Wednesday, October 8, 2003

FIPS - 199

SilverStr pointed out that FIPS 199 is finally out.

This is an extremely short document as government standards go, but it has far-reaching effects because it sets a standard for base terminology in information security and information systems security. The short version of the document is "This applies to data, systems, personnel and organizations."

The acceptable format is:

SC(information type) = {(confidentiality, impact), (integrity, impact), (availability, impact)}

  • "information type" is the person, org, data or system being described and
  • "impact" is either "high", "moderate", "low" or "N/A".

You'll see this used in incident reports, acquisitions, etc. If you interface with government organizations in any way, start using this now. You'll be ahead of the game when its use becomes mandatory (December).
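The SC notation above is regular enough to validate mechanically before it goes into a report. The following is an added example, not code from the post or from the standard: `parse_sc` and `high_water_mark` are hypothetical names, the sample expressions are constructed, and the second function goes beyond the post by applying the FIPS 199 rule that a system takes the highest impact per objective among the information types it holds.

```python
import re

OBJECTIVES = ("confidentiality", "integrity", "availability")
# Ordered lowest to highest so positions can be compared (stored upper-case).
IMPACTS = ("N/A", "LOW", "MODERATE", "HIGH")

_SC_RE = re.compile(
    r"^\s*SC\s*\(?\s*(?P<subject>[^)=]+?)\s*\)?\s*=\s*\{(?P<body>.*)\}\s*$", re.I)
_PAIR_RE = re.compile(r"\(\s*([A-Za-z]+)\s*,\s*([A-Za-z/]+)\s*\)")


def parse_sc(text):
    """Parse one SC expression into (subject, {objective: impact})."""
    m = _SC_RE.match(text)
    if not m:
        raise ValueError("not an SC expression: %r" % text)
    body = m.group("body")
    # Whatever remains after removing well-formed pairs and commas is malformed.
    if re.sub(r"[\s,]", "", _PAIR_RE.sub("", body)):
        raise ValueError("malformed pair in: %r" % body)
    ratings = {}
    for objective, impact in _PAIR_RE.findall(body):
        objective, impact = objective.lower(), impact.upper()
        if objective not in OBJECTIVES:
            raise ValueError("unknown security objective: " + objective)
        if impact not in IMPACTS:
            raise ValueError("unknown impact level: " + impact)
        if objective in ratings:
            raise ValueError("objective rated twice: " + objective)
        ratings[objective] = impact
    missing = [o for o in OBJECTIVES if o not in ratings]
    if missing:
        raise ValueError("missing objectives: " + ", ".join(missing))
    return m.group("subject"), ratings


def high_water_mark(categorizations):
    """Per objective, keep the highest impact found across the inputs."""
    return {o: max((c[o] for c in categorizations), key=IMPACTS.index)
            for o in OBJECTIVES}


if __name__ == "__main__":
    # Constructed sample expressions, not taken from the post or the standard.
    a = parse_sc("SC(payroll records)={(confidentiality,moderate),(integrity,high),(availability,low)}")
    b = parse_sc("SC(public web content)={(confidentiality,N/A),(integrity,moderate),(availability,moderate)}")
    print(a, b, high_water_mark([a[1], b[1]]), sep="\n")
```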