Beginning in 2006, all new computer systems built by federal agencies will be required to comply with the standard. In addition to being required under the Federal Information Security Management Act of 2002, compliance with FIPS 200 is recommended for state and local government agencies and for companies in the private sector, both because of the data-sharing requirements of government agencies and because the majority of the nation's critical infrastructure is owned by the private sector.
FIPS 200 provides both a specified minimum of security for computer systems and a way for agencies to implement sensible risk-based security policies. It links to NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, which recommends the management, operational and technical controls needed to protect sensitive information and maintain the availability of information systems.
FISMA requires all federal agencies to develop, document and implement agency-wide information security programs and to provide security for the information and information systems that support the operations and assets of the agency. The act called upon NIST to develop the standards and guidelines needed for successful FISMA compliance.
The draft FIPS Publication 200 is the third publication of a three-part series developed by NIST to help federal agencies achieve this compliance. FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, was issued in February 2004 and requires agencies to categorize their information and information systems as low-impact, moderate-impact or high-impact for the security objectives of confidentiality, integrity and availability. NIST SP 800-53, issued in February 2005, provides guidance on selecting the appropriate controls for 17 key security focus areas, including risk assessment, contingency planning, incident response, access control, and identification and authentication.
Written comments on FIPS Publication 200 may be sent to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft FIPS Publication 200, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, Md. 20899-8930. Comments may also be submitted electronically.