Comments Due Today on Draft of FIPS-199
You have until Thursday to comment on FIPS-199. FIPS-199 is a new process, drafted by the National Institute of Standards and Technology, for categorizing non-classified IT systems into nine different risk "boxes."
According to Ron Ross, NIST's director of the National Information Assurance Partnership, FIPS-199 "is part of the NIST effort to give federal agencies guidance on the level of security controls they need in meeting the classic security areas of Confidentiality, Integrity and Availability."
As drafted, FIPS-199 creates a matrix of nine charted boxes for cross-referencing specific requirements for Low-, Moderate- and High-Risk information and systems. Ross said the new Federal Information Processing Standard draws on the method by which classified systems are categorized, where a Top Secret system might be defined by the "impact of its loss" on a national mission.
Ross said many non-national security systems running today nonetheless need to meet tougher requirements because they might contain information related to critical infrastructure, terrorist alerts, witness protection, sensitive citizen information, etc.
Something like medical privacy data can be subject to varying levels of non-disclosure law and regulation, and agencies maintaining such data need a better grasp on how to make sure basic controls are implemented to assure compliance, Ross told an Energy department computer security conference last month.
The FIPS-199 effort dovetails with work being done on NIST special publication 800-53, which will standardize Minimum Security Controls for agency IT. Ross said the 800-53 process has led officials to examine and often incorporate existing standards from across many agency-specific processes, including the Defense department, the National Security Agency, the Central Intelligence Agency, ISO 17799 and elsewhere.
A draft of Special Publication 800-53 is also expected out this summer.
NIST is accepting comments until August 14 at fips.comments@nist.gov.
Read more at: http://www.csrc.nist.gov/publications/drafts/FIPS199-FRnotice.pdf