Quynh Nguyen says
The security control process must be based on and meet the minimum security requirement standards in NIST Special Publication 800-53, in order to select security controls tailored to particular information systems and achieve “adequate security.” This process involves management and operational personnel, and a lot of risk analysis considering factors specific to the organization: external threats, internal threats, limitations, state restrictions, federal restrictions, company regulations, etc. The security controls chosen must include one of three tailored security control baselines from NIST Special Publication 800-53. The three information impact levels are low, moderate, and high. Organizations must employ the designated tailored security controls from the low, moderate, or high baseline to ensure that these baseline requirements are met.
Xiduo Liu says
The minimum security requirements listed in FIPS 200 cover all areas of a functional organization. Each of the requirements is clearly outlined in this document, in conjunction with additional documents referenced in FIPS 200 such as NIST 800-53, so that the documents complement each other to form a comprehensive set of requirements not only for federal information and information systems but for all organizations. One also can and should take advantage of such detailed requirements to better protect the confidentiality, availability, and integrity of the data.
Christopher Clayton says
The high water mark, which is the highest potential impact value according to FIPS 200, is active because it is significantly dependent on each security objective (confidentiality, integrity, and availability) for each type of information resident on those information systems; in some cases, a compromise of one security objective will eventually affect another. Also, the potential impact values for the security objectives may differ for certain information systems, in which case the high water mark is used to determine the total impact of the information system.
Wei Liu says
The federal government recognized the importance of information security to the economy and thus requires that organizations meet the minimum security standard by selecting the appropriate security controls and assurance requirements as described in NIST SP 800-53. There are three security control baselines, one for each system impact level: low-impact, moderate-impact, and high-impact. Organizations must include one of these three baselines when selecting an appropriate set of security controls for their information system. This document also covers 17 security-related areas, which represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information.
Nicholas Fabrizio says
FIPS 200 specifies minimum security requirements for selecting security controls for information and information systems and is the second of two mandatory security standards (FIPS 199 is the first). Before selecting security controls, a risk-based assessment should be performed using FIPS 199 to categorize the system. Afterwards, security controls may be selected to meet the minimum security requirements, which may include access control, audit and accountability, physical and environmental protection, and many more. There are a total of seventeen security controls that meet the minimum requirements. Lastly, according to this document, “the selected security controls must include one of three, appropriately tailored security control baselines from NIST Special Publication 800-53 that are associated with the designated impact level” (FIPS 200). These impact levels include low, moderate, and high and will help ensure that adequate security controls are being implemented while remaining cost-effective.
Lakshmi Surujnauth says
A key takeaway is that information and information systems must be accurately classified, as this affects the tailored security baseline controls selected based on their designated impact levels. The fact that organizations must employ all security controls within the selected control baseline further underscores the importance of security categorization. An inappropriate security classification may lead to the selection of a control baseline where the organization spends more than necessary, or not enough, to prioritize and protect information assets. The latter, of course, leads to increased opportunities for threat actors to exploit vulnerabilities.
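As an added example (not from any of the posts above), the categorization step Christopher and Lakshmi describe, carried through in Python: each information type on a system gets FIPS 199 impact values, the per-objective high water mark gives the system's security category, and the overall high water mark selects the single SP 800-53 baseline. The information types and their impact values are constructed for illustration; the rule that “not applicable” is allowed only for the confidentiality of an information type, with a floor of LOW at the system level, follows FIPS 199.

```python
"""Added example (not from the posts): FIPS 199 categorization feeding the FIPS 200 baseline choice."""
from dataclasses import dataclass
from typing import Dict, Optional

# Ordered impact scale; None stands for "not applicable".
IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One type of information resident on the system, with its FIPS 199 security category."""
    name: str
    confidentiality: Optional[str]  # None = "not applicable" (FIPS 199 permits this for confidentiality only)
    integrity: str
    availability: str

    def __post_init__(self):
        for obj in OBJECTIVES:
            value = getattr(self, obj)
            if value is None and obj != "confidentiality":
                raise ValueError(f"{self.name}: {obj} cannot be 'not applicable'")
            if value is not None and value not in IMPACT_RANK:
                raise ValueError(f"{self.name}: bad impact value {value!r} for {obj}")


def high_water_mark(*values: Optional[str]) -> str:
    """Highest impact value among the inputs; a system-level objective is never below LOW."""
    ranked = [IMPACT_RANK[v] for v in values if v is not None]
    top = max(ranked, default=IMPACT_RANK["LOW"])
    return next(name for name, rank in IMPACT_RANK.items() if rank == top)


def categorize_system(info_types) -> Dict[str, str]:
    """FIPS 199 system security category: per-objective high water mark across all information types."""
    if not info_types:
        raise ValueError("a system must host at least one information type")
    return {obj: high_water_mark(*(getattr(t, obj) for t in info_types)) for obj in OBJECTIVES}


def system_impact_level(category: Dict[str, str]) -> str:
    """Overall impact level (FIPS 200): the high water mark across the three objectives."""
    return high_water_mark(*(category[obj] for obj in OBJECTIVES))


def select_baseline(info_types) -> str:
    """Name of the single NIST SP 800-53 baseline the system must start from."""
    return f"{system_impact_level(categorize_system(info_types)).lower()}-impact baseline"


# Constructed sample (hypothetical): a public-facing agency site that also stores staff records.
PUBLIC_CONTENT = InformationType("public web content", None, "MODERATE", "MODERATE")
STAFF_RECORDS = InformationType("staff personnel records", "MODERATE", "LOW", "LOW")
CASE_TRACKING = InformationType("case tracking data", "MODERATE", "HIGH", "LOW")

if __name__ == "__main__":
    system = [PUBLIC_CONTENT, STAFF_RECORDS]
    print(categorize_system(system))  # every objective comes out MODERATE
    print(select_baseline(system))  # moderate-impact baseline
    # Adding one information type with HIGH integrity drags the whole system to the high baseline.
    print(select_baseline(system + [CASE_TRACKING]))  # high-impact baseline
```

Note how a single HIGH value on one objective of one information type raises the whole system's baseline, which is why the posts stress that an inaccurate categorization over- or under-spends on controls.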
To-Yin Cheng says
NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, indicates that organizations must meet the minimum requirements by selecting the appropriate security controls and assurance requirements. Depending on the impact level (low, moderate, or high) of the information system, the organization must apply the corresponding level (low, moderate, or high) of the security control baseline and ensure that the minimum assurance requirements associated with that baseline level are satisfied. Organizational officials such as chief information officers and authorizing officials should approve the security control baseline tailoring activities. This ensures that a cost- and risk-based security approach can be applied to the organization.
Jonathan Mettus says
Determining minimum security requirements is a risk-based activity involving management and operational personnel within the organization. It starts with categorizing the system in accordance with FIPS 199 and then implementing the controls that line up with the designation in NIST 800-53. The controls must be documented in the system security plan. The controls are broken up into 17 areas: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity.
Elias Harake says
Hi Jonathan. Great point that you bring up here. A system security plan (SSP) is a document that identifies the functions and features of an IT system. This document should include all the hardware and software installed on the system. The system security plan should describe the security measures that have been or will soon be put in place to limit access to authorized users, as well as to train managers and systems administrators in the secure use of the IT system. The SSP should also provide detailed information regarding the process of auditing and maintaining the system and how to respond to a data breach within the system if one occurs.
Taylor Trench says
Something that stood out to me in this text was the consistent, specific language present in the document. For example, the text mentions achieving “adequate security” and includes a footnote specifically defining what adequate security would be. In a past class, I audited a technology and software usage policy in which the language was often vague and open to interpretation. I believe that vague language reduces both the impact and quality of a security document, as different readers will come to different conclusions. FIPS PUB 200 is of utmost detail and specificity when necessary, which makes the document an extremely useful and effective tool for achieving minimum security requirements. Another example of the specificity in this document that caught my attention was the security control selection. The document calls on specific categories of NIST Special Publication 800-53 baseline security controls for low-impact, moderate-impact, and high-impact information systems. I believe this is effective because it leaves no room for interpretation in how to handle various information systems.
Panayiotis Laskaridis says
Hi Taylor,
I like how you point out the specific language and consistency. It is vital in these documents that everyone reading them acknowledges the same standard. Without the consistency and specific language, the measures could get messy if every reader is interpreting on their own.
Christa Giordano says
The minimum baseline requirements as described in FIPS 200 provide guidance on the minimum considerations for systems in order to ensure the protection of the confidentiality, integrity, and availability of data. The guidance provides 17 security-related categories that cover management, operational, and technical aspects of data security. In addition, the importance of policies and procedures is noted, as they are critical to the effective implementation of enterprise-wide information security programs. Policies and procedures outline expectations and identify responsible parties, which is a good governance practice.
Mitchell Dulaney says
FIPS 200 works hand-in-hand with NIST 800-53. Together, they set a high floor for the security requirements set for government organizations and the minimum security controls those entities have to implement. They illustrate the high priority the US government has set for information security in recent years. FIPS 200 in particular lists a large number of information security areas and details the relatively high minimum requirements organizations must follow for each and every area. From incident response to media protection to awareness and training, this document aims to ensure functional information security is implemented across the government.
Megan Hall says
A key point I took away from reading FIPS 200 was that policies and procedures are expected to be a complement to the effectiveness of information security measures. Formal, documented policies and procedures are expected to be in place to govern the minimum security requirements. It is not enough to just stop at selecting and implementing the controls after an analysis of risk. Policies and procedures, which we read about in this week’s reading of Chapter 2 of the textbook, are needed to serve as governing documents and address the what and the how of these security measures.
Charlie Corrao says
One takeaway I have from this is the greater understanding I am gaining of the interconnection between many of the documents we read in this class and previous classes. Documents like FIPS 199 help determine security classifications, and then this document, FIPS 200, provides the minimum security requirements for federal information systems. These documents help piece together how federal agencies should handle their cyber security.
Wei Liu says
Hi Charlie, I agree with you that all these documents are somehow related. For example, FIPS 200 itself is very brief. It basically says that there are 17 security-related areas where federal agencies must meet certain minimum requirements. For the actual requirements, it refers to NIST Special Publication 800-53.
Panayiotis Laskaridis says
My biggest takeaway from FIPS 200 is how “advanced” these guidelines were for 2002. Considering only 50% of Americans had internet access in their homes, it is surprising to me that the government, let alone the Bush Administration, would prioritize and require such security requirements. These may all be basic and simple concepts today, but I’d imagine in 2002 the only people in the world who knew what Access Control and Identity Management and Authorization meant, in a cybersecurity sense, were those whose job it was to know. Now, in a less optimistic way, it is disappointing to see that this document hasn’t been updated yet, nearly 20 years later. In my opinion, this is a document that should be updated annually. All things considered, public policy should be driven by public needs, not the other way around. Some companies are still catching up and cannot afford to update their information/data policies annually.
Elias Harake says
A key takeaway that I learned from this document is that FIPS Publication 200 outlines a risk-based process for selecting security controls to meet minimum security requirements. FIPS 200 defines many security areas, which are related to the risk management, operational, and IT technology aspects of protecting federal information systems, as well as the confidentiality, integrity, and availability of the information processed. It also fits in well with the FIPS 199 categorization for the assignment of low, moderate, or high risk.