FIPS 200 Front Matter
FIPS PUB 200
FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION
Minimum Security Requirements for Federal Information and Information Systems
- Computer Security Division
- Information Technology Laboratory
- National Institute of Standards and Technology
- Gaithersburg, MD 20899-8930
- U.S. DEPARTMENT OF COMMERCE
- Carlos M. Gutierrez, Secretary
- NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
- William Jeffrey, Director
The Federal Information Processing Standards (FIPS) Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002. Comments concerning FIPS publications are welcomed and should be addressed to the Director, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900.
Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).
Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA) of 2002.
1. Name of Standard.
FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems.
The E-Government Act (P.L. 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), emphasizes the need for each federal agency to develop, document, and implement an enterprise-wide program to provide information security for the information and information systems that support the operations and assets of the agency including those provided or managed by another agency, contractor, or other source. FISMA directed the promulgation of federal standards for: (i) the security categorization of federal information and information systems based on the objectives of providing appropriate levels of information security according to a range of risk levels; and (ii) minimum security requirements for information and information systems in each such category. This standard addresses the specification of minimum security requirements for federal information and information systems.
4. Approving Authority.
Secretary of Commerce.
5. Maintenance Agency.
This standard is applicable to: (i) all information within the federal government other than that information that has been determined pursuant to Executive Order 12958, as amended by Executive Order 13292, or any predecessor order, or by the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure and is marked to indicate its classified status; and (ii) all federal information systems other than those information systems designated as national security systems as defined in 44 United States Code Section 3542(b)(2). The standard has been broadly developed from a technical perspective to complement similar standards for national security systems. In addition to the agencies of the federal government, state, local, and tribal governments, and private sector organizations that compose the critical infrastructure of the United States are encouraged to consider the use of this standard, as appropriate.
FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
This standard specifies minimum security requirements for federal information and information systems in seventeen security-related areas. Federal agencies must meet the minimum security requirements as defined herein through the use of the security controls in accordance with NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, as amended.
9. Effective Date.
The application of the security controls defined in NIST Special Publication 800-53 required by this standard represents the current state-of-the-practice safeguards and countermeasures for information systems. The security controls will be reviewed by NIST at least annually and, if necessary, revised and extended to reflect: (i) the experience gained from using the controls; (ii) the changing security requirements within federal agencies; and (iii) the new security technologies that may be available. The minimum security controls defined in the low, moderate, and high security control baselines are also expected to change over time as well, as the level of security and due diligence for mitigating risks within federal agencies increases. The proposed additions, deletions, or modifications to the catalog of security controls and the proposed changes to the security control baselines in NIST Special Publication 800-53 will go through a rigorous, public review process to obtain government and private sector feedback and to build consensus for the changes. Federal agencies will have up to one year from the date of final publication to fully comply with the changes but are encouraged to initiate compliance activities immediately.
12. Where to Obtain Copies.