented.
Olayinka Lucas says
FIPS 200 specifies the minimum information security requirements for information systems and a risk-based approach for selecting the necessary security controls to match the minimum standards. In addition, FIPS 200 recommends the under-listed in every Information Security program.
Standards for categorizing information systems to provide appropriate levels of information security.
Guidelines recommending the types of information and information systems to be included in each category; and
Minimum information security requirements for data and information systems in each such category.
FIPS 200 was created to promote the development, implementation, and operation of more secure information systems by establishing minimum levels of due diligence for information security, and by facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems that meet minimum security requirements.
Bernard Antwi says
FIPS 200 specifies minimum security requirements for federal information and information systems and a risk-based process for selecting the security controls necessary to satisfy the minimum requirements. The FIPS 200 document defines the minimum security requirements for Federal Information systems (in conjunction with NIST 800-53).