U.S. Department of Health and Human Services
FIPS 199 is used to determine the system categorization level of an IT system. This categorization is then used to identify minimum security controls, which are described in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations.
FIPS 200 established 17* families of security controls, also called “security-related areas.” You will see the 17 families of security controls appear in many NIST special publications and processes, such as NIST SP 800-53 Rev. 3.
Note: Of the eighteen security control families in NIST Special Publication 800-53, seventeen families are closely aligned with the seventeen minimum security requirements for federal information and information systems in FIPS 200. One additional family (Program Management [PM] family) provides controls for information security programs. This family, while not referenced in FIPS 200, provides security controls at the organizational rather than the information-system level.
Information Security and the EPLC FIPS