Love it or hate it, it’s the law

Experts are predicting a struggle for agencies trying to meet the minimum security requirements under FIPS 200.

Related link: FIPS 200, Minimum Security Requirements for Federal Information and Information Systems

The National Institute of Standards and Technology has defined mandatory minimum requirements for protecting federal data and computer systems. But security experts disagree about whether the new mandate will raise the federal government’s information security grade, which is now a D-plus.

NIST published the security requirements March 14 as Federal Information Processing Standard (FIPS) 200. It is the second standard NIST has published to implement the Federal Information Security Management Act (FISMA) of 2002. The first was FIPS 199, which NIST released in February 2004. It required agencies to categorize their information systems as low, moderate or high impact, according to the harm that a loss of confidentiality, integrity or availability of the information stored or processed on those systems would cause.

The new FIPS requirements are also keyed to those impact levels. The standard identifies 17 security-related areas, or control families, that agencies must address to protect information. They include access control, security awareness and training, and configuration management. Agencies must comply with FIPS 200 by March 2007, one year after its approval.

Some security experts say the new standard will not initiate better information security because too much depends on how agencies implement controls and audit their systems.

FIPS 200 “breaks down in its implementation and in testing,” said Bruce Brody, vice president of information security at the research firm Input. Input released a report in mid-March that criticizes FISMA’s reliance on paperwork instead of technology-based audits.

NIST officials say FIPS 200 establishes minimum security requirements for federal information and information systems that are not national security systems. A companion document, NIST Special Publication 800-53, supplies the catalog of security controls in each of the 17 areas and a risk-based procedure for selecting, from the baseline that matches a system's FIPS 199 impact level, the controls that satisfy those minimum requirements.

Brody, who is critical of the lack of uniformity in implementing FISMA, said the NIST publications address important security issues in great detail. However, federal agencies need better implementation guidance, he added.

Brody said federal agencies must have authoritative guidance on what they should implement and how their chief information officers should test those implementations. “The CIO is powerless,” he said. “Administrators ask, ‘How do I put these changes in place? How do I test them? How often do I test them?’ It all gets a little unwieldy for the CIO.”

Others say FIPS 200 is the most complete information security standard to date. Clint Kreitner, president and chief executive officer of the Center for Internet Security, described FIPS 200 as “the most comprehensive work available in the area of information security management — public or private.”

In a field that is so new, he added, it is too much to expect implementation and auditing guidelines tailored to each federal agency.

“The whole realm of security practices is still evolving,” Kreitner said. “The threats to information security are relatively young. We’re still figuring out the best way to manage them. There isn’t a cookbook we can look at for what to do.”

Small and large agencies face different challenges in implementing FIPS 200 because of disparities in budgets and expertise, Kreitner said. But the most important factor is how an agency works within the FIPS mandate and adapts those security requirements to its needs.

“Intelligent local adaptation and implementation [are] the key to using all the NIST guidance documents,” he said.

Kreitner declined to comment on whether most agencies will be able to comply with FIPS 200 by the March 2007 deadline. But he said the mandate will push agencies to improve their day-to-day security practices.

Setting more controls on information security

Federal Information Processing Standard 200 defines minimum security requirements for federal information and information systems and specifies 17 security-related areas that agencies must address. The companion document, NIST Special Publication 800-53, lists the individual security controls in each area that agencies should use to satisfy those requirements.

The 17 areas are:

  • Access control.

  • Awareness and training.

  • Audit and accountability.

  • Certification, accreditation and security assessments.

  • Configuration management.

  • Contingency planning.

  • Identification and authentication.

  • Incident response.

  • Maintenance.

  • Media protection.

  • Physical and environmental protection.

  • Planning.

  • Personnel security.

  • Risk assessment.

  • System and services acquisition.

  • System and communications protection.

  • System and information integrity.