FIPS 200 Main-Improved
The E-Government Act of 2002 (Public Law 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) of 2002, tasked NIST with the responsibility of developing security standards and guidelines for the federal government including the development of:
- Standards for categorizing information and information systems1 collected or maintained by or on behalf of each federal agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
- Guidelines recommending the types of information and information systems to be included in each category; and
- Minimum information security requirements for information and information systems in each such category.
FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, approved by the Secretary of Commerce in February 2004, is the first of two mandatory security standards required by the FISMA legislation.2 FIPS Publication 200, the second of the mandatory security standards, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements. This standard will promote the development, implementation, and operation of more secure information systems within the federal government by establishing minimum levels of due diligence for information security and facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems that meet minimum security requirements.
2 INFORMATION SYSTEM IMPACT LEVELS
FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The potential impact values assigned to the respective security objectives are the highest values (i.e., high water mark3) from among the security categories that have been determined for each type of information resident on those information systems.4 The generalized format for expressing the security category (SC) of an information system is:
Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept must be used to determine the overall impact level of the information system. Thus, a low-impact system is an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high. The determination of information system impact levels must be accomplished prior to the consideration of minimum security requirements and the selection of appropriate security controls for those information systems.
3 MINIMUM SECURITY REQUIREMENTS
The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. The security-related areas include:
- (i) access control;
- (ii) awareness and training;
- (iii) audit and accountability;
- (iv) certification, accreditation, and security assessments;
- (v) configuration management;
- (vi) contingency planning;
- (vii) identification and authentication;
- (viii) incident response;
- (ix) maintenance;
- (x) media protection;
- (xi) physical and environmental protection;
- (xii) planning;
- (xiii) personnel security;
- (xiv) risk assessment;
- (xv) systems and services acquisition;
- (xvi) system and communications protection; and
- (xvii) system and information integrity.
The seventeen areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems.
Policies and procedures play an important role in the effective implementation of enterprise-wide information security programs within the federal government and the success of the resulting security measures employed to protect federal information and information systems. Thus, organizations must develop and promulgate formal, documented policies and procedures governing the minimum security requirements set forth in this standard and must ensure their effective implementation.
Specifications for Minimum Security Requirements
Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
Awareness and Training (AT): Organizations must:
- (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and
- (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Audit and Accountability (AU): Organizations must:
- (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and
- (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Certification, Accreditation, and Security Assessments (CA): Organizations must:
- (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application;
- (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems;
- (iii) authorize the operation of organizational information systems and any associated information system connections; and
- (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Configuration Management (CM): Organizations must:
- (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and
- (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.
Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Incident Response (IR): Organizations must:
- (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and
- (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.
Maintenance (MA): Organizations must:
- (i) perform periodic and timely maintenance on organizational information systems; and
- (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Media Protection (MP): Organizations must:
Physical and Environmental Protection (PE): Organizations must:
- (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals;
- (ii) protect the physical plant and support infrastructure for information systems;
- (iii) provide supporting utilities for information systems;
- (iv) protect information systems against environmental hazards; and
- (v) provide appropriate environmental controls in facilities containing information systems.
Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.
Personnel Security (PS): Organizations must:
- (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions;
- (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and
- (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
System and Services Acquisition (SA): Organizations must:
- (i) allocate sufficient resources to adequately protect organizational information systems;
- (ii) employ system development life cycle processes that incorporate information security considerations;
- (iii) employ software usage and installation restrictions; and
- (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.
System and Communications Protection (SC): Organizations must:
- (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and
- (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
System and Information Integrity (SI): Organizations must:
- (i) identify, report, and correct information and information system flaws in a timely manner;
- (ii) provide protection from malicious code at appropriate locations within organizational information systems; and
- (iii) monitor information system security alerts and advisories and take appropriate actions in response.
4 SECURITY CONTROL SELECTION
Organizations must meet the minimum security requirements in this standard by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.5 The process of selecting the appropriate security controls and assurance requirements for organizational information systems to achieve adequate security6 is a multifaceted, risk-based activity involving management and operational personnel within the organization. Security categorization of federal information and information systems, as required by FIPS Publication 199, is the first step in the risk management process.7 Subsequent to the security categorization process, organizations must select an appropriate set of security controls for their information systems that satisfy the minimum security requirements set forth in this standard. The selected set of security controls must include one of three, appropriately tailored8 security control baselines from NIST Special Publication 800-53 that are associated with the designated impact levels of the organizational information systems as determined during the security categorization process.
- For low-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the low baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the low baseline are satisfied.
- For moderate-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the moderate baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the moderate baseline are satisfied.
- For high-impact information systems, organizations must, as a minimum, employ appropriately tailored security controls from the high baseline of security controls defined in NIST Special Publication 800-53 and must ensure that the minimum assurance requirements associated with the high baseline are satisfied.
Organizations must employ all security controls in the respective security control baselines unless specific exceptions are allowed based on the tailoring guidance provided in NIST Special Publication 800-53.
To ensure a cost-effective, risk-based approach to achieving adequate security across the organization, security control baseline tailoring activities must be coordinated with and approved by appropriate organizational officials (e.g., chief information officers, senior agency information security officers, authorizing officials, or authorizing officials designated representatives). The resulting set of security controls must be documented in the security plan for the information system.