[Federal Register Volume 70, Number 135 (Friday, July 15, 2005)]
[Notices]
[Pages 40983-40984]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-13994]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 060601149-5149-01]


Announcing Draft Federal Information Processing Standard (FIPS) 
Publication 200, Minimum Security Requirements for Federal Information 
and Information Systems

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice; request for comments.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) 
announces the release of draft Federal Information Processing Standards 
(FIPS) Publication 200, Minimum Security Requirements for Federal 
Information and Information Systems for public comment. Draft FIPS 
Publication 200 is one of a series of security standards and guidelines 
that NIST is developing to help federal agencies implement their 
responsibilities under the Federal Information Security Management Act 
(FISMA). The FISMA requires that all federal agencies develop, document 
and implement agency-wide information security programs to protect 
federal information and information systems. Draft FIPS Publication 
200, which will be used with other publications already issued by NIST, 
specifies minimum security requirements for federal information and 
information systems and a risk-based process for selecting
the security controls necessary to satisfy the minimum requirements.
    Prior to the submission of this proposed standard to the Secretary 
of Commerce for review and approval, it is essential that consideration 
be given to the needs and views of the general public, the information 
technology industry, and federal, state, and local government 
organizations. The purpose of this notice is to solicit such views.

DATES: Comments must be received on or before 5 p.m., September 13, 
2005.

ADDRESSES: Written comments may be sent to: Chief, Computer Security 
Division, Information Technology Laboratory, Attention: Comments on 
Draft FIPS Publication 200, 100 Bureau Drive (Stop 8930), National 
Institute of Standards and Technology, Gaithersburg, MD 20899-8930. 
Comments may also be sent via electronic mail to: 
[email protected].
    A copy of draft FIPS Publication 200 is available from the NIST Web 
site at: http://csrc.nist.gov/publications/fips/index.html.
    Comments received in response to this notice will be published at 
http://csrc.nist.gov.

FOR FURTHER INFORMATION CONTACT: Dr. Ron Ross, Computer Security 
Division, National Institute of Standards and Technology, Gaithersburg, 
MD 20899-8930, telephone (301) 975-5390, e-mail: [email protected].

SUPPLEMENTARY INFORMATION: The Federal Information Security Management 
Act (FISMA) requires all federal agencies to develop, document, and 
implement agency-wide information security programs and to provide 
information security for the information and information systems that 
support the operations and assets of the agency, including those 
systems provided or managed by another agency, contractor, or other 
source.
    To support agencies in conducting their information security 
programs, the FISMA called for NIST to develop federal standards for 
the security categorization of federal information and information 
systems according to risk levels, and for minimum security requirements 
for information and information systems in each security category. FIPS 
Publication 199, Standards for Security Categorization of Federal 
Information and Information Systems, issued in February 2004, is the 
first standard that was specified by the FISMA. FIPS Publication 199 
requires agencies to categorize their information and information 
systems as low-impact, moderate-impact, or high-impact for the security 
objectives of confidentiality, integrity, and availability.
    Draft FIPS Publication 200, the second standard that was specified 
by the FISMA, is an integral part of the risk management framework that 
NIST has developed to assist federal agencies in providing appropriate 
levels of information security. FIPS Publication 200 specifies minimum 
security requirements for federal information and information systems 
and a risk-based process for selecting the security controls necessary 
to satisfy the minimum requirements. In applying the provisions of FIPS 
Publication 200, agencies will categorize their information systems as 
required by FIPS Publication 199, and subsequently select an 
appropriate set of security controls from NIST Special Publication 800-53, 
Recommended Security Controls for Federal Information Systems, to 
satisfy the minimum security requirements. Issued in February 2005, 
NIST Special Publication 800-53 defines minimum security controls 
needed to provide cost-effective protection for low-impact, 
moderate-impact, and high-impact information systems and the information 
processed, stored, and transmitted by those systems.
    The proposed standard will be applicable to: (i) all information 
within the federal government other than that information that has been 
determined pursuant to Executive Order 12958, as amended by Executive 
Order 13292, or any predecessor order, or by the Atomic Energy Act of 
1954, as amended, to require protection against unauthorized disclosure 
and is marked to indicate its classified status; and (ii) all federal 
information systems other than those information systems designated as 
national security systems as defined in 44 United States Code Section 
3542(b)(2). The standard has been broadly developed from a technical 
perspective to complement similar standards for national security 
systems. In addition to the agencies of the federal government, state, 
local, and tribal governments, and private sector organizations that 
compose the critical infrastructure of the United States are encouraged 
to consider the use of this standard, as appropriate.
    Proposed FIPS Publication 200 specifies minimum security 
requirements for federal information and information systems in 
seventeen security-related areas that represent a broad-based, balanced 
information security program. The seventeen security-related areas 
encompass the management, operational, and technical aspects of 
protecting federal information and information systems, and include: 
access control; audit and accountability; awareness and training; 
certification, accreditation, and security assessments; configuration 
management; contingency planning; identification and authentication; 
incident response; maintenance; media protection; personnel security; 
physical and environmental protection; planning; risk assessment; 
systems and services acquisition; system and communications protection; 
and system and information integrity.
    Authority: Federal Information Processing Standards (FIPS) are 
issued by the National Institute of Standards and Technology after 
approval by the Secretary of Commerce pursuant to Section 5131 of the 
Information Technology Management Reform Act of 1996 and the Federal 
Information Security Management Act of 2002 (Public Law 107-347).
    E.O. 12866: This notice has been determined not to be significant 
for the purposes of E.O. 12866.

    Dated: July 7, 2005.
Hratch G. Semerjian,
Acting Director, NIST.
[FR Doc. 05-13994 Filed 7-14-05; 8:45 am]
BILLING CODE 3510-CN-P