NIST issues security drafts

NIST Computer Security Resource Center

The National Institute of Standards and Technology last week released drafts of two security publications to help agencies define the levels of security necessary for different types of information systems and establish or fine-tune processes for handling security incidents.

The final draft of Federal Information Processing Standard (FIPS) 199, "Standards for Security Categorization of Federal Information and Information Systems," is the first step in a series of standards, guidelines and requirements mandated under the Federal Information Security Management Act (FISMA) of 2002. The standard, released Sept. 17, outlines ways to link different types of federal information and systems, and the risks each faces. NIST will later tie this to guidance for the appropriate level of security, depending on the assigned level of risk.

The standard focuses on three security areas for information and systems: confidentiality, integrity and availability. It then defines three levels of potential impact on organizations or individuals if any of those security areas are compromised.

Assigning a level of risk is not a clear-cut process, because it must be considered in the context of each agency, states the draft, which includes several examples of how to apply the three security areas and three impact levels. The document, for instance, discusses the difference between a system that needs high availability but holds information that needs only low confidentiality measures, and a system that can be offline for a period of time, but needs both high confidentiality and integrity for its information.

The institute on Sept. 15 released a draft of the Computer Security Incident Handling Guide (Special Publication 800-61), intended to help agencies meet a FISMA requirement to establish some level of incident handling capability and report to the Office of Management and Budget and the Federal Computer Incident Response Center (FedCIRC).

Incident Response Centers are receiving a lot of attention now because of the number and severity of recent attacks, such as the Blaster worm and SoBig.F virus that surfaced last month. Many agencies already have such capabilities, but the latest guide is designed to help existing and new organizations.

It outlines best practices within a response center, common policies to work with outside partners, and examples of how a response center fits within an agency's larger technology and policy structure.

The guidance is designed for the chief information officers and their security staffs, and details sharing information, addressing morale issues, the benefits and pitfalls of having an employee-staffed response center or one that is partially outsourced, and other issues.

Comments on the draft guidance may be sent to NIST by Oct. 15 at


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.