Feds finalize standards for rating security risk
- By William Jackson
- Feb 10, 2004
The Commerce Department has approved a new Federal Information Processing Standard for categorizing security risks to government information and systems.
The National Institute of Standards and Technology developed FIPS 199 as required by the Federal Information Security Management Act.
FISMA requires agencies to assess the security of their IT and to maintain security programs for it. The new standard spells out how agencies will categorize information and systems based on a range of impact levels. It also provides a common framework for discussing security issues.
The standard takes effect today and is compulsory for evaluation of unclassified information and for information systems not designated for national security.
NIST in May published a draft of FIPS 199 for public comment. During the three-month comment period, the agency received 13 comments from the private sector, 18 from federal organizations and one from the Canadian government. The agency changed several terms in the final document as a result of the comments, NIST officials said.
According to NIST, most of the comments concerned issues of risk assessment and threats. The draft described three levels of risk in each of the areas of confidentiality, integrity and availability. The final version instead identifies three levels of impact if the confidentiality, integrity or availability of a system is compromised.
The final version also clarifies the issue of privacy, making it explicit that privacy is an element of confidentiality.
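The categorization the article describes can be worked through in code. The following is an added example, not part of the article or of NIST's own material: it uses the three impact values the published FIPS 199 names (low, moderate, high, plus "not applicable", which the standard permits only for the confidentiality of public information) and the standard's high water mark rule, under which a system takes the highest impact assigned to each objective across the information types it handles, with "not applicable" raised to low at the system level. The information types in the usage block (public web content and employee records) are constructed sample input, not taken from any agency.

```python
from enum import IntEnum

# The three security objectives FIPS 199 categorizes against.
OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    """Potential impact from a loss of a security objective.

    NA ("not applicable") is allowed by FIPS 199 only for the
    confidentiality of information that is already public.
    """
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


def categorize_information_type(name, confidentiality, integrity, availability):
    """Return the security category of one information type.

    Rejects NA for integrity or availability, which the standard does not
    permit: even public information must remain correct and reachable.
    """
    if integrity is Impact.NA or availability is Impact.NA:
        raise ValueError(f"{name}: 'not applicable' is only allowed for confidentiality")
    return {
        "name": name,
        "confidentiality": confidentiality,
        "integrity": integrity,
        "availability": availability,
    }


def categorize_system(info_types):
    """Apply the high water mark across all information types on a system.

    For each objective the system inherits the highest impact of any
    information type it processes, stores or transmits. FIPS 199 does not
    allow NA at the system level, so confidentiality is raised to at least
    LOW when every information type on the system is public.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max(item[objective] for item in info_types)
        category[objective] = max(highest, Impact.LOW)
    return category


def format_category(label, category):
    """Render a category in the notation FIPS 199 uses:
    SC label = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    triples = ", ".join(f"({objective}, {category[objective].name})" for objective in OBJECTIVES)
    return f"SC {label} = {{{triples}}}"


if __name__ == "__main__":
    # Constructed sample: a public web server that also holds staff records.
    public_pages = categorize_information_type(
        "public web content", Impact.NA, Impact.MODERATE, Impact.MODERATE)
    staff_records = categorize_information_type(
        "employee records", Impact.MODERATE, Impact.MODERATE, Impact.LOW)

    for item in (public_pages, staff_records):
        print(format_category(item["name"], item))

    system = categorize_system([public_pages, staff_records])
    print(format_category("web server", system))
```

The interesting case is a system that carries only public information: its information type is categorized with confidentiality NA, but the system itself still comes out at least LOW on all three objectives, because the standard treats the system's own processing functions and configuration as needing protection.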
NIST plans to post the final version of FIPS Publication 199 soon at csrc.nist.gov/publications.
William Jackson is a Maryland-based freelance writer.