Guide to NIST Security Documents Legal Requirements
Contents
- 1 Legal Requirements
- 1.1 FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA)
- 1.2 OMB CIRCULAR A-130: MANAGEMENT OF FEDERAL INFORMATION RESOURCES, APPENDIX III: SECURITY OF FEDERAL AUTOMATED INFORMATION RESOURCES
- 1.3 E-GOVERNMENT ACT OF 2002
- 1.4 HOMELAND SECURITY PRESIDENTIAL DIRECTIVE-12 (HSPD-12), COMMON IDENTIFICATION STANDARD FOR FEDERAL EMPLOYEES AND CONTRACTORS
- 1.5 OMB CIRCULAR A-11: PREPARATION, SUBMISSION, AND EXECUTION OF THE BUDGET
- 1.6 OTHER REQUIREMENTS WITH SUPPORTING DOCUMENTS
Legal Requirements
There are certain legal requirements regarding IT security to which Federal agencies must adhere. Many come from legislation, while others come from Presidential Directives or Office of Management and Budget (OMB) Circulars. Below is a list of the major sources of these requirements, each with the supporting documents from NIST. Some of the documents are a direct result of mandates given to NIST; others were developed to give Federal agencies guidance on how to carry out the legal requirements.
FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA)
Title III of the E-Gov Act of 2002 (Public Law 107-347)
Categorization of all information and information systems and minimum information security requirements for each category
| Document | Title |
|---|---|
| FIPS 200 | Security Controls for Federal Information Systems |
| FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems |
| SP 800-70 | Security Configuration Checklists Program for IT Products |
| SP 800-60 | Guide for Mapping Types of Information and Information Systems to Security Categories |
| SP 800-53 | Recommended Security Controls for Federal Information Systems |
| SP 800-53A | Guide for Assessing the Security Controls in Federal Information Systems |
| SP 800-37 | Guide for the Security Certification and Accreditation of Federal Information Systems |
| SP 800-34 | Contingency Planning Guide for Information Technology Systems |
| SP 800-30 | Risk Management Guide for Information Technology Systems |
| SP 800-26 Rev 1 | Guide for Information Security Program Assessments and System Reporting Form |
| SP 800-18 Rev 1 | Guide for Developing Security Plans for Information Systems |
Identification of an information system as a national security system
| Document | Title |
|---|---|
| SP 800-59 | Guide for Identifying an Information System as a National Security System |
Detection and handling of information security incidents
| Document | Title |
|---|---|
| SP 800-84 | Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities |
| SP 800-61 | Computer Security Incident Handling Guide |
| SP 800-83 | Guide to Malware Incident Prevention and Handling |
| SP 800-86 | Guide to Integrating Forensic Techniques into Incident Response |
| SP 800-51 | Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme |
| December 2005 | Preventing And Handling Malware Incidents: How To Protect Information Technology Systems From Malicious Code And Software |
Manage security incidents
| Document | Title |
|---|---|
| SP 800-61 | Computer Security Incident Handling Guide |
| SP 800-83 | Guide to Malware Incident Prevention and Handling |
| SP 800-86 | Guide to Integrating Forensic Techniques into Incident Response |
| SP 800-51 | Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme |
Annual public report on activities undertaken in the previous year
| Document | Title |
|---|---|
| NISTIR 7285 | Computer Security Division 2005 Annual Report |
| NISTIR 7219 | Computer Security Division 2004 Annual Report |
| NISTIR 7111 | Computer Security Division 2003 Annual Report |
OMB CIRCULAR A-130: MANAGEMENT OF FEDERAL INFORMATION RESOURCES, APPENDIX III: SECURITY OF FEDERAL AUTOMATED INFORMATION RESOURCES
Assess risks
| Document | Title |
|---|---|
| FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems |
Certify and accredit systems
| Document | Title |
|---|---|
| FIPS 200 | Security Controls for Federal Information Systems |
| SP 800-37 | Guide for the Security Certification and Accreditation of Federal Information Systems |
Develop contingency plans and procedures
| Document | Title |
|---|---|
| SP 800-34 | Contingency Planning Guide for Information Technology Systems |
| SP 800-46 | Security for Telecommuting and Broadband Communications |
Manage system configurations and security throughout the system development life cycle
| Document | Title |
|---|---|
| SP 800-64 Rev 1 | Security Considerations in the Information System Development Life Cycle |
| SP 800-70 | Security Configuration Checklists Program for IT Products |
| SP 800-34 | Contingency Planning Guide for Information Technology Systems |
| NISTIR 7316 | Assessment of Access Control Systems |
Mandates agency-wide information security program development and implementation
| Document | Title |
|---|---|
| SP 800-18 Rev 1 | Guide for Developing Security Plans for Information Systems |
| SP 800-100 | Information Security Handbook: A Guide for Managers |
| SP 800-12 | An Introduction to Computer Security: The NIST Handbook |
Conduct security awareness training
| Document | Title |
|---|---|
| SP 800-50 | Building an Information Technology Security Awareness and Training Program |
| SP 800-16 | Information Technology Security Training Requirements: A Role- and Performance-Based Model |
| SP 800-46 | Security for Telecommuting and Broadband Communications |
E-GOVERNMENT ACT OF 2002
Mandates NIST development of security standards
| Document | Title |
|---|---|
| FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems |
| FIPS 200 | Security Controls for Federal Information Systems |
HOMELAND SECURITY PRESIDENTIAL DIRECTIVE-12 (HSPD-12), COMMON IDENTIFICATION STANDARD FOR FEDERAL EMPLOYEES AND CONTRACTORS
Establishes a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors
| Document | Title |
|---|---|
| FIPS 201-1 | Personal Identity Verification for Federal Employees and Contractors |
| SP 800-85B | PIV Data Model Test Guidelines |
| SP 800-85A | PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 compliance) |
| SP 800-79 | Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations |
| SP 800-78 | Cryptographic Algorithms and Key Sizes for Personal Identity Verification |
| SP 800-76 | Biometric Data Specification for Personal Identity Verification |
| SP 800-73 Rev 1 | Integrated Circuit Card for Personal Identification Verification |
| NISTIR 7337 | Personal Identity Verification Demonstration Summary |
| NISTIR 7284 | Personal Identity Verification Card Management Report |
| January 2006 | Testing And Validation Of Personal Identity Verification (PIV) Components And Subsystems For Conformance To Federal Information Processing Standard 201 |
| August 2005 | Implementation Of FIPS 201, Personal Identity Verification (PIV) Of Federal Employees And Contractors |
| March 2005 | Personal Identity Verification (PIV) Of Federal Employees And Contractors: Federal Information Processing Standard (FIPS) 201 |
OMB CIRCULAR A-11: PREPARATION, SUBMISSION, AND EXECUTION OF THE BUDGET
Capital Planning
| Document | Title |
|---|---|
| SP 800-65 | Integrating IT Security into the Capital Planning and Investment Control Process |
OTHER REQUIREMENTS WITH SUPPORTING DOCUMENTS
Health Insurance Portability and Accountability Act (HIPAA)
For more information about HIPAA requirements, visit www.cms.hhs.gov
Assure health information privacy and security
Standardize electronic data interchange in health care transactions
| Document | Title |
|---|---|
| SP 800-66 | An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule |
Homeland Security Presidential Directive-7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection
For more information about HSPD-7, visit www.dhs.gov
Protect critical infrastructure
| Document | Title |
|---|---|
| FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems |
| FIPS 200 | Security Controls for Federal Information Systems |
| SP 800-18 | Guide for Developing Security Plans for Information Technology Systems |
| SP 800-30 | Risk Management Guide for Information Technology Systems |
| SP 800-37 | Guide for Security Certification and Accreditation of Federal Information Systems |
| SP 800-53 | Recommended Security Controls for Federal Information Systems |
| SP 800-60 | Guide for Mapping Types of Information and Information Systems to Security Categories |
| SP 800-59 | Guideline for Identifying an Information System as a National Security System |
| SP 800-82 | Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security |
- Tanya Brewer, Editor
- Matthew Scholl, Editor
- Disclaimer: Any mention of commercial products is for information only; it does not imply NIST recommendation or endorsement, nor does it imply that the products mentioned are necessarily the best available for the purpose.
- Michael James, Design/Production
- The DesignPond