"Protecting our government networks remains a critical priority for this administration," said U.S. Commerce Secretary Donald L. Evans. "This new standard will help agencies better handle security threats by providing better information and guidance to federal agencies so they can make sound decisions."
The standard was developed following passage of the Federal Information Security Management Act (FISMA) of 2002. Federal Information Processing Standard (FIPS) 199, Standards for the Security Categorization of Federal Information and Information Systems, introduces significant changes in how the federal government protects information and the computerized networks that store information by giving detailed guidance on how to categorize systems.
The standard includes criteria to be used by civilian agencies in categorizing information and information systems, providing appropriate levels of security according to a range of impact levels. Under the standard, agencies will assess the potential impact on their missions that would result from a security breach due to loss of confidentiality (unauthorized disclosure of information), integrity (unauthorized modification of information) or availability (denial of service).
The mandatory standard will be a critical component of an agency's risk management program. As required by FISMA, NIST is also developing a companion standard that will specify minimum security requirements for all federal systems. A draft of that material was published by NIST in 2003 for public comment. Together, these two standards will help ensure that appropriate, cost-effective security measures are put in place for each federal system. NIST also has a variety of computer security guidelines that may be used in conjunction with the new standard.
A copy of the standard is available at http://csrc.nist.gov.