NIST Releases Final FISMA Standard for IT Systems

The National Institute of Standards and Technology (NIST) has released the final standard for securing federal agencies' information systems under the Federal Information Security Management Act (FISMA), Government Computer News (GCN) reports.

The standard, Federal Information Processing Standard (FIPS) 200, sets minimum security requirements for federal information systems across a number of key areas, GCN reports.

Agencies must comply with the newly released standard by March 2007, according to GCN.

FIPS 200 is the last of three publications FISMA required from NIST. FISMA mandates that executive branch agencies maintain ongoing, up-to-date and manageable security programs for their non-national-security systems, according to GCN.

The goal of FISMA is to establish risk-based security practices, so that agencies apply security controls proportionate to the risk each of their systems carries, GCN reports.

The first NIST publication required under FISMA, FIPS 199, was released in 2004. It defines how agencies categorize their systems as low, moderate or high impact, based on the harm a loss of confidentiality, integrity or availability of the system's information would cause, according to GCN.

The second, Special Publication 800-53, catalogs the security controls agencies select from to satisfy the minimum requirements set by the newly released FIPS 200, GCN reports.

According to GCN, FIPS 200 specifies minimum security requirements in each of the following areas:

-Access Control

-Awareness and Training

-Audit and Accountability

-Certification, Accreditation and Security Assessments

-Configuration Management

-Contingency Planning

-Identification and Authentication

-Incident Response

-Maintenance

-Media Protection

-Physical and Environmental Protection

-Planning

-Personnel Security

-Risk Assessment

-System and Services Acquisition

-System and Communications Protection

-System and Information Integrity

Federal agencies must meet the requirements in each of these areas by selecting the baseline of security controls from SP 800-53 that matches the low, moderate or high impact level the system was assigned under FIPS 199, GCN reports.


Copyright © 2006 IDG Communications, Inc.
