[Federal Register Volume 69, Number 27 (Tuesday, February 10, 2004)]
[Notices]
[Pages 6264-6266]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-2885]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 030429105-3270-02]


Announcing Approval of Federal Information Processing Standard 
(FIPS) Publication 199, Standards for Security Categorization of 
Federal Information and Information Systems

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Commerce has approved FIPS Publication 199, 
Standards for Security Categorization of Federal Information and 
Information Systems, and has made it compulsory and binding on Federal 
agencies for the protection of: (i) All information within the Federal 
government other than that information that has been determined 
pursuant to Executive Order 12958, as amended by Executive Order 13292, 
or any predecessor order, or by the Atomic Energy Act of 1954, as 
amended, to require protection against unauthorized disclosure and is 
marked to indicate its classified status; and (ii) all Federal 
information systems other than those information systems designated as 
national security systems as defined in the United States Code.
    The Federal Information Security Management Act (FISMA) requires 
all Federal agencies to develop, document, and implement agency-wide 
information security programs to provide information security for the 
information and information systems that support the operations and 
assets of the agency, including those provided or managed by another 
agency, contractor, or other source. FIPS Publication 199 addresses one 
of the requirements specified in the FISMA. It provides security 
categorization standards for information and information systems.
    The purpose of security categorization standards is to provide a 
common framework and method for expressing security and to promote 
effective management and oversight of information security programs, 
including the coordination of information security efforts throughout 
the civilian, national security, emergency preparedness, homeland 
security, and law enforcement communities; and consistent reporting to 
the Office of Management and Budget (OMB) and Congress on the adequacy 
and effectiveness of information security policies, procedures, and 
practices.

DATES: This standard is effective February 10, 2004.

FOR FURTHER INFORMATION CONTACT: Dr. Ron Ross, (301) 975-5390, National 
Institute of Standards and Technology, 100 Bureau Drive, STOP 8930, 
Gaithersburg, MD 20899-8930.
    A copy of FIPS Publication 199 is available electronically from the 
NIST Web site at: http://csrc.nist.gov/publications/.

SUPPLEMENTARY INFORMATION: A notice was published in the Federal 
Register (68 FR 26573) on May 16, 2003, announcing the proposed FIPS 
Publication 199 on Standards for
Security Categorization of Federal Information and Information Systems 
for public review and comment. The Federal Register notice solicited 
comments from the public, academic and research communities, 
manufacturers, voluntary standards organizations, and Federal, state, 
and local government organizations. In addition to being published in 
the Federal Register, the notice was posted on the NIST Web pages; 
information was provided about the submission of electronic comments. 
Comments and responses were received from thirteen private sector 
organizations, individuals and groups of individuals, from eighteen 
federal government organizations, and from one Canadian government 
organization.
    Many of the comments received recommended editorial changes, 
expressed concerns about the discussion of risk, risk assessment, 
threats, and security controls, and asked for clarification about the 
requirements of the FISMA. None of the comments opposed the adoption of 
this Federal Information Processing Standard. Many comments supported 
the concept of categorization of information and information systems 
and commended the clear, well-written presentation of the standard. All 
of the editorial and related comments were carefully reviewed, and 
changes were made to the standard where appropriate. Specifically, 
certain terminology in FIPS 199 was modified to be consistent with 
other NIST publications. All future publications will reflect 
consistent terminology.
    Following is an analysis of the comments dealing with technical and 
implementation issues.
    Comment: The major issue raised by a majority of the comments was 
concern about perceived errors and inconsistencies in the initial 
draft's discussion of risk, risk assessment, threats, and the 
determination of security controls. Some of the comments suggested that 
NIST consider using the term ``level of impact'' instead of ``level of 
risk'' to apply to the categorization process.
    Response: NIST recognizes that some of the initial discussion about 
risk, risk assessment, threats and the determination of security 
controls was abbreviated and concise, and that the discussion could 
have been misinterpreted. The original discussion described three 
potential levels of risk (low, moderate and high) for each of three 
security objectives (confidentiality, integrity and availability of 
information and information systems, which were defined in the FISMA). 
The levels of risk considered both impact of adverse events and threats 
to systems, but were more heavily weighted toward impact. The 
categorization process involves matching the agency's assessment of 
levels of potential risk to each security objective, considering the 
occurrence of events that could jeopardize the information and 
information systems of the agency.
    As some of the comments pointed out, risk assessment is part of a 
well-defined management process conducted by agencies to identify and 
evaluate risks and risk impacts, and to recommend risk-reducing 
measures that balance costs and organizational requirements. NIST 
agrees that the issues of determining levels of risk and conducting 
risk assessments are part of a structured management process. These 
issues are covered comprehensively in other NIST publications. 
Therefore, the focus of the categorization process should be on ``level 
of impact'' that undesired events could have on information and 
information systems.
    The text of FIPS Publication 199 was changed to describe three 
levels of potential impact (low, moderate and high) on organizations or 
individuals if any of the security objectives of confidentiality, 
integrity and availability of information and information systems were 
compromised. The security categories are to be used in conjunction with 
vulnerability and threat information in assessing the risk to the 
agency. This change responds to the many comments received on this 
issue, and clarifies the text for agency users. Terms and definitions 
relating to risk and risk assessments that had been included in the 
initial draft were removed from the final standard.
    Comment: Some comments expressed confusion about the information 
included in the initial draft about the Federal Information Security 
Management Act (FISMA) and its requirements, particularly those 
requirements that are addressed by FIPS Publication 199.
    Response: NIST agrees that some of the original discussion in draft 
FIPS Publication 199 could have been misinterpreted. Therefore, the 
text was revised to delete extraneous material and to clarify the 
purpose of FIPS Publication 199. FIPS Publication 199 now clearly 
defines the impact levels to be used in categorizing information and 
information systems, and indicates that the standard addresses one of 
the tasks assigned to NIST by the FISMA. That task is the development 
of standards to be used by all Federal agencies to categorize 
information and information systems collected or maintained by or on 
behalf of each agency based on the objectives of providing appropriate 
levels of information security according to a range of risk levels. 
Other requirements of the FISMA, such as determination of the types of 
information and information systems to be included in each category, 
will be addressed in future NIST standards and guidelines.
    Comment: Some comments suggested changes to Table 1 in the original 
draft, and asked for an explanation of the use of the table. Examples 
of impacts for each impact definition were requested.
    Response: FIPS Publication 199 was revised to clarify the text and 
to provide examples of impacts for each definition of impact for each 
security objective.
    Comment: There are no provisions for the use of new technologies or 
updating of legacy systems.
    Response: The provisions of FIPS Publication 199 are independent of 
the technology used, and can be applied to electronic and non-
electronic information.
    Comment: An objective for privacy should be added to the objectives 
of confidentiality, integrity and availability. The loss of privacy and 
identity theft should be added to the impact definitions.
    Response: FIPS Publication 199 was revised to clarify the issue of 
privacy by specifying that loss of privacy and identity theft are 
examples of impacts on individuals. The objective of confidentiality, 
as defined in the FISMA (44 USC, Sec. 3542), encompasses privacy: 
Preserving authorized restrictions on information access and 
disclosure, including means for protecting personal privacy and 
proprietary information.
    Comment: The definition of availability should be modified. Other 
security objectives (non-repudiation and authentication) should be 
added.
    Response: The definition of availability is taken directly from the 
FISMA legislation and thus, cannot be modified. However, the security 
objectives mentioned in the public comment, namely nonrepudiation and 
authenticity are specifically covered in FIPS Publication 199 under the 
definition of integrity. FISMA's definition of integrity includes the 
security objectives of nonrepudiation and authenticity so there is no 
need to modify the definition of availability to include those 
objectives. Adding additional security objectives independently would 
make the simple three by three matrix more complex for federal agencies 
during implementation and not add any appreciable value in
helping to assess the potential impact of loss of information systems 
supporting those agencies.
    Comment: An impact level of ``none'' should be added to the levels 
of low, moderate and high.
    Response: A note was added that an impact level of ``none'' was 
appropriate only for confidentiality of some information (such as 
public information). Impact levels of ``none'' are not appropriate for 
the security objectives of availability and integrity since all agency 
information and information systems should be protected for 
availability and integrity.
    Comment: The category of information designation should be separate 
from the category of system designation.
    Response: FIPS Publication 199 treats systems categorization 
separately from information categorization.
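    The following is an added worked example, not text from this notice 
or from FIPS Publication 199, showing the categorization scheme the 
responses above describe as code: three security objectives, three 
impact levels, an impact of "none" accepted only for confidentiality, 
and system categorization kept separate from information 
categorization. The rule used to roll information types up to a system 
category (each objective takes the highest value assigned across the 
information types on the system, with a system floor of low) is taken 
from Section 3 of FIPS 199 itself, not from this notice, and is marked 
as such in the code. The information types and impact values are 
constructed sample data; `SC ...` formatting follows the notation FIPS 
199 uses for security categories.

```python
"""Added example: FIPS 199 security categorization as code.

Impact levels (low, moderate, high; "none" only for confidentiality) and
the three FISMA objectives are as described in the notice.  The roll-up
rule in system_category() is taken from FIPS 199 Section 3 (the standard
itself), not from the notice.  All information types and impact values
below are constructed sample data.
"""
from enum import IntEnum
from typing import Dict, Tuple


class Impact(IntEnum):
    NONE = 0       # permitted only for the confidentiality objective
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")
SecurityCategory = Tuple[Impact, Impact, Impact]  # ordered (C, I, A)


def security_category(confidentiality: Impact, integrity: Impact,
                      availability: Impact) -> SecurityCategory:
    """Build the security category of one information type.

    Rejects an impact of NONE for integrity or availability, per the
    note the notice describes: all agency information is protected for
    those two objectives, so only confidentiality may be NONE.
    """
    sc = (Impact(confidentiality), Impact(integrity), Impact(availability))
    for name, level in zip(OBJECTIVES, sc):
        if level is Impact.NONE and name != "confidentiality":
            raise ValueError(f"impact 'none' is not permitted for {name}")
    return sc


def system_category(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """Categorize a system from the information types resident on it.

    Rule assumed from FIPS 199 Section 3 (not stated in the notice): for
    each objective, take the highest value assigned to that objective
    across all information types on the system, and never categorize a
    system below LOW for any objective, since the system's own processing
    functions need protection even when all its information is public.
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    levels = list(info_types.values())
    c = max(sc[0] for sc in levels)
    i = max(sc[1] for sc in levels)
    a = max(sc[2] for sc in levels)
    return (max(c, Impact.LOW), max(i, Impact.LOW), max(a, Impact.LOW))


def format_sc(label: str, sc: SecurityCategory) -> str:
    """Render a category in the SC = {(objective, impact), ...} notation."""
    parts = ", ".join(f"({name}, {level.name})"
                      for name, level in zip(OBJECTIVES, sc))
    return f"SC {label} = {{{parts}}}"


# Constructed sample: three information types on a hypothetical agency
# web system.  Press releases are public, so confidentiality is NONE.
SAMPLE_INFO_TYPES: Dict[str, SecurityCategory] = {
    "public press releases":
        security_category(Impact.NONE, Impact.MODERATE, Impact.LOW),
    "internal routing data":
        security_category(Impact.LOW, Impact.LOW, Impact.LOW),
    "benefit payment records":
        security_category(Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
}


def categorize_sample() -> SecurityCategory:
    """System category of the constructed sample system."""
    return system_category(SAMPLE_INFO_TYPES)


if __name__ == "__main__":
    for name, sc in SAMPLE_INFO_TYPES.items():
        print(format_sc(name, sc))
    print(format_sc("web system", categorize_sample()))
    try:
        security_category(Impact.LOW, Impact.NONE, Impact.LOW)
    except ValueError as err:
        print("rejected:", err)
```

    The separation the response describes shows up as two functions: 
security_category() validates a single information type, and 
system_category() derives the system's category from the information it 
holds rather than asking the operator to assign it directly. The floor 
of LOW in system_category() is what makes a system holding only public 
information still come out LOW for confidentiality.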
    Comment: The security objectives of confidentiality, integrity, and 
availability could be expanded.
    Response: FIPS Publication 199 allows agencies to develop and use 
additional security designators.
    Comment: Only two impact levels are needed for non-national 
security information and systems.
    Response: NIST believes that three levels of impact are needed for 
non-national security systems. Two levels of impact do not provide 
sufficient granularity to describe the range of potential impacts on 
federal agency missions resulting from the loss of confidentiality, 
integrity, or availability of information and information systems. 
Three impact levels are necessary to adequately describe the potential 
impact of loss to agency operations and assets ranging from routine 
administrative support systems at the low end to the most critical 
systems that are a part of the nation's critical information 
infrastructure at the high end. The moderate impact level provides 
another important category to address those systems that are deemed 
significantly more important than routine support systems, but not 
critical to the operations of the U.S. government. Three impact levels 
strike an adequate balance between providing too many categories and 
making the categorization process too complex and providing too few 
categories which forces agencies to either undervalue or overvalue the 
potential impact of loss to their operations and assets.
    Comment: FIPS Publication 199 could define what level of risk is to 
be associated with a security objective required by law. More explicit 
information is needed to categorize systems. FIPS Publication 199 
should present definitive guidance on vulnerabilities, impact and risk 
management methodology.
    Response: These issues are discussed in current NIST publications, 
or will be addressed in future NIST publications.
    E.O. 12866: This notice has been determined to be not significant 
for the purposes of E.O. 12866.

    Dated: February 4, 2004.
Arden L. Bement, Jr.,
Director.
[FR Doc. 04-2885 Filed 2-9-04; 8:45 am]
BILLING CODE 3510-13-P