FIPS 200 specifies the minimum security requirements for federal information and information systems other than national security systems. It implements the authority given to NIST (the US National Institute of Standards and Technology) by the Federal Information Security Management Act of 2002 (FISMA).
The FISMA Law
The FISMA law mandated the creation of federal standards for: (i) the security categorization of federal information and information systems based on their risk levels, in order to provide the appropriate level of security for each system; and (ii) the minimum security requirements for each such category.
FIPS 200 addresses the second item, the minimum security requirements for federal information and information systems. FIPS 199 addresses the first, security categorization: it divides systems into high, moderate, and low impact systems based on the potential impact that a loss of confidentiality, integrity, or availability would have on individuals and organizations.
Federal Information Processing Standards (FIPS)
The Federal Information Processing Standards (FIPS) are standards published by NIST for use by the United States federal government and government contractors in relation to computer systems. Generally, compliance with the FIPS standards is mandatory, but waivers are sometimes available.
Relation to FedRAMP
FedRAMP is a government-wide program that builds on the FIPS requirements and the NIST SP 800-53 controls to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The objective is to save government costs by assessing and authorizing once, and then reusing the implementation and security assessments across many government agencies.
Scope of Applicability
FIPS 200 generally applies to all Federal Government information and information systems, except national security systems and certain classified information.
Essence of FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems
FIPS 200 itself is very brief. It basically says that there are 17 security-related areas where federal agencies must meet certain minimum requirements. For the actual requirements, it refers to NIST Special Publication 800-53: agencies must select the security controls from the SP 800-53 baseline (low, moderate, or high) that corresponds to the system's FIPS 199 impact level, and may tailor that baseline only as SP 800-53 permits.
The seventeen areas are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Certification, Accreditation, and Security Assessments
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical and Environmental Protection
- Planning
- Personnel Security
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity