[ISN] NIST sets FISMA standards for federal IT systems

InfoSec News isn at c4i.org
Thu Mar 16 05:03:04 EST 2006


By William Jackson
GCN Staff

The National Institute of Standards and Technology has released the
final standard for securing agency computer systems under the Federal
Information Security Management Act.

Federal Information Processing Standard 200 [1] sets minimum security
requirements for federal systems in 17 security areas. It is the third
of three publications required from NIST under FISMA, which requires
executive branch agencies to establish consistent, manageable IT
security programs for non-national security systems. The intent of
FISMA is to implement risk-based processes for selecting and
implementing security controls.

FIPS 199 [2], released two years ago, establishes standards for
categorizing IT systems as low-, moderate- or high-impact, depending on
the effect a breach of the confidentiality, integrity or availability
of the system would have. Special Publication 800-53 [3], "Recommended
Security Controls for Federal Information Systems," catalogs the
security controls to be applied under FIPS 200 to secure IT systems.

Agencies must be in compliance with FIPS 200 by March 2007.

Requirements are spelled out for the 17 areas: 

* Access control 
* Awareness and training 
* Audit and accountability 
* Certification, accreditation and security assessments 
* Configuration management 
* Contingency planning 
* Identification and authentication 
* Incident response 
* Maintenance 
* Media protection 
* Physical and environmental protection 
* Planning 
* Personnel security 
* Risk assessment 
* System and services acquisition 
* System and communications protection 
* System and information integrity.

Agencies must employ on each system the security controls in each of
these areas that correspond to its FIPS 199 category, that is, whether
it is a low-, moderate- or high-impact system.

NIST also is updating its standards for digital signatures. A draft of
FIPS 186-3 [4], which would replace the current FIPS 186-2, has been
released for comment.

The original digital signature standard was released in 1994 and has
been updated twice, in 1998 and 1999. The current version authorizes
key sizes from 512 to 1024 bits with the approved algorithms.
1024-bit keys are now considered the minimum acceptable level for
the security of digital signatures.

"With advances in technology, it is prudent to consider larger key
sizes," NIST said. "Draft FIPS 186-3 allows the use of 1024, 2048 and
3072-bit keys."

Comments on the proposed standard should be made by June 12 to
elaine.barker at nist.gov, or mailed to the Chief, Computer Security
Division, Information Technology Laboratory, Attention: Comments on
Draft FIPS 186-3, 100 Bureau Drive, Stop 8930, National Institute of
Standards and Technology, Gaithersburg, MD 20899-8930.

[1] http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
[2] http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
[3] http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
[4] http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-3%20_March2006.pdf
