What Are FIPS 199 and FIPS 200, and How Are They Related?


There are several compliance standards for federal and defense cybersecurity. CMMC, FedRAMP, the Cybersecurity Framework (CSF) and the Risk Management Framework (RMF) all serve critical functions in protecting government IT systems and associated vendor products and services.

Behind all of these frameworks are crucial security publications, each one serving a particular purpose in defining the practices, controls and procedures that organizations can use to meet their compliance demands. We’ve previously covered such documents as NIST 800-53 and NIST 800-171, showing how these documents play a role in national cyber defense.

In this article, we’ll discuss two more guidelines: Federal Information Processing Standard (FIPS) 199 and FIPS 200.

 

What Is FIPS 199?

FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems,” proposes a system to (as the title suggests) categorize federal IT systems based on their security needs and the importance of the data contained therein.

FIPS 199 stems from the requirements of the Federal Information Security Modernization Act (FISMA), a law that defines security obligations and requirements for federal agencies. Primarily, FISMA defines the following security requirements for federal systems:

  • Confidentiality: Agencies must preserve data against unauthorized access and maintain the privacy of said data.
  • Integrity: Agencies must protect against the unauthorized modification, destruction or corruption of that data as part of its regular use.
  • Availability: Agencies must ensure timely and reliable access to all information in government IT systems.

FIPS 199 specifies three impact levels that derive their criteria from these objectives. “Impact” in this case refers to the potential loss of confidentiality, integrity or availability that could occur if a given IT system and the information it contains are breached. The more severe that potential impact, the higher the impact level assigned to the system.

The impact levels in FIPS 199 are:

  • Low Impact: A breach of low-impact systems could have a “limited” impact on government agencies and associated constituents. “Limited” impact includes degradation in agency capabilities, minor damage to organizational assets or minor financial loss or harm to individuals.
  • Moderate Impact: A breach of moderate impact systems will have serious adverse effects, including significant degradation of an agency’s mission or capabilities, significant damage to agency assets or significant harm (bodily or financially) to individuals that does not involve loss of life.
  • High Impact: Breaches of high impact systems could lead to catastrophic damages to both the agency and individuals. This includes the loss of the ability of the agency to function, severe damages to organizational assets, and severe harm to individuals, up to and including loss of life.

FIPS 199 also describes how to calculate a system’s impact level, but by and large the determination rests on the types of information the system contains, the security categorization of each of those types, and how those factors shape the importance of the confidentiality, integrity and availability of that information.

 

What is FIPS 200?

FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems,” outlines the minimum requirements agencies face when implementing IT systems and their associated security controls. More specifically, this document “specifies minimum security requirements for information and information systems supporting executive agencies of the federal government and a risk-based process for selecting security controls.”

First, FIPS 200 defines several security control categories across which agencies must implement security controls. These include:

  • Access Controls: Limit access to information based on user authorization.
  • Awareness and Training: Ensure that users are aware of regulations, requirements and appropriate practices under compliance obligations.
  • Audit and Accountability: Organizations must be able to retain information, monitor systems and audit those systems for specific events, user behaviors and security threats.
  • Certification, Accreditation and Security Assessments: Agencies should assess controls, develop plans to remediate problems and monitor said systems based on security and compliance requirements.
  • Configuration Management: Maintain baseline configuration standards and inventories of IT systems (software, hardware, etc.) and enforce those standards through organizational policies.
  • Contingency Planning: Establish plans, including detection, mitigation and recovery for incidents related to disaster recovery, emergency response and backup needs.
  • Identification and Authentication: Identify system users, authenticate them and maintain controls over how those users access system resources.
  • Incident Response: Establish and maintain plans for responding to security incidents, including detection, analysis, containment and recovery.
  • Maintenance: Perform periodic maintenance operations on IT systems and, if possible, automate those processes.
  • Media Protection: Protect physical media, including paper records and digital information, including sanitizing and destroying media no longer in use.
  • Physical and Environmental Protection: Maintain controls for physical access to data, including security around data centers and workstations.
  • Planning: Develop regular, updated and implemented security plans with an organizational scope.
  • Personnel Security: Vet employees, executives and vendors for trustworthiness in handling sensitive IT systems and maintain procedures for protecting information during personnel changes like hiring and termination.
  • Risk Assessment: Assess and manage organizational risk and use risk as a metric to help define the adoption of cybersecurity controls.
  • System and Services Acquisition: Incorporate system development lifecycle practices to manage the acquisition, removal and maintenance of physical, digital and vendor-provided systems.
  • System and Communications Protection: Secure and protect any information transmitted internally or externally by the organization.
  • System and Information Integrity: Monitor, report and remediate system flaws promptly.

This list of categories closely maps onto the control families of NIST 800-53, the source of security controls for federal agencies. Each control family in NIST 800-53 contains a set of controls, and the companion publication NIST 800-53B assigns each of those controls to a low, moderate or high baseline.

The type and quantity of controls an agency must implement is accordingly dictated by its impact level as defined under FIPS 199:

  1. Low-impact systems must meet the low baseline of security controls listed in NIST 800-53B.
  2. Moderate-impact systems must employ tailored security controls from the NIST 800-53B moderate baseline.
  3. High-impact systems must employ tailored security controls from the NIST 800-53B high baseline.
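The categorization described above, and the way it drives baseline selection, can be made concrete in a few dozen lines. The following Python is an added illustration, not code from the FIPS publications or from Lazarus Alliance: it encodes the FIPS 199 rule that a system’s security category takes the highest impact value (the “high water mark”) of each objective across the information types it holds, collapses that into the single impact level FIPS 200 uses, and maps that level to the NIST 800-53B baseline. The information types and their impact values are constructed sample data; the function and class names are this example’s own.

```python
"""Added example: FIPS 199 security categorization and FIPS 200 baseline selection.

The information types below are constructed sample data, not from any real
agency. Function and class names are this example's own choices.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# FIPS 199 potential-impact values, in ascending order for the high-water-mark rule.
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type.

    FIPS 199 writes this as SC = {(confidentiality, x), (integrity, y), (availability, z)}.
    An information type (never a whole system) may mark confidentiality as
    "not applicable", e.g. content that is meant to be public; None models that.
    """
    name: str
    confidentiality: Optional[str]
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            value = getattr(self, objective)
            if value is None and objective == "confidentiality":
                continue
            if value not in RANK:
                raise ValueError(f"{self.name}: {objective} must be one of {LEVELS}, got {value!r}")


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Return the system's security category per objective (FIPS 199 high water mark).

    Each objective takes the highest impact value found among the information
    types the system stores or processes. A system is never "not applicable"
    for confidentiality: even if every type says N/A, the floor is LOW.
    """
    category = {objective: "LOW" for objective in OBJECTIVES}
    for info_type in info_types:
        for objective in OBJECTIVES:
            value = getattr(info_type, objective)
            if value is not None and RANK[value] > RANK[category[objective]]:
                category[objective] = value
    return category


def overall_impact_level(category: Dict[str, str]) -> str:
    """Collapse the per-objective category into the single impact level that
    FIPS 200 uses to pick a baseline: the highest of the three values."""
    return max(category.values(), key=lambda value: RANK[value])


def select_baseline(level: str) -> str:
    """Map the FIPS 199 impact level to the NIST SP 800-53B baseline name."""
    return {"LOW": "low", "MODERATE": "moderate", "HIGH": "high"}[level]


# Constructed sample information types for one hypothetical system.
PUBLIC_WEB = InfoType("public web content", None, "MODERATE", "LOW")
HR_RECORDS = InfoType("personnel records", "MODERATE", "MODERATE", "LOW")
DISPATCH = InfoType("emergency dispatch data", "LOW", "HIGH", "HIGH")
SAMPLE_SYSTEM = [PUBLIC_WEB, HR_RECORDS, DISPATCH]


if __name__ == "__main__":
    category = categorize_system(SAMPLE_SYSTEM)
    level = overall_impact_level(category)
    print("System security category:", category)
    print("FIPS 199 impact level:", level)
    print("NIST 800-53B baseline:", select_baseline(level))
```

Note that the public web content alone would categorize the system as MODERATE (its integrity rating dominates even though confidentiality is not applicable), while adding the dispatch data pulls the whole system to HIGH: a single high-impact information type on a shared system raises the baseline for everything on it, which is the practical reason agencies segregate systems by impact level.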

 

Government Compliance Made Simple with Lazarus Alliance

If you’ve read this far you’ve seen the complex interactions between different compliance documents. Once you get into frameworks like FedRAMP, you are looking at balancing audits and information from a variety of sources, mainly those like FIPS 199, FIPS 200 and NIST 800-series documents.

Lazarus Alliance provides expert auditing, automation and consulting solutions that take these complex requirements and turn them into streamlined, productive security practices. Our audit support can help your company reduce compliance and audit workflow demands from months to days while opening doors for business in the federal and defense supply chain industry.

Call Lazarus Alliance at 1-888-896-7580 or fill out this form.

Download our company brochure.
