Announcing Draft Federal Information Processing Standard (FIPS) 199 on Standards for Security Categorization of Federal Information and Information Systems; and Request for Comments

Federal Register, May 16, 2003
68 Fed. Reg. 26573 (May 16, 2003)

AGENCY:

National Institute of Standards and Technology (NIST), Commerce.

ACTION:

Notice; request for comments.

SUMMARY:

Draft FIPS 199 defines requirements to be used by Federal agencies to categorize information and information systems, and to provide appropriate levels of information security according to a range of risk levels. This draft standard establishes three potential levels of risk (low, moderate, and high) for each of the security objectives of confidentiality, integrity, and availability. The levels of risk are based on what is known about the potential impact or harm. Harmful events can impact agency operations (including mission, functions, image or reputation), agency assets, or individuals (including privacy). The levels of risk consider both impact and threat, but are more heavily weighted toward impact. Federal information systems, which are often interconnected and interdependent, are vulnerable to a variety of threats (both malicious and unintentional) that could compromise the security of information and information systems.

NIST invites public comments on the Draft FIPS on Standards for Security Categorization of Federal Information and Information Systems. After the comment period closes, NIST will analyze the comments, make appropriate changes to the document, and then propose the draft standard to the Secretary of Commerce for approval as FIPS PUB 199.

DATES:

Comments on the Draft FIPS on Standards for Security Categorization of Federal Information and Information Systems must be received on or before August 14, 2003.

ADDRESSES:

Written comments concerning the Draft FIPS on Standards for Security Categorization of Federal Information and Information Systems may be sent by regular mail to: Information Technology Laboratory, ATTN: Draft FIPS 199, Mail Stop 8930, 100 Bureau Drive, Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic comments should be sent to: fips.comments@nist.gov.

Comments received in response to this notice will be published electronically at: http://csrc.nist.gov/publications/.

Specifications: Specifications for the Draft FIPS on Standards for Security Categorization of Federal Information and Information Systems are available through the Computer Security Resource Center: http://csrc.nist.gov/publications/.

FOR FURTHER INFORMATION CONTACT:

Dr. Ron S. Ross, (301) 975-5390, National Institute of Standards and Technology, Attn: Computer Security Division, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930, Email: rross@nist.gov.

SUPPLEMENTARY INFORMATION:

Under section 5131 of the Information Technology Management Reform Act of 1996 and sections 302-3 of the Federal Information Security Management Act of 2002 (Pub. L. 107-347), the Secretary of Commerce is authorized to approve standards and guidelines for Federal information systems and to make standards compulsory and binding for Federal agencies as necessary to improve the efficiency or security of Federal information systems. The National Institute of Standards and Technology is authorized to develop standards, guidelines, and associated methods and techniques for information systems, other than national security systems, to provide for adequate information security for agency operations and assets.

The Federal Information Security Management Act (FISMA) requires each Federal agency to develop, document, and implement an agency-wide information security program that will provide information security for the information and information systems supporting the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

To enable agencies to carry out this responsibility, the FISMA specifically tasked NIST to develop a standard to categorize information and information systems. In addition, NIST was tasked to develop guidelines recommending the types of information to be included in each category, and to develop minimum information security requirements (i.e., management, operational, and technical security controls) for the information and information systems in each category.

In response to the mandate, NIST developed FIPS 199. Draft FIPS 199 defines requirements to be used by Federal agencies to categorize information and information systems, and to provide appropriate levels of information security according to a range of risk levels. This draft standard establishes three potential levels of risk (low, moderate, and high) for each of the security objectives of confidentiality, integrity, and availability. The levels of risk are based on what is known about the potential impact or harm. Harmful events can impact agency operations (including mission, functions, image or reputation), agency assets, or individuals (including privacy). The levels of risk consider both impact and threat, but are more heavily weighted toward impact. Federal information systems, which are often interconnected and interdependent, are vulnerable to a variety of threats (both malicious and unintentional) that could compromise the security of information and information systems.

This standard for categorizing information and information systems supports the implementation of a common framework that will promote the effective government-wide management and oversight of Federal agency information security programs. The common framework will facilitate the coordination of information security efforts throughout the civilian, national security, and law enforcement communities, and will enable consistent reporting by agencies to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices.

NIST is in the process of developing guidance documents for the second and third tasks mandated by the FISMA and will make these documents available for public comment when they are finalized. For the second assigned task, NIST plans guidelines to help agencies identify, in a consistent manner, the types of information and information systems (e.g., privacy, medical, proprietary, financial, contractor sensitive, mission critical) appropriate for each category of information and information system. For the third task, NIST plans to develop standards that will describe the minimum sets of security controls for each defined category of information and information system.

Authority: Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce, pursuant to section 5131 of the Information Technology Management Reform Act of 1996 (Pub. L. 104-106), the Federal Information Security Management Act of 2002 (Pub. L. 107-347), and Appendix III to Office of Management and Budget Circular A-130.

Executive Order 12866: This notice has been determined to be not significant under Executive Order 12866.

Dated: May 9, 2003.

Karen H. Brown,

Deputy Director, NIST.

[FR Doc. 03-12319 Filed 5-15-03; 8:45 am]

BILLING CODE 3510-13-P