Start Preamble

AGENCY:

National Institute of Standards and Technology (NIST), Commerce.

ACTION:

Notice.

SUMMARY:

This notice announces the Secretary of Commerce's approval of Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The use of FIPS 200 is compulsory and binding on federal agencies for: (i) All information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and (ii) all federal information systems other than those information systems designated as national security systems as defined in 44 United States Code Section 3542(b)(2). FIPS 200 was developed to complement similar standards for national security systems.

DATES:

This standard is effective March 31, 2006.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Dr. Ron Ross, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930, telephone (301) 975-5390, e-mail: ron.ross@nist.gov.

A copy of FIPS 200 is available electronically from the NIST Web site at: http://csrc.nist.gov/​publications/​.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

The Federal Information Security Management Act (FISMA) requires all federal agencies to develop, document and implement agency-wide information security programs and to provide information security for the information and information systems that support the operations and assets of the agency, including those systems provided or managed by another agency, contractor, or other source.

To support agencies conducting their information security program, the FISMA called for NIST to develop federal standards for the security categorization of federal information and information systems according to risk levels, and four minimum security requirements for information and information systems in each security category. FIPS 199, Standards for the Security Categorization of Federal Information and Information Systems, issued in February 2004, was the first standard that was specified by the FISMA. FIPS 199 requires agencies to categorize their information and information systems as low-impact, moderate-impact, or high impact for the security objectives of confidentiality, integrity, and availability.

FIPS 200, which is the second standard that was specified by the FISMA, is an integral part of the risk management framework that NIST has developed to assist federal agencies in providing appropriate levels of information security based on levels of risk. In applying the provisions of FIPS 200, agencies will categorize their systems as required by FIPS 199, and then select an appropriate set of security controls from NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, to satisfy their minimum security requirements.

On July 15, 2005, a notice was published in the Federal Register (Volume 70, Number 135, 40983-40984) announcing proposed FIPS 200 and soliciting comments on the proposed standard from the public, research communities, manufacturers, voluntary standards organizations, and federal, state, and local government organizations. In addition to being published in the Federal Register, the notice was posted on the NIST web pages. Information was provided about the submission of electronic comments.

Comments, responses, and questions were received from 13 private sector organizations, groups, or individuals and from 14 federal government organizations.

Most of the comments that were received recommended editorial changes; suggested the addition of references; provided general comments concerning the standard and its implementation; and asked questions concerning the implementation of the standard and the use of waivers. Some of the comments expressed concurrence with the standard as proposed, supported the intent, goals, and Start Printed Page 16289presentation of the standard, and complimented NIST on the document. No comments opposed the adoption of the standard.

The primary interests and issues that were raised in the comments included: Time needed for implementation; inclusion of waiver provisions; inclusion of additional references; rearrangement and indexing of the text; addition of text and implementation details already available in other NIST publications; and expansion of definitions.

All of the editorial suggestions and recommendations were carefully reviewed, and changes were made to the standard where appropriate. The text of the standard, the terms and definitions listed in the standard, the references and the footnotes were modified as needed.

Following is an analysis of the major editorial, implementation and related comments that were received.

Comment: Some comments recommended changing the requirement that federal agencies must be in compliance with the standard not later than one year from its effective date. The recommendations received suggested both lengthening the time for compliance because of concerns about the cost of implementing the standard within budget constraints, and shortening the time for compliance to achieve improved security.

Response: NIST believes that the requirement for compliance not later than one year from effective date of the standard is reasonable, and that no changes are needed to either prolong or shorten the time for compliance with the standard.

Comment: A federal agency recommended that a provision be added to the standard to enable federal agencies to waive the standard when they lack sufficient resources to comply by the deadline.

Response: The Federal Information Security Management Act contains no provisions for agency waivers to standards. The FISMA states that information security standards, which provide minimum information security requirements and which are needed to improve the security of federal information and information systems, are required mandatory standards. The Secretary of Commerce is authorized to make information security standards compulsory and binding, and these standards may not be waived.

Comment: Comments were received about regrouping or indexing the seventeen security areas covered by the standard. FIPS 200 specifies minimum security requirements for federal information and information systems in seventeen security-related areas.

Response: NIST believes that indexing would be confusing and would add unnecessary complexity to the standard. The seventeen areas that are defined in the standard represent a broad-based, balanced information security program. The areas, which address the management, operational, and technical aspects of protecting federal information and information systems, are concise and do not require indexing.

Comment: One federal agency recommended that the standard specify a time period for retaining audit records.

Response: NIST believes that requirements about retention of audit records should be defined by agencies, and should not be specified in the standard.

Comment: Several comments suggested additions and changes to the standard concerning risk management procedures, audit controls, baseline security controls, and risks introduced by new technologies.

Response: A section of the proposed FIPS 200 covering these topics has been removed from the final version of the standard, and these comments will be considered when NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, is updated. FIPS 200 specifies that federal agencies use SP 800-53 to select security controls that meet the minimum security requirements in the seventeen security-related areas. The security controls in SP 800-53 represent the current state-of-the-practice safeguards and countermeasures for information systems. NIST plans to review these security controls at least annually and to propose any changes needed to respond to experience gained from using the controls, changing security requirements within federal agencies, and new security technologies. Any changes or additions to the minimum security controls and the security control baselines described in SP 800-53 will be made available for public review before any modifications are made. Federal agencies will have up to one year from the date of the final publication to comply with the changes.

Comment: Some comments suggested the inclusion of expanded definitions for terms such as systems, major applications, and general support systems.

Response: NIST is adhering to the definition of system used in the Federal Information Security Management Act, and believes that attempts to further define these terms and to make distinctions between systems and applications may be confusing.

Comment: One federal agency asked about the security issues related to the use of computerized medical devices. Another commenter asked about inclusion of information on training and certification of information technology professionals.

Response: The issue of computerized medical devices may need to be addressed, but FIPS 200 is not the appropriate document. The issues of training information and the certification of information technology professionals are also outside the scope of FIPS 200.

Start Authority

Authority: Federal Information Processing Standards (FIPS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Pub. L. 104-106) and the Federal Information Security Management Act (FISMA) of 2002 (Pub. L. 107-347).

End Authority

E.O. 12866: This notice has been determined to be not significant for the purposes of E.O. 12866.

Start SignatureEnd Signature End Supplemental Information