NIST drafts rules for gauging security risks

NIST took its first step toward defining the minimum security measures agencies must take to protect their systems

Draft FIPS 199: Standards for Security Categorization of Federal Information and Information Systems

The National Institute of Standards and Technology took its first step last week toward defining the minimum security measures agencies must take to protect their systems, as mandated by the Federal Information Security Management Act of 2002.

NIST's proposed Federal Information Processing Standard (FIPS) 199 provides criteria that agencies must use to categorize their information and information systems based on the security risks involved.

The key is not the categories used — high-, medium- or low-risk — but the criteria provided for assessing risk, security experts say. Once approved, FIPS 199 will provide a common framework for managing information security across government.

"There needs to be standardization" so that agencies are all using the same criteria for risk assessment of their systems, said Sallie McDonald, a senior official in the Homeland Security Department's Information Analysis and Infrastructure Protection Directorate.

The draft standard would require agencies to assess risk by measuring the potential impact of a security breach along three lines: the confidentiality, integrity and availability of the information.

For example, a system with patient data could be high-risk for confidentiality and integrity because the stored information must be kept private and intact, but it could be low-risk for availability because users do not need to access it every day. Other systems could fit into other combinations of the categories.

The draft standard emphasizes the potential impact of a breach, rather than the likelihood, said Ed Roback, chief of the NIST Computer Security Division.

Every system faces some level of threat and that threat changes every day, so the more prudent path to follow is to focus on assessing the potential harm to the agency and to the people whose information is stored in the system, Roback said.

"Threat changes a lot, and we also don't have a great idea of the threats that are out there," he said. "This will help [agencies] get thinking about the risk that they face and what impact it could have" on their mission and their users.

Acknowledging at the outset that threat is a constant for every system is "a smart step to take," said Alan Paller, director of research for the SANS Institute, an information security education and consulting organization. "That is what has been missing in all risk analysis at federal agencies."

Including that basic premise in a mandated standard "could have a profoundly significant impact on federal agencies," Paller said.

Comments on the draft are due by Aug. 14 and can be submitted to fips.comments@nist.gov.

"We want to get a sense from the agencies whether these three levels make sense to them," Roback said. It is also important to make sure that agencies understand the subtle differences among the categories, he said.

The guidance lays a solid foundation for future work by establishing common definitions, said Marcia Wilke, manager of EDS' risk assessment group.

"Before, most agencies did use [the terms] low, medium and high, but what did they each mean by it?" she asked. "Now when someone talks about low confidentiality, everybody knows what that means."

The definitions will help standardize agencies' reports to Congress and other agencies. "It's really geared to a more high-level strategic planning, which is the first step of having a more secure organization," said Cheryl Lieberman, senior risk assessment consultant at EDS.

To fill in the details, later this year NIST will issue guidance on how different types of information — such as medical, judicial and geospatial — relate to the three categories and define the minimum security steps to be taken based on the categories, Roback said.

Those steps are "where the rubber hits the road," he said.

Michael Hardy contributed to this article.

***

Stepping toward security

As required by the Federal Information Security Management Act of 2002, the National Institute of Standards and Technology is developing three sets of guidelines that will help agencies determine the level of security needed for their information systems:

* The Federal Information Processing Standard 199, released last week, outlines how to categorize systems based on the level of risk in three areas: confidentiality, integrity and availability.

* Guidelines for how different types of information — such as medical or legal — align with those categories.

* Minimum security measures for the information and information systems in each category.