NIST sets FISMA standards for federal IT systems
- By William Jackson
- Mar 15, 2006
The National Institute of Standards and Technology has released the final standard for securing agency computer systems under the Federal Information Security Management Act.Federal Information Processing Standard 200
sets minimum security requirements for federal systems in 17 security areas. It is the third of three publications required from NIST under FISMA, which requires executive branch agencies to establish consistent, manageable IT security programs for non-national security systems. The intent of FISMA is to implement risk-based processes for selecting and implementing security controls.FIPS 199
, released two years ago, establishes standards for categorizing IT systems as low, moderate or high-impact, depending on the effect of a breach of confidentiality, integrity or availability of the system. Special Publication 800-53
''Recommended Security Controls for Federal Information Systems', lays out the tools to be used under FIPS 200 to secure IT systems.
Agencies must be in compliance with FIPS 200 by March 2007.
Requirements are spelled out for:
- Access control
- Awareness and training
- Audit and accountability
- Certification, accreditation and security assessments
- Configuration management
- Contingency planning
- Identification and authentication
- Incident response
- Media protection
- Physical and environmental protection planning
- Personnel security
- Risk assessment
- System and services acquisition
- System and communications protection
- System and information integrity.
Agencies must employ on each system the proper security controls in each of these areas depending on whether it is a low, moderate or high-impact system.
NIST also is updating its standards for digital signatures. A draft of FIPS 186-3
, which would replace the current FIPS 186-2, has been released for comment.
The original digital signature standard was released in 1994 and has been updated twice, in 1998 and 1999. The current version authorizes the use of key sizes of 512 and 1024 bits with approved algorithms. Key sizes of 1024 now are considered the minimum acceptable level for security of digital signatures.
'With advances in technology, it is prudent to consider larger key sizes,' NIST said. 'Draft FIPS 186-3 allows the use of 1024, 2048 and 3072-bit keys.'
Comments on the proposed standard should be made by June 12 to firstname.lastname@example.org
, or mailed to the Chief, Computer Security Division, Information Technology Laboratory, Attention: Comments on Draft FIPS 186-3, 100 Bureau Drive, Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930.
William Jackson is freelance writer and the author of the CyberEye blog.