16 July 2005

Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

-----------------------------------------------------------------------

[Federal Register: July 15, 2005 (Volume 70, Number 135)]
[Notices]
[Page 40983-40984]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr15jy05-44]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 060601149-5149-01]

Announcing Draft Federal Information Processing Standard (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems

AGENCY: National Institute of Standards and Technology (NIST), Commerce.

ACTION: Notice; request for comments.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) announces the release of draft Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, for public comment. Draft FIPS Publication 200 is one of a series of security standards and guidelines that NIST is developing to help federal agencies implement their responsibilities under the Federal Information Security Management Act (FISMA). The FISMA requires that all federal agencies develop, document and implement agency-wide information security programs to protect federal information and information systems. Draft FIPS Publication 200, which will be used with other publications already issued by NIST, specifies minimum security requirements for federal information and information systems and a risk-based process for selecting the security controls necessary to satisfy the minimum requirements.
Prior to the submission of this proposed standard to the Secretary of Commerce for review and approval, it is essential that consideration be given to the needs and views of the general public, the information technology industry, and federal, state, and local government organizations. The purpose of this notice is to solicit such views.

DATES: Comments must be received on or before 5 p.m., September 13, 2005.

ADDRESSES: Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Comments on Draft FIPS Publication 200, 100 Bureau Drive (Stop 8930), National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Comments may also be sent via electronic mail to: draftfips200@nist.gov. A copy of draft FIPS Publication 200 is available from the NIST Web site at: http://csrc.nist.gov/publications/fips/index.html. Comments received in response to this notice will be published at http://csrc.nist.gov.

FOR FURTHER INFORMATION CONTACT: Dr. Ron Ross, Computer Security Division, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930, telephone (301) 975-5390, e-mail: ron.ross@nist.gov.

SUPPLEMENTARY INFORMATION: The Federal Information Security Management Act (FISMA) requires all federal agencies to develop, document, and implement agency-wide information security programs and to provide information security for the information and information systems that support the operations and assets of the agency, including those systems provided or managed by another agency, contractor, or other source. To support agencies in conducting their information security programs, the FISMA called for NIST to develop federal standards for the security categorization of federal information and information systems according to risk levels, and for minimum security requirements for information and information systems in each security category.
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, issued in February 2004, is the first standard that was specified by the FISMA. FIPS Publication 199 requires agencies to categorize their information and information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability.

Draft FIPS Publication 200, the second standard that was specified by the FISMA, is an integral part of the risk management framework that NIST has developed to assist federal agencies in providing appropriate levels of information security. FIPS Publication 200 specifies minimum security requirements for federal information and information systems and a risk-based process for selecting the security controls necessary to satisfy the minimum requirements. In applying the provisions of FIPS Publication 200, agencies will categorize their information systems as required by FIPS Publication 199, and subsequently select an appropriate set of security controls from NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, to satisfy the minimum security requirements. Issued in February 2005, NIST Special Publication 800-53 defines minimum security controls needed to provide cost-effective protection for low-impact, moderate-impact, and high-impact information systems and the information processed, stored, and transmitted by those systems.
The proposed standard will be applicable to: (i) all information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and (ii) all federal information systems other than those information systems designated as national security systems as defined in 44 United States Code Section 3542(b)(2). The standard has been broadly developed from a technical perspective to complement similar standards for national security systems. In addition to the agencies of the federal government, state, local, and tribal governments, and private sector organizations that compose the critical infrastructure of the United States are encouraged to consider the use of this standard, as appropriate.

Proposed FIPS Publication 200 specifies minimum security requirements for federal information and information systems in seventeen security-related areas that represent a broad-based, balanced information security program. The seventeen security-related areas encompass the management, operational, and technical aspects of protecting federal information and information systems, and include: access control; audit and accountability; awareness and training; certification, accreditation, and security assessments; configuration management; contingency planning; identification and authentication; incident response; maintenance; media protection; personnel security; physical and environmental protection; planning; risk assessment; systems and services acquisition; system and communications protection; and system and information integrity.
Authority: Federal Information Processing Standards (FIPS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 and the Federal Information Security Management Act of 2002 (Public Law 107-347).

E.O. 12866: This notice has been determined not to be significant for the purposes of E.O. 12866.

Dated: July 7, 2005.

Hratch G. Semerjian,
Acting Director, NIST.

[FR Doc. 05-13994 Filed 7-14-05; 8:45 am]