NIST completes new security standard

The National Institute of Standards and Technology has released the final version of a Federal Information Processing Standard for categorizing security risks of federal information and systems.

Congress last year in the Federal Information Security Management Act required that NIST draft the standards. Agencies must use the standards to create 'a common framework and understanding for expressing security' in evaluating unclassified information and the systems that contain such information.

The new standards document, FIPS Publication 199, takes effect in December. Its use must be reflected in the reports that FISMA requires agencies to submit to the Office of Management and Budget.

The categories consider the potential impact of a breach on three security objectives: confidentiality, integrity and availability. There are three levels of impact: low, moderate and high.

NIST defines low impact as a limited effect on an agency's mission, finances or individuals if a system or information is compromised. If an agency applies the moderate-impact measure, it assumes a breach will seriously affect performance, finances or individuals. The high-impact label is reserved for potentially severe or catastrophic effects.

Agencies must categorize systems according to the highest level of potential impact for the types of information in the system. For example, a system might contain information that would result in a low impact if confidentiality were breached and other data that would result in a high impact if compromised. The system would then receive a high-impact rating.

NIST also is working on FIPS guidelines for the types of information and information systems to be included in each category and for the minimum security requirements in each category.

The new FIPS publication is available online.

About the Author

William Jackson is a Maryland-based freelance writer.
