# 1.5: FIPS 199 and 200


## FIPS 199

Two years later (2004), NIST published FIPS[1] PUB 199, Standards for Security Categorization of Federal Information and Information Systems. This short (13-page) publication defined the potential impact on information and information systems in the event of a security breach, which it defined as a loss of confidentiality, integrity or availability (CIA).

FIPS 199 categorized potential impact on “organizational operations, organizational assets or individuals” as Low, Moderate or High (Table 1).

Table 1 - Impact Level and Consequence

| Impact | Consequence (to "organizational operations, organizational assets or individuals") |
|---|---|
| Low | Limited |
| Moderate | Serious |
| High | Severe or Catastrophic |

For security/risk assessment, ‘consequence’ is interpreted subjectively since consequence(s) can vary from one organization to another. For the purpose of discussion, however, a scenario involving a brick-and-mortar retail store might describe the consequence of an information system disruption as follows:

Limited: one or more sales registers have failed but backups and redundant systems keep transactions flowing with little noticeable disruption to either store operations or customer service.

Serious: one or more sales registers have failed and backup systems lag, unable to keep pace with transactions. Registers are shut down, with noticeable disruption to store operations (e.g., long customer lines).

Severe or Catastrophic: one or more systems have failed and backup systems are non-existent or have also critically failed. Registers are unable to process transactions and business is halted. There is an obvious impact on store operations.

In each scenario, the ability to maintain normal business operations is adversely affected, and it is against this operational standard that the level of consequence (Limited, Serious, or Severe or Catastrophic) is defined.

## FIPS 200

In 2006, NIST published FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems. It specified minimum security requirements for (federal) information and information systems covering seventeen security-related areas[2]. As cited in FISMA, minimum security requirements are correlated to the level of adverse impact on Confidentiality, Integrity and Availability (CIA) caused by a data breach, as outlined in FIPS 199. FIPS 200 also provided a methodology for determining an information system's security category (Low, Moderate or High).
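As an added example (not the page's or NIST's code), the following Python encodes the categorization methodology the text refers to: each information type gets a Low/Moderate/High value per objective, the system's security category is the high-water mark across its information types, and the overall impact level is the high-water mark across confidentiality, integrity and availability, mapped back to the page's Table 1. The point-of-sale information types and their values are constructed for illustration.

```python
# Added example (not the page's or NIST's code): FIPS 199 categorization of a
# system from its information types, using the FIPS 200 high-water mark.
from typing import Dict, Optional, Tuple

LEVELS = ("LOW", "MODERATE", "HIGH")            # ordered impact levels
OBJECTIVES = ("confidentiality", "integrity", "availability")
# Table 1 from the page: impact level -> consequence
CONSEQUENCE = {"LOW": "Limited", "MODERATE": "Serious",
               "HIGH": "Severe or Catastrophic"}

InfoType = Dict[str, Optional[str]]  # objective -> level, or None for N/A


def validate_info_type(name: str, sc: InfoType) -> None:
    """FIPS 199 permits 'not applicable' only for confidentiality (e.g.
    public information); integrity and availability always get a level."""
    for obj in OBJECTIVES:
        level = sc.get(obj)
        if level is None and obj != "confidentiality":
            raise ValueError(f"{name}: {obj} cannot be N/A")
        if level is not None and level not in LEVELS:
            raise ValueError(f"{name}: unknown level {level!r} for {obj}")


def high_water_mark(*levels: Optional[str]) -> str:
    """Highest level present; N/A is ignored and the system-level floor
    is LOW, as FIPS 199 requires for information systems."""
    ranked = [LEVELS.index(lv) for lv in levels if lv is not None]
    return LEVELS[max(ranked)] if ranked else "LOW"


def categorize_system(info_types: Dict[str, InfoType]) -> Tuple[Dict[str, str], str]:
    """Per-objective security category of the system plus its overall
    impact level (FIPS 200: high-water mark across C, I and A)."""
    for name, sc in info_types.items():
        validate_info_type(name, sc)
    system_sc = {obj: high_water_mark(*(sc.get(obj) for sc in info_types.values()))
                 for obj in OBJECTIVES}
    return system_sc, high_water_mark(*system_sc.values())


# Constructed sample: a retail point-of-sale system (values are illustrative).
POS_INFO_TYPES = {
    "price list": {"confidentiality": None, "integrity": "MODERATE", "availability": "LOW"},
    "card data": {"confidentiality": "HIGH", "integrity": "HIGH", "availability": "MODERATE"},
    "sales log": {"confidentiality": "LOW", "integrity": "MODERATE", "availability": "MODERATE"},
}

if __name__ == "__main__":
    sc, overall = categorize_system(POS_INFO_TYPES)
    print(sc, "->", overall, CONSEQUENCE[overall])
```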

Below is an example of a FIPS 200 minimum security requirement as it pertains to ACCESS CONTROL:

Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

While some NIST publications serve as standalone guides, others rely on associated publications that supplement or complement their particular topic. For example, the NIST Cybersecurity Framework[3] and the Control Catalog (SP.800-53r5)[4] reference one another. Likewise, when discussing security/risk assessment there is a connection between FISMA, FIPS and NIST SP.800-171r2/172[5].

[1] Federal Information Processing Standards (FIPS)

[2] This number has expanded and now consists of 20 areas (or Security Control Families) as outlined in NIST SP.800-53r5 (Security Control Catalog).

[3] Framework for Improving Critical Infrastructure Cybersecurity.

[4] Security and Privacy Controls for Information Systems and Organizations.

[5] SP.800-171 was originally published in June 2015, with updates to it or its companion publications (800-172 & 800-172A) in 2016, 2019, 2020 and 2021.

This page titled 1.5: FIPS 199 and 200 is shared under a CC BY-NC 4.0 license and was authored, remixed, and/or curated by Thomas P. Dover.