AGENCY: National Institute of Standards and Technology (NIST), Commerce.
ACTION: Notice; request for comments.
SUMMARY: Draft FIPS 199 defines requirements to be used by Federal agencies to categorize information and information systems, and to provide appropriate levels of information security according to a range of risk levels. This draft standard establishes three potential levels of risk (low, moderate, and high) for each of the security objectives of confidentiality, integrity, and availability. The levels of risk are based on what is known about the potential impact or harm. Harmful events can impact agency operations (including mission, functions, image or reputation), agency assets, or individuals (including privacy). The levels of risk consider both impact and threat, but are more heavily weighted toward impact. Federal information systems, which are often interconnected and interdependent, are vulnerable to a variety of threats (both malicious and unintentional) that could compromise the security of information and information systems.
NIST invites public comments on the Draft FIPS on Standards for Security Categorization of Federal Information and Information Systems.
DATES: Comments on the Draft FIPS on Standards for Security Categorization of Federal Information and Information Systems must be received on or before August 14, 2003.
ADDRESSES: Written comments concerning the Draft FIPS on Standards for Security Categorization of Federal Information and Information Systems may be sent by regular mail to: Information Technology Laboratory, ATTN: Draft FIPS 199, Mail Stop 8930, 100 Bureau Drive, Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899–8930. Electronic comments should be sent to:
Comments received in response to this notice will be published electronically at:
FOR FURTHER INFORMATION CONTACT: Dr. Ron S. Ross, (301) 975–5390, National Institute of Standards and Technology, Attn: Computer Security Division, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899–8930, Email:
SUPPLEMENTARY INFORMATION: Under section 5131 of the Information Technology Management Reform Act of 1996 and sections 302–3 of the Federal Information Security Management Act of 2002 (Pub. L. 107–347), the Secretary of Commerce is authorized to approve standards and guidelines for Federal information systems and to make standards compulsory and binding for Federal agencies as necessary to improve the efficiency or security of Federal information systems. The National Institute of Standards and Technology is authorized to develop standards, guidelines, and associated methods and techniques for information systems, other than national security systems, to provide for adequate information security for agency operations and assets.
The Federal Information Security Management Act (FISMA) requires each Federal agency to develop, document, and implement an agency-wide information security program that will provide information security for the information and information systems supporting the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
To enable agencies to carry out this responsibility, the FISMA specifically tasked NIST to develop a standard to categorize information and information systems. In addition, NIST was tasked to develop guidelines recommending the types of information to be included in each category, and to develop minimum information security requirements (
In response to the mandate, NIST developed FIPS 199. Draft FIPS 199 defines requirements to be used by Federal agencies to categorize information and information systems, and to provide appropriate levels of information security according to a range of risk levels. This draft standard establishes three potential levels of risk (low, moderate, and high) for each of the security objectives of confidentiality, integrity, and availability. The levels of risk are based on what is known about the potential impact or harm. Harmful events can impact agency operations (including mission, functions, image or reputation), agency assets, or individuals (including privacy). The levels of risk consider both impact and threat, but are more heavily weighted toward impact. Federal information systems, which are often interconnected and interdependent, are vulnerable to a variety of threats (both malicious and unintentional) that could compromise the security of information and information systems.
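The categorization scheme the notice describes (a low, moderate or high impact level assigned separately to confidentiality, integrity and availability) can be made concrete in code. The following is an added example, not text or code from the notice or from NIST; the information types, their impact levels and the system are constructed. The notice does not say how the categories of several information types roll up to a system category; the rule used here (per objective, the system takes the highest impact of any information type it handles) is the "high water mark" adopted in the final FIPS 199 and is marked as an assumption in the code.

```python
"""Security categorization in the style of FIPS 199 (added example, not NIST code)."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """The three potential levels named in the notice, ordered so max() works."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

    @classmethod
    def parse(cls, text: str) -> "Impact":
        """Accept 'low' / 'Moderate' / ' HIGH ' as found in inventories."""
        return cls[text.strip().upper()]


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    """One impact level for each of the three security objectives."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def as_dict(self) -> dict:
        return {objective: getattr(self, objective) for objective in OBJECTIVES}

    def overall(self) -> Impact:
        """Highest impact across the three objectives (a common summary figure)."""
        return max(self.as_dict().values())

    def __str__(self) -> str:
        parts = ", ".join(f"({o}, {lvl.name})" for o, lvl in self.as_dict().items())
        return "SC = {" + parts + "}"


def categorize_system(information_types: dict) -> SecurityCategory:
    """Aggregate the categories of the information types a system handles.

    Assumption (not stated in the notice): for each objective the system
    inherits the highest impact level of any information type it processes,
    the "high water mark" rule of the final FIPS 199.
    """
    if not information_types:
        raise ValueError("a system must handle at least one information type")
    levels = {
        objective: max(sc.as_dict()[objective] for sc in information_types.values())
        for objective in OBJECTIVES
    }
    return SecurityCategory(**levels)


# Constructed sample inventory for a hypothetical payroll system; the
# information types and their levels are illustrative only.
SAMPLE_INFORMATION_TYPES = {
    "public web content": SecurityCategory(Impact.LOW, Impact.MODERATE, Impact.LOW),
    "employee payroll records": SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "system audit logs": SecurityCategory(Impact.LOW, Impact.HIGH, Impact.MODERATE),
}

if __name__ == "__main__":
    system_category = categorize_system(SAMPLE_INFORMATION_TYPES)
    print(system_category)
    print("overall impact:", system_category.overall().name)
```

Keeping the three objectives separate, rather than collapsing to a single number up front, is the point of the scheme: a system whose data is public (low confidentiality) can still need high integrity, and the per-objective category is what drives the choice of controls later.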
This standard for categorizing information and information systems supports the implementation of a common framework that will promote the effective government-wide management and oversight of Federal agency information security programs. The common framework will facilitate the coordination of information security efforts throughout the civilian, national security, and law enforcement communities, and will enable consistent reporting by agencies to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices.
NIST is in the process of developing guidance documents for the second and third tasks mandated by the FISMA and will make these documents available for public comment when they are finalized. For the second assigned task, NIST plans guidelines to help agencies identify, in a consistent manner, the types of information and information systems, (
Executive Order 12866: This notice has been determined to be not significant under Executive Order 12866.