11 February 2004
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

-----------------------------------------------------------------------

[Federal Register: February 10, 2004 (Volume 69, Number 27)]
[Notices]
[Page 6264-6266]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr10fe04-68]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 030429105-3270-02]

Announcing Approval of Federal Information Processing Standard (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems

AGENCY: National Institute of Standards and Technology (NIST), Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Commerce has approved FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, and has made it compulsory and binding on Federal agencies for the protection of: (i) All information within the Federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and (ii) all Federal information systems other than those information systems designated as national security systems as defined in the United States Code.

The Federal Information Security Management Act (FISMA) requires all Federal agencies to develop, document, and implement agency-wide information security programs to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
FIPS Publication 199 addresses one of the requirements specified in the FISMA. It provides security categorization standards for information and information systems. The purpose of security categorization standards is to provide a common framework and method for expressing security and to promote effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices.

DATES: This standard is effective February 10, 2004.

FOR FURTHER INFORMATION CONTACT: Dr. Ron Ross, (301) 975-5390, National Institute of Standards and Technology, 100 Bureau Drive, STOP 8930, Gaithersburg, MD 20899-8930. A copy of FIPS Publication 199 is available electronically from the NIST Web site at: http://csrc.nist.gov/publications/.

SUPPLEMENTARY INFORMATION: A notice was published in the Federal Register (68 FR 26573) on May 16, 2003, announcing the proposed FIPS Publication 199 on Standards for Security Categorization of Federal Information and Information Systems for public review and comment. The Federal Register notice solicited comments from the public, academic and research communities, manufacturers, voluntary standards organizations, and Federal, state, and local government organizations. In addition to being published in the Federal Register, the notice was posted on the NIST Web pages; information was provided about the submission of electronic comments. Comments and responses were received from thirteen private sector organizations, individuals and groups of individuals, from eighteen federal government organizations, and from one Canadian government organization.
Many of the comments received recommended editorial changes, expressed concerns about the discussion of risk, risk assessment, threats, and security controls, and asked for clarification about the requirements of the FISMA. None of the comments opposed the adoption of this Federal Information Processing Standard. Many comments supported the concept of categorization of information and information systems and commended the clear, well-written presentation of the standard. All of the editorial and related comments were carefully reviewed, and changes were made to the standard where appropriate. Specifically, certain terminology in FIPS 199 was modified to be consistent with other NIST publications. All future publications will reflect consistent terminology.

Following is an analysis of the comments dealing with technical and implementation issues.

Comment: The major issue raised by a majority of the comments was concern about perceived errors and inconsistencies in the initial draft's discussion of risk, risk assessment, threats, and the determination of security controls. Some of the comments suggested that NIST consider using the term ``level of impact'' instead of ``level of risk'' to apply to the categorization process.

Response: NIST recognizes that some of the initial discussion about risk, risk assessment, threats and the determination of security controls was abbreviated and concise, and that the discussion could have been misinterpreted. The original discussion described three potential levels of risk (low, moderate and high) for each of three security objectives (confidentiality, integrity and availability of information and information systems, which were defined in the FISMA). The levels of risk considered both impact of adverse events and threats to systems, but were more heavily weighted toward impact.
The categorization process involves matching the agency's assessment of levels of potential risk to each security objective, considering the occurrence of events that could jeopardize the information and information systems of the agency. As some of the comments pointed out, risk assessment is part of a well-defined management process conducted by agencies to identify and evaluate risks and risk impacts, and to recommend risk-reducing measures that balance costs and organizational requirements. NIST agrees that the issues of determining levels of risk and conducting risk assessments are part of a structured management process. These issues are covered comprehensively in other NIST publications. Therefore, the focus of the categorization process should be on ``level of impact'' that undesired events could have on information and information systems. The text of FIPS Publication 199 was changed to describe three levels of potential impact (low, moderate and high) on organizations or individuals if any of the security objectives of confidentiality, integrity and availability of information and information systems were compromised. The security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to the agency. This change responds to the many comments received on this issue, and clarifies the text for agency users. Terms and definitions relating to risk and risk assessments that had been included in the initial draft were removed from the final standard.

Comment: Some comments expressed confusion about the information included in the initial draft about the Federal Information Security Management Act (FISMA) and its requirements, particularly those requirements that are addressed by FIPS Publication 199.

Response: NIST agrees that some of the original discussion in draft FIPS Publication 199 could have been misinterpreted.
Therefore, the text was revised to delete extraneous material and to clarify the purpose of FIPS Publication 199. FIPS Publication 199 now clearly defines the impact levels to be used in categorizing information and information systems, and indicates that the standard addresses one of the tasks assigned to NIST by the FISMA. That task is the development of standards to be used by all Federal agencies to categorize information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels. Other requirements of the FISMA, such as determination of the types of information and information systems to be included in each category, will be addressed in future NIST standards and guidelines.

Comment: Some comments suggested changes to Table 1 in the original draft, and asked for an explanation of the use of the table. Examples of impacts for each impact definition were requested.

Response: FIPS Publication 199 was revised to clarify the text and to provide examples of impacts for each definition of impact for each security objective.

Comment: There are no provisions for the use of new technologies or updating of legacy systems.

Response: The provisions of FIPS Publication 199 are independent of the technology used, and can be applied to electronic and non-electronic information.

Comment: An objective for privacy should be added to the objectives of confidentiality, integrity and availability. The loss of privacy and identity theft should be added to the impact definitions.

Response: FIPS Publication 199 was revised to clarify the issue of privacy by specifying that loss of privacy and identity theft are examples of impacts on individuals. The objective of confidentiality, as defined in the FISMA (44 USC, Sec. 3542), encompasses privacy: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Comment: The definition of availability should be modified. Other security objectives (non-repudiation and authentication) should be added.

Response: The definition of availability is taken directly from the FISMA legislation and thus cannot be modified. However, the security objectives mentioned in the public comment, namely nonrepudiation and authenticity, are specifically covered in FIPS Publication 199 under the definition of integrity. FISMA's definition of integrity includes the security objectives of nonrepudiation and authenticity, so there is no need to modify the definition of availability to include those objectives. Adding additional security objectives independently would make the simple three by three matrix more complex for federal agencies during implementation and not add any appreciable value in helping to assess the potential impact of loss of information systems supporting those agencies.

Comment: An impact level of ``none'' should be added to the levels of low, moderate and high.

Response: A note was added that an impact level of ``none'' was appropriate only for confidentiality of some information (such as public information). Impact levels of ``none'' are not appropriate for the security objectives of availability and integrity since all agency information and information systems should be protected for availability and integrity.

Comment: The category of information designation should be separate from the category of system designation.

Response: FIPS Publication 199 treats systems categorization separately from information categorization.

Comment: The security objectives of confidentiality, integrity, and availability could be expanded.

Response: FIPS Publication 199 allows agencies to develop and use additional security designators.
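The responses above fix the shape of a FIPS 199 security category: three security objectives (confidentiality, integrity, availability), three impact levels (low, moderate, high), and an impact level of ``none'' permitted only for the confidentiality of some information, never for integrity or availability. The following Python is an added example written for this page; it is not NIST's code and does not come from the notice. It encodes those rules as a validator, renders a category in the SC = {(objective, impact), ...} notation used in the published FIPS 199, and goes one step beyond the notice by deriving a system category from the information types it processes using the "high water mark" rule that the published standard (not this notice) specifies for systems. The information types, their names and their impact values are constructed sample data.

```python
"""Security categorization helper modelled on the FIPS 199 scheme this notice
describes. Added example for this page; not NIST's code."""

from typing import Dict

OBJECTIVES = ("confidentiality", "integrity", "availability")
# Ordered weakest to strongest so that max() with IMPACT_LEVELS.index works.
IMPACT_LEVELS = ("none", "low", "moderate", "high")


def validate_category(category: Dict[str, str]) -> None:
    """Raise ValueError if a category breaks the rules stated in the notice:
    all three objectives present, known impact levels only, and "none"
    allowed only for confidentiality."""
    missing = [o for o in OBJECTIVES if o not in category]
    if missing:
        raise ValueError(f"missing objective(s): {missing}")
    for objective, level in category.items():
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown security objective: {objective!r}")
        if level not in IMPACT_LEVELS:
            raise ValueError(f"unknown impact level {level!r} for {objective}")
        if level == "none" and objective != "confidentiality":
            raise ValueError(f"impact level 'none' is not permitted for {objective}")


def is_valid_category(category: Dict[str, str]) -> bool:
    """Boolean wrapper around validate_category for callers that do not want exceptions."""
    try:
        validate_category(category)
    except ValueError:
        return False
    return True


def format_category(name: str, category: Dict[str, str]) -> str:
    """Render a category in the SC = {(objective, impact), ...} notation of FIPS 199."""
    validate_category(category)
    parts = ", ".join(f"({o}, {category[o].upper()})" for o in OBJECTIVES)
    return f"SC {name} = {{{parts}}}"


def system_category(information_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Derive a system's category from the information types it processes.

    Applies the "high water mark" rule of the published FIPS 199 (not stated in
    this notice): for each objective, the system takes the highest impact level
    assigned to any resident information type. Because every information type
    is validated first, integrity and availability can never come out as "none".
    """
    if not information_types:
        raise ValueError("a system must process at least one information type")
    result: Dict[str, str] = {}
    for objective in OBJECTIVES:
        levels = []
        for category in information_types.values():
            validate_category(category)
            levels.append(category[objective])
        result[objective] = max(levels, key=IMPACT_LEVELS.index)
    return result


# Constructed sample information types for a hypothetical agency system.
SAMPLE_INFORMATION_TYPES = {
    "public press releases": {"confidentiality": "none", "integrity": "low", "availability": "low"},
    "case management records": {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "payroll": {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}

if __name__ == "__main__":
    for name, category in SAMPLE_INFORMATION_TYPES.items():
        print(format_category(name, category))
    print(format_category("hypothetical system", system_category(SAMPLE_INFORMATION_TYPES)))
```

Running the block prints each information type in SC notation followed by the derived system category; with the sample data the system comes out as confidentiality MODERATE, integrity HIGH, availability MODERATE, because payroll sets the high-water mark for integrity and availability and the case management records and payroll tie for confidentiality.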
Comment: Only two impact levels are needed for non-national security information and systems.

Response: NIST believes that three levels of impact are needed for non-national security systems. Two levels of impact do not provide sufficient granularity to describe the range of potential impacts on federal agency missions resulting from the loss of confidentiality, integrity, or availability of information and information systems. Three impact levels are necessary to adequately describe the potential impact of loss to agency operations and assets ranging from routine administrative support systems at the low end to the most critical systems that are a part of the nation's critical information infrastructure at the high end. The moderate impact level provides another important category to address those systems that are deemed significantly more important than routine support systems, but not critical to the operations of the U.S. government. Three impact levels strike an adequate balance between providing too many categories and making the categorization process too complex and providing too few categories which forces agencies to either undervalue or overvalue the potential impact of loss to their operations and assets.

Comment: FIPS Publication 199 could define what level of risk is to be associated with a security objective required by law. More explicit information is needed to categorize systems. FIPS Publication 199 should present definitive guidance on vulnerabilities, impact and risk management methodology.

Response: These issues are discussed in current NIST publications, or will be addressed in future NIST publications.

E.O. 12866: This notice has been determined to be not significant for the purposes of E.O. 12866.

Dated: February 4, 2004.

Arden L. Bement, Jr.,
Director.

[FR Doc. 04-2885 Filed 2-9-04; 8:45 am]
BILLING CODE 3510-13-P