Guide to NIST Security Documents Legal Requirements-Improved
Legal Requirements
Federal agencies must meet a number of legal requirements regarding IT security. Many come from legislation, while others come from Presidential Directives or Office of Management and Budget (OMB) Circulars. Below is a list of the major sources of these requirements, each paired with the NIST documents that support it. Some of the documents are a direct result of mandates given to NIST; others were developed to give Federal agencies guidance on how to carry out the legal requirements.
Title III of the E-Gov Act of 2002 (Public Law 107-347)
Federal Information Security Management Act
Federal Information Security Management Act of 2002 (FISMA)
Categorization of all information and information systems and minimum information security requirements for each category
Document | Title |
---|---|
NIST FIPS 200 | Security Controls for Federal Information Systems |
NIST FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems |
NIST SP 800-70 | Security Configuration Checklists Program for IT Products |
NIST SP 800-60 | Guide for Mapping Types of Information and Information Systems to Security Categories |
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
NIST SP 800-53A | Guide for Assessing the Security Controls in Federal Information Systems |
NIST SP 800-37 | Guide for the Security Certification and Accreditation of Federal Information Systems |
NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems |
NIST SP 800-30 | Risk Management Guide for Information Technology Systems |
NIST SP 800-26 Rev 1 | Guide for Information Security Program Assessments and System Reporting Form |
NIST SP 800-18 Rev 1 | Guide for Developing Security Plans for Information Systems |
Identification of an information system as a national security system
Document | Title |
---|---|
NIST SP 800-59 | Guide for Identifying an Information System as a National Security System |
Detection and handling of information security incidents
Document | Title |
---|---|
NIST SP 800-84 | Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities |
NIST SP 800-61 | Computer Security Incident Handling Guide |
NIST SP 800-83 | Guide to Malware Incident Prevention and Handling |
NIST SP 800-86 | Guide to Integrating Forensic Techniques into Incident Response |
NIST SP 800-51 | Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme |
NIST SB 2005-12 | Preventing And Handling Malware Incidents: How To Protect Information Technology Systems From Malicious Code And Software |
Manage security incidents
Document | Title |
---|---|
NIST SP 800-61 | Computer Security Incident Handling Guide |
NIST SP 800-83 | Guide to Malware Incident Prevention and Handling |
NIST SP 800-86 | Guide to Integrating Forensic Techniques into Incident Response |
NIST SP 800-51 | Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme |
Annual public report on activities undertaken in the previous year
Document | Title |
---|---|
NIST IR 7285 | Computer Security Division 2005 Annual Report |
NIST IR 7219 | Computer Security Division 2004 Annual Report |
NIST IR 7111 | Computer Security Division 2003 Annual Report |
OMB Circular A-130
Management Of Federal Information Resources, Appendix III: Security Of Federal Automated Information Resources
Assess risks
Document | Title |
---|---|
NIST FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems |
Certify and accredit systems
Document | Title |
---|---|
NIST FIPS 200 | Security Controls for Federal Information Systems |
NIST SP 800-37 | Guide for the Security Certification and Accreditation of Federal Information Systems |
Develop contingency plans and procedures
Document | Title |
---|---|
NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems |
NIST SP 800-46 | Security for Telecommuting and Broadband Communications |
Manage system configurations and security throughout the system development life cycle
Document | Title |
---|---|
NIST SP 800-64 Rev 1 | Security Considerations in the Information System Development Life Cycle |
NIST SP 800-70 | Security Configuration Checklists Program for IT Products |
NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems |
NIST IR 7316 | Assessment of Access Control Systems |
Mandates agency-wide information security program development and implementation
Document | Title |
---|---|
NIST SP 800-18 Rev 1 | Guide for Developing Security Plans for Information Systems |
NIST SP 800-100 | Information Security Handbook: A Guide for Managers |
NIST SP 800-12 | An Introduction to Computer Security: The NIST Handbook |
Conduct security awareness training
Document | Title |
---|---|
NIST SP 800-50 | Building an Information Technology Security Awareness and Training Program |
NIST SP 800-16 | Information Technology Security Training Requirements: A Role- and Performance-Based Model |
NIST SP 800-46 | Security for Telecommuting and Broadband Communications |
E-Government Act Of 2002
Mandates NIST development of security standards
Document | Title |
---|---|
NIST FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems |
NIST FIPS 200 | Security Controls for Federal Information Systems |
Homeland Security Presidential Directive-12
Homeland Security Presidential Directive-12 (HSPD-12), Common Identification Standard For Federal Employees And Contractors
Establishes a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors
Document | Title |
---|---|
NIST FIPS 201-1 | Personal Identity Verification for Federal Employees and Contractors |
NIST SP 800-85B | PIV Data Model Test Guidelines |
NIST SP 800-85A | PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 compliance) |
NIST SP 800-79 | Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations |
NIST SP 800-78 | Cryptographic Algorithms and Key Sizes for Personal Identity Verification |
NIST SP 800-76 | Biometric Data Specification for Personal Identity Verification |
NIST SP 800-73 Rev 1 | Integrated Circuit Card for Personal Identity Verification |
NIST IR 7337 | Personal Identity Verification Demonstration Summary |
NIST IR 7284 | Personal Identity Verification Card Management Report |
NIST SB 2006-01 | Testing And Validation Of Personal Identity Verification (PIV) Components And Subsystems For Conformance To Federal Information Processing Standard 201 |
NIST SB 2005-08 | Implementation Of FIPS 201, Personal Identity Verification (PIV) Of Federal Employees And Contractors |
NIST SB 2005-03 | Personal Identity Verification (PIV) Of Federal Employees And Contractors: Federal Information Processing Standard (FIPS) 201 |
OMB Circular A-11
OMB Circular A-11: Preparation, Submission, And Execution Of The Budget
Capital Planning
Document | Title |
---|---|
NIST SP 800-65 | Integrating IT Security into the Capital Planning and Investment Control Process |
Other Requirements With Supporting Documents
Health Insurance Portability and Accountability Act (HIPAA)
For more information about HIPAA requirements, please visit www.cms.hhs.gov
Assure health information privacy and security
Standardize electronic data interchange in health care transactions
Document | Title |
---|---|
NIST SP 800-66 | An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule |
Homeland Security Presidential Directive-7
Homeland Security Presidential Directive-7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection
For more information about HSPD-7, please visit www.dhs.gov
Protect critical infrastructure
Document | Title |
---|---|
NIST FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems |
NIST FIPS 200 | Security Controls for Federal Information Systems |
NIST SP 800-18 | Guide for Developing Security Plans for Information Technology Systems |
NIST SP 800-30 | Risk Management Guide for Information Technology Systems |
NIST SP 800-37 | Guide for Security Certification and Accreditation of Federal Information Systems |
NIST SP 800-53 | Recommended Security Controls for Federal Information Systems |
NIST SP 800-60 | Guide for Mapping Types of Information and Information Systems to Security Categories |
NIST SP 800-59 | Guideline for Identifying an Information System as a National Security System |
NIST SP 800-82 | Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security |
- Tanya Brewer, Editor
- Matthew Scholl, Editor
- Disclaimer: Any mention of commercial products is for information only; it does not imply NIST recommendation or endorsement, nor does it imply that the products mentioned are necessarily the best available for the purpose.
- Michael James, Design/Production
- The DesignPond