U.S. Federal Cybersecurity Compliance Part II

Federal Information Processing Standard (FIPS) 200

You can find Part I here.

FIPS stands for Federal Information Processing Standard. FIPS PUB 200 is one of nine series of computer system security standards for the U.S. Government. It is important to note that both FIPS 199 and FIPS 200 are mandatory security standards that the Federal Information Security Management Act (FISMA) requires government agencies to follow.

The FIPS PUB 200 publication “specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.”1

To be FIPS 200 compliant, an organization must address the 17 security-related areas that make up the minimum security requirements covered in FIPS PUB 200:

  1. Access control (AC)
  2. Awareness and training (AT)
  3. Audit and accountability (AU)
  4. Certification, accreditation, and security assessments (CA)
  5. Configuration management (CM)
  6. Contingency planning (CP)
  7. Identification and authentication (IA)
  8. Incident response (IR)
  9. Maintenance (MA)
  10. Media protection (MP)
  11. Physical and environmental protection (PE)
  12. Planning (PL)
  13. Personnel security (PS)
  14. Risk assessment (RA)
  15. Systems and services acquisition (SA)
  16. System and communications protection (SC)
  17. System and information integrity (SI)

To meet the minimum security requirements, organizations select controls from the latest NIST SP 800-53 security control catalog as they deem appropriate, making sure the selected controls provide adequate2 security based on the organization’s risk.

  1. Taken from the Purpose section of the FIPS Publication 200: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf 

  2. The Office of Management and Budget (OMB) Circular A-130, Appendix III, defines adequate security as security commensurate with the risk and the magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information. Taken from: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf