In the world of government contracting, information security is taken very seriously. There are a dozen different standards for security depending on who you are, what information you handle, and what department you’re working with. We’ve talked about many of them before, such as DFARS, FedRAMP, and CMMC, but there’s yet another to discuss. As you’ll have guessed from the title, we’re talking about FIPS.
So, what is FIPS, what are the 199 and 200 documents, what does compliance mean, and what do you need to do as a company planning to work with the government? Let’s dig in.
BLUF - Bottom Line Up Front
FIPS, established by NIST, consists of standards for federal information security. FIPS 199 categorizes information systems based on confidentiality, integrity, and availability, which guides security requirements. FIPS 200 sets minimum security controls based on these categories. Organizations handling federal information, except classified and national security data, should use these standards. Compliance involves applying specific controls from NIST SP 800-53. FedRAMP certification ensures adherence for cloud service providers. Tools like Ignyte aid in meeting these complex requirements.
What is FIPS?
FIPS is another set of standards defined by, you guessed it, the National Institute of Standards and Technology, NIST. In simple terms, it stands for Federal Information Processing Standards.
FIPS is not one thing but rather a wide range of different publications, all of which are standards applying to specific technologies. They are, in a sense, “patches” that cover gaps in otherwise-extant compliance frameworks and industry standards. In cases where no other government regulation provides a standard for a certain technology, no broadly-used third-party standard exists, and the government uses that technology, a FIPS is created to cover those bases and set a standard. Or, to put it in the specific terms NIST uses:
“The National Institute of Standards and Technology (NIST) develops FIPS publications when required by statute and/or there are compelling federal government requirements for cybersecurity.”
There are currently 13 active FIPS publications. Others have been withdrawn and superseded by newer versions or are no longer relevant. Of the active FIPS documents, ten are in their final form, and three are drafts.
They are:
- FIPS 140-2 – Security Requirements for Cryptographic Modules
- FIPS 140-3 – Security Requirements for Cryptographic Modules
- FIPS 180-4 – Secure Hash Standard
- FIPS 186-5 – Digital Signature Standard
- FIPS 197 – Advanced Encryption Standard
- FIPS 198-1 – The Keyed-Hash Message Authentication Code
- FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems
- FIPS 200 – Minimum Security Requirements for Federal Information and Information Systems
- FIPS 201-3 – Personal Identity Verification of Federal Employees and Contractors
- FIPS 202 – SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
- FIPS 203 (Draft) – Module-Lattice-Based Key-Encapsulation Mechanism Standard
- FIPS 204 (Draft) – Module-Lattice-Based Digital Signature Standard
- FIPS 205 (Draft) – Stateless Hash-Based Digital Signature Standard
As you can see, most of these are broadly related to the same concepts: cryptography, information security, hashing, and proof of identity. Only two of them stand out: FIPS 199 and 200.
What is FIPS 199?
FIPS 199 is the Standards for Security Categorization of Federal Information and Information Systems. What does that mean? To understand, we need to step back to the broader picture.
The government, as you might expect, wants its various departments to be secure and resilient against information security threats. However, they also know that there’s a significant difference between something like the nuclear launch codes and the internal employee potluck meal sign-up list. Different agencies and different information need to be treated differently.
Different frameworks, like CMMC or FedRAMP, have varying requirements based on the level of information the agency or company accesses. The security requirements for handling public information are different from handling CUI, which are different from those for handling Classified information.
This naturally leads you to the next question: how do you classify the organization in terms of what information it handles? This, too, requires a standard, and that standard is FIPS 199. This all stems from FISMA, the Federal Information Security Management Act of 2014. FISMA outlined several tasks for NIST. The first of those tasks was:
[…the development of] standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels.
FIPS 199 is that set of standards. Using FIPS 199 is how you determine what your impact level is and, thus, what other standards from documents like NIST SP 800-171 are required to be implemented.
How Does FIPS 199 Work?
Elsewhere in various standards within the overall government apparatus, you’ve likely heard of the axes of impact levels. There are three categories and three impact levels against which an organization’s information is judged.
The categories are:
- Confidentiality: Agencies must preserve data against unauthorized access and maintain the privacy of that data.
- Integrity: Agencies must protect against unauthorized modification, corruption, or destruction of that data as part of its regular use.
- Availability: Agencies must ensure timely and reliable access to all information in government IT systems.
That third one is surprisingly important. Information can be very secure if you lock it away in cold storage and make it impossible to access, but that’s not a solution to any problem, so availability is governed as well.
The three impact levels apply to each of these categories. Impact levels refer to the effects of a breach of the relevant category. The impact of a confidentiality breach of a government agency’s employee roster is far lower than that of a breach of the master password for a senator’s email server. The three impact levels are:
- Low: A breach at the low impact level has a limited adverse effect on agencies and constituents: it can cause some damage to the agency or minor financial harm to individuals, but nothing beyond that.
- Moderate: A breach of moderate impact has a serious effect on agencies and constituents. It can be a serious roadblock to agency performance, cause significant damage to agency assets, or cause significant harm to individuals.
- High: A breach of high impact has a potentially catastrophic effect on both the agency and individuals involved. This includes complete loss of agency ability to function, severe financial damages, and even potential loss of life to individuals involved.
Two examples directly from FIPS 199 are:
A law enforcement agency managing sensitive information about investigations. This information has strict confidentiality requirements, needs to be protected against modification or disruption, and needs to be accessible to a limited number of people; the impact levels for each end up as Confidentiality (High), Integrity (Moderate), and Availability (Moderate).
A bank evaluating routine administrative information that isn’t privacy-related performs a similar analysis and determines that the risk of damage from a break of any of the three categories is low, setting their categories for this information as Confidentiality (Low), Integrity (Low), and Availability (Low).
Critically, agencies and businesses often handle different kinds of information in different systems. The information you handle in your email system is different from what you handle in your customer databases, to use a basic example. This means that depending on the set of information you’re looking at, you might have different classifications. Say you have two systems that look like this:
- System 1: Confidentiality (Low), Integrity (High), Availability (Low)
- System 2: Confidentiality (Low), Integrity (Moderate), Availability (High)
These combine for your overall agency security classification, using the high watermark for each category. Thus, your overall configuration would be Confidentiality (Low), Integrity (High), and Availability (High).
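The high watermark rule above is mechanical enough to be worth writing down as code. The following Python is an added example, not part of the original article or of any NIST or Ignyte tooling: it parses the “Confidentiality (Low), Integrity (High), Availability (Low)” notation used in this post, rejects malformed input, aggregates any number of systems objective by objective, and also collapses the result to the single system impact level (the highest of the three objectives) that FIPS 200 starts from. The `Impact` ordering, the `SecurityCategory` class and the parser are assumptions made for the example; the sample inputs are the two systems and the two FIPS 199 examples quoted above.

```python
import re
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the worst case."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# The three security objectives FIPS 199 categorizes against.
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Matches one "Objective (Level)" pair in the article's notation, any case.
_PAIR_RE = re.compile(
    r"(confidentiality|integrity|availability)\s*\(\s*(low|moderate|high)\s*\)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SecurityCategory:
    """One system's (or one aggregate's) FIPS 199 security category."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def fips199_notation(self) -> str:
        # The SC = {(objective, IMPACT), ...} form used in FIPS 199 itself.
        parts = ", ".join(f"({name}, {getattr(self, name).name})" for name in OBJECTIVES)
        return "SC = {" + parts + "}"


def parse_category(text: str) -> SecurityCategory:
    """Parse 'Confidentiality (Low), Integrity (High), Availability (Low)'.

    Raises ValueError if an objective is missing, duplicated, or an impact
    level is not one of Low/Moderate/High (unknown words simply do not match).
    """
    found: dict[str, Impact] = {}
    for objective, level in _PAIR_RE.findall(text):
        key = objective.lower()
        if key in found:
            raise ValueError(f"{key} listed twice in {text!r}")
        found[key] = Impact[level.upper()]
    missing = [o for o in OBJECTIVES if o not in found]
    if missing:
        raise ValueError(f"missing objective(s) {missing} in {text!r}")
    return SecurityCategory(**found)


def high_water_mark(categories) -> SecurityCategory:
    """Combine several systems' categories objective by objective.

    This is the FIPS 199 high watermark: for each objective, take the
    highest impact level any contributing system assigned to it.
    """
    categories = list(categories)
    if not categories:
        raise ValueError("need at least one security category")
    return SecurityCategory(
        **{name: max(getattr(c, name) for c in categories) for name in OBJECTIVES}
    )


def overall_impact_level(category: SecurityCategory) -> Impact:
    """FIPS 200 step: the system's single impact level is the highest of the three objectives."""
    return max(category.confidentiality, category.integrity, category.availability)


if __name__ == "__main__":
    # Constructed inputs: the two systems from the article and its two FIPS 199 examples.
    systems = [
        parse_category("Confidentiality (Low), Integrity (High), Availability (Low)"),
        parse_category("Confidentiality (Low), Integrity (Moderate), Availability (High)"),
    ]
    agency = high_water_mark(systems)
    print("Agency high watermark:", agency.fips199_notation())
    print("Overall impact level (FIPS 200):", overall_impact_level(agency).name)

    law_enforcement = parse_category(
        "Confidentiality (High), Integrity (Moderate), Availability (Moderate)"
    )
    bank_admin = parse_category("Confidentiality (Low), Integrity (Low), Availability (Low)")
    for label, cat in (("Law enforcement", law_enforcement), ("Bank admin", bank_admin)):
        print(f"{label}: {cat.fips199_notation()} -> {overall_impact_level(cat).name}")
```

Note that the aggregate is taken per objective, not per system: neither system above is High in two objectives, yet the agency-level category is High in both integrity and availability, which is exactly why the combined baseline can be stricter than any single system’s.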
You can, of course, read deeper into this in the actual FIPS 199 document here.
What is FIPS 200?
FIPS 200 is the Minimum Security Requirements for Federal Information and Information Systems document. If you consider FIPS 199 to be the first step in the process of determining the ideal security posture for your agency, FIPS 200 is the next step.
FIPS 199 allows you to determine the impact level minimum you need to consider. FIPS 200 then takes that impact level value and runs you through each of the seventeen security control families to determine the minimum security standards you need to comply with across each of those families.
- Access Control
- Awareness And Training
- Audit And Accountability
- Certification, Accreditation, And Security Assessments
- Configuration Management
- Contingency Planning
- Identification And Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical And Environmental Protection
- Planning
- Personnel Security
- Risk Assessment
- Systems And Services Acquisition
- System And Communications Protection
- System And Information Integrity
If these sound familiar, they are. These are essentially the same categories as the list of security controls defined in NIST SP 800-53. There’s a good reason for that: FIPS 200 is the document that defines what goes into NIST SP 800-53.
Essentially, you use FIPS 199 and FIPS 200 to determine what your required security posture should be and what security controls apply to you. You then use NIST SP 800-53 and NIST SP 800-53B to drill down into those specific controls at that specific impact level and work on implementing what you find, as well as to assess the controls and determine their effectiveness.
How does FIPS 200 work? Like FIPS 199, it’s essentially the baseline definitions from which other definitions are later derived. As such, it’s not really a worksheet or a process to follow. Generally, you don’t need to read or care about what it says unless you want an underlying understanding of how the security families are defined; the actionable information you need is in documents like NIST SP 800-53.
Who Has to Care About FIPS 199 and FIPS 200?
Some government standards apply only to the government agencies handling specific kinds of tasks. Others apply to any government agency, and yet others apply to all government contractors, subcontractors, and members of various supply lines. The scope is important, so to whom do FIPS 199 and 200 apply?
FIPS 199/200 applies to all information handled by the federal government that is not:
- Classified by executive order, under the Atomic Energy Act, or under another act; or
- Part of a designated National Security System.
So, any information that isn’t classified and isn’t part of National Security as defined by 44 USC 3542(b)(2) falls under the purview of FIPS 199. It’s a broad umbrella.
Additionally, FIPS is not limited to federal agencies. The standards are open and available for any state government, local government, tribal government, or private entity to use if they see fit.
FIPS 199/200 are standard definitions; they are not a framework or a validation process.
What Does it Mean to Comply with FIPS 199 & 200?
On its own, nothing.
FIPS 199 and FIPS 200 are documents that outline the basis of other standards, most notably NIST SP 800-53. There’s no way to “comply” with FIPS 199; it’s simply a definition you use to determine your impact levels. Likewise, there’s no way to “comply” with FIPS 200; it’s simply a definition you use to identify security controls.
Actual compliance is the act of identifying the specific controls and posture required out of NIST SP 800-53 and implementing those controls for that posture. In other words, it’s FedRAMP compliance.
If you’re a cloud services provider and you wish to work with the government handling information that is both not classified and not part of national security, FedRAMP certification is a good way to do it. The full process for obtaining FedRAMP certification and the Authority to Operate is lengthy and complex, however. Each of those 17 control families has anywhere from a small handful to dozens of individual security controls, all of which need to be evaluated and implemented according to your impact level for your organization.
None of this is fast or easy. That’s where we come in. At Ignyte, we’ve developed a platform designed specifically to help you identify and track each individual security control, from initial definition to the plan of action and milestones necessary to implement those controls, to third-party testing and validation, to obtaining certification, and even beyond, into continuous monitoring and compliance.
FIPS 199/200, NIST SP 800-53, FedRAMP; these are just some of the many frameworks we cover, as well. If your company falls outside of the FedRAMP purview and you need to comply with a different framework, like CMMC, HITRUST, HIPAA, or virtually anything else, we have you covered as well.
If you’re interested, you can request a demo of our platform and see precisely how it works for you. Alternatively, feel free to reach out with any questions you may have. We’re more than happy to help.
Additionally, if you’re looking for further information about FIPS, FedRAMP, ITAR, or any other form of compliance, we highly recommend you check out our other articles. We have a plethora of information available to you; all you have to do is click here to get started. And if there’s another topic you’d like us to cover in a future article, be sure to let us know!
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.