Which document defines minimum security requirements for federal information and information systems?

Multiple Choice

Explanation:
The question tests knowledge of which publication sets the baseline of security requirements agencies must meet for federal information and information systems. The correct document is FIPS 200. It defines the minimum security requirements and establishes the baseline security controls that agencies must implement, mapped to the impact levels defined in FIPS 199. It also indicates that the detailed controls come from SP 800-53, which agencies select and apply to meet those minimum requirements.

Understanding the other options helps clarify why this is the right choice: FIPS 199 describes the impact levels (low, moderate, high) used to determine how stringent the protections must be, not the minimum controls themselves. CNSSI-1253 covers the process of security categorization for federal information and systems, focusing on how to classify information rather than prescribing the baseline protections. SP 800-53 provides the actual security controls and the methodology for selecting and implementing them, but it serves as the control catalog used to meet the minimum requirements outlined in FIPS 200, rather than defining the minimum requirements on its own.
