Getting to Know FIPS 200 - Pabrai on HIPAA/HITECH Compliance

Pabrai on HIPAA/HITECH Compliance

Jun 18 2010   1:49PM GMT


Getting to Know FIPS 200



Posted by: pabrai

All U.S. federal agencies must be compliant with FIPS 200. FIPS 200, developed by NIST, establishes the Minimum Security Requirements for Federal Information and Information Systems. It is the second of the mandatory security standards for FISMA compliance (after FIPS 199) and specifies two things: the minimum security requirements for information and information systems supporting the executive agencies of the federal government, and a risk-based process for selecting the security controls needed to satisfy those minimum requirements.

Security professionals should be familiar with FIPS 200 because it is a valuable reference - together with FIPS 199 and NIST SP 800-53 - and can help broaden the scope, definition and requirements of your organization’s information security plan or strategy. I know I have found FIPS 199 and NIST SP 800-53 to be significant works of value that have helped to enhance the quality of information security policies of several organizations.

The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems. The security-related areas include:

  1. Access control
  2. Awareness and training
  3. Audit and accountability
  4. Certification, accreditation, and security assessments
  5. Configuration management
  6. Contingency planning
  7. Identification and authentication
  8. Incident response
  9. Maintenance
  10. Media protection
  11. Physical and environmental protection
  12. Planning
  13. Personnel security
  14. Risk assessment
  15. Systems and services acquisition
  16. System and communications protection
  17. System and information integrity

An eighteenth security-related area, Program management, was recently added in NIST SP 800-53 (Rev 3). This new area requires the development of an organization-wide information security program plan.

So if you are not already familiar with FIPS 200, take a look at it. The minimum security requirements for federal information and federal information systems should influence the minimum requirements for the sensitive, confidential client information that your organization is entrusted with.

What are the minimal areas you have established in your organization’s information security program?
