AIR FORCE FIPS PUB 200-2006 Minimum Security Requirements for Federal Information and Information Systems.pdf

Uploader: wealthynice100  Document ID: 427397  Upload date: 2018-11-07  Format: PDF  Pages: 17  Size: 197.67KB

FIPS PUB 200
FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION
Minimum Security Requirements for Federal Information and Information Systems

Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930
March 2006

U.S. DEPARTMENT OF COMMERCE, Carlos M. Gutierrez, Secretary
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, William Jeffrey, Director

Provided by IHS. Not for Resale. No reproduction or networking permitted without license from IHS.

FOREWORD

The Federal Information Processing Standards (FIPS) Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002. Comments concerning FIPS publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900.

- CITA M. FURLANI, ACTING DIRECTOR, INFORMATION TECHNOLOGY LABORATORY

AUTHORITY

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).

Federal Information Processing Standards 200
March 9, 2006

Announcing the Standard for Minimum Security Requirements for Federal Information and Information Systems

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA) of 2002.

1. Name of Standard. FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems.

2. Category of Standard. Information Security.

3. Explanation. The E-Government Act (P.L. 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), emphasizes the need for each federal agency to develop, document, and implement an enterprise-wide program to provide information security for the information and information systems that support the operations and assets of the agency including those provided or managed by another agency, contractor, or other source. FISMA directed the promulgation of federal standards for: (i) the security categorization of federal information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels; and (ii) minimum security requirements for information and information systems in each such category. This standard addresses the specification of minimum security requirements for federal information and information systems.

4. Approving Authority. Secretary of Commerce.

5. Maintenance Agency. Department of Commerce, NIST, Information Technology Laboratory.

6. Applicability. This standard is applicable to: (i) all information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and (ii) all federal information systems other than those information systems designated as national security systems as defined in 44 United States Code Section 3542(b)(2). The standard has been broadly developed from a technical perspective to complement similar standards for national security systems. In addition to the agencies of the federal government, state, local, and tribal governments, and private sector organizations that compose the critical infrastructure of the United States are encouraged to consider the use of this standard, as appropriate.

7. Specifications. FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

8. Implementations. This standard specifies minimum security requirements for federal information and information systems in seventeen security-related areas. Federal agencies must meet the minimum security requirements as defined herein through the use of the security controls in accordance with NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, as amended.

9. Effective Date. This standard is effective immediately. Federal agencies must be in compliance with this standard not later than one year from its effective date.

10. Qualifications. The application of the security controls defined in NIST Special Publication 800-53 required by this standard represents the current state-of-the-practice safeguards and countermeasures for information systems. The security controls will be reviewed by NIST at least annually and, if necessary, revised and extended to reflect: (i) the experience gained from using the controls; (ii) the changing security requirements within federal agencies; and (iii) the new security technologies that may be available. The minimum security controls defined in the low, moderate, and high security control baselines are also expected to change over time as well, as the level of security and due diligence for mitigating risks within federal agencies increases. The proposed additions, deletions, or modifications to the catalog of security controls and the proposed changes to the security control baselines in NIST Special Publication 800-53 will go through a rigorous, public review process to obtain government and private sector feedback and to build consensus for the changes. Federal agencies will have up to one year from the date of final publication to fully comply with the changes but are encouraged to initiate compliance activities immediately.

11. Waivers. No provision is provided under FISMA for waivers to FIPS made mandatory by the Secretary of Commerce.

12. Where to Obtain Copies. This publication is available from the NIST Computer Security Division web site by accessing http://csrc.nist.gov/publications.

TABLE OF CONTENTS

SECTION 1 PURPOSE
SECTION 2 INFORMATION SYSTEM IMPACT LEVELS
SECTION 3 MINIMUM SECURITY REQUIREMENTS
SECTION 4 SECURITY CONTROL SELECTION
APPENDIX A TERMS AND DEFINITIONS
APPENDIX B REFERENCES
APPENDIX C ACRONYMS

1 PURPOSE

The E-Government Act of 2002 (Public Law 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA) of 2002, tasked NIST with the responsibility of developing security standards and guidelines for the federal government including the development of:

- Standards for categorizing information and information systems[1] collected or maintained by or on behalf of each federal agency based on the objectives of providing appropriate levels of information security according to a range of risk levels;
- Guidelines recommending the types of information and information systems to be included in each category; and
- Minimum information security requirements for information and information systems in each such category.

FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems, approved by the Secretary of Commerce in February 2004, is the first of two mandatory security standards required by the FISMA legislation.[2] FIPS Publication 200, the second of the mandatory security standards, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements. This standard will promote the development, implementation, and operation of more secure information systems within the federal government by establishing minimum levels of due diligence for information security and facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems that meet minimum security requirements.

2 INFORMATION SYSTEM IMPACT LEVELS

FIPS Publication 199 requires agencies to categorize their information systems as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. The potential impact values assigned to the respective security objectives are the highest values (i.e., high water mark[3]) from among the security categories that have been determined for each type of information resident on those information systems.[4] The generalized format for expressing the security category (SC) of an information system is:

SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},

where the acceptable values for potential impact are low, moderate, or high.

[1] An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information resources include information and related resources, such as personnel, equipment, funds, and information technology.
[2] NIST security standards and guidelines referenced in this publication are available at http://csrc.nist.gov.
[3] The high water mark concept is employed because there are significant dependencies among the security objectives of confidentiality, integrity, and availability. In most cases, a compromise in one security objective ultimately affects the other security objectives as well.
[4] NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, provides implementation guidance on the assignment of security categories to information and information systems.

Since the potential impact values for confidentiality, integrity, and availability may not always be the same for a particular information system, the high water mark concept must be used to determine the overall impact level of the information system. Thus, a low-impact system is an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high. The determination of information system impact levels must be accomplished prior to the consideration of minimum security requirements and the selection of appropriate security controls for those information systems.

3 MINIMUM SECURITY REQUIREMENTS

The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. The security-related areas include: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity. The seventeen areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems. Policies and procedures play an important role in the effective implementation of enterprise-wide information security progr
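The impact-level determination in Section 2 is a two-step rule: first the high water mark per security objective across the information types on the system, then the overall system level from the three resulting values. The following is an added worked example of that rule and is not code from NIST or from the standard; the three information types and their per-objective impact values are constructed for illustration, and the function names are this example's own.

```python
"""Worked example of the FIPS 200 Section 2 impact-level determination.

Added illustration, not code from NIST or the standard. The information types
and impact values in SAMPLE_INFORMATION_TYPES are constructed.
"""
from enum import IntEnum
from typing import Dict, Mapping


class Impact(IntEnum):
    """Potential impact values allowed by FIPS 199, ordered so max() gives the high water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: FIPS 199 security categories of three information types
# resident on one hypothetical information system.
SAMPLE_INFORMATION_TYPES: Dict[str, Dict[str, Impact]] = {
    "public web content": {
        "confidentiality": Impact.LOW, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "personnel records": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "budget ledger": {
        "confidentiality": Impact.LOW, "integrity": Impact.HIGH, "availability": Impact.MODERATE},
}


def system_security_category(info_types: Mapping[str, Mapping[str, Impact]]) -> Dict[str, Impact]:
    """High water mark: for each objective, the highest impact among all information types."""
    if not info_types:
        raise ValueError("a system must carry at least one categorized information type")
    for name, sc in info_types.items():
        missing = [o for o in OBJECTIVES if o not in sc]
        if missing:
            raise ValueError(f"information type {name!r} lacks impact values for {missing}")
    return {o: max(Impact(sc[o]) for sc in info_types.values()) for o in OBJECTIVES}


def overall_impact_level(category: Mapping[str, Impact]) -> Impact:
    """Section 2 rule for the overall system level, checked in the order the standard states it."""
    values = [category[o] for o in OBJECTIVES]
    if all(v == Impact.LOW for v in values):
        return Impact.LOW        # low-impact: all three objectives are low
    if any(v == Impact.HIGH for v in values):
        return Impact.HIGH       # high-impact: at least one objective is high
    return Impact.MODERATE       # moderate-impact: at least one moderate, none above moderate


def format_security_category(category: Mapping[str, Impact]) -> str:
    """Render the category in the SC notation used by the standard."""
    body = ", ".join(f"({o}, {category[o].name.lower()})" for o in OBJECTIVES)
    return "SC information system = {" + body + "}"


if __name__ == "__main__":
    sc = system_security_category(SAMPLE_INFORMATION_TYPES)
    print(format_security_category(sc))
    print("overall impact level:", overall_impact_level(sc).name.lower())
```

For the constructed sample the per-objective high water marks are moderate, high and moderate, so the system is high-impact even though no single information type is high in more than one objective. The three-case rule in `overall_impact_level` reduces to the maximum of the three values, which is why both steps of the determination are the same high water mark operation; the overall level is what is then carried into security control selection.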
