31 March 2006


[Federal Register: March 31, 2006 (Volume 71, Number 62)]
[Page 16288-16289]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]



National Institute of Standards and Technology

[Docket No. 050601149-5323-02]

Announcing Approval of Federal Information Processing Standard 
(FIPS) 200, Minimum Security Requirements for Federal Information and 
Information Systems

AGENCY: National Institute of Standards and Technology (NIST), 

ACTION: Notice.


SUMMARY: This notice announces the Secretary of Commerce's approval of 
Federal Information Processing Standard (FIPS) 200, Minimum Security 
Requirements for Federal Information and Information Systems. The use 
of FIPS 200 is compulsory and binding on federal agencies for: (i) All 
information within the federal government other than that information 
that has been determined pursuant to Executive Order 12958, as amended 
by Executive Order 13292, or any predecessor order, or by the Atomic 
Energy Act of 1954, as amended, to require protection against 
unauthorized disclosure and is marked to indicate its classified 
status; and (ii) all federal information systems other than those 
information systems designated as national security systems as defined 
in 44 United States Code Section 3542(b)(2). FIPS 200 was developed to 
complement similar standards for national security systems.

DATES: This standard is effective March 31, 2006.

Division, Information Technology Laboratory, National Institute of 
Standards and Technology, Gaithersburg, MD 20899-8930, telephone (301) 
975-5390, e-mail: ron.ross@nist.gov.
    A copy of FIPS 200 is available electronically from the NIST Web 
site at: http://csrc.nist.gov/publications/.

SUPPLEMENTARY INFORMATION: The Federal Information Security Management 
Act (FISMA) requires all federal agencies to develop, document and 
implement agency-wide information security programs and to provide 
information security for the information and information systems that 
support the operations and assets of the agency, including those 
systems provided or managed by another agency, contractor, or other 
    To support agencies conducting their information security program, 
the FISMA called for NIST to develop federal standards for the security 
categorization of federal information and information systems according 
to risk levels, and four minimum security requirements for information 
and information systems in each security category. FIPS 199, Standards 
for the Security Categorization of Federal Information and Information 
Systems, issued in February 2004, was the first standard that was 
specified by the FISMA. FIPS 199 requires agencies to categorize their 
information and information systems as low-impact, moderate-impact, or 
high impact for the security objectives of confidentiality, integrity, 
and availability.
    FIPS 200, which is the second standard that was specified by the 
FISMA, is an integral part of the risk management framework that NIST 
has developed to assist federal agencies in providing appropriate 
levels of information security based on levels of risk. In applying the 
provisions of FIPS 200, agencies will categorize their systems as 
required by FIPS 199, and then select an appropriate set of security 
controls from NIST Special Publication 800-53, Recommended Security 
Controls for Federal Information Systems, to satisfy their minimum 
security requirements.
    On July 15, 2005, a notice was published in the Federal Register 
(Volume 70, Number 135, 40983-40984) announcing proposed FIPS 200 and 
soliciting comments on the proposed standard from the public, research 
communities, manufacturers, voluntary standards organizations, and 
federal, state, and local government organizations. In addition to 
being published in the Federal Register, the notice was posted on the 
NIST web pages. Information was provided about the submission of 
electronic comments.
    Comments, responses, and questions were received from 13 private 
sector organizations, groups, or individuals and from 14 federal 
government organizations.
    Most of the comments that were received recommended editorial 
changes; suggested the addition of references; provided general 
comments concerning the standard and its implementation; and asked 
questions concerning the implementation of the standard and the use of 
waivers. Some of the comments expressed concurrence with the standard 
as proposed, supported the intent, goals, and

[[Page 16289]]

presentation of the standard, and complimented NIST on the document. No 
comments opposed the adoption of the standard.
    The primary interests and issues that were raised in the comments 
included: Time needed for implementation; inclusion of waiver 
provisions; inclusion of additional references; rearrangement and 
indexing of the text; addition of text and implementation details 
already available in other NIST publications; and expansion of 
    All of the editorial suggestions and recommendations were carefully 
reviewed, and changes were made to the standard where appropriate. The 
text of the standard, the terms and definitions listed in the standard, 
the references and the footnotes were modified as needed.
    Following is an analysis of the major editorial, implementation and 
related comments that were received.
    Comment: Some comments recommended changing the requirement that 
federal agencies must be in compliance with the standard not later than 
one year from its effective date. The recommendations received 
suggested both lengthening the time for compliance because of concerns 
about the cost of implementing the standard within budget constraints, 
and shortening the time for compliance to achieve improved security.
    Response: NIST believes that the requirement for compliance not 
later than one year from effective date of the standard is reasonable, 
and that no changes are needed to either prolong or shorten the time 
for compliance with the standard.
    Comment: A federal agency recommended that a provision be added to 
the standard to enable federal agencies to waive the standard when they 
lack sufficient resources to comply by the deadline.
    Response: The Federal Information Security Management Act contains 
no provisions for agency waivers to standards. The FISMA states that 
information security standards, which provide minimum information 
security requirements and which are needed to improve the security of 
federal information and information systems, are required mandatory 
standards. The Secretary of Commerce is authorized to make information 
security standards compulsory and binding, and these standards may not 
be waived.
    Comment: Comments were received about regrouping or indexing the 
seventeen security areas covered by the standard. FIPS 200 specifies 
minimum security requirements for federal information and information 
systems in seventeen security-related areas.
    Response: NIST believes that indexing would be confusing and would 
add unnecessary complexity to the standard. The seventeen areas that 
are defined in the standard represent a broad-based, balanced 
information security program. The areas, which address the management, 
operational, and technical aspects of protecting federal information 
and information systems, are concise and do not require indexing.
    Comment: One federal agency recommended that the standard specify a 
time period for retaining audit records.
    Response: NIST believes that requirements about retention of audit 
records should be defined by agencies, and should not be specified in 
the standard.
    Comment: Several comments suggested additions and changes to the 
standard concerning risk management procedures, audit controls, 
baseline security controls, and risks introduced by new technologies.
    Response: A section of the proposed FIPS 200 covering these topics 
has been removed from the final version of the standard, and these 
comments will be considered when NIST Special Publication (SP) 800-53, 
Recommended Security Controls for Federal Information Systems, is 
updated. FIPS 200 specifies that federal agencies use SP 800-53 to 
select security controls that meet the minimum security requirements in 
the seventeen security-related areas. The security controls in SP 800-
53 represent the current state-of-the-practice safeguards and 
countermeasures for information systems. NIST plans to review these 
security controls at least annually and to propose any changes needed 
to respond to experience gained from using the controls, changing 
security requirements within federal agencies, and new security 
technologies. Any changes or additions to the minimum security controls 
and the security control baselines described in SP 800-53 will be made 
available for public review before any modifications are made. Federal 
agencies will have up to one year from the date of the final 
publication to comply with the changes.
    Comment: Some comments suggested the inclusion of expanded 
definitions for terms such as systems, major applications, and general 
support systems.
    Response: NIST is adhering to the definition of system used in the 
Federal Information Security Management Act, and believes that attempts 
to further define these terms and to make distinctions between systems 
and applications may be confusing.
    Comment: One federal agency asked about the security issues related 
to the use of computerized medical devices. Another commenter asked 
about inclusion of information on training and certification of 
information technology professionals.
    Response: The issue of computerized medical devices may need to be 
addressed, but FIPS 200 is not the appropriate document. The issues of 
training information and the certification of information technology 
professionals are also outside the scope of FIPS 200.

    Authority: Federal Information Processing Standards (FIPS) are 
issued by the National Institute of Standards and Technology after 
approval by the Secretary of Commerce pursuant to Section 5131 of 
the Information Technology Management Reform Act of 1996 (Pub. L. 
104-106) and the Federal Information Security Management Act (FISMA) 
of 2002 (Pub. L. 107-347).

    E.O. 12866: This notice has been determined to be not significant 
for the purposes of E.O. 12866.

    Dated: March 23, 2006.
William Jeffrey,
[FR Doc. E6-4720 Filed 3-30-06; 8:45 am]