FIPS 199
== Citation ==

[[NIST]], Standards for Security Categorization of Federal Information and Information Systems ('''FIPS 199''') (Feb. 2004) ([http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf full-text]).

== Overview ==

FIPS 199 defines the [[security categories]], [[security objectives]], and impact levels to which [[NIST Special Publication 800-60]] maps [[information]] types. FIPS 199 establishes [[security categories]] based on the magnitude of harm expected to result from [[compromise]]s rather than on the results of an assessment that includes an attempt to determine the probability of [[compromise]]. FIPS 199 also describes the context of use for this guideline.

FIPS 199 is the mandatory standard to be used by all federal agencies to categorize all [[information]] and [[information system]]s [[collect]]ed or [[maintain]]ed by or on behalf of each agency, based on the objective of providing appropriate levels of [[information security]] according to impact.

[[Security]] categorization standards for [[information]] and [[information system]]s provide a common framework and understanding for expressing [[security]] that, for the federal government, promotes:

* (i) effective management and oversight of [[information security]] programs, including the coordination of [[information security]] efforts throughout the civilian, [[national security]], emergency preparedness, [[homeland security]], and law enforcement communities; and
* (ii) consistent reporting to the [[Office of Management and Budget]] ([[OMB]]) and [[Congress]] on the adequacy and [[effectiveness]] of [[information security]] policies, procedures, and practices.

== Security categories ==

FIPS 199 establishes [[security categories]] for both information<ref>Information is categorized according to its information type. An information type is a specific category of [[information]] (e.g., [[privacy]], medical, [[proprietary]], financial, investigative, contractor sensitive, [[security management]]) defined by an organization or, in some instances, by a specific law, Executive Order, directive, [[policy]], or [[regulation]].</ref> and [[information system]]s. The security categories are based on the potential impact on an organization should certain events occur. Such impacts could jeopardize the [[information]] and [[information system]]s needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. [[Security categories]] are to be used in conjunction with [[vulnerability]] and [[threat]] information in assessing the [[risk]] to an organization.

FIPS 199 establishes three potential levels of impact (low, moderate, and high) relevant to securing federal [[information]] and [[information system]]s for each of three stated security objectives ([[confidentiality]], [[integrity]], and [[availability]]).

[[File:Table_1.jpg|650px]]

== Impact assessment ==

FIPS 199 defines three levels of potential impact on organizations or individuals should there be a [[security breach|breach of security]] (i.e., a loss of [[confidentiality]], [[integrity]], or [[availability]]). The application of these definitions must take place within the context of each organization and the overall national interest. Table 2 provides the FIPS 199 potential impact definitions.

[[File:Table_2.jpg|650px]]

In FIPS 199, the [[security category]] of an information type can be associated with both [[user information]] and [[system information]] and can be applicable to [[information]] in either [[electronic]] or non-electronic form. It is also used as [[input]] in considering the appropriate [[security]] category for a [[system]].
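A worked example, added here and not part of the wiki entry or of FIPS 199 itself, applying the categorization described above in Python: each information type receives a security category over the three objectives, and the system category is derived with FIPS 199's high-water-mark rule (the highest value per objective across the system's information types, with low as the floor, since "not applicable" is permitted only for an information type's confidentiality). The information types and their impact values are constructed for illustration, not taken from SP 800-60.

```python
from enum import IntEnum

OBJECTIVES = ("confidentiality", "integrity", "availability")


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    NOT_APPLICABLE = 0  # allowed only for the confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


def categorize_information_type(confidentiality, integrity, availability):
    """Return the security category (SC) of one information type as an objective->impact map.

    FIPS 199 permits "not applicable" only for confidentiality; integrity and
    availability of an information type are at least low.
    """
    if Impact.NOT_APPLICABLE in (integrity, availability):
        raise ValueError("'not applicable' is permitted only for confidentiality")
    return {"confidentiality": confidentiality, "integrity": integrity, "availability": availability}


def categorize_system(info_types):
    """Derive the system SC with the FIPS 199 high-water mark.

    Each objective takes the highest value among the information types the
    system handles; a system SC never contains "not applicable", so low is the floor.
    """
    if not info_types:
        raise ValueError("a system must carry at least one information type")
    return {obj: max(max(sc[obj] for sc in info_types.values()), Impact.LOW) for obj in OBJECTIVES}


def format_sc(label, sc):
    """Render a category in FIPS 199 notation: SC label = {(objective, IMPACT), ...}."""
    pairs = ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES)
    return f"SC {label} = {{{pairs}}}"


if __name__ == "__main__":
    # Constructed information types for a hypothetical agency system (illustrative values).
    info_types = {
        "public web content": categorize_information_type(Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.MODERATE),
        "contract data": categorize_information_type(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
        "investigative data": categorize_information_type(Impact.HIGH, Impact.MODERATE, Impact.LOW),
    }
    for name, sc in {**info_types, "system": categorize_system(info_types)}.items():
        print(format_sc(name, sc))
```

With the constructed inputs the system category comes out as {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}, because each objective is driven by the most sensitive information type the system carries.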
== References ==

<references />

[[Category:Publication]]
[[Category:Technology]]
[[Category:Security]]
[[Category:Standards]]
[[Category:2004]]