The IT Law Wiki
== Citation ==
[[National Institute of Standards and Technology]], Minimum Security Requirements for Federal Information and Information Systems ('''FIPS 200''') (Mar. 9, 2006) ([http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf full-text]).
== Overview ==
FIPS 200 is a mandatory federal standard developed by [[NIST]] in response to [[FISMA]]. To comply with the federal standard, organizations must first determine the [[security]] category of their [[information system]] in accordance with [[FIPS 199]], "Standards for Security Categorization of Federal Information and Information Systems," and then apply the appropriately tailored set of [[baseline security]] controls in [[NIST Special Publication 800-53]].

These baseline control recommendations are:
* '''Access control:''' limit [[information system]] [[access]] to [[authorized user]]s and to the types of transactions and functions that [[authorized user]]s are permitted to exercise.
* '''Certification, accreditation, and security assessments:''' periodically assess [[security control]]s, develop and [[implement]] plans of action designed to correct deficiencies and reduce or eliminate [[vulnerabilities]], authorize operation of systems and any associated system connections, and [[monitor]] [[system]] [[security control]]s on an ongoing basis.
* '''Risk assessment:''' periodically assess the [[risk]] to operations, assets, and individuals, resulting from the operation of systems and the associated [[data processing|processing]], [[storage]], or [[transmission]] of [[information]].

== FIPS 200 and NIST Special Publication 800-53 ==

Organizations have flexibility in applying the [[baseline security]] controls in accordance with the guidance provided in [[NIST Special Publication 800-53]]. This allows organizations to select [[security controls]] that more closely align with their mission and business requirements and environments of operation.

In applying the provisions of FIPS 200, agencies first categorize their [[information]] and systems as required by [[FIPS 199]], and then typically select an appropriate set of [[security controls]] from [[NIST Special Publication 800-53]] to satisfy their minimum [[security]] requirements. This helps to ensure that appropriate [[security]] requirements and [[security controls]] are applied to all federal [[information]] and [[information system]]s including [[cloud computing]].

FIPS 200 and [[NIST Special Publication 800-53]], in combination, help ensure that appropriate [[security requirement]]s and [[security controls]] are applied to all federal [[information]] and [[information system]]s. An organizational [[assessment of risk]] validates the initial [[security control]] selection and determines if any additional controls are needed to protect organizational operations (including mission, functions, image, or [[reputation]]), organizational assets, individuals, other organizations, or the United States. The resulting set of agreed-upon [[security controls]] establishes a level of [[security]] [[due diligence]] for the organization.
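As an added illustration that is not part of this entry or of FIPS 200 itself, the following Python encodes the selection flow described above: FIPS 199 impact levels for the three security objectives, the high-water-mark rule by which FIPS 200 derives a system's overall impact level, the matching low/moderate/high baseline, and the tailoring and supplementation driven by the organizational assessment of risk. The baseline table is constructed for illustration only (control IDs follow SP 800-53 family-number naming, but the membership is not the real SP 800-53 baselines), and all function names are assumptions.

```python
import re
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential-impact levels for one security objective."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed toy baselines (illustration only, NOT the real SP 800-53
# low/moderate/high baselines); IDs follow SP 800-53 family-number naming.
TOY_BASELINES = {
    Impact.LOW: {"AC-2", "CA-2", "RA-3"},
    Impact.MODERATE: {"AC-2", "AC-6", "CA-2", "CA-7", "RA-3"},
    Impact.HIGH: {"AC-2", "AC-6", "AC-17", "CA-2", "CA-7", "RA-3", "RA-5"},
}

CONTROL_ID = re.compile(r"^[A-Z]{2}-\d+$")


def is_control_id(control):
    """SP 800-53 control identifiers look like AC-2 or RA-5 (family-number)."""
    return bool(CONTROL_ID.match(control))


def system_impact(confidentiality, integrity, availability):
    """FIPS 200 high-water mark: a system's overall impact level is the
    highest of its three FIPS 199 security-objective impact levels."""
    return max(confidentiality, integrity, availability)


def select_controls(category, risk_removes=(), risk_adds=()):
    """Return (impact level, sorted agreed-upon control set).

    category maps 'confidentiality', 'integrity' and 'availability' to an
    Impact, as a FIPS 199 categorization would.  risk_removes are controls
    tailored out and risk_adds are controls the organizational assessment
    of risk adds beyond the baseline."""
    level = system_impact(category["confidentiality"],
                          category["integrity"],
                          category["availability"])
    for control in (*risk_removes, *risk_adds):
        if not is_control_id(control):
            raise ValueError(f"not an SP 800-53 control id: {control!r}")
    controls = set(TOY_BASELINES[level])
    controls -= set(risk_removes)   # tailoring
    controls |= set(risk_adds)      # supplementation from the risk assessment
    return level, sorted(controls)
```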
 
[[Category:Security]]
[[Category:Publication]]
[[Category:2006]]

Latest revision as of 11:03, 8 October 2013
