In: Computer Science
Please explain to me in your own words (no cut and paste) what each of the following documents means and what they are trying to accomplish.
FIPS stands for Federal Information Processing Standards. These are a set of rules that describe document processing, encryption algorithms and other information technology standards for use within non-military government and by government contractors and vendors who work with agencies.
FIPS 199/200
- It's all about Risk Assessment and Risk Management. Federal agencies must conduct these assessments per the Federal Information Security Management Act of 2002 (FISMA).
- So it required NIST (National Institute of Standards and Technology) to develop these standards, i.e.:
1. Categorize information based on the level of risk (FIPS 199).
2. Secure information appropriately to its level (FIPS 200).
FIPS 199:
- Security Categories for Information and Information Systems.
1. Based on security objectives:
a) Confidentiality.
b) Integrity.
c) Availability.
2. Levels of impact if a security breach occurred:
a) Low.
b) Moderate.
c) High.
FIPS 200:
- FIPS 200 provides guidance on properly protecting the system based on this classification.
Controls fall within 17 categories:
1) Access Control.
2) Awareness and Training.
3) Audit and Accountability.
4) Certification, Accreditation, and Security Assessments.
5) Configuration Management.
6) Contingency Planning.
7) Identification and Authentication.
8) Incident Response.
9) Maintenance.
10) Media Protection.
11) Physical and Environmental Protection.
12) Planning.
13) Personnel Security.
14) Risk Assessment.
15) System and Services Acquisition.
16) System and Communications Protection.
17) System and Information Integrity.
SP 800-39:
- It is a Special Publication on information security; such standards are set by NIST in response to FISMA.
- SP 800-39's purpose is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems.