GAITHERSBURG, Md.—Computer scientists at the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) today released for public comment the draft of Federal Information Processing Standard (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems. The draft standard is one of a series of key standards and guidelines produced by NIST’s Computer Security Division to help federal agencies improve their information technology security and comply with the Federal Information Security Management Act (FISMA) of 2002.
As stated in today’s Federal Register, NIST invites public comments on the draft standard until 5 p.m. Eastern Daylight Time on Sept. 13, 2005. The document may be downloaded as an Adobe Acrobat file at http://csrc.nist.gov/publications/drafts.html.

FIPS Publication 200 provides: (1) a specification for minimum security requirements for federal information and information systems; (2) a standardized, risk-based approach (as described in FIPS Publication 199) for selecting security controls in a cost-effective manner; and (3) links to NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, which recommends the management, operational and technical controls needed to protect the confidentiality, integrity and availability of all federal information systems that are not national security systems.
Security controls are the management, operational and technical safeguards and countermeasures prescribed for a computer system that, taken together, adequately protect the confidentiality, integrity and availability of a system and its information. Management safeguards range from risk assessment to security planning. Operational safeguards include factors such as personnel security and basic hardware/software maintenance. Technical safeguards include items such as audit trails and communications protection.
FISMA requires all federal agencies to develop, document and implement agency-wide information security programs and to provide security for the information and information systems that support the operations and assets of the agency. The act called upon NIST to develop the standards and guidelines needed for successful FISMA compliance.
The draft FIPS Publication 200 is the third publication of a three-part series developed by NIST to help federal agencies achieve this compliance. FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, was issued in February 2004 and requires agencies to categorize their information and information systems as low-impact, moderate-impact or high-impact for the security objectives of confidentiality, integrity and availability. NIST SP 800-53, issued in February 2005, provides guidance on selecting the appropriate controls for 17 key security focus areas, including risk assessment, contingency planning, incident response, access control, and identification and authentication.
State, local and tribal governments, as well as private-sector organizations comprising the critical infrastructure of the United States, are encouraged to review the draft standard and then consider using it once finalized, along with the guidance of the other two FISMA compliance publications.
Written comments on FIPS Publication 200 may be sent to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft FIPS Publication 200, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, Md. 20899-8930. Comments also may be submitted electronically to draftfips200@nist.gov.
As a non-regulatory agency of the U.S. Department of Commerce’s Technology Administration, NIST develops and promotes measurement, standards and technology to enhance productivity, facilitate trade and improve the quality of life.