FIPS 200

FIPS 200 (Federal Information Processing Standard 200) specifies the minimum security requirements for federal information systems across 17 security-related areas. After a system is categorized using FIPS 199, FIPS 200 tells you which security areas must, at a minimum, be addressed: access control, awareness and training, audit and accountability, and so on.

FIPS 200 works hand in hand with NIST SP 800-53, which provides the specific controls to meet those minimum requirements. Together, they form the foundation for control selection in the RMF process.

Why It Matters

FIPS 200 establishes the minimum bar for security. Understanding these minimum requirements helps you ensure your security program covers all required areas, even as you tailor specific controls to your system's needs.