New FISMA standard advances toward finalization

The second of a series of Federal Information Processing Standards intended to guide agencies in complying with the Federal Information Security Management Act has been released for public comment.

FIPS-200 establishes minimum security requirements for federal information systems. It is being developed by the National Institute of Standards and Technology and is slated to become a mandatory standard for all federal IT systems, other than those designated as national security systems, by the end of the year.

Once minimum requirements for an IT system have been determined using FIPS-200, agencies will select the appropriate set of security controls from NIST Special Publication 800-53, titled "Recommended Security Controls for Federal Information Systems."

The main body of SP 800-53 was finalized in February, but NIST recently released a draft addendum, SP 800-53A, titled "Guide for Assessing the Security Controls in Federal Information Systems." This publication sets out the initial framework for conducting the mandatory assessments of security controls that FISMA requires. It is expected to be finalized by year's end.

NIST has been charged under FISMA with developing standards for creating and managing information security programs. The first of these standards was FIPS-199, Standards for Security Categorization of Federal Information and Information Systems. It is used to categorize information and information systems as low-, moderate- or high-impact, according to the potential impact of a loss of confidentiality, integrity or availability. FIPS-200, along with SP 800-53, will guide administrators through the next step: selecting and applying the security controls appropriate to each category.

FIPS-200 specifies minimum security requirements in 17 security areas:

  • Access control

  • Audit and accountability

  • Awareness and training

  • Certification, accreditation and security assessments

  • Configuration management

  • Contingency planning

  • Identification and authentication

  • Incident response

  • Maintenance

  • Media protection

  • Personnel security

  • Physical and environmental protection

  • Planning

  • Risk assessment

  • Systems and services acquisition

  • System and communications protection

  • System and information integrity.

Ongoing assessment of all security measures is an integral part of FISMA requirements. The initial public draft of SP 800-53A has assessment methods and procedures for the first five of the security control areas addressed in FIPS-200. The final document will contain guidance for the remaining 12 as well.

Comments on FIPS-200 are being accepted through Sept. 13 at Chief, Computer Security Division, IT Laboratory, Attention: Comments on Draft FIPS Publication 200, 100 Bureau Dr. (Stop 8930), NIST, Gaithersburg, MD 20899-8930, or by email to [email protected]

Comments on SP 800-53A are being accepted through Aug. 31 at the Computer Security Division of NIST's IT Lab, or by email to [email protected]

About the Author

William Jackson is a Maryland-based freelance writer.
