Which document establishes the security requirements for federal information systems?

Prepare for the Certified Authorization Professional (CAP) Exam with detailed multiple choice questions, hints, and explanations. Boost your readiness for the test efficiently!

The Federal Information Processing Standards (FIPS) are crucial because they serve as mandatory federal standards that define the security requirements necessary for federal information systems. These standards are established by the National Institute of Standards and Technology (NIST) in compliance with federal law, particularly the Federal Information Security Modernization Act (FISMA). They provide a foundation that federal agencies must follow to ensure the confidentiality, integrity, and availability of sensitive information.

FIPS is specifically formulated to address security and processing of information in federal systems, making it the authoritative source for security requirements in this context. This framework ensures consistency across all federal agencies regarding security controls, thereby supporting a robust national security posture.

While NIST guidelines are also vital and provide comprehensive recommendations, they are not mandatory like FIPS. The Cybersecurity Framework (CSF) is a voluntary framework that helps organizations bolster their cybersecurity posture but does not directly establish the security requirements for federal information systems. The Risk Management Framework (RMF) is a structured process designed to manage risk in information systems and supports FISMA compliance and implementation of security controls but does not solely define the requirements themselves. Hence, FIPS stands out as the correct option for establishing security requirements specifically for federal information systems.
