
FIPS 200

FIPS 200 specifies the minimum security requirements for non-military federal information systems. It implements the authority given to NIST (the US National Institute of Standards and Technology) by the Federal Information Security Management Act of 2014.

The FISMA Law

The FISMA law mandated the creation of federal standards for: (i) the security categorization of federal information and information systems based on their risk levels, in order to provide the appropriate level of security for each system; and (ii) the minimum security requirements for each such category.

FIPS 200 addresses the specification of minimum security requirements for federal information and information systems. FIPS 199 addresses the security categorization of those systems: it divides them into high-, moderate-, and low-impact systems based on the potential impact on individuals and organizations.

Federal Information Processing Standards (FIPS)

The Federal Information Processing Standards (FIPS) are standards published by NIST for use by the United States federal government and government contractors in relation to computer systems. Generally, compliance with the FIPS standards is mandatory, but waivers are sometimes available.

Relation to FedRAMP

FedRAMP is a government-wide program that builds on the FIPS requirements to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The objective is to save government costs by implementing once, and then reusing the implementation and security assessments in many government agencies.

Scope of Applicability

FIPS 200 generally applies to all Federal Government information and information systems, except national security systems and certain classified information.

Essence of FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems

FIPS 200 itself is very brief. It states that there are seventeen security-related areas in which federal agencies must meet certain minimum requirements. For the actual requirements, it refers to NIST Special Publication 800-53 and requires federal agencies to meet the requirements set out there.

The seventeen areas are:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Certification, Accreditation, and Security Assessments
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning
  • Personnel Security
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity

Further Information

FIPS 200 Minimum Security for Federal Information Systems