NIST releases FIPS 200

Published 16 March 2006

The National Institute of Standards and Technology (NIST) has released the final standard for securing agency computer systems under the Federal Information Security Management Act (FISMA). Federal Information Processing Standard 200 (FIPS 200) sets minimum security requirements for federal systems in seventeen security areas. It is the third of three publications required from NIST under FISMA, which mandates that executive branch agencies establish consistent, manageable IT security programs for non-national security systems. The intent of FISMA is to put risk-based processes in place for selecting and implementing security controls.

FIPS 199, released two years ago, establishes standards for categorizing IT systems as low, moderate, or high-impact, depending on the effect of a breach of confidentiality, integrity, or availability of the system. Special Publication 800-53 — “Recommended Security Controls for Federal Information Systems” — lays out the tools to be used under FIPS 200 to secure IT systems. Agencies must be in compliance with FIPS 200 by March 2007.

Requirements are spelled out for:

-read more in William Jackson’s GCN report; and see FIPS 200 | FIPS 199 | Special Publication 800-53 | FIPS 186-3