What Are FIPS 199 and FIPS 200 and, How Are They Related?
There are several compliance standards for federal and defense cybersecurity. CMMC, FedRAMP, the Cybersecurity Framework (CSF) and the Risk Management Framework (RMF) all serve critical functions in protecting government IT systems and associated vendor products and services.
Behind all of these frameworks are crucial security publications, each one serving a particular purpose in defining the practices, controls and procedures that organizations can use to meet their compliance demands. We’ve previously covered such documents as NIST 800-53 and NIST 800-171, showing how these documents play a role in national cyber defense.
In this article, we’ll discuss two more guidelines: Federal Information Processing Standard (FIPS) 199 and FIPS 200.
What Is FIPS 199?
FIPS 199, “Standards for Security Categorization of Federal Information and Information Systems,” proposes a system to (at the title suggest) categorize federal IT systems based on security needs and the importance of the data contained therein.
FIPS 199 stems from the requirements of the Federal Information Security Modernization Act (FISMA), a law that defines security obligations and requirements for federal agencies. Primarily, FISMA defines the following security requirements for federal systems:
- Confidentiality: Agencies must preserve data against unauthorized access, maintain the privacy of said data.
- Integrity: Agencies must protect against the unauthorized modification, destruction or corruption of that data as part of its regular use.
- Availability: Agencies must ensure timely and reliable access to all information in government IT systems.
FIPS 199 specifies three impact levels that derive their criteria from these objectives. “Impact” in this case refers to the potential loss of confidentiality, integrity or availability that could occur if a given IT system and its contained information are breached. The severity of that impact would place a given IT system at a higher impact level.
The impact levels in FIPS 199 are:
- Low Impact: A breach of low-impact systems could have a “limited” impact on government agencies and associated constituents. “Limited” impact includes degradation in agency capabilities, minor damage to organizational assets or minor financial loss or harm to individuals.
- Moderate Impact: A breach of moderate impact systems will have serious adverse effects, including significant degradation of an agency’s mission or capabilities, significant damage to agency assets or significant harm (bodily or financially) to individuals that does not involve loss of life.
- High Impact: Breaches of high impact systems could lead to catastrophic damages to both the agency and individuals. This includes the loss of the ability of the agency to function, severe damages to organizational assets, and severe harm to individuals, up to and including loss of life.
FIPS 199 details some calculations on how to determine a system’s impact level, but by and large this determination is made based on both the type of information contained in the system, the security categorization of that information and how those factors shape the importance of the confidentiality, integrity and availability of that information.
What is FIPS 200?
FIPS 200, “Minimum Security Requirements for Federal Information and Information Systems,” outlines guidelines for the minimum requirements agencies face when implementing IT systems and associated security controls. More specifically, this document “specifies minimum security requirements for information and information systems supporting executive agencies of the federal government and a risk-based process for selecting security controls.”
First, FIPS 200 defines several security control categories across which agencies must implement security controls. These include:
- Access Controls: Limit access to information based on user authorization.
- Awareness and Training: Ensure that users are aware of regulations, requirements and appropriate practices under compliance obligations.
- Audit and Accountability: Organizations must be able to retain information, monitor systems and audit those systems for specific events, user behaviors and security threats.
- Certification, Accreditation and Security Assessments: Agencies should assess controls, develop plans to remediate problems and monitor said systems based on security and compliance requirements.
- Configuration Management: Maintain baseline configuration standards and inventories of IT systems (software, hardware, etc. and enforce those standards through organizational policies.
- Contingency Planning: Establish plans, including detection, mitigation and recovery for incidents related to disaster recovery, emergency response and backup needs.
- Identification and Authentication: Identity system users, authenticate them and maintain controls over how those users access system resources.
- Incident Response: Establish and maintain plans for responding to security incidents, including detection, analysis, containment and recovery.
- Maintenance: Perform periodic maintenance operations on IT systems and, if possible, automate those processes.
- Media Protection: Protect physical media, including paper records and digital information, including sanitizing and destroying media no longer in use.
- Physical and Environmental Protection: Maintain controls for physical access to data, including security around data centers and workstations.
- Planning: Develop regular, updated and implemented security plans with an organizational scope.
- Personnel Security: Vet employees, executives and vendors for trustworthiness in handling sensitive IT systems and maintain procedures for protecting information during personnel changes like hiring and termination.
- Risk Assessment: Assess and manage organizational risk and use risk as a metric to help define the adoption of cybersecurity controls.
- System and Services Acquisition: Incorporate system development lifecycle practices to manage the acquisition, removal and maintenance of physical, digital and vendor-provided systems.
- System and Communications Protection: Secure and protect any information transmitted internally or externally by the organization.
- System and Information Integrity: Monitor, report and remediate system flaws promptly.
This list of categories closely maps onto NIST 800-53, the source of security controls for federal agencies. More specifically, each control family listed in NIST 800-53 has a corresponding list of baseline controls outlined in the companion publication NIST 800-53B. For example, each control family has a set of controls, and each control fits into a low, moderate, or high baseline categorization.
he then and quantity of controls implemented by an agency is accordingly dictated by its impact level as defined under FIPS 199:
- Low-impact systems must meet the low baseline of security controls listed in NIST 800-53B.
- Moderate-impact systems must employ tailored security controls from the NIST 800-53B moderate baseline.
- High-impact systems must employ tailored security controls from the NIST 800-53B high baseline.
Government Compliance Made Simple with Lazarus Alliance
If you’ve read this far you’ve seen the complex interactions between different compliance documents. Once you get into frameworks like FedRAMP, you are looking at balancing audits and information from a variety of sources, mainly those like FIPS 199, FIPS 200 and NIST 800-series documents.
Lazarus Alliance provides expert auditing, automation and consulting solutions that take these complex requirements and turn them into streamlined, productive security practices. Our audit support can help your company reduce compliance and audit workflow demands from months to days while opening doors for business in the federal and defense supply chain industry.
Call Lazarus Alliance at 1-888-896-7580 or fill our this form.