
Security Architecture

MIS 5214 - Section 001 - David Lanter


MIS 5214.951 ■ Spring 2023 ■ Jose Gomez

FIPS Pub 199 Standards for Security Categorization for Federal Information and Information Systems

January 1, 2022 by Jose Gomez 2 Comments

Filed Under: 1a - System Security Plan


Comments

  1. Chenhao Zhang says

    March 1, 2024 at 10:12 am

    FIPS Pub 199, also known as Federal Information Processing Standards Publication 199, is a standard published by the National Institute of Standards and Technology (NIST). It is used to guide the U.S. federal government on how to securely classify its information systems. The standard was released in 2004 to provide a unified approach to assessing and managing security risks to federal information systems.
    The core concept of FIPS Pub 199 is the Security category, which is based on three key security attributes: Confidentiality, Integrity, and Availability. Each attribute has three possible impact levels: Low, Moderate, and High. Through the combination of these attributes and levels, a unique security category can be identified for each information system.
    Specifically, FIPS Pub 199 requires organizations to first identify all types of information processed within their information systems, such as private information, contractor sensitive information, proprietary information, etc. Each information type is then assessed for its potential impact in terms of confidentiality, integrity, and availability. Then, according to the “take high” principle, the highest impact level of each attribute is selected as the overall security category of the information system.
    Finally, FIPS Pub 199 provides a generic expression for a security category (SC), namely SC={(confidentiality, impact level), (integrity, impact level), (availability, impact level)}. This expression can be used to describe the security requirements of an information system or information type.
    By following the guidelines of FIPS Pub 199, organizations can develop more specific and consistent security policies and management measures for their information systems, thereby improving the security of their systems and reducing potential risks.

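
The security category expression and the “take high” rule described in the comment above, as an added worked example (it is not part of the original page, and it is not code from NIST or FIPS 199 itself). FIPS 199 calls the “take high” rule the high water mark. The example is in Python; the information types, their provisional impact levels and the names `InfoType`, `categorize_system`, `sc_expression` and `overall_impact` are constructed for illustration. It goes slightly beyond the comment in two details FIPS 199 does specify: the confidentiality of a public information type may be marked not applicable, but the resulting system level never drops below LOW, and a single overall system impact level is the highest of the three attribute levels.

```python
"""FIPS 199 security categorization with the high water mark rule.

Added example, not from the course page. The information types and their
provisional impact levels are constructed; in practice they come from the
system owner's analysis guided by NIST SP 800-60.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Ordered so that a larger index means higher impact ("take high").
LEVELS = ("LOW", "MODERATE", "HIGH")
ATTRIBUTES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels.

    confidentiality may be None ("not applicable"), which FIPS 199 permits
    only for public information and only at the information-type level.
    """
    name: str
    confidentiality: Optional[str]
    integrity: str
    availability: str


def validate(t: InfoType) -> None:
    """Reject unknown levels, and N/A anywhere except confidentiality."""
    for attr in ATTRIBUTES:
        level = getattr(t, attr)
        if level is None and attr == "confidentiality":
            continue
        if level not in LEVELS:
            raise ValueError(f"{t.name}: {attr} has invalid impact level {level!r}")


def high_water_mark(levels: Iterable[Optional[str]]) -> Optional[str]:
    """Highest level among those given, ignoring N/A; None if all are N/A."""
    present = [lvl for lvl in levels if lvl is not None]
    if not present:
        return None
    return max(present, key=LEVELS.index)


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Aggregate information types into a system security category.

    Per attribute, take the highest impact of any information type the
    system processes. A system is never below LOW for any attribute: the
    N/A allowed for public information's confidentiality does not carry up.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for t in info_types:
        validate(t)
    result: Dict[str, str] = {}
    for attr in ATTRIBUTES:
        hwm = high_water_mark(getattr(t, attr) for t in info_types)
        result[attr] = hwm if hwm is not None else "LOW"
    return result


def sc_expression(subject: str, levels: Dict[str, str]) -> str:
    """Render the FIPS 199 notation: SC subject = {(confidentiality, X), ...}."""
    parts = ", ".join(f"({attr}, {levels[attr]})" for attr in ATTRIBUTES)
    return f"SC {subject} = {{{parts}}}"


def overall_impact(levels: Dict[str, str]) -> str:
    """Single system impact level: the highest of the three attributes."""
    return high_water_mark(levels[a] for a in ATTRIBUTES)


# Constructed sample: a hypothetical grant-management system.
SAMPLE_TYPES = [
    InfoType("public program descriptions", None, "LOW", "LOW"),
    InfoType("contractor sensitive information", "MODERATE", "MODERATE", "LOW"),
    InfoType("privacy (PII) records", "MODERATE", "MODERATE", "LOW"),
    InfoType("grant payment schedule", "LOW", "HIGH", "MODERATE"),
]

if __name__ == "__main__":
    levels = categorize_system(SAMPLE_TYPES)
    print(sc_expression("grant management system", levels))
    print("overall impact level:", overall_impact(levels))
```

Running the sample yields moderate confidentiality, high integrity and moderate availability, so the system as a whole is categorized HIGH even though no single information type is HIGH in more than one attribute; that is the practical consequence of the high water mark, and it is why the first step (enumerating every information type the system touches) matters more than any later step.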
  2. Yi Liu says

    March 4, 2024 at 11:59 am

    Security plans for their information systems should be the necessity for agencies to adopt a set of minimum security controls, as mandated. These controls are essential for safeguarding the confidentiality, integrity, and availability of federal information systems against potential security threats.
    System security planning is underscored as a critical activity aligned with the system development life cycle (SDLC). Security plans should be revisited and updated in response to system events to ensure they accurately represent the current state of the system. The system security plan should outline the security requirements of the information system and detail the security controls that are in place or planned to meet these requirements. Additionally, the plan may include references to other vital security-related documents, such as risk assessments, plans of action and milestones, accreditation decision letters, privacy impact assessments, contingency plans, configuration management plans, security configuration checklists, and system interconnection agreements.



Fox School of Business

Copyright © 2025 · Course News Pro on Genesis Framework · WordPress