
FIPS 200

FIPS 200 specifies the minimum security requirements for non-military federal information systems. It implements the authority given to NIST (US National Institute of Science and Technology) by the Federal Information Security Management Act of 2014.


The FISMA law mandated the creation of federal standards for: (i) the security categorization of federal information and information systems based on their risk levels, in order to provide the appropriate level of security for each system; and (ii) the minimum security requirements for each such category.

FIPS 200 addresses the specification of minimum security requirements for federal information and information systems. FIPS 199 addresses the security categorization: it divides systems into high, moderate, and low impact systems based on the impact a compromise would have on individuals and organizations.

Federal Information Processing Standards (FIPS)

The Federal Information Processing Standards (FIPS) are standards published by NIST for use by the United States federal government and government contractors in relation to computer systems. Generally, compliance with the FIPS standards is mandatory, but waivers are sometimes available.

Relation to FedRAMP

FedRAMP is a government-wide program that builds on the FIPS requirements to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The objective is to reduce government costs by implementing the controls once and then reusing that implementation and its security assessments across many government agencies.

Scope of Applicability

FIPS 200 generally applies to all Federal Government information and information systems, except national security systems and certain classified information.

Essence of FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems

FIPS 200 itself is very brief. It states that there are 17 security-related areas in which federal agencies must meet certain minimum requirements. For the actual requirements, it refers to NIST Special Publication 800-53 and requires federal agencies to meet the requirements specified there.

The seventeen areas are:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Certification, Accreditation, and Security Assessments
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning
  • Personnel Security
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity

Further Information

FIPS 200 Minimum Security for Federal Information Systems

