Feds finalize standards for rating security risk

The Commerce Department has approved a new Federal Information Processing Standard for categorizing security risks to government information and systems.

The National Institute of Standards and Technology developed FIPS 199 as required by the Federal Information Security Management Act.

FISMA mandates that agencies evaluate and provide security programs for IT. The new standard spells out how agencies will categorize information and systems based on a range of risk levels. It also provides a common framework for discussing security issues.

The standard takes effect today and is compulsory for evaluation of unclassified information and for information systems not designated for national security.

NIST in May published a draft of FIPS 199 for public comment. During the three-month comment period, the agency received 13 comments from the private sector, 18 from federal organizations and one from the Canadian government. The agency changed several terms in the final document as a result of the comments, NIST officials said.

According to NIST, most of the comments concerned issues of risk assessment and threats. The draft described three levels of risk each in of the areas of confidentiality, integrity and availability. The final version instead identifies three levels of impact if the confidentiality, integrity or availability of a system is compromised.

The final version also clarifies the issue of privacy, making it explicit that privacy is an element of confidentiality.

NIST plans to post the final version of FIPS Publication 199 soon at csrc.nist.gov/publications.

About the Author

William Jackson is a Maryland-based freelance writer.


  • 2020 Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    21 Public Sector Innovation award winners

    These projects at the federal, state and local levels show just how transformative government IT can be.

  • Federal 100 Awards
    cheering federal workers

    Nominations for the 2021 Fed 100 are now being accepted

    The deadline for submissions is Dec. 31.

Stay Connected