31 March 2006
-----------------------------------------------------------------------
[Federal Register: March 31, 2006 (Volume 71, Number 62)]
[Notices]
[Page 16288-16289]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr31mr06-45]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 050601149-5323-02]
Announcing Approval of Federal Information Processing Standard
(FIPS) 200, Minimum Security Requirements for Federal Information and
Information Systems
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: This notice announces the Secretary of Commerce's approval of
Federal Information Processing Standard (FIPS) 200, Minimum Security
Requirements for Federal Information and Information Systems. The use
of FIPS 200 is compulsory and binding on federal agencies for: (i) All
information within the federal government other than that information
that has been determined pursuant to Executive Order 12958, as amended
by Executive Order 13292, or any predecessor order, or by the Atomic
Energy Act of 1954, as amended, to require protection against
unauthorized disclosure and is marked to indicate its classified
status; and (ii) all federal information systems other than those
information systems designated as national security systems as defined
in 44 United States Code Section 3542(b)(2). FIPS 200 was developed to
complement similar standards for national security systems.
DATES: This standard is effective March 31, 2006.
FOR FURTHER INFORMATION CONTACT: Dr. Ron Ross, Computer Security
Division, Information Technology Laboratory, National Institute of
Standards and Technology, Gaithersburg, MD 20899-8930, telephone (301)
975-5390, e-mail: ron.ross@nist.gov.
A copy of FIPS 200 is available electronically from the NIST Web
site at: http://csrc.nist.gov/publications/.
SUPPLEMENTARY INFORMATION: The Federal Information Security Management
Act (FISMA) requires all federal agencies to develop, document and
implement agency-wide information security programs and to provide
information security for the information and information systems that
support the operations and assets of the agency, including those
systems provided or managed by another agency, contractor, or other
source.
To support agencies conducting their information security program,
the FISMA called for NIST to develop federal standards for the security
categorization of federal information and information systems according
to risk levels, and for minimum security requirements for information
and information systems in each security category. FIPS 199, Standards
for the Security Categorization of Federal Information and Information
Systems, issued in February 2004, was the first standard that was
specified by the FISMA. FIPS 199 requires agencies to categorize their
information and information systems as low-impact, moderate-impact, or
high-impact for the security objectives of confidentiality, integrity,
and availability.
FIPS 200, which is the second standard that was specified by the
FISMA, is an integral part of the risk management framework that NIST
has developed to assist federal agencies in providing appropriate
levels of information security based on levels of risk. In applying the
provisions of FIPS 200, agencies will categorize their systems as
required by FIPS 199, and then select an appropriate set of security
controls from NIST Special Publication 800-53, Recommended Security
Controls for Federal Information Systems, to satisfy their minimum
security requirements.
On July 15, 2005, a notice was published in the Federal Register
(Volume 70, Number 135, 40983-40984) announcing proposed FIPS 200 and
soliciting comments on the proposed standard from the public, research
communities, manufacturers, voluntary standards organizations, and
federal, state, and local government organizations. In addition to
being published in the Federal Register, the notice was posted on the
NIST web pages. Information was provided about the submission of
electronic comments.
Comments, responses, and questions were received from 13 private
sector organizations, groups, or individuals and from 14 federal
government organizations.
Most of the comments that were received recommended editorial
changes; suggested the addition of references; provided general
comments concerning the standard and its implementation; and asked
questions concerning the implementation of the standard and the use of
waivers. Some of the comments expressed concurrence with the standard
as proposed, supported the intent, goals, and
presentation of the standard, and complimented NIST on the document. No
comments opposed the adoption of the standard.
The primary interests and issues that were raised in the comments
included: Time needed for implementation; inclusion of waiver
provisions; inclusion of additional references; rearrangement and
indexing of the text; addition of text and implementation details
already available in other NIST publications; and expansion of
definitions.
All of the editorial suggestions and recommendations were carefully
reviewed, and changes were made to the standard where appropriate. The
text of the standard, the terms and definitions listed in the standard,
the references and the footnotes were modified as needed.
Following is an analysis of the major editorial, implementation and
related comments that were received.
Comment: Some comments recommended changing the requirement that
federal agencies must be in compliance with the standard not later than
one year from its effective date. The recommendations received
suggested both lengthening the time for compliance because of concerns
about the cost of implementing the standard within budget constraints,
and shortening the time for compliance to achieve improved security.
Response: NIST believes that the requirement for compliance not
later than one year from effective date of the standard is reasonable,
and that no changes are needed to either prolong or shorten the time
for compliance with the standard.
Comment: A federal agency recommended that a provision be added to
the standard to enable federal agencies to waive the standard when they
lack sufficient resources to comply by the deadline.
Response: The Federal Information Security Management Act contains
no provisions for agency waivers to standards. The FISMA states that
information security standards, which provide minimum information
security requirements and which are needed to improve the security of
federal information and information systems, are required mandatory
standards. The Secretary of Commerce is authorized to make information
security standards compulsory and binding, and these standards may not
be waived.
Comment: Comments were received about regrouping or indexing the
seventeen security areas covered by the standard. FIPS 200 specifies
minimum security requirements for federal information and information
systems in seventeen security-related areas.
Response: NIST believes that indexing would be confusing and would
add unnecessary complexity to the standard. The seventeen areas that
are defined in the standard represent a broad-based, balanced
information security program. The areas, which address the management,
operational, and technical aspects of protecting federal information
and information systems, are concise and do not require indexing.
Comment: One federal agency recommended that the standard specify a
time period for retaining audit records.
Response: NIST believes that requirements about retention of audit
records should be defined by agencies, and should not be specified in
the standard.
Comment: Several comments suggested additions and changes to the
standard concerning risk management procedures, audit controls,
baseline security controls, and risks introduced by new technologies.
Response: A section of the proposed FIPS 200 covering these topics
has been removed from the final version of the standard, and these
comments will be considered when NIST Special Publication (SP) 800-53,
Recommended Security Controls for Federal Information Systems, is
updated. FIPS 200 specifies that federal agencies use SP 800-53 to
select security controls that meet the minimum security requirements in
the seventeen security-related areas. The security controls in SP 800-53 represent the current state-of-the-practice safeguards and
countermeasures for information systems. NIST plans to review these
security controls at least annually and to propose any changes needed
to respond to experience gained from using the controls, changing
security requirements within federal agencies, and new security
technologies. Any changes or additions to the minimum security controls
and the security control baselines described in SP 800-53 will be made
available for public review before any modifications are made. Federal
agencies will have up to one year from the date of the final
publication to comply with the changes.
Comment: Some comments suggested the inclusion of expanded
definitions for terms such as systems, major applications, and general
support systems.
Response: NIST is adhering to the definition of system used in the
Federal Information Security Management Act, and believes that attempts
to further define these terms and to make distinctions between systems
and applications may be confusing.
Comment: One federal agency asked about the security issues related
to the use of computerized medical devices. Another commenter asked
about inclusion of information on training and certification of
information technology professionals.
Response: The issue of computerized medical devices may need to be
addressed, but FIPS 200 is not the appropriate document. The issues of
training information and the certification of information technology
professionals are also outside the scope of FIPS 200.
Authority: Federal Information Processing Standards (FIPS) are
issued by the National Institute of Standards and Technology after
approval by the Secretary of Commerce pursuant to Section 5131 of
the Information Technology Management Reform Act of 1996 (Pub. L.
104-106) and the Federal Information Security Management Act (FISMA)
of 2002 (Pub. L. 107-347).
E.O. 12866: This notice has been determined to be not significant
for the purposes of E.O. 12866.
Dated: March 23, 2006.
William Jeffrey,
Director.
[FR Doc. E6-4720 Filed 3-30-06; 8:45 am]
BILLING CODE 3510-CN-P