Tuesday, February 23, 2010

Minimum Security Requirements

Federal Information Processing Standards
Minimum Security Requirements for Federal Information and Information Systems
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
FIPS PUB 200
FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION

3 MINIMUM SECURITY REQUIREMENTS
The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems. The security-related areas include: (i) access control; (ii) awareness and training; (iii) audit and accountability; (iv) certification, accreditation, and security assessments; (v) configuration management; (vi) contingency planning; (vii) identification and authentication; (viii) incident response; (ix) maintenance; (x) media protection; (xi) physical and environmental protection; (xii) planning; (xiii) personnel security; (xiv) risk assessment; (xv) systems and services acquisition; (xvi) system and communications protection; and (xvii) system and information integrity. The seventeen areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting federal information and information systems.

Specifications for Minimum Security Requirements
Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.
Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.
Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.
Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.
Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.
System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
