FIPS Publication 199

NIST
  • Federal Information Processing Standards are guidelines issued by the United States government.  They standardize how organizations should handle the many different aspects of networks and security, giving them a road map to follow.  This piece details FIPS 199, which concerns itself with the CIA triad (Confidentiality, Integrity, and Availability).  It is an important standard for all current and future network employees.

Technology is a tool and a key that has allowed us to expand our horizons and go beyond the traditional barriers we tend to have in this world.  When we realized the potential of this technology, we began to understand how amazing it could be and what we could do with it.  We no longer had to be stuck within certain limits.  Sure, we have cars, airplanes, and boats for transportation, but this technology opened up a whole new way to communicate with everyone around the world, as long as we are connected.

Governments, organizations, and businesses also realized the potential of this technology.  They too became connected, as a way to reach each other and consumers much more efficiently.  Businesses found better ways to advertise while also offering their products in more accessible ways, including digitally.  The music and movie industries have accepted this and let consumers use services where listening to a song or watching a movie can happen instantly for a small price.  Online stores such as Amazon have created a very trustworthy environment where they can offer a wider variety of products than normal brick and mortar stores.  We have expanded our lives in many ways, but what we may not have realized is how this change could affect us negatively.

While we have taken down barriers and opened doors, we may not have realized how difficult this new frontier may be to handle.  Every day there are threats out there seeking to do damage to users at all levels.  Of course, threats exist in most things we have in life, but in the digital realm these threats have become much bigger and there can be far more to lose.  As an example, consider a bank with a few brick and mortar branches across the state.  These are susceptible to different kinds of attacks, but mostly local ones.  When that same bank connects online and offers services there, it raises its risk level greatly: not only is important information stored on these servers, the bank has also opened itself to attacks from all over the world instead of from a relatively small community.  This kind of thinking applies to everyone from the government down to the typical user who logs on simply to socialize over numerous networks.

This type of thinking is the reason that information security is a hot topic in today’s world.  Information security is the idea of understanding the risks and threats while creating a safe environment for everyone.  It is this idea that protects data, information, and our daily lives from malicious code and attackers.  This extends far further than we may think, because as we become more connected we have to realize that there are threats to our physical lives as well.  Electric grids that keep our power running, power and chemical plants, delivery services, water services, etc. can all be at risk in many different ways.  These risks can affect our lives in many ways, and even cause death.  That is why we have a set of publications and standards meant to help us understand threats and keep the highest quality of control and security over them.  Here, I look at, try to understand, and compare FIPS PUB-199, which sets standards for security categorization of federal information and information systems.

FIPS PUB-199 identifies the importance of the CIA triad: confidentiality, integrity, and availability.  Beyond that, the main purpose of this publication is to recognize the value of information security and how it relates to our economic and national security interests.  It was created to serve as a road map, a set of guidelines that should be followed in terms of security.  We want to be able to categorize information and information systems; as the publication puts it, the intent is “to develop standards for categorizing information and information systems. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the federal government, promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices.”

As I mentioned earlier, FIPS PUB-199 focuses on confidentiality, integrity, and availability, which are very common themes in the world of information security.  Confidentiality means preventing valuable information from being accessed by unauthorized individuals.  Integrity means data can be trusted: it should not be modified improperly, and once it has been, the rule is violated and the integrity of the data cannot be trusted.  Availability means information and data are accessible to the proper individuals when needed.  This does not only apply to data; it also refers to the networks and systems that are running.  They should always be available.

With FIPS PUB-199, each of the CIA objectives is rated at a low, moderate, or high impact level.  These ratings express the severity of a potential loss and give a consistent scale to measure it on.  The idea is to define the impact of a possible breach or attack by rating the loss of confidentiality, integrity, or availability.  Publication 199 lists the levels as follows:

“The potential impact is LOW if—

− The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

The potential impact is MODERATE if—

− The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

The potential impact is HIGH if—

− The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.”
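The LOW/MODERATE/HIGH scale quoted above, applied in code as an added example that is not part of the original post or of the NIST publication: it assigns one impact level per security objective to each information type and combines several types into a system-level category using the high water mark rule that FIPS 199 gives for information systems (which the post does not quote). The gaming-service information types and the levels assigned to them are constructed, illustrative assumptions.

```python
from enum import IntEnum
from typing import Dict

# The three impact levels quoted above, ordered so that max() picks the worst case.
class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

# A security category: one impact level per security objective.
SecurityCategory = Dict[str, Impact]

def categorize(confidentiality: Impact, integrity: Impact, availability: Impact) -> SecurityCategory:
    """Build the security category for a single information type."""
    return {"confidentiality": confidentiality, "integrity": integrity, "availability": availability}

def system_category(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """FIPS 199 high water mark: for each objective, an information system takes
    the highest impact level found among all information types it holds."""
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    for name, sc in info_types.items():
        missing = [obj for obj in OBJECTIVES if obj not in sc]
        if missing:
            raise ValueError(f"{name}: no impact assigned for {missing}")
    return {obj: max(sc[obj] for sc in info_types.values()) for obj in OBJECTIVES}

def format_sc(name: str, sc: SecurityCategory) -> str:
    """Render in the publication's notation, e.g.
    SC payment data = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}"""
    inner = ", ".join(f"({obj}, {sc[obj].name})" for obj in OBJECTIVES)
    return f"SC {name} = {{{inner}}}"

# Constructed sample input: information types an online gaming service like the one
# discussed in the post might hold. The impact levels are illustrative assumptions,
# not an official categorization of any real service.
GAMING_SERVICE: Dict[str, SecurityCategory] = {
    "payment data": categorize(Impact.HIGH, Impact.HIGH, Impact.MODERATE),
    "account credentials": categorize(Impact.HIGH, Impact.HIGH, Impact.MODERATE),
    "player profiles": categorize(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "matchmaking state": categorize(Impact.LOW, Impact.LOW, Impact.MODERATE),
}

if __name__ == "__main__":
    for name, sc in GAMING_SERVICE.items():
        print(format_sc(name, sc))
    print(format_sc("online gaming service", system_category(GAMING_SERVICE)))
```

Because availability is only MODERATE for every constructed type, the system-level category comes out HIGH for confidentiality and integrity but MODERATE for availability, showing that the high water mark is taken per objective rather than for the system as a whole.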

This is a good system, but can it hold up in our current world, where far more people are connected and a lot has changed not only in government security but in business security as well?  Again, we are turning more and more digital and purchasing products this way too.  Our information is constantly out there, whether for shopping, online gaming, book reading, music, socializing, etc.  We are far more connected, including to other countries that may have the will to cause each other difficulty and harm over disagreements in world affairs.  But can the current systems in place handle all of this, and how can companies constantly keep up with new threats?  This is the power of being connected.

Implementing this system can be difficult, but it is also a necessity.  One problem we see a lot is the improper implementation of information security methods.  These methods range from simple measures such as firewalls and virus scanners to the more difficult challenge of incident response.  Information security is absolutely vital to a successful network structure and to keeping confidentiality, integrity, and availability intact.  Creating an information security plan can be challenging, especially given the number of standards and regulations to consider.  I outlined the basis of FIPS PUB-199 and my own thoughts about it above as an overview of how it can be implemented in a system.

Let us take a popular networked service: gaming.  We know the gaming industry is a huge business that rakes in billions of dollars each year.  A big part of this is the online community, where gamers can play with or against each other in various types of online matches.  These platforms range from home consoles (think Xbox 360, PlayStation 3) to the PC, with its long history of online services that have expanded beyond playing games to purchasing digital games through services such as Steam and Origin.  We also have to understand the impact that smartphones and tablets have made across the world, as Android and iOS have made everything portable.  The connections we now have across the world come in many forms, but in many cases they require payments for online services, usernames and passwords, and some personal information, all of which are usually stored on servers.

I bring this up as a candidate for an implementation plan because of the many attacks that occur on these types of servers.  Over a year ago, Sony’s PlayStation Network was completely hacked due to improper implementation of security methods.  Their service was down for nearly a month, there was a huge fear of users’ personal information being stolen (and it wasn’t even encrypted), not to mention that Sony itself lost a lot of money.  Later that year, there were concerns about Steam being hacked as well.  Although their service did not go down and the problem was corrected quickly, it was still a nervous issue because the service is used for purchasing digital goods.  Of course, Microsoft has not been invincible either: within the past four months there have been major issues with Xbox Live accounts being hacked, used, and sold off to others.  Yes, this industry is a big deal because so many users enjoy these services in one form or another.  Whether you’re a console owner, someone who likes quick games on tablets or phones, or someone who prefers the PC approach and enjoys buying digital goods, there is a lot to gain and a lot to lose.

According to FIPS 199, as explained above, our main concern is to recognize and protect information by following a set of standards and guidelines.  How can the CIA model be incorporated into these systems to allow for a better experience?  Had it already been implemented well enough, with the breaches simply inevitable?  In the case of Sony, I don’t believe so.

It is very clear from this that Sony did not follow any important guidelines or regulations on their network.  There is a reason the NIST Special Publications and the NIST Federal Information Processing Standards exist: they are guidelines, a road map to help governments, businesses, and even users understand the threats and risks of our information technology world.  As for FIPS 199, the major concern is to address confidentiality, integrity, and availability and to categorize their impact on services.  Sony gives us an example of not following this model at all.  And while there was no loss of life (although who can tell when gamers become enraged, right?), these impacts can easily be categorized as moderate to high on the scale.  My implementation above would have helped secure the network and promptly handle the fallout afterward.  The CIA model is a very respected model that is used in most cases, and I believe that my implementation of securing this network, even by adding simple ideas, would have allowed this model to flourish within their system.

There are many times that I debate whether our rules and regulations are out of date and need to be updated.  I still believe that because of how fast our technology and ideas are moving, we also need to constantly monitor our own guidelines and regulations and modify them where needed.  Eventually, some of these will be out of date.  However, with FIPS 199, I feel that its emphasis on the CIA model can stand the test of time for quite a while, because it is not based on a set of hardware or rules that could go out of date.  Its basis is to remind us that security is vital to any organization, and keeping data, information, and networks within the CIA model is always going to be important.  In fact, I think this is one of the better guidelines to follow.  Perhaps someday a model like this and the idea of confidentiality, integrity, and availability will be taken seriously in all organizations.  We must understand that security has to take the front position as we continue down this digital highway.

University of Miami (n.d.). Confidentiality, Integrity, and Availability (CIA). Retrieved from http://it.med.miami.edu/x904.xml

NIST (2004). FIPS PUB 199: Standards for Security Categorization of Federal Information and Information Systems. Retrieved from http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

Anthony, S. (2011, April 27). How the PlayStation Network was Hacked. Retrieved from http://www.extremetech.com/gaming/84218-how-the-playstation-network-was-hacked
