[Federal Register Volume 68, Number 95 (Friday, May 16, 2003)]
[Notices]
[Pages 26573-26574]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-12319]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 030429105-3105-01]


Announcing Draft Federal Information Processing Standard (FIPS) 
199 on Standards for Security Categorization of Federal Information and 
Information Systems; and Request for Comments

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice; request for comments.

-----------------------------------------------------------------------

SUMMARY: Draft FIPS 199 defines requirements to be used by Federal 
agencies to categorize information and information systems, and to 
provide appropriate levels of information security according to a range 
of risk levels. This draft standard establishes three potential levels 
of risk (low, moderate, and high) for each of the security objectives 
of confidentiality, integrity, and availability. The levels of risk are 
based on what is known about the potential impact or harm. Harmful 
events can impact agency operations (including mission, functions, 
image or reputation), agency assets, or individuals (including 
privacy). The levels of risk consider both impact and threat, but are 
more heavily weighted toward impact. Federal information systems, which 
are often interconnected and interdependent, are vulnerable to a 
variety of threats (both malicious and unintentional) that could 
compromise the security of information and information systems.
    NIST invites public comments on the Draft FIPS on Standards for 
Security Categorization of Federal Information and Information Systems. 
After the comment period closes, NIST will 
analyze the comments, make appropriate changes to the document, and 
then propose the draft standard to the Secretary of Commerce for 
approval as FIPS PUB 199.

DATES: Comments on the Draft FIPS on Standards for Security 
Categorization of Federal Information and Information Systems must be 
received on or before August 14, 2003.

ADDRESSES: Written comments concerning the Draft FIPS on Standards for 
Security Categorization of Federal Information and Information Systems 
may be sent by regular mail to: Information Technology Laboratory, 
ATTN: Draft FIPS 199, Mail Stop 8930, 100 Bureau Drive, Stop 8930, 
National Institute of Standards and Technology, Gaithersburg, MD 
20899-8930. Electronic comments should be sent to: [email protected].
    Comments received in response to this notice will be published 
electronically at: http://csrc.nist.gov/publications/.
    Specifications: Specifications for the Draft FIPS on Standards for 
Security Categorization of Federal Information and Information Systems 
are available through the Computer Security Resource Center: http://csrc.nist.gov/publications/.

FOR FURTHER INFORMATION CONTACT: Dr. Ron S. Ross (301) 975-5390, 
National Institute of Standards and Technology, Attn: Computer Security 
Division, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 
20899-8930, Email: [email protected].

SUPPLEMENTARY INFORMATION: Under section 5131 of the Information 
Technology Management Reform Act of 1996 and sections 302-3 of the 
Federal Information Security Management Act of 2002 (Pub. L. 107-347), 
the Secretary of Commerce is authorized to approve standards and 
guidelines for Federal information systems and to make standards 
compulsory and binding for Federal agencies as necessary to improve the 
efficiency or security of Federal information systems. The National 
Institute of Standards and Technology is authorized to develop 
standards, guidelines, and associated methods and techniques for 
information systems, other than national security systems, to provide 
for adequate information security for agency operations and assets.
    The Federal Information Security Management Act (FISMA) requires 
each Federal agency to develop, document, and implement an agency-wide 
information security program that will provide information security for 
the information and information systems supporting the operations and 
assets of the agency, including those provided or managed by another 
agency, contractor, or other source.
    To enable agencies to carry out this responsibility, the FISMA 
specifically tasked NIST to develop a standard to categorize 
information and information systems. In addition, NIST was tasked to 
develop guidelines recommending the types of information to be included 
in each category, and to develop minimum information security 
requirements (i.e., management, operational, and technical security 
controls) for the information and information systems in each category.
    In response to the mandate, NIST developed FIPS 199. Draft FIPS 199 
defines requirements to be used by Federal agencies to categorize 
information and information systems, and to provide appropriate levels 
of information security according to a range of risk levels. This draft 
standard establishes three potential levels of risk (low, moderate, and 
high) for each of the security objectives of confidentiality, 
integrity, and availability. The levels of risk are based on what is 
known about the potential impact or harm. Harmful events can impact 
agency operations (including mission, functions, image or reputation), 
agency assets, or individuals (including privacy). The levels of risk 
consider both impact and threat, but are more heavily weighted toward 
impact. Federal information systems, which are often interconnected and 
interdependent, are vulnerable to a variety of threats (both malicious 
and unintentional) that could compromise the security of information 
and information systems.
    This standard for categorizing information and information systems 
supports the implementation of a common framework that will promote the 
effective government-wide management and oversight of Federal agency 
information security programs. The common framework will facilitate the 
coordination of information security efforts throughout the civilian, 
national security, and law enforcement communities, and will enable 
consistent reporting by agencies to the Office of Management and Budget 
(OMB) and Congress on the adequacy and effectiveness of information 
security policies, procedures, and practices.
    NIST is in the process of developing guidance documents for the 
second and third tasks mandated by the FISMA and will make these 
documents available for public comment when they are finalized. For the 
second assigned task, NIST plans guidelines to help agencies identify, 
in a consistent manner, the types of information and information 
systems (e.g., privacy, medical, proprietary, financial, contractor 
sensitive, mission critical) appropriate for each category of 
information and information system. For the third task, NIST plans to 
develop standards that will describe the minimum sets of security 
controls for each defined category of information and information 
system.
    Authority: Federal Information Processing Standards Publications 
(FIPS PUBS) are issued by the National Institute of Standards and 
Technology after approval by the Secretary of Commerce, pursuant to 
section 5131 of the Information Technology Management Reform Act of 
1996 (Pub. L. 104-106), the Federal Information Security Management Act 
of 2002 (Pub. L. 107-347), and Appendix III to Office of Management and 
Budget Circular A-130.
    Executive Order 12866: This notice has been determined to be not 
significant under Executive Order 12866.

    Dated: May 9, 2003.
Karen H. Brown,
Deputy Director, NIST.
[FR Doc. 03-12319 Filed 5-15-03; 8:45 am]
BILLING CODE 3510-13-P