This document summarizes the Federal Information Security Management Act (FISMA) reporting requirements and the National Institute of Standards and Technology (NIST) Special Publication 800-37 guidelines for certification and accreditation (C&A) of federal information systems. It outlines the four phases of the C&A process - initiation, security certification, security accreditation, and continuous monitoring. The purpose is to provide guidance to information security managers on applying the NIST risk management framework to comply with FISMA and ensure adequate security of federal information systems.
This document compares and analyzes two US federal information security documents: NIST SP 800-37 and ICD 503. It finds that NIST SP 800-37 provides a more detailed and comprehensive certification and accreditation process. However, the documents are not directly comparable as SP 800-37 is a guideline and ICD 503 is a higher-level policy. The document traces the evolution of federal IT security policy and processes over time, showing how SP 800-37 incorporates elements of previous approaches. It concludes that a new, innovative approach may help achieve better information assurance across the government.
The document provides a system security plan for the <INSERT SYSTEM NAME> system. It contains 3 sections - an executive summary, system description and overview of security controls. The executive summary introduces the system security plan and provides a high-level summary of the <INSERT SYSTEM NAME> system, including that it is categorized as moderate impact and supports <INSERT ENVIRONMENT SUPPORTED>. The system description section provides details on the system technical environment, software, hardware and interconnections. The security controls section identifies which NIST 800-53 controls have been met, partially met, not met or are not applicable for the system.
This document discusses implementing IT security controls and the behavioral aspects of managing insider threats. It summarizes research showing that technical controls alone cannot solve security issues as they are also social and organizational problems. Later research applied a systems dynamics model and signal detection theory to observe behavioral risks, finding that information workers and security officers use experience and thresholds to decide when to investigate anomalies. Training staff on security tools and awareness was found to significantly reduce insider attacks. A 2010 framework addressed insider threats by considering the organization, individual, IT systems, and environment.
20170112 Working Group Assessment Mandate Presentation DRAFT V1[2]Walter Richard Sweeney
This document provides an overview of the legislative and regulatory foundations for assessing the security of NASA information systems. It outlines laws like FISMA 2002 and 2014, directives from the Office of Management and Budget and Department of Homeland Security, and guidance from the National Institute of Standards and Technology. It also discusses how NASA's own governance documents and strategic plans adhere to these federal mandates for continuous security monitoring and independent annual assessments.
NIST 800-125 a DRAFT (HyperVisor Security)David Sweigert
This document provides security recommendations for hypervisor deployment. It discusses architectural choices for hypervisors, including whether the hypervisor is installed on bare metal or another OS, and whether it uses hardware or software for virtualization support. It also covers potential threats related to the hypervisor's baseline functions, such as execution isolation for VMs and device emulation. The document then provides security recommendations based on these architectural choices and hypervisor functions. It focuses recommendations on device emulation and access control, as well as VM management functions like memory and CPU allocation, image management, and security monitoring of VMs.
This document is NIST Special Publication 800-53 Revision 4 which provides a catalog of security and privacy controls for federal information systems. It aims to protect operations, assets, individuals and organizations from threats. The controls are customizable and part of an organization-wide risk management process. It also describes developing specialized control overlays for specific environments. Finally, it addresses security from functionality and assurance perspectives to ensure systems are sufficiently trustworthy.
The document is the version 2.7 of the IT Handbook for the University System of Georgia (USG), updated in February 2018. It provides an overview and history of changes made to the handbook. The handbook establishes IT standards, best practices, and compliance requirements for USG organizations to follow related to governance, project management, security, privacy, facilities, and other IT functions. It is intended to help IT professionals and ensure practices align with laws, regulations, and Board of Regents policies.
OIG: Review of NASA's Management and Oversight of Its Information Technology ...Bill Duncan
We found that NASA's IT security program
had not fully implemented key FISMA requirements needed to adequately secure Agency information systems and data. For example, we found that only 24 percent (7 of 29) of the systems we reviewed met FISMA requirements for annual security controls testing and only 52 percent (15 of 29) met FISMA requirements for annual contingency plan testing. In addition, only 40 percent (2 of 5) of the external systems we reviewed were certified and accredited.
These deficiencies occurred because NASA did not have an independent verification and validation function for its IT security program
. We also found that NASA's Office of Chief Information Officer (OCIO) had not effectively managed corrective action plans used to prioritize the mitigation of IT security weaknesses. This occurred because OCIO did not have a formal policy for managing the plans and did not follow recognized best practices when it purchased an information system that it hoped would facilitate Agency-wide management of IT corrective action plans. However, after spending more than $3 million on the system since October 2005, implementation of the software failed.
The Agency is currently expending funds to acquire a replacement system. Specifically, we found that the information system was significantly underutilized and therefore was not an effective tool for managing corrective action plans across NASA. For example, the system contained corrective actions plans for only 2 percent (7 of 289) of the 29 systems we sampled. In our judgment, the system was underutilized because OCIO did not fully document detailed system requirements prior to selecting the system and did not have users validate requirements via acceptance testing prior to implementing it. Because the information system contained minimal data and the manual process the Agency relied on was not consistently followed, OCIO's management of corrective actions plans was ineffective and did not ensure that significant IT security weaknesses were corrected in a timely manner.
Until NASA takes steps to fully meet FISMA requirements and to improve its system acquisition practices, NASA's IT security program will not be fully effective in protecting critical Agency information systems. Moreover, until such improvements are made OCIO will not be in a position to effectively allocate resources to correct IT security weaknesses. Management
1 NPR 2810.1A, "Security of Information Technology," Chapter7, defines moderate impact as "loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on NASA operations, organizational assets, or individuals." High impact is defined as "loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on NASA operations, organizational assets, or individuals." 2 NASA OIG. "Federal Information Security Management Act: Fiscal Year 2009 Report from the Office of Inspector General" (IG-10-001, November 10, 2009). 3 NASA OIG. "Review of the Information Technology Security of the Internet Protocol Operational Network (IONet)" (IG-10-013, May 13, 2010); and NASA OIG. "Audit of NASA's Efforts to Continuously Monitor Critical Information Technology Security Controls" (IG-10-019, September 14, 2010).
This document compares and analyzes two US federal information security documents: NIST SP 800-37 and ICD 503. It finds that NIST SP 800-37 provides a more detailed and comprehensive certification and accreditation process. However, the documents are not directly comparable as SP 800-37 is a guideline and ICD 503 is a higher-level policy. The document traces the evolution of federal IT security policy and processes over time, showing how SP 800-37 incorporates elements of previous approaches. It concludes that a new, innovative approach may help achieve better information assurance across the government.
The document provides a system security plan for the <INSERT SYSTEM NAME> system. It contains 3 sections - an executive summary, system description and overview of security controls. The executive summary introduces the system security plan and provides a high-level summary of the <INSERT SYSTEM NAME> system, including that it is categorized as moderate impact and supports <INSERT ENVIRONMENT SUPPORTED>. The system description section provides details on the system technical environment, software, hardware and interconnections. The security controls section identifies which NIST 800-53 controls have been met, partially met, not met or are not applicable for the system.
This document discusses implementing IT security controls and the behavioral aspects of managing insider threats. It summarizes research showing that technical controls alone cannot solve security issues as they are also social and organizational problems. Later research applied a systems dynamics model and signal detection theory to observe behavioral risks, finding that information workers and security officers use experience and thresholds to decide when to investigate anomalies. Training staff on security tools and awareness was found to significantly reduce insider attacks. A 2010 framework addressed insider threats by considering the organization, individual, IT systems, and environment.
20170112 Working Group Assessment Mandate Presentation DRAFT V1[2]Walter Richard Sweeney
This document provides an overview of the legislative and regulatory foundations for assessing the security of NASA information systems. It outlines laws like FISMA 2002 and 2014, directives from the Office of Management and Budget and Department of Homeland Security, and guidance from the National Institute of Standards and Technology. It also discusses how NASA's own governance documents and strategic plans adhere to these federal mandates for continuous security monitoring and independent annual assessments.
NIST 800-125 a DRAFT (HyperVisor Security)David Sweigert
This document provides security recommendations for hypervisor deployment. It discusses architectural choices for hypervisors, including whether the hypervisor is installed on bare metal or another OS, and whether it uses hardware or software for virtualization support. It also covers potential threats related to the hypervisor's baseline functions, such as execution isolation for VMs and device emulation. The document then provides security recommendations based on these architectural choices and hypervisor functions. It focuses recommendations on device emulation and access control, as well as VM management functions like memory and CPU allocation, image management, and security monitoring of VMs.
This document is NIST Special Publication 800-53 Revision 4 which provides a catalog of security and privacy controls for federal information systems. It aims to protect operations, assets, individuals and organizations from threats. The controls are customizable and part of an organization-wide risk management process. It also describes developing specialized control overlays for specific environments. Finally, it addresses security from functionality and assurance perspectives to ensure systems are sufficiently trustworthy.
The document is the version 2.7 of the IT Handbook for the University System of Georgia (USG), updated in February 2018. It provides an overview and history of changes made to the handbook. The handbook establishes IT standards, best practices, and compliance requirements for USG organizations to follow related to governance, project management, security, privacy, facilities, and other IT functions. It is intended to help IT professionals and ensure practices align with laws, regulations, and Board of Regents policies.
OIG: Review of NASA's Management and Oversight of Its Information Technology ...Bill Duncan
We found that NASA's IT security program
had not fully implemented key FISMA requirements needed to adequately secure Agency information systems and data. For example, we found that only 24 percent (7 of 29) of the systems we reviewed met FISMA requirements for annual security controls testing and only 52 percent (15 of 29) met FISMA requirements for annual contingency plan testing. In addition, only 40 percent (2 of 5) of the external systems we reviewed were certified and accredited.
These deficiencies occurred because NASA did not have an independent verification and validation function for its IT security program
. We also found that NASA's Office of Chief Information Officer (OCIO) had not effectively managed corrective action plans used to prioritize the mitigation of IT security weaknesses. This occurred because OCIO did not have a formal policy for managing the plans and did not follow recognized best practices when it purchased an information system that it hoped would facilitate Agency-wide management of IT corrective action plans. However, after spending more than $3 million on the system since October 2005, implementation of the software failed.
The Agency is currently expending funds to acquire a replacement system. Specifically, we found that the information system was significantly underutilized and therefore was not an effective tool for managing corrective action plans across NASA. For example, the system contained corrective actions plans for only 2 percent (7 of 289) of the 29 systems we sampled. In our judgment, the system was underutilized because OCIO did not fully document detailed system requirements prior to selecting the system and did not have users validate requirements via acceptance testing prior to implementing it. Because the information system contained minimal data and the manual process the Agency relied on was not consistently followed, OCIO's management of corrective actions plans was ineffective and did not ensure that significant IT security weaknesses were corrected in a timely manner.
Until NASA takes steps to fully meet FISMA requirements and to improve its system acquisition practices, NASA's IT security program will not be fully effective in protecting critical Agency information systems. Moreover, until such improvements are made OCIO will not be in a position to effectively allocate resources to correct IT security weaknesses. Management
1 NPR 2810.1A, "Security of Information Technology," Chapter7, defines moderate impact as "loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on NASA operations, organizational assets, or individuals." High impact is defined as "loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on NASA operations, organizational assets, or individuals." 2 NASA OIG. "Federal Information Security Management Act: Fiscal Year 2009 Report from the Office of Inspector General" (IG-10-001, November 10, 2009). 3 NASA OIG. "Review of the Information Technology Security of the Internet Protocol Operational Network (IONet)" (IG-10-013, May 13, 2010); and NASA OIG. "Audit of NASA's Efforts to Continuously Monitor Critical Information Technology Security Controls" (IG-10-019, September 14, 2010).
https://class.waldenu.edu/webapps/assessment/take/launchAssessment.jsp?course_id=_16908130_1&
content_id=_61332310_1&mode=cpview
Date updated: September 23, 2021
Withdrawn NIST Technical Series Publication
Warning Notice
The attached publication has been withdrawn (archived) and is provided solely for historical purposes. It
may have been superseded by another publication (indicated below).
Withdrawn Publication
Series/Number NIST Special Publication 800-53 Rev. 4
Title Security and Privacy Controls for Federal Information Systems and
Organizations
Publication Date(s) April 2013 (including updates as of January 22, 2015)
Withdrawal Date September 23, 2021
Withdrawal Note SP 800-53 Rev. 4 is superseded in its entirety by SP 800-53 Rev. 5 (September
2020, including updates as of 12/10/20).
Superseding Publication(s) (if applicable)
The attached publication has been superseded by the following publication(s):
Series/Number NIST Special Publication 800-53 Rev. 5
Title Security and Privacy Controls for Information Systems and Organizations
Author(s) Joint Task Force
Publication Date(s) September 2020 (including updates as of December 10, 2020)
URL/DOI https://doi.org/10.6028/NIST.SP.800-53r5
Additional Information (if applicable)
Contact Computer Security Division (Information Technology Laboratory)
Latest revision of the
attached publication
Related Information https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Withdrawal
Announcement Link
https://doi.org/10.6028/NIST.SP.800-53r5
https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
_____________________________________________ ...
This document summarizes NIST Special Publication 800-37, Revision 2 which provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF is a structured process for managing security and privacy risks. Key updates in Revision 2 include aligning with the NIST Cybersecurity Framework, integrating privacy risk management, aligning with system development life cycles, and incorporating supply chain risk management. Organizations can use the RMF and its processes to effectively manage security, privacy, and supply chain risks to operations and assets.
This document summarizes NIST Special Publication 800-37, Revision 2 which provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF is a structured process for managing security and privacy risks. Key updates in Revision 2 include aligning with the NIST Cybersecurity Framework, integrating privacy risk management, aligning with system development lifecycles, and incorporating supply chain risk management. Organizations can use the RMF and other frameworks in a complementary manner to effectively manage security and privacy risks.
NIST Special Publication 800-37 Revision 2 Ris.docxrobert345678
NIST Special Publication 800-37
Revision 2
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
JOINT TASK FORCE
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
This publication contains comprehensive updates to the
Risk Management Framework. The updates include an
alignment with the constructs in the NIST Cybersecurity
Framework; the integration of privacy risk management
processes; an alignment with system life cycle security
engineering processes; and the incorporation of supply
chain risk management processes. Organizations can
use the frameworks and processes in a complementary
manner within the RMF to effectively manage security
and privacy risks to organizational operations and
assets, individuals, other organizations, and the Nation.
Revision 2 includes a set of organization-wide RMF tasks
that are designed to prepare information system owners
to conduct system-level risk management activities. The
intent is to increase the effectiveness, efficiency, and
cost-effectiveness of the RMF by establishing a closer
connection to the organization’s missions and business
functions and improving the communications among
senior leaders, managers, and operational personnel.
https://doi.org/10.6028/NIST.SP.800-37r2
NIST Special Publication 800-37
Revision 2
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
JOINT TASK FORCE
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
December 2018
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
https://doi.org/10.6028/NIST.SP.800-37r2
NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
________________________________________________________________________________________________
PAGE i
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines,
including minimum requirements for federal information systems, but such standards and
guidelines shall .
Are NIST standards clouding the implementation of HIPAA security risk assessm...David Sweigert
The HIPAA Security Rule (at 45 C.F.R. §164.308(a)(1)(ii)(A)) requires an initial security risk analysis according to risk analysis guidance issued by HHS/OCR based on NIST standards.
OCR Audit Protocols for Risk Analysis are clear! CMS, as planned, has launched audits of organizations who have attested to Meaningful Use Objectives and Risk Analyses will be audited. Have you completed a bona fide HIPAA Security Risk Analysis?
This document introduces information security continuous monitoring (ISCM) which is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. It describes how establishing an ISCM strategy and program can help organizations move from compliance-driven to data-driven risk management. Key aspects covered include defining an ISCM strategy, establishing an ISCM program, implementing the program, analyzing and reporting findings, responding to findings, and reviewing and updating the strategy and program. Both automated and manual processes have roles to play in ISCM.
This document provides guidance for conducting risk assessments to support risk management activities at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results over time. Risk assessments are an important part of effective enterprise-wide risk management for both public and private sector organizations that depend on information systems and technology.
This document provides guidance for conducting risk assessments to support risk management at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results. Risk assessments are a key part of effective risk management and help inform decision making throughout the system development life cycle. Organizations have flexibility in applying this guidance based on their specific needs.
NIST Special Publication 800-39 Managi.docxvannagoforth
NIST Special Publication 800-39 Managing Information
Security Risk
Organization, Mission, and Information
System View
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
I N F O R M A T I O N S E C U R I T Y
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
March 2011
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
________________________________________________________________________________________________
Special Publication 800-39 Managing Information Security Risk
Organization, Mission, and Information System View
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.
PAGE ii
________________________________________________________________________________________________
Special Publication 800-39 Managing Information Security Risk
Organization, Mission, and Information System View
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix ...
NIST Special Publication 800-34 Rev. 1 Contingency.docxpicklesvalery
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in
order to describe an experimental procedure or concept adequately. Such identification is not
intended to imply recommendation or endorsement by the National Institute of Standards and
Technology, nor is it intended to imply that the entities, materials, or equipment are
necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in
accordance with responsibilities assigned to NIST under the Federal Information Security
Management Act of 2002. The methodologies in this document may be used even before the
completion of such companion documents. Thus, until such time as each document is
completed, current requirements, guidelines, and procedures (where they exist) remain
operative. For planning and transition purposes, federal agencies may wish to closely follow
the development of these new documents by NIST. Individuals are also encouraged to review
the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are
available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34
Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010)
CODEN: NSPUE2
http://csrc.nist.gov/publications
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative
activities with industry, government, and academic organizations..
Guide for Security-Focused Configuration Management of I.docxwhittemorelucilla
This document provides guidelines for implementing security-focused configuration management of information systems. It aims to help federal agencies integrate information security into their configuration management processes. The document describes configuration management concepts and principles, roles and responsibilities, and outlines a process for planning, implementing, controlling, monitoring and using SCAP for configuration management. It is intended to support organizations in securely configuring, operating and maintaining their information systems.
Contingency Planning Guide for Federal Information Systems Maria.docxmaxinesmith73660
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in accordance with responsibilities assigned to NIST under the Federal Information Security Management Act of 2002. The methodologies in this document may be used even before the completion of such companion documents. Thus, until such time as each document is completed, current requirements, guidelines, and procedures (where they exist) remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new documents by NIST. Individuals are also encouraged to review the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34 Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010) CODEN: NSPUE2
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
ii
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its st.
This report summarizes the Information Security Oversight Office's (ISOO) activities in fiscal year 2003 related to classifying and safeguarding national security information. It provides statistics on original classification decisions, derivative classification decisions, and declassified records. It also discusses implementation of Executive Order 12958, which aims to promote openness while protecting national security. Key events in 2003 included an amendment to EO 12958 calling for automatic declassification of older records by 2006 and continued work to refine the security system to suit the electronic era. Implementation challenges include excessive delays in granting security clearances. The report concludes effective oversight requires continuous effort to balance an informed public with national security.
This document provides an overview of enterprise patch management technologies. It begins with an introduction that explains the purpose and scope is to assist organizations in understanding enterprise patch management technologies. It describes the importance of patch management for addressing software vulnerabilities. It then examines the key challenges of patch management, such as timing, prioritization and testing of patches. The document provides an overview of the components, security capabilities and management capabilities of enterprise patch management technologies. It concludes with a brief discussion of metrics for measuring the effectiveness of these technologies and comparing the importance of patches. The appendices include a tutorial on the Security Content Automation Protocol (SCAP) and a summary of recommendations for improving patch management.
This document provides guidance on conducting risk assessments and is intended for organizations to help:
1) Determine the most appropriate risk responses to ongoing cyber threats and disasters.
2) Guide investment strategies and decisions for the most effective cyber defenses to help protect operations, assets, individuals, and the nation.
3) Maintain ongoing situational awareness of the security state of systems and their operating environments.
The guidance focuses on risk assessments as one of the four steps in the risk management process and expands on factors like threats, vulnerabilities, impacts, and likelihoods to assess information security risk at the organizational, mission, and system levels. Templates and scales are also provided to facilitate risk assessments.
Building an Information Technology Security Awareness an.docxrichardnorman90310
Building an Information
Technology Security Awareness
and Training Program
Mark Wilson and Joan Hash
NIST Special Publication 800-50
C O M P U T E R S E C U R I T Y
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8933
October 2003
U.S. Department of Commerce
Donald L. Evans, Secretary
Technology Administration
Phillip J. Bond, Under Secretary for Technology
National Institute of Standards and Technology
Arden L. Bement, Jr., Director
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analyses to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in Federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative
activities with industry, government, and academic organizations.
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 2003
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov — Phone: (202) 512-1800 — Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
NIST Special Publication 800-50
Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in
furtherance of its statutory responsibilities under the Federal Information Security Management Act
(FISMA) of 2002, Public Law 107-347.
NIST is responsible for developing standards and guidelines, including minimum requirements, for
providing adequate information security for all agency operations and assets, but such standards and
guidelines shall not apply to national security systems. This guideline is consistent with the requirements
of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental
information is provided A-130, Appendix III.
This guideline has been prepared for use by federal agencies. It may be used by nongovernmental
organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by
NIST.)
Nothing in this document should be taken to contradict standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce under statutory author.
SP 800-150, the Guide to Cyber Threat Information SharingDavid Sweigert
This document provides guidelines for organizations to establish coordinated computer security incident response capabilities through active cyber threat information sharing and ongoing coordination with partners. It discusses the benefits of information sharing and challenges to overcome. Various information sharing architectures and both formal and informal sharing communities are described. The document also provides guidance on understanding an organization's current cybersecurity capabilities, establishing and maintaining information sharing relationships, and protecting sensitive incident response data.
NIST SP 800-137 Information security continuous monitoring (ISCM)David Sweigert
This document provides guidance for implementing Information Security Continuous Monitoring (ISCM) programs in federal agencies to maintain ongoing authorization of information systems and support risk management decisions. It discusses establishing an ISCM strategy based on the organization's mission and architecture. Key aspects of the ISCM process include defining roles and responsibilities, implementing automated monitoring capabilities, analyzing data to identify security issues, responding appropriately to findings, and regularly reviewing and updating the monitoring program. The publication aims to help agencies proactively manage information security risks to systems and missions over time.
This document provides guidance for building an effective IT security awareness and training program as required by FISMA and OMB Circular A-130. It discusses key roles and responsibilities, components of an awareness and training program, and a lifecycle approach for designing, developing, implementing and evaluating such a program. The goal is to ensure all IT users understand security policies and responsibilities to protect systems and data.
PYA Principal Barry Mathis presented “The IT Analysis Paralysis,” in which attendees:
Received a compressive review of the many IT frameworks that can be used to develop effective internal audit programs.
Learned the differences between commercial, federal, and industry frameworks.
Received tips, tools, and techniques for creating an effective framework based on risk assessment and identified risks.
This document provides guidance for state, local, tribal, and territorial (SLTT) law enforcement on reporting cyber incidents to federal authorities. It outlines types of incidents that should be reported, such as those affecting critical infrastructure, national security, or public safety. The document details the information that should be included in reports, such as technical details about the incident and impacted systems. It also lists several ways for SLTT law enforcement to report incidents, including email, phone, or online portals, and specifies the federal agencies responsible for accepting different types of reports related to cybercrime, national infrastructure, or investigations.
More Related Content
Similar to Implementation of NIST guidelines for the CISO / ISO / Privacy Officer
https://class.waldenu.edu/webapps/assessment/take/launchAssessment.jsp?course_id=_16908130_1&
content_id=_61332310_1&mode=cpview
Date updated: September 23, 2021
Withdrawn NIST Technical Series Publication
Warning Notice
The attached publication has been withdrawn (archived) and is provided solely for historical purposes. It
may have been superseded by another publication (indicated below).
Withdrawn Publication
Series/Number NIST Special Publication 800-53 Rev. 4
Title Security and Privacy Controls for Federal Information Systems and
Organizations
Publication Date(s) April 2013 (including updates as of January 22, 2015)
Withdrawal Date September 23, 2021
Withdrawal Note SP 800-53 Rev. 4 is superseded in its entirety by SP 800-53 Rev. 5 (September
2020, including updates as of 12/10/20).
Superseding Publication(s) (if applicable)
The attached publication has been superseded by the following publication(s):
Series/Number NIST Special Publication 800-53 Rev. 5
Title Security and Privacy Controls for Information Systems and Organizations
Author(s) Joint Task Force
Publication Date(s) September 2020 (including updates as of December 10, 2020)
URL/DOI https://doi.org/10.6028/NIST.SP.800-53r5
Additional Information (if applicable)
Contact Computer Security Division (Information Technology Laboratory)
Latest revision of the
attached publication
Related Information https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Withdrawal
Announcement Link
https://doi.org/10.6028/NIST.SP.800-53r5
https://csrc.nist.gov/projects/risk-management/sp800-53-controls
https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
http://dx.doi.org/10.6028/NIST.SP.800-53r4
NIST Special Publication 800-53
Revision 4
Security and Privacy Controls for
Federal Information Systems
and Organizations
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
This publication is available free of charge from:
http://dx.doi.org/10.6028/NIST.SP.800-53r4
April 2013
INCLUDES UPDATES AS OF 01-22-2015
U.S. Department of Commerce
Rebecca M. Blank, Acting Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Under Secretary of Commerce for Standards and Technology and Director
http://dx.doi.org/10.6028/NIST.SP.800-53r4
Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems
and Organizations
_____________________________________________ ...
This document summarizes NIST Special Publication 800-37, Revision 2 which provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF is a structured process for managing security and privacy risks. Key updates in Revision 2 include aligning with the NIST Cybersecurity Framework, integrating privacy risk management, aligning with system development life cycles, and incorporating supply chain risk management. Organizations can use the RMF and its processes to effectively manage security, privacy, and supply chain risks to operations and assets.
This document summarizes NIST Special Publication 800-37, Revision 2 which provides guidelines for applying the Risk Management Framework (RMF) to information systems and organizations. The RMF is a structured process for managing security and privacy risks. Key updates in Revision 2 include aligning with the NIST Cybersecurity Framework, integrating privacy risk management, aligning with system development lifecycles, and incorporating supply chain risk management. Organizations can use the RMF and other frameworks in a complementary manner to effectively manage security and privacy risks.
NIST Special Publication 800-37 Revision 2 Ris.docxrobert345678
NIST Special Publication 800-37
Revision 2
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
JOINT TASK FORCE
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
This publication contains comprehensive updates to the
Risk Management Framework. The updates include an
alignment with the constructs in the NIST Cybersecurity
Framework; the integration of privacy risk management
processes; an alignment with system life cycle security
engineering processes; and the incorporation of supply
chain risk management processes. Organizations can
use the frameworks and processes in a complementary
manner within the RMF to effectively manage security
and privacy risks to organizational operations and
assets, individuals, other organizations, and the Nation.
Revision 2 includes a set of organization-wide RMF tasks
that are designed to prepare information system owners
to conduct system-level risk management activities. The
intent is to increase the effectiveness, efficiency, and
cost-effectiveness of the RMF by establishing a closer
connection to the organization’s missions and business
functions and improving the communications among
senior leaders, managers, and operational personnel.
https://doi.org/10.6028/NIST.SP.800-37r2
NIST Special Publication 800-37
Revision 2
Risk Management Framework for
Information Systems and Organizations
A System Life Cycle Approach for Security and Privacy
JOINT TASK FORCE
This publication is available free of charge from:
https://doi.org/10.6028/NIST.SP.800-37r2
December 2018
U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology
https://doi.org/10.6028/NIST.SP.800-37r2
NIST SP 800-37, REVISION 2 RISK MANAGEMENT FRAMEWORK FOR INFORMATION SYSTEMS AND ORGANIZATIONS
A System Life Cycle Approach for Security and Privacy
________________________________________________________________________________________________
PAGE i
This publication is available free of charge from
: https://doi.org/10.6028/N
IST.S
P
.800-37r2
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law
(P.L.) 113-283. NIST is responsible for developing information security standards and guidelines,
including minimum requirements for federal information systems, but such standards and
guidelines shall .
Are NIST standards clouding the implementation of HIPAA security risk assessm...David Sweigert
The HIPAA Security Rule (at 45 C.F.R. §164.308(a)(1)(ii)(A)) requires an initial security risk analysis according to risk analysis guidance issued by HHS/OCR based on NIST standards.
OCR Audit Protocols for Risk Analysis are clear! CMS, as planned, has launched audits of organizations who have attested to Meaningful Use Objectives and Risk Analyses will be audited. Have you completed a bona fide HIPAA Security Risk Analysis?
This document introduces information security continuous monitoring (ISCM) which is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. It describes how establishing an ISCM strategy and program can help organizations move from compliance-driven to data-driven risk management. Key aspects covered include defining an ISCM strategy, establishing an ISCM program, implementing the program, analyzing and reporting findings, responding to findings, and reviewing and updating the strategy and program. Both automated and manual processes have roles to play in ISCM.
This document provides guidance for conducting risk assessments to support risk management activities at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results over time. Risk assessments are an important part of effective enterprise-wide risk management for both public and private sector organizations that depend on information systems and technology.
This document provides guidance for conducting risk assessments to support risk management at the organizational, mission/business process, and information system levels. It describes the fundamentals of risk management and risk assessment, the risk assessment process, and how to communicate and maintain risk assessment results. Risk assessments are a key part of effective risk management and help inform decision making throughout the system development life cycle. Organizations have flexibility in applying this guidance based on their specific needs.
NIST Special Publication 800-39 Managi.docxvannagoforth
NIST Special Publication 800-39 Managing Information
Security Risk
Organization, Mission, and Information
System View
JOINT TASK FORCE
TRANSFORMATION INITIATIVE
I N F O R M A T I O N S E C U R I T Y
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
March 2011
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
________________________________________________________________________________________________
Special Publication 800-39 Managing Information Security Risk
Organization, Mission, and Information System View
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and
Technology (NIST) promotes the U.S. economy and public welfare by providing technical
leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test
methods, reference data, proof of concept implementations, and technical analyses to advance the
development and productive use of information technology. ITL’s responsibilities include the
development of management, administrative, technical, and physical standards and guidelines for
the cost-effective security and privacy of other than national security-related information in
federal information systems. The Special Publication 800-series reports on ITL’s research,
guidelines, and outreach efforts in information system security, and its collaborative activities
with industry, government, and academic organizations.
PAGE ii
________________________________________________________________________________________________
Special Publication 800-39 Managing Information Security Risk
Organization, Mission, and Information System View
Authority
This publication has been developed by NIST to further its statutory responsibilities under the
Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is
responsible for developing information security standards and guidelines, including minimum
requirements for federal information systems, but such standards and guidelines shall not apply to
national security systems without the express approval of appropriate federal officials exercising
policy authority over such systems. This guideline is consistent with the requirements of the
Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections.
Supplemental information is provided in Circular A-130, Appendix ...
NIST Special Publication 800-34 Rev. 1 Contingency.docxpicklesvalery
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for
Federal Information Systems
Marianne Swanson
Pauline Bowen
Amy Wohl Phillips
Dean Gallup
David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in
order to describe an experimental procedure or concept adequately. Such identification is not
intended to imply recommendation or endorsement by the National Institute of Standards and
Technology, nor is it intended to imply that the entities, materials, or equipment are
necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in
accordance with responsibilities assigned to NIST under the Federal Information Security
Management Act of 2002. The methodologies in this document may be used even before the
completion of such companion documents. Thus, until such time as each document is
completed, current requirements, guidelines, and procedures (where they exist) remain
operative. For planning and transition purposes, federal agencies may wish to closely follow
the development of these new documents by NIST. Individuals are also encouraged to review
the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are
available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34
Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010)
CODEN: NSPUE2
http://csrc.nist.gov/publications
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative
activities with industry, government, and academic organizations..
Guide for Security-Focused Configuration Management of I.docxwhittemorelucilla
This document provides guidelines for implementing security-focused configuration management of information systems. It aims to help federal agencies integrate information security into their configuration management processes. The document describes configuration management concepts and principles, roles and responsibilities, and outlines a process for planning, implementing, controlling, monitoring and using SCAP for configuration management. It is intended to support organizations in securely configuring, operating and maintaining their information systems.
Contingency Planning Guide for Federal Information Systems Maria.docxmaxinesmith73660
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
NIST Special Publication 800-34 Rev. 1
Contingency Planning Guide for Federal Information Systems
Marianne Swanson Pauline Bowen Amy Wohl Phillips Dean Gallup David Lynes
May 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
There are references in this publication to documents currently under development by NIST in accordance with responsibilities assigned to NIST under the Federal Information Security Management Act of 2002. The methodologies in this document may be used even before the completion of such companion documents. Thus, until such time as each document is completed, current requirements, guidelines, and procedures (where they exist) remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new documents by NIST. Individuals are also encouraged to review the public draft documents and offer their comments to NIST.
All NIST documents mentioned in this publication, other than the ones noted above, are available at http://csrc.nist.gov/publications.
National Institute of Standards and Technology Special Publication 800-34 Natl. Inst. Stand. Technol. Spec. Publ. 800-34, 150 pages (May 2010) CODEN: NSPUE2
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
ii
CONTINGENCY PLANNING GUIDE FOR FEDERAL INFORMATION SYSTEMS
Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its st.
This report summarizes the Information Security Oversight Office's (ISOO) activities in fiscal year 2003 related to classifying and safeguarding national security information. It provides statistics on original classification decisions, derivative classification decisions, and declassified records. It also discusses implementation of Executive Order 12958, which aims to promote openness while protecting national security. Key events in 2003 included an amendment to EO 12958 calling for automatic declassification of older records by 2006 and continued work to refine the security system to suit the electronic era. Implementation challenges include excessive delays in granting security clearances. The report concludes effective oversight requires continuous effort to balance an informed public with national security.
This document provides an overview of enterprise patch management technologies. It begins with an introduction that explains the purpose and scope is to assist organizations in understanding enterprise patch management technologies. It describes the importance of patch management for addressing software vulnerabilities. It then examines the key challenges of patch management, such as timing, prioritization and testing of patches. The document provides an overview of the components, security capabilities and management capabilities of enterprise patch management technologies. It concludes with a brief discussion of metrics for measuring the effectiveness of these technologies and comparing the importance of patches. The appendices include a tutorial on the Security Content Automation Protocol (SCAP) and a summary of recommendations for improving patch management.
This document provides guidance on conducting risk assessments and is intended for organizations to help:
1) Determine the most appropriate risk responses to ongoing cyber threats and disasters.
2) Guide investment strategies and decisions for the most effective cyber defenses to help protect operations, assets, individuals, and the nation.
3) Maintain ongoing situational awareness of the security state of systems and their operating environments.
The guidance focuses on risk assessments as one of the four steps in the risk management process and expands on factors like threats, vulnerabilities, impacts, and likelihoods to assess information security risk at the organizational, mission, and system levels. Templates and scales are also provided to facilitate risk assessments.
Building an Information Technology Security Awareness an.docxrichardnorman90310
Building an Information
Technology Security Awareness
and Training Program
Mark Wilson and Joan Hash
NIST Special Publication 800-50
C O M P U T E R S E C U R I T Y
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8933
October 2003
U.S. Department of Commerce
Donald L. Evans, Secretary
Technology Administration
Phillip J. Bond, Under Secretary for Technology
National Institute of Standards and Technology
Arden L. Bement, Jr., Director
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analyses to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in Federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative
activities with industry, government, and academic organizations.
U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 2003
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov — Phone: (202) 512-1800 — Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001
NIST Special Publication 800-50
Authority
This document has been developed by the National Institute of Standards and Technology (NIST) in
furtherance of its statutory responsibilities under the Federal Information Security Management Act
(FISMA) of 2002, Public Law 107-347.
NIST is responsible for developing standards and guidelines, including minimum requirements, for
providing adequate information security for all agency operations and assets, but such standards and
guidelines shall not apply to national security systems. This guideline is consistent with the requirements
of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency
Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental
information is provided A-130, Appendix III.
This guideline has been prepared for use by federal agencies. It may be used by nongovernmental
organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by
NIST.)
Nothing in this document should be taken to contradict standards and guidelines made mandatory and
binding on federal agencies by the Secretary of Commerce under statutory author.
SP 800-150, the Guide to Cyber Threat Information SharingDavid Sweigert
This document provides guidelines for organizations to establish coordinated computer security incident response capabilities through active cyber threat information sharing and ongoing coordination with partners. It discusses the benefits of information sharing and challenges to overcome. Various information sharing architectures and both formal and informal sharing communities are described. The document also provides guidance on understanding an organization's current cybersecurity capabilities, establishing and maintaining information sharing relationships, and protecting sensitive incident response data.
NIST SP 800-137 Information security continuous monitoring (ISCM)David Sweigert
This document provides guidance for implementing Information Security Continuous Monitoring (ISCM) programs in federal agencies to maintain ongoing authorization of information systems and support risk management decisions. It discusses establishing an ISCM strategy based on the organization's mission and architecture. Key aspects of the ISCM process include defining roles and responsibilities, implementing automated monitoring capabilities, analyzing data to identify security issues, responding appropriately to findings, and regularly reviewing and updating the monitoring program. The publication aims to help agencies proactively manage information security risks to systems and missions over time.
This document provides guidance for building an effective IT security awareness and training program as required by FISMA and OMB Circular A-130. It discusses key roles and responsibilities, components of an awareness and training program, and a lifecycle approach for designing, developing, implementing and evaluating such a program. The goal is to ensure all IT users understand security policies and responsibilities to protect systems and data.
PYA Principal Barry Mathis presented “The IT Analysis Paralysis,” in which attendees:
Received a compressive review of the many IT frameworks that can be used to develop effective internal audit programs.
Learned the differences between commercial, federal, and industry frameworks.
Received tips, tools, and techniques for creating an effective framework based on risk assessment and identified risks.
Similar to Implementation of NIST guidelines for the CISO / ISO / Privacy Officer (20)
This document provides guidance for state, local, tribal, and territorial (SLTT) law enforcement on reporting cyber incidents to federal authorities. It outlines types of incidents that should be reported, such as those affecting critical infrastructure, national security, or public safety. The document details the information that should be included in reports, such as technical details about the incident and impacted systems. It also lists several ways for SLTT law enforcement to report incidents, including email, phone, or online portals, and specifies the federal agencies responsible for accepting different types of reports related to cybercrime, national infrastructure, or investigations.
Sample Network Analysis Report based on Wireshark AnalysisDavid Sweigert
This network analysis report examines a packet capture file containing traffic between two internal hosts downloading a file from a remote server. The analysis found that one internal host, with IP ending in 1.119, experienced significant packet loss during the download, as shown by drops in throughput and bursts of TCP errors. This packet loss indicates a potential failure at an infrastructure device, likely causing the observed retransmissions and degradation in performance. Further analysis of ingress traffic is needed to determine if the packet loss is occurring internally or externally to the network.
Department of Defense standard 8570 - CompTia Advanced Security Practitioner David Sweigert
This document provides notes for the CompTIA CASP exam, organized by exam domain:
1. Enterprise Security topics include placement of firewalls and other security appliances, SELinux mandatory access controls, storage area networks, encryption of multiple operating systems on a solid state drive, and TOCTOU attacks.
2. Risk Management and Incident Response domains cover risk terms.
3. Research and Analysis focuses on cryptographic concepts, enterprise storage technologies, and host and application security controls.
4. Integration of Computing, Communications and Business Disciplines addresses remote access and IPv6 issues.
5. Technical Integration of Enterprise Components involves application integration enablers.
National Cyber Security Awareness Month - October 2017David Sweigert
National Cyber Security Awareness Month is held each October to promote cybersecurity awareness and education. It is a collaborative effort between the Department of Homeland Security and private partners. There are 5 themes highlighted during the month - simple online safety steps, cybersecurity in the workplace, security of connected devices and the internet of things, cybersecurity careers, and protecting critical infrastructure. Each week focuses on one of these themes and provides resources to help organizations and individuals strengthen cybersecurity. The goal is to engage the public and encourage everyone to play a role in cybersecurity.
California Attorney General Notification Penal Code 646.9David Sweigert
This letter requests assistance from the California Attorney General's office for the District Attorney of San Luis Obispo County. It describes activities of an individual named Nathan Ames Stolpman who broadcasts livestreams on YouTube and videos on Patreon directing "crowd stalking" followers to target and harass private citizens by publishing their personal information. Stolpman issues "bounties" for photos of targeted individuals and provides their intended locations. The letter writer believes the District Attorney has not demonstrated a clear understanding of relevant privacy laws and requests the Attorney General's office provide technical assistance to the District Attorney regarding Stolpman's activities.
Congressional support of Ethical Hacking and Cyber SecurityDavid Sweigert
This House resolution expresses support for developing educational programs to better prepare students for cybersecurity careers by promoting ethical hacking skills. It notes the critical shortage of cybersecurity professionals and growing cyber threats facing the US. The resolution states that partnerships between industry, government and academia should collaborate to create programs, competitions and curricula giving students hands-on experience with in-demand cybersecurity skills like ethical hacking to help close this workforce gap.
Application of Racketeering Law to Suppress CrowdStalking ThreatsDavid Sweigert
This document discusses how racketeering and wire fraud laws can be used to combat hoax news sites that engage in "CrowdStalking" to distribute misinformation. These sites target critical infrastructure operators, federal employees, and security advisors. The document provides an example of how social engineering attacks can steal millions from a company. It argues that legal action against hoax news site operators can deter such attacks, and establishes criteria for when racketeering laws may apply to their activities, such as using deception for financial gain. The document identifies specific YouTube personalities like Nathan Stolpman and Jesse Moorefield who operate hoax news sites.
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...David Sweigert
The document summarizes a study on how Live Action Role Play (LARP) simulations can create cognitive threat vectors using the example of two YouTube conspiracy theorists, Jason Goodman and George Webb. In June 2017, they created a sense of hysteria among their online fans by claiming a container ship was sailing into the Port of Charleston with a dirty bomb onboard, leading to the port's evacuation. The document argues this "crowdsourcing" format can weaponize sensationalized information and represents an emerging threat that critical infrastructure operators need to be aware of. It can potentially lead unwitting participants to engage in criminal acts or attacks in response to implied calls for action by the game's controllers.
Cyber Incident Response Team NIMS Public CommentDavid Sweigert
The Cyber Incident Response Team responds to cyber crises and threats. It is composed of 15 personnel including managers, analysts, specialists in areas like forensics and infrastructure. The team investigates incidents, uses mitigation approaches, and documents actions. It requires equipment like laptops, forensics tools, and communications devices and is deployable for up to 14 days.
Cyber Incident Response Team - NIMS - Public CommentDavid Sweigert
The Cyber Incident Response Team responds to cyber crises and threats. It is composed of 15 personnel including managers, analysts, specialists in areas like forensics and infrastructure. The team investigates incidents, uses mitigation approaches, and documents actions. It requires equipment like laptops, forensics tools, and communications devices and is deployable for up to 14 days.
National Incident Management System (NIMS) NQS DRAFTDavid Sweigert
The document provides guidance for a National Qualification System (NQS) to strengthen resource management under the National Incident Management System (NIMS). The NQS will define qualifications for emergency response personnel through common standards and certification processes to enhance coordination during multi-jurisdictional responses. It establishes guidelines for qualification criteria and processes, certification of qualified personnel, and credentialing of certified personnel. Feedback is sought on the draft guidelines over a 30-day period.
National Incident Management System - NQS Public FeedbackDavid Sweigert
The National Qualification System (NQS) provides a common language and approach to qualify emergency personnel in order to facilitate more effective mutual aid response. It establishes standardized job titles, minimum qualifications, and certification processes to help requesting agencies obtain resources with the needed skills and qualifications. The NQS supplements the National Incident Management System by providing guidance on personnel resource typing and supports the goal of a more secure and resilient nation through qualified emergency personnel who can respond across jurisdictions.
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTDavid Sweigert
The document discusses establishing Medical Computer Emergency Response Teams (MedCERT) to coordinate responses to cybersecurity incidents affecting medical devices and networks. It argues that healthcare cybersecurity is currently unprepared for emergencies and that response and recovery need to be emphasized in addition to prevention and protection. The document recommends that MedCERT teams receive training in the National Incident Management System and Incident Command System to effectively respond to incidents. It also calls for improved information sharing across the healthcare industry regarding cyber threats.
National Preparedness Goals 2015 2nd editionDavid Sweigert
The National Preparedness Goal outlines core capabilities across five mission areas - Prevention, Protection, Mitigation, Response, and Recovery - that are necessary to deal with risks facing the nation. The document describes each mission area and defines related core capabilities and preliminary targets. Prevention focuses on capabilities to avoid, prevent, or stop terrorist threats, while other mission areas take an all-hazards approach. Key capabilities include planning, public information and warning, operational coordination, intelligence and information sharing, and interdiction and disruption. The goal is for the whole community to achieve a secure and resilient nation through these interdependent capabilities.
The document provides an overview and update of the Healthcare and Public Health (HPH) Sector-Specific Plan (SSP). Key points include:
- The SSP establishes a vision, mission, goals, and activities to guide security and resilience efforts for HPH critical infrastructure.
- Goals focus on risk assessment, risk management, information sharing, partnership development, and response/recovery.
- Metrics will measure progress on priorities like risk analysis, information sharing, and partnership engagement.
- The update reflects maturation of sector partnerships and addresses evolving risks to critical infrastructure.
Cyber Risk Assessment for the Emergency Services Sector - DHSDavid Sweigert
The Emergency Services Sector Cyber Risk Assessment evaluates risks to six critical emergency services disciplines from potential cyber threats. Through a collaborative process, subject matter experts identified seven risk scenarios and assessed their potential consequences. High risks included natural disasters disrupting 9-1-1 systems, loss of critical databases hampering operations, and compromised systems spreading misinformation. The assessment aims to enhance cybersecurity and resilience across the emergency services sector through informed resource allocation and partnership.
Gemma Wean- Nutritional solution for Artemiasmuskaan0008
GEMMA Wean is a high end larval co-feeding and weaning diet aimed at Artemia optimisation and is fortified with a high level of proteins and phospholipids. GEMMA Wean provides the early weaned juveniles with dedicated fish nutrition and is an ideal follow on from GEMMA Micro or Artemia.
GEMMA Wean has an optimised nutritional balance and physical quality so that it flows more freely and spreads readily on the water surface. The balance of phospholipid classes to- gether with the production technology based on a low temperature extrusion process improve the physical aspect of the pellets while still retaining the high phospholipid content.
GEMMA Wean is available in 0.1mm, 0.2mm and 0.3mm. There is also a 0.5mm micro-pellet, GEMMA Wean Diamond, which covers the early nursery stage from post-weaning to pre-growing.
About this webinar: This talk will introduce what cancer rehabilitation is, where it fits into the cancer trajectory, and who can benefit from it. In addition, the current landscape of cancer rehabilitation in Canada will be discussed and the need for advocacy to increase access to this essential component of cancer care.
International Cancer Survivors Day is celebrated during June, placing the spotlight not only on cancer survivors, but also their caregivers.
CANSA has compiled a list of tips and guidelines of support:
https://cansa.org.za/who-cares-for-cancer-patients-caregivers/
At Apollo Hospital, Lucknow, U.P., we provide specialized care for children experiencing dehydration and other symptoms. We also offer NICU & PICU Ambulance Facility Services. Consult our expert today for the best pediatric emergency care.
For More Details:
Map: https://cutt.ly/BwCeflYo
Name: Apollo Hospital
Address: Singar Nagar, LDA Colony, Lucknow, Uttar Pradesh 226012
Phone: 08429021957
Opening Hours: 24X7
Joker Wigs has been a one-stop-shop for hair products for over 26 years. We provide high-quality hair wigs, hair extensions, hair toppers, hair patch, and more for both men and women.
Comprehensive Rainy Season Advisory: Safety and Preparedness Tips.pdfDr Rachana Gujar
The "Comprehensive Rainy Season Advisory: Safety and Preparedness Tips" offers essential guidance for navigating rainy weather conditions. It covers strategies for staying safe during storms, flood prevention measures, and advice on preparing for inclement weather. This advisory aims to ensure individuals are equipped with the knowledge and resources to handle the challenges of the rainy season effectively, emphasizing safety, preparedness, and resilience.
Michigan HealthTech Market Map 2024. Includes 7 categories: Policy Makers, Academic Innovation Centers, Digital Health Providers, Healthcare Providers, Payers / Insurance, Device Companies, Life Science Companies, Innovation Accelerators. Developed by the Michigan-Israel Business Accelerator
Can coffee help me lose weight? Yes, 25,422 users in the USA use it for that ...nirahealhty
The South Beach Coffee Java Diet is a variation of the popular South Beach Diet, which was developed by cardiologist Dr. Arthur Agatston. The original South Beach Diet focuses on consuming lean proteins, healthy fats, and low-glycemic index carbohydrates. The South Beach Coffee Java Diet adds the element of coffee, specifically caffeine, to enhance weight loss and improve energy levels.
2024 HIPAA Compliance Training Guide to the Compliance OfficersConference Panel
Join us for a comprehensive 90-minute lesson designed specifically for Compliance Officers and Practice/Business Managers. This 2024 HIPAA Training session will guide you through the critical steps needed to ensure your practice is fully prepared for upcoming audits. Key updates and significant changes under the Omnibus Rule will be covered, along with the latest applicable updates for 2024.
Key Areas Covered:
Texting and Email Communication: Understand the compliance requirements for electronic communication.
Encryption Standards: Learn what is necessary and what is overhyped.
Medical Messaging and Voice Data: Ensure secure handling of sensitive information.
IT Risk Factors: Identify and mitigate risks related to your IT infrastructure.
Why Attend:
Expert Instructor: Brian Tuttle, with over 20 years in Health IT and Compliance Consulting, brings invaluable experience and knowledge, including insights from over 1000 risk assessments and direct dealings with Office of Civil Rights HIPAA auditors.
Actionable Insights: Receive practical advice on preparing for audits and avoiding common mistakes.
Clarity on Compliance: Clear up misconceptions and understand the reality of HIPAA regulations.
Ensure your compliance strategy is up-to-date and effective. Enroll now and be prepared for the 2024 HIPAA audits.
Enroll Now to secure your spot in this crucial training session and ensure your HIPAA compliance is robust and audit-ready.
https://conferencepanel.com/conference/hipaa-training-for-the-compliance-officer-2024-updates
This particular slides consist of- what is Pneumothorax,what are it's causes and it's effect on body, risk factors, symptoms,complications, diagnosis and role of physiotherapy in it.
This slide is very helpful for physiotherapy students and also for other medical and healthcare students.
Here is a summary of Pneumothorax:
Pneumothorax, also known as a collapsed lung, is a condition that occurs when air leaks into the space between the lung and chest wall. This air buildup puts pressure on the lung, preventing it from expanding fully when you breathe. A pneumothorax can cause a complete or partial collapse of the lung.
R3 Stem Cell Therapy: A New Hope for Women with Ovarian FailureR3 Stem Cell
Discover the groundbreaking advancements in stem cell therapy by R3 Stem Cell, offering new hope for women with ovarian failure. This innovative treatment aims to restore ovarian function, improve fertility, and enhance overall well-being, revolutionizing reproductive health for women worldwide.
Can Allopathy and Homeopathy Be Used Together in India.pdfDharma Homoeopathy
This article explores the potential for combining allopathy and homeopathy in India, examining the benefits, challenges, and the emerging field of integrative medicine.
Hypertension and it's role of physiotherapy in it.Vishal kr Thakur
This particular slides consist of- what is hypertension,what are it's causes and it's effect on body, risk factors, symptoms,complications, diagnosis and role of physiotherapy in it.
This slide is very helpful for physiotherapy students and also for other medical and healthcare students.
Here is summary of hypertension -
Hypertension, also known as high blood pressure, is a serious medical condition that occurs when blood pressure in the body's arteries is consistently too high. Blood pressure is the force of blood pushing against the walls of blood vessels as the heart pumps it. Hypertension can increase the risk of heart disease, brain disease, kidney disease, and premature death.
TEST BANK For Accounting Information Systems, 3rd Edition by Vernon Richardso...rightmanforbloodline
TEST BANK For Accounting Information Systems, 3rd Edition by Vernon Richardson, Verified Chapters 1 - 18, Complete Newest Version
TEST BANK For Accounting Information Systems, 3rd Edition by Vernon Richardson, Verified Chapters 1 - 18, Complete Newest Version
TEST BANK For Accounting Information Systems, 3rd Edition by Vernon Richardson, Verified Chapters 1 - 18, Complete Newest Version
Bringing AI into a Mid-Sized Company: A structured Approach
Implementation of NIST guidelines for the CISO / ISO / Privacy Officer
1. FISMA reporting and NIST guidelines
A Research Paper
By
Faisal Shirazee, MSNS, CISSP
2. Paper by Faisal Shirazee 2
Executive Summary
The purpose of this paper is to provide guidance for performing C&A activities and to
provide guidance to the associated level of effort required based on assurance
requirements. Assurance is defined as a measure of confidence that the security features,
attributes and functions enforce the security policy. Assurance can be established for
operations (enterprises), systems, operational environments, and components or
mechanisms. Assurance refers to the claims and evidence for believing the correctness
effectiveness, and workmanship of the security service or mechanism. Verification
verifies and validates the security assurance for a system associated with an environment.
Accreditation evaluates whether the operation impacts associated with any residual
system weaknesses are tolerable or unacceptable. Life-cycle assurance requirements
provide a framework for secure system design, implementation and maintenance.
This paper is for the use of all Information Security Systems Managers (ISSM),
Information Security Systems Officers (ISSO), or any other Information Assurance (IA)
analysts involved in the C&A process. This guide advocates degrees of assurance as the
initial basis for determining the level of effort necessary to complete the C&A. Once the
degrees of assurance have been determined, the certification team can then identify the
level-of-effort required for verification of the system. The level-of-effort will then define
the document package needed for certification and accreditation.
This paper intends to clarify the FISMA reporting requirements and it intends to
summarize the NIST 800-37 process of certification and accreditation.
3. Paper by Faisal Shirazee 3
Table of Contents
Faisal Shirazee, MSNS, CISSP .......................................................................................1
Executive Summary ........................................................................................................2
Table of Contents............................................................................................................3
Section 1: FISMA Reporting and C&A Process ..............................................................4
Section 2: How to apply NIST guidelines........................................................................3
Section 3: C&A Activities Process Summary..................................................................4
3.1 Phase I – Initiation Phase.................................................................................4
3.1.1 Activity 1: Preparation .............................................................................4
3.1.2 Activity 2: Notification and Resource Identification.................................7
3.1.3 Activity 3 - System Security Plan Analysis, Update, and Acceptance.......7
3.2 Phase II: Security Certification ........................................................................9
3.2.1 Activity 4 - Security Control Assessment...............................................10
3.2.2 Activity 5 - Security Certification Documentation..................................11
3.3 Phase III: Security Accreditation Phase..........................................................13
3.3.1 Activity 6 - Security Accreditation Decision ..........................................13
3.4 Phase IV: Continuous Monitoring Phase.......................................................15
3.4.1 Activity 8 - Configuration Management and Control..............................15
3.4.2 Activity 9 - Security Control Monitoring....................................................16
3.4.3 Activity 10 - Status Reporting and Documentation.................................17
Appendix A. A Checklist for SP..............................................................................19
Appendix B: ACRONYMS.....................................................................................30
REFERENCES .............................................................................................................32
4. Paper by Faisal Shirazee 4
Section 1: FISMA Reporting and C&A Process
The Federal Information Security Management Act of 2002 (FISMA, Title III, Public
Law 107-347, December 17, 2002), provides government-wide requirements for
information security, superseding the Government Information Security Reform Act and
the Computer Security Act.
Also, according to the Office of Management and Budget (OMB) Circular A-130,
Appendix III, the Clinger-Cohen Act supplements the information resources management
policies contained in the PRA by establishing a comprehensive approach for executive
agencies to improve the acquisition and management of their information resources, by:
1. focusing information resource planning to support their strategic missions;
2. implementing a capital planning and investment control process that links to
budget formulation and execution; and
3. rethinking and restructuring the way they do their work before investing in
information systems.
Federal agencies are responsible for providing information security protection of
information collected or maintained by or on behalf of the agency and information
systems used or operated by or on behalf of the agency. NIST has been tasked to develop
standards and guidelines, including minimum requirements, for providing adequate
information security for all agency operations and assets. Note: These standards and
guidelines do not apply to national security systems.
Federal Agencies are also to give annual and quarterly reports to congress on how to
address the adequacy and effectiveness of information security policies, procedures, and
practices in plans and reports relating to:
a. Annual agency budgets;
b. Information resources management under subchapter 1 of this chapter
c. Information technology management under subtitle III of title 40
d. Program performance under sections 1105 and 1115 through 1119 of title 31, and
sections 2801 and 2805 of title 39
e. Financial management under chapter 9 of title 31, and the Chief Financial Officers
Act of 1990 (31 U.S.C. 501 note; Public Law 101-576) (and the amendments made
by that Act)
f. Financial management systems under the Federal Financial Management
Improvement Act (31 U.S.C. 3512 note)
g. Internal accounting and administrative controls under section 3512 of title 31, (known
as the `Federal Managers Financial Integrity Act')
FISAM report should include any significant deficiency in a policy, procedure, or
practice identified as a material weakness in reporting under section 3512 of title 31.
In addition to the above requirements the report should include the time periods, and the
5. resources, including budget, staffing, and training, that are necessary to implement the
security program and security controls. The description of the security deficiencies
should be risk a based description. The FISMA reporting also holds each Federal agency
to provide the public with timely notice and opportunities for comment on proposed
information security policies and procedure.
6. Paper by Faisal Shirazee 3
Section 2: How to apply NIST guidelines
NIST has been tasked to develop minimum information security requirements
(management, operational and technical security controls) for information and
information systems in each such category. All three controls are defined in detail in the
next few sections of this paper. NIST is also to develop standards to be used by federal
agencies to categorize information and information systems based on the objectives of
providing appropriate levels of Information security according to a range of risk levels.
NIST publication FIPS 199, “Standards for Security Categorization of Federal
Information and Information Systems” is the guide on how to categorize the Federal
Systems.
NIST is also to develop guidelines recommending the types of information and
information systems to be included in each category described in FIPS Publication 199
NIST is in the process of producing publication 800-60, “Guide for Mapping Types of
Information and Information Systems to Security Categories”. A final publication is due
some time in the summer of 2004.
Other very important publications are NSIT 800-200 “Minimum Security Controls for
Federal Information Systems” and NIST Special Publication 800-53, “Recommended
Security Controls for Federal Information”. Both of these publications are currently in
draft phase. These documents will provide Federal Agencies a common minimum base
line for their security controls.
The publication NIST 800-37 (Guide for the Security Certification and Accreditation of
Federal Information Systems) is published to guide Federal agencies to a standard
Security Certification and Accreditation (C&A) process. All Federal agencies are or will
be following these guidelines to certify and accredit their system. NIST 800-37 is a very
comprehensive document but it can be overwhelming. I have summarized the steps
described in NIST-800-37 that can translate into an easier implementation of NIST 800-
37. I am also attaching a check list as an appendix to this document. This appendix A is a
checklist to collect information for the Security Plan.
For additional NIST publication please visit the NIST web site at:
http://csrc.nist.gov/publications/nistpubs/index.ht
7. Paper by Faisal Shirazee 4
Section 3: C&A Activities Process Summary
The security certification and accreditation process consists of four distinct phases: (i) an
Initiation Phase; (ii) a Security Certification Phase; (iii) a Security Accreditation Phase; and
(iv) a Continuous Monitoring Phase. Each phase consists of a set of well-defined tasks
and subtasks that are to be carried out, as indicated, by responsible individuals (e.g., the
Chief Information Officer, Authorizing Official, Authorizing Official’s designated
representative, Information Systems Security Manager, Information System Owner,
Information Owner, Information Systems Security Officer, Certification Agent, and User
Representatives). The security certification and accreditation activities can be applied to
an information system at appropriate phases in the system development life cycle.
Additionally, the activities can be tailored to apply a level of effort and rigor that is most
suitable for the information system undergoing security certification and accreditation
3.1 Phase I – Initiation Phase
The objective of the preparation task is to prepare for security certification and accreditation by
reviewing the system security plan and confirming that the contents of the plan are consistent
with an initial assessment of risk.
3.1.1 Activity 1: Preparation
The objective of the preparation task is to prepare for security certification and accreditation by
reviewing the system security plan and confirming that the contents of the plan are consistent
with an initial assessment of risk
3.1.1.1 Task 1.1 - Information System Description
Confirm that the information system has been fully described and documented in the system
security plan or an equivalent document.
A typical system description includes:
1. The name of the information system;
2. A unique identifier for the information system
3. The status of the information system with respect to the system development life cycle
4. The name and location of the organization responsible for the information system
5. Contact information for the information system owner or other individuals
knowledgeable about the information system
6. Contact information for the individual(s) responsible for the security of the information
system
7. The purpose, functions, and capabilities of the information system
8. The types of information processed, stored, and transmitted by the information system
9. The boundary of the information system for operational authorization (or security
accreditation)
10. The functional requirements of the information system
8. Paper by Faisal Shirazee 5
11. The applicable laws, directives, policies, regulations, or standards affecting the security
of the information and the information system
12. The individuals who use and support the information system (including their
organizational affiliations, access rights, privileges, and citizenship, if applicable);
13. The architecture of the information system
14. Hardware and firmware devices (including wireless System and applications software
(including mobile code)
15. Network topology; network connection rules for communicating with external
information systems, interconnected information systems and unique identifiers for those
systems;
16. Encryption techniques used for information processing, transmission, and storage
17. Public key infrastructures, certificate authorities, and certificate practice statements
18. The physical environment in which the information system operates
19. Web protocols and distributed, collaborative computing environments (processes, and
applications).
3.1.1.2 Task 1.2 - Security Categorization
Confirm that the security category of the information system has been determined and
documented in the system security plan or an equivalent document.
Consult NIST Special Publication 800-59 to confirm that the information system is other than a
national security system. For other than national security systems, FIPS 199 establishes three
potential impact levels (low, moderate, and high) for each of the stated security objectives
(confidentiality, integrity, and availability) relevant to securing federal information systems.
3.1.1.3 Task 1.3 – Threat Identification
Confirm that potential threats that could exploit information system flaws or weaknesses have
been identified and documented in the system security plan, risk assessment, or an equivalent
document.
It is important to consider all potential threats that could cause harm to an information system,
ultimately affecting the confidentiality, integrity, or availability of the system. Threats can be
natural (floods, earthquakes, tornadoes, landslides, avalanches, electrical storms), human (events
that are either enabled by or caused by human beings), or environmental (long-term power
failures, pollution, chemicals, liquid leakage). Threat information should be coordinated with the
Information Systems Security Manager and authorizing official to facilitate reuse and sharing
with other information system owners, Organization-wide. The level of effort (i.e., degree of rigor
and formality) applied to the threat identification process should be commensurate with the FIPS
199 security category of the information system (i.e., the level of effort increases as the potential
impact on agency operations, agency assets, or individuals increases). Threat identification
information is typically documented in the risk assessment, which should be included in the
system security plan either by reference or as an attachment.
9. Paper by Faisal Shirazee 6
3.1.1.4 Task 1.4 - Vulnerability Assessment
Confirm that flaws or weaknesses in the information system that could be exploited by potential
threat sources have been identified and documented in the system security plan, risk assessment,
or an equivalent document.
Flaws or weaknesses in an information system that could be exploited by potential threats
determine the potential vulnerabilities in that system. Vulnerability identification can be
conducted at any phase in the system development life cycle.
If the system is under development, the search for vulnerabilities focuses on the organization’s
security policies, planned security procedures, system requirement definitions, and developer
security product analyses.
If the system is being implemented, the identification of vulnerabilities is expanded to include
more specific information, such as the planned security features described in the security design
documentation and the results of the developmental security test and evaluation.
If the system is operational, the process of identifying vulnerabilities includes an analysis of the
system security controls employed to protect the system. The identification of vulnerabilities can
be accomplished in a variety of ways using questionnaires, on-site interviews, document reviews,
and automated scanning tools. Vulnerability information associated with system-specific and
common security controls should be coordinated with the senior agency information security
officer and authorizing officials to facilitate reuse and sharing with other information system
owners agency-wide. The level of effort (i.e., degree of rigor and formality) applied to the
vulnerability identification process should be commensurate with the FIPS 199 security category
of the information system (i.e., the level of effort increases as the potential impact on agency
operations, agency assets, or individuals increases).
Vulnerability identification information is typically documented in the risk assessment report,
which should be included in the system security plan either by reference or as an attachment.
3.1.1.5 Task 1.5 - Security Control Identification
Confirm that the security controls (either planned or implemented) for the information system
have been identified and documented in the system security plan or an equivalent document.
3.1.1.6 Task 1.6 - Initial Risk Determination
Confirm that the risk to the organization’s operations, assets, or individuals has been
determined and documented in the system security plan, risk assessment, or an equivalent
document.
FISMA and OMB Circular A-130, Appendix III, require risk assessments as part of a
risk-based approach to determining adequate, cost-effective security for an information
10. Paper by Faisal Shirazee 7
system. Assessing Organization-wide risk should be an ongoing activity to ensure that as
new threats and vulnerabilities are identified, adequate security controls are implemented.
Organization-wide risk is typically documented in the risk assessment, which should be
included in the system security plan either by reference or as an attachment.
3.1.2 Activity 2: Notification and Resource Identification
The objective of the notification and resource identification task is to:
1) provide notification to all concerned agency officials as to the impending security
certification and accreditation of the information system
2) determine the resources needed to carry out the effort
3) prepare a plan of execution for the certification and accreditation activities indicating
the proposed schedule and key milestones
3.1.2.1 Task 2.1 – Notification
The initial notification of key agency officials is an important activity to establish the security
certification and accreditation process as an integral part of the system development life cycle.
The notification also serves as an early warning to help prepare potential participants for the
upcoming tasks that will be necessary to plan, organize, and conduct the security certification and
accreditation. In some instances, the authorizing official or Information Systems Security
Manager provides the initial notification to the information system owner and other key agency
officials. This typically occurs when a specified time period has elapsed and the information
system must undergo reaccredidation in accordance with federal or agency policy.
Inform the Information Systems Security Manager, authorizing official, certification agent, user
representatives, and other interested agency officials that the information system requires security
certification and accreditation support.
3.1.2.2 Task 2.2 – Planning and Resources
Determine the level of effort and resources required for the security certification and accreditation
of the information system (including organizations involved) and prepare a plan of execution.
The level of effort required for security certification depends on:
1) the size and complexity of the information system
2) the FIPS 199 security category of the system
3) the security controls employed to protect the system
4) the specific methods and procedures used to assess the security controls in the system to
determine the extent to which the controls are implemented correctly
3.1.3 Activity 3 - System Security Plan Analysis, Update, and
Acceptance
The objective of the system security plan analysis, update, and acceptance task is to:
1) perform an independent review of the FIPS 199 security categorization
2) obtain an independent analysis of the system security plan
11. Paper by Faisal Shirazee 8
3) update the system security plan as needed based on the results of the independent
analysis
4) obtain acceptance of the system security plan by the authorizing official and
Information Systems Security Manager prior to conducting an assessment of the
security controls in the information system. The completion of this task concludes the
Initiation Phase of the security certification and accreditation process.
3.1.3.1Task 3.1 - Security Categorization Review
Review the FIPS 199 security categorization described in the system security plan to determine
if the assigned impact values with respect to the potential loss of confidentiality, integrity, and
availability are consistent with Organization’s actual mission requirements.
FIPS 199 is used as part of Organization’s risk management program to help ensure that
appropriate security controls are applied to each information system and that the controls are
adequately assessed to determine the extent to which the controls are implemented correctly,
operating as intended, and producing the desired outcome with respect to meeting the system
security requirements. The review of the security categorization ensures that the information
system owner has adequately reflected the importance (including criticality and sensitivity) of
the information system in supporting the operations and assets of Organization. Independent
review of the security categorization by the certification agent, authorizing official and
Information Systems Security Manager is performed as needed to ensure appropriate
categorization.
3.1.3.2 Task 3.2 - System Security Plan Analysis
The system security plan provides an overview of the information system security requirements
and describes the security controls in place or planned for meeting those requirements. The
independent review of the system security plan by the certification agent, authorizing official
and Information Systems Security Manager determines if the plan is complete and consistent
with the requirements document for the information system. The certification agent, authorizing
official, and Information Systems Security Manager also determine, at the level of analysis
possible only with available planning or operational documents and information from the risk
assessment, if the vulnerabilities in the information system and resulting Organization-wide risk
appear to be correct and reasonable. Based on the results of this independent review and analysis,
the certification agent, authorizing official and Information Systems Security Manager may
recommend changes to the system security plan. Whenever possible, these changes should be
reflected in the requirements document for the information system.
3.1.3.3 Task 3.3 - System Security Plan Update
Update the system security plan based on the results of the independent analysis and
recommendations of the certification agent, authorizing official and Information Systems
Security Manager.
The information system owner reviews the changes recommended by the certification agent,
authorizing official, and Information Systems Security Manager and consults with other agency
12. Paper by Faisal Shirazee 9
representatives (e.g., information owner, Information Systems Security Officer, or user
representatives) prior to making any final modifications to the system security plan. The
modifications to the system security plan may include any of the areas described in Task 1 (e.g.,
adjusting security controls, changing vulnerabilities, or modifying the agency-level risk).
3.1.3.4 Task 3.4 - System Security Plan Acceptance
If the agency-level risk described in the system security plan (or risk assessment) is deemed
unacceptable, the authorizing official and Information Systems Security Manager send the plan
back to the information system owner for appropriate action. If the Organization-wide risk
described in the system security plan (or risk assessment) is deemed acceptable, the authorizing
official and Information Systems Security Manager accept the plan. The acceptance of the system
security plan and Organization-wide risk assessment represents an important milestone in the
security certification and accreditation of the information system. The authorizing official and
Information Systems Security Manager, by accepting the system security plan, are agreeing to the
set of security controls proposed to meet the security requirements for the information system.
This Organization-wide agreement allows the security certification and accreditation process to
advance to the next phase (i.e., the actual assessment of the security controls). The acceptance
of the system security plan also approves the level of effort and resources required to
successfully complete the associated security certification and accreditation activities.
Key Milestones:
ÿ The following questions should be answered before proceeding to the Security
Certification Phase:
o Does the FIPS 199 security category of the information system
described in the system security plan appear to be correct?
o Have the resources required to successfully complete the security
certification and accreditation of the information system been
identified and allocated?
o Does the risk to agency operations (including mission, functions,
image, or reputation), agency assets, or individuals described in the
system security plan appear to be correct?
o Having decided that the Organization-wide risk appears to be
correct, would this risk be acceptable?
3.2 Phase II: Security Certification
The Security Certification Phase consists of two tasks:
1) Security control assessment and 2) Security certification documentation. The purpose of
this phase is to determine the extent to which the security controls in the information system
are implemented correctly, operating as intended, and producing the desired outcome with
respect to meeting the security requirements for the system. This phase also addresses specific
actions taken or planned to correct deficiencies in the security controls and to reduce or
eliminate known vulnerabilities in the information system. Upon successful completion of this
phase, the authorizing official will have the information needed from the security certification
13. Paper by Faisal Shirazee 10
to determine the risk to Organization’s operations, assets, or individuals—and thus will be
able to render an appropriate security accreditation decision for the information system.
3.2.1 Activity 4 - Security Control Assessment
The objective of the security control assessment task is to:
1) Prepare for the assessment of the security controls in the information system
2) Conduct the assessment of the security controls
3) Document the results of the assessment.
Preparation for security assessment involves gathering appropriate planning and supporting
materials, system requirements and design documentation, security control implementation
evidence, and results from previous security assessments, security reviews, or audits.
Preparation also involves developing specific methods and procedures to assess the security
controls in the information system.
3.2.1.1 Task 4.1 - Documentation and Supporting Materials
Assemble any documentation and supporting materials necessary for the assessment of the
security controls in the information system; if these documents include previous assessments of
security controls, review the findings, results, and evidence.
3.2.1.2 Task 4.2 - Methods and Procedures
Select, or develop when needed, appropriate methods and procedures to assess the
management, operational, and technical security controls in the information system.
In lieu of developing unique or specialized methods and procedures to assess the security controls
in the information system, certification agents should consult NIST Special Publication 800-53A,
which provides standardized methods and procedures for assessing the security controls listed in
NIST Special Publication 800-53. The certification agent, if so directed by the information
system owner, authorizing official, or Information Systems Security Manager, can supplement
these assessment methods and procedures. Assessment methods and procedures may need to be
created for those security controls employed by Organization that are not contained in NIST
Special Publication 800-53. Additionally, assessment methods and procedures may need to be
tailored for specific system implementations.
3.2.1.3 Task 4.3 - Security Assessment
Federal Agencies have been instructed to use NSIT 800-26 as the self assessment tool.
Assess the management, operational and technical security controls in the information system
using methods and procedures selected or developed.
14. Paper by Faisal Shirazee 11
Security assessment determines the extent to which the security controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to meeting the
security requirements for the system. The results of the security assessment, including
recommendations for correcting any deficiencies in the security controls, are documented in the
security assessment report.
3.2.1.4 Task 4.4 - Security Assessment Report
Prepare the final security assessment report. The security assessment report contains:
1) The results of the security assessment (i.e., the determination of the extent to which the security
controls are implemented correctly, operating as intended, and producing the desired outcome
with respect to meeting the security requirements for the system)
2) Recommendations for correcting deficiencies in the security controls and reducing or
eliminating identified vulnerabilities. The security assessment report is part of the final
accreditation package along with the updated system security plan and plan of action and
milestones. The security assessment report is the certification agent’s statement regarding the
security status of the information system.
3.2.2 Activity 5 - Security Certification Documentation
The objective of the security certification documentation task is to: (i) provide the certification
findings and recommendations to the information system owner; (ii) update the system security
plan as needed; (iii) prepare the plan of action and milestones; and (iv) assemble the
accreditation package. The information system owner has an opportunity to reduce or eliminate
vulnerabilities in the information system prior to the assembly and compilation of the
accreditation package and submission to the authorizing official. This is accomplished by
implementing corrective actions recommended by the certification agent. The certification
agent should assess any security controls modified, enhanced, or added during this process. The
completion of this task concludes the Security Certification Phase.
3.2.2.1 Task 5.1 - Findings and Recommendations
Provide the information system owner with the security assessment report.
The information system owner relies on the security expertise and the technical judgment of the
certification agent to:
1) Assess the security controls in the information system
2) Provide specific recommendations on how to correct deficiencies in the controls and reduce
or eliminate identified vulnerabilities. The information system owner may choose to act on
selected recommendations of the certification agent before the accreditation package is
finalized if there are specific opportunities to correct deficiencies in security controls and
reduce or eliminate vulnerabilities in the information system. To ensure effective allocation of
resources Organization-wide, any actions taken by the information system owner prior to the
final accreditation decision should be coordinated with the authorizing official and Information
Systems Security Manager. The certification agent assesses any changes made to the security
15. Paper by Faisal Shirazee 12
controls in response to corrective actions by the information system owner and updates the
assessment report, as appropriate.
3.2.2.2 Task 5.2 - System Security Plan Update
Update the system security plan (and risk assessment) based on the results of the security
assessment and any modifications to the security controls in the information system.
The system security plan should reflect the actual state of the security controls after the security
assessment and any modifications by the information system owner in addressing the
recommendations for corrective actions from the certification agent. At the completion of the
Security Certification Phase, the security plan and risk assessment should contain an accurate list
and description of the security controls implemented and a list of identified vulnerabilities (i.e.,
controls not implemented).
3.2.2.3 Task 5.3 - Plan of Action and Milestones Preparation
Prepare the plan of action and milestones based on the results of the security assessment.
The plan of action and milestones document, one of the three key documents in the security
accreditation package, describes actions taken or planned by the information system owner to
correct deficiencies in the security controls and to address remaining vulnerabilities in the
information system (i.e., reduce, eliminate, or accept the vulnerabilities). The plan of actions and
milestones document identifies: (i) the tasks needing to be accomplished; (ii) the resources
required to accomplish the elements of the plan; (iii) any milestones in meeting the tasks; and (iv)
scheduled completion dates for the milestones.
3.2.2.4 Task 5.4 - Accreditation Package Assembly
Assemble the final security accreditation package and submit to authorizing official.
The information system owner is responsible for the assembly and compilation of the final
security accreditation package with inputs from the Information Systems Security Officer and the
certification agent. The accreditation package contains:
1) The security assessment report from the certification agent providing the results of the
independent assessment of the security controls and recommendations for corrective
actions
2) The plan of action and milestones from the information system owner indicating actions
taken or planned to correct deficiencies in the controls and to reduce or eliminate
vulnerabilities in the information system
3) The updated system security plan with the latest copy of the risk assessment. Certification
agent input to the final accreditation package provides an unbiased and independent view
of the extent to which the security controls in the information system are implemented
correctly, operating as intended, and producing the desired outcome with respect to
meeting the system security requirements. The authorizing official will use this
information during the Security Accreditation Phase to determine the risk to
Organization’s operations, assets, or individuals. The accreditation package can be
16. Paper by Faisal Shirazee 13
submitted in either paper or electronic form. The contents of the accreditation package
should be protected appropriately in accordance with Organization policy.
Key Milestone:
ÿ The following questions should be answered before proceeding to the Security
Accreditation Phase:
o To what extent are the security controls in the information system
implemented correctly, operating as intended, and producing the desired
outcome with respect to meeting the security requirements for the
system?
o What specific actions have been taken or are planned to correct
deficiencies in the security controls and to reduce or eliminate known
vulnerabilities in the information system?
3.3 Phase III: Security Accreditation Phase
The Security Accreditation Phase consists of two tasks:
1) Security accreditation decision and 2) Security accreditation documentation. The purpose of
this phase is to determine if the remaining known vulnerabilities in the information system
(after the implementation of an agreed-upon set of security controls) pose an acceptable level
of risk to Organization’s operations, assets, or individuals. Upon successful completion of this
phase, the information system owner will have one of the following:
1) Authorization to operate the information system
2) An interim authorization to operate the information system under specific terms and
conditions
3) Denial of authorization to operate the information system.
3.3.1 Activity 6 - Security Accreditation Decision
The objective of the security accreditation decision task is to: (i) determine the risk to
Organization’s operations, assets, or individuals; and (ii) determine if the Organization-wide
risk is acceptable. The authorizing official, working with information from the information
system owner, Information Systems Security Officer, and certification agent produced during
the previous phase, has independent confirmation of the identified vulnerabilities in the
information system and a list of planned or completed corrective actions to reduce or
eliminate those vulnerabilities. It is this information that is used to determine the final risk to
Organization and the acceptability of that risk.
3.3.1.1 Task 6.1 - Final Risk Determination
17. Paper by Faisal Shirazee 14
Determine the risk to Organization’s operations, assets, or individuals based on the
vulnerabilities in the information system and any planned or completed corrective actions to
reduce or eliminate those vulnerabilities.
The authorizing official receives the final security accreditation package from the information
system owner. The vulnerabilities in the information system confirmed by the certification
agent should be assessed to determine how those particular vulnerabilities translate into risk
to Organization’s operations, assets, or individuals. The authorizing official or designated
representative should judge which information system vulnerabilities are of greatest concern to
Organization and which vulnerabilities can be tolerated without creating unreasonable
Organization-wide risk. The plan of action and milestones (i.e., actions taken or planned to
correct deficiencies in the security controls and reduce or eliminate vulnerabilities) submitted by
the information system owner should also be considered in determining the risk to Organization.
The authorizing official may consult the information system owner, certification agent, or other
agency officials before making the final risk determination.
3.3.1.2 Task 6.2 - Risk Acceptability
The authorizing official should consider many factors when deciding if the risk to Organization’s
operations, assets, or individuals is acceptable. Balancing security considerations with mission
and operational needs is paramount to achieving an acceptable accreditation decision. The
authorizing official renders an accreditation decision for the information system after reviewing
all of the relevant information and, where appropriate, consulting with key agency officials.
If, after assessing the results of the security certification, the authorizing official deems that the
Organization-wide risk is acceptable, an authorization to operate is issued. The information
system is accredited without any restrictions or limitations on its operation.
If, after assessing the results of the security certification, the authorizing official deems that the
Organization-wide risk is unacceptable, but there is an important mission-related need to place
the information system into operation, an interim authorization to operate may be issued. The
interim authorization to operate is a limited authorization under specific terms and conditions
including corrective actions to be taken by the information system owner and a required
timeframe for completion of those actions. A detailed plan of action and milestones should be
submitted by the information system owner and approved by the authorizing official prior to the
interim authorization to operate taking effect. The information system is not accredited during the
period of limited authorization to operate.
If, after assessing the results of the security certification, the authorizing official deems that the
Organization-wide risk is unacceptable, the information system is not authorized for operation
and thus is not accredited.
3.3.1.3 Activity 7 - Security Accreditation Documentation
18. Paper by Faisal Shirazee 15
The objective of the security accreditation documentation task is to transmit the final security
accreditation package to the appropriate individuals and organizations and update the system
security plan with the latest information from the accreditation decision. The completion of this
task concludes the Security Accreditation Phase of the security certification and accreditation
process.
3.3.1.4Task 7.1- Security Accreditation Package Transmission
Provide copies of the final security accreditation package including the accreditation decision
letter (in either paper or electronic form), to the information system owner and any other
agency officials having an interest (i.e., need to know) in the security of the information system.
3.3.1.5 Task 7.2 - System Security Plan Update
The system security plan should be updated to reflect any changes in the information system
resulting from the Security Accreditation Phase. Any conditions set forth in the accreditation
decision should also be noted in the plan. It is expected that the changes to the system security
plan at this phase in the security certification and accreditation process would be minimal.
Key Milestone:
ÿ The following questions should be answered before proceeding to the Continuous
Monitoring Phase:
o Is this agency-level risk acceptable?
o How do the known vulnerabilities in the information system translate
into agency-level risk— that is, risk to Organization S&T operations,
assets, or individuals?
3.4 Phase IV: Continuous Monitoring Phase
The Continuous Monitoring Phase consists of three tasks:
1) Configuration management and control
2) Security control monitoring
3) Status reporting and documentation.
The purpose of this phase is to provide oversight and monitoring of the security controls in the
information system on an ongoing basis and to inform the authorizing official when changes
occur that may impact on the security of the system. The activities in this phase are performed
continuously throughout the life cycle of the information system. Reaccredidation may be
required because of specific changes to the information system or because federal or
Organization policies require periodic reaccredidation of the information system.
3.4.1 Activity 8 - Configuration Management and Control
The objective of the configuration management and control task is to:
19. Paper by Faisal Shirazee 16
1) Document the proposed or actual changes to the information system
2) Determine the impact of proposed or actual changes on the security of the system.
An information system will typically be in a constant state of migration with upgrades to
hardware, software, or firmware and possible modifications to the system environment.
Documenting information system changes and assessing the potential impact on the security of
the system on an ongoing basis is an essential aspect of maintaining the security accreditation.
3.4.1.1 Task 8.1 - Documentation of Information System Changes
An orderly and disciplined approach to managing, controlling, and documenting changes to an
information system is critical to the continuous assessment of the security controls that protect
the system. It is important to record any relevant information about the specific proposed or
actual changes to the hardware, firmware, or software such as version or release numbers,
descriptions of new or modified features or capabilities, and security implementation guidance.
It is also important to record any changes to the information system environment such as
modifications to the physical plant. The information system owner and Information Systems
Security Officer should use this information in assessing the potential security impact of the
proposed or actual changes to the information system. Significant changes to the information
system should not be undertaken prior to assessing the security impact of such changes.
3.4.1.2 Task 8.2 - Security Impact Analysis
Analyze the proposed or actual changes to the information system (including hardware,
software, firmware, and surrounding environment) to determine the security impact of
such changes.
3.4.2 Activity 9 - Security Control Monitoring
The objective of the security control monitoring task is to, select an appropriate set of security
controls in the information system to be monitored and assess the designated controls using
methods and procedures selected by the information system owner. The continuous monitoring
of security controls helps to identify potential security-related problems in the information
system that are not identified during the security impact analysis conducted as part of the
configuration management and control process.
3.4.2.1 Task 9.1 - Security Control Selection
The criteria established by the information system owner for selecting which security controls
will be monitored should reflect Organization’s priorities and importance of the information
system to the department. For example, certain security controls may be considered more
critical than other controls because of the potential impact on the information system if those
controls were subverted or found to be ineffective. The security controls being monitored
should be reviewed over time to ensure that a representative sample of controls is included in
the ongoing security assessments.
20. Paper by Faisal Shirazee 17
3.4.2.2 Task 9.2 - Selected Security Control Assessment
Assess an agreed-upon set of security controls in the information system to determine the
extent to which the controls are implemented correctly, operating as intended, and producing
the desired outcome with respect to meeting the security requirements for the system.
The continuous monitoring of security controls can be accomplished in a variety of
ways including security reviews, self-assessments, security testing and evaluation, or
audits.
3.4.3 Activity 10 - Status Reporting and Documentation
The objective of the status reporting and documentation task is to:
1. Update the system security plan to reflect the proposed or actual changes to the information
system
2. Update the plan of action and milestones based on the activities carried out during the
continuous monitoring phase
3. Report the security status of the information system to the authorizing official and
Information Systems Security Manager.
The information in the security status reports (typically conveyed through updated plans of
action and milestones) should be used to determine the need for security reaccredidation and to
satisfy FISMA reporting requirements.
3.4.3.1 Task 10.1 - System Security Plan Update
Update the system security plan based on the documented changes to the information system
(including hardware, software, firmware, and surrounding environment) and the results of the
continuous monitoring process.
3.4.3.2 Task 10.2 - Plan of Action and Milestones Update
Update the plan of action and milestones based on the documented changes to the information
system (including hardware, software, firmware, and surrounding environment) and the results of
the continuous monitoring process.
3.4.3.3 Task 10.3 - Status Reporting
Report the security status of the information system to the authorizing official and Information
Systems Security Manager.
The security status report (which can be submitted in the form of an updated plan of action and
milestones) should describe the continuous monitoring activities employed by the information
system owner. The security status report addresses vulnerabilities in the information system
discovered during the security certification, security impact analysis, and security control
monitoring and how the information system owner intends to address those vulnerabilities (i.e.,
reduce, eliminate, or accept the vulnerabilities). The authorizing official and the Information
Systems Security Manager should use the security status reports to determine if a security re-
accreditation is necessary.
21. Paper by Faisal Shirazee 18
Key Milestone:
ÿ The following questions should be answered before reinitiating the certification and
accreditation process:
o Have any changes to the information system affected the security
controls in the system or introduced new vulnerabilities into the
system?
o If so, has the Organization-wide risk—that is, the risk to Organization’s
operations, assets, or individuals been affected? Or
o Has a specified time period passed requiring the information system to be
reauthorized in accordance with federal or Organization policy?
22. Paper by Faisal Shirazee 19
Appendix A. A Checklist for SP
Index SSP Requirement Response Score Comments
System Identification
1 Provide system name, title, or unique
identifier.
2 Categorize the system as a General
Support System (GSS) or Major
Application (MA). (Use NSIT 800-
199 to categorize your system)
3 Is the SSP’s classification or
sensitivity clearly marked?
4 Provide the name of the organization
responsible for the system, to include
an address and other contact
information.
5 List the name, title, organization,
telephone number, e-mail, of the
person(s) designated to be the
point(s) of contact of the system
including system owner, project
manager, etc.
6 List the name, title, organization,
telephone number, e-mail, of the
person(s) designated to be
responsible for the security of the
system.
7 Are there appointment letters?
8 Describe the operational status of the
system, such as operational, under
development, undergoing a major
modification, etc.
9 Describe the function and purpose of
the system.
10 If GSS, are MAs supported listed?
11 Describe system environment
including boundaries and any special
security concerns (e.g., Internet
connection), hardware, software, and
communications resources.
System Interconnection and Data Sharing
12 Provide a list of all systems to which
the system under review is connected
- to include the Internet - or with
which it shares information.
23. Paper by Faisal Shirazee 20
Index SSP Requirement Response Score Comments
13 Provide names, unique identifiers and
the owner organization for all
systems to which the system under
review is connected or with which it
shares information.
14 Describe system interconnection and
information sharing with other
systems including a Memorandum of
Understanding or Agreement
(MOU/MOA) for each interface.
System Sensitivity
15 List laws, regulations, and policies
affecting the system.
16 Describe system’s criticality (mission
critical, mission important, or
mission supportive).
17 Describe system’s sensitivity
(confidentiality, integrity, and
availability) of the information
processed, stored, or transmitted by
the system, and assess rates for each
(low, medium, or high).
Management Controls
Risk Management
18 Describes the risk assessment
methodology used.
19 Does the risk assessment
methodology identify threats,
vulnerabilities, and additional
security controls required /
implemented to mitigate risks?
20 If no risk assessment has been
performed, does the SSP include a
milestone date for its completion?
21 If last risk assessment was performed
more than three years ago or if there
have been major changes to the
system, does SSP include a milestone
date for completion of follow-up risk
assessment?
Review of Security Controls
22 Include a description of the type of
security controls review (i.e. OIG
audit, self-assessment, etc.)
conducted for the system in the last
three years.
23 Include a summary of major findings
(to include material weaknesses) for
the security controls reviews
conducted.
24. Paper by Faisal Shirazee 21
Index SSP Requirement Response Score Comments
Rules of Behavior
23 Describe rules of behavior for the
system.
System Lifecycle
24 Describe how planning for security is
handled throughout each phase of the
System Development Life Cycle
(SDLC).
25 Is the system’s SDLC phase
identified?
If the system is in the development/acquisition phase, does the System Security Plan contain the following info
26 Security requirements identified
during the design phase.
27 Security controls test procedures
developed before procurement.
28 Solicitation documentation includes/d
security requirements and
evaluation/test procedures.
If the system is in the implementation phase, does the SSP contain the following information
29 Description of when and who
conducted design reviews and system
tests.
30 Testing schedule and procedures for
controls implemented after initial
testing and acceptance.
31 Identifies/references test procedures
documentation.
32 Describe whether such
documentation is maintained up-to-
date.
If the system is in the operational phase, does the SSP contain the following information
33 The security operations and
administration to include information
pertaining to backup procedures,
training for users and administrators,
management of cryptographic keys,
maintenance of user and
administrative privileges, and
updating security.
34 Description of the process for
ensuring operation assurance (I.e. if
C&A is the process for operational
assurance, then reference the
authorize processing section or
appropriate accreditation
documentation).
35 Detailed auditing processes used to
maintain system operational
assurance.
25. Paper by Faisal Shirazee 22
Index SSP Requirement Response Score Comments
If the system is in the disposal phase, does the SSP provide the following information
36 The requirements for and procedures
secure transfer and/or long-term
storage of data. (Note: The
requirements comes from the data
owner or the organization)
37 Requirements and procedures for
media sanitization. Again, The
requirements comes from the data
owner or the organization
Authorize Processing
38 References or contains information
pertaining to system certification and
accreditation.
If processing authorized, does C&A documentation include the following information
39 Completed technical and/or security
evaluation. This step could wait till
the end of the second phase of the
NIST 800-37 process.
40 Completed risk assessment (RA). The
RA could be of number of formats.
Please see the NIST 800-37 and
NIST 800-30 for further guidance. In
a nutshell a RA should list out all the
vulnerabilities associated with your
system or application, identify the
threat associated with them and a risk
based decision on realization of those
vulnerabilities.
41 Established rules of behavior that
have been signed by all users.
42 Completed and tested contingency
plan.
43 Statement certifying that system
meets all applicable federal laws,
regulations, policies, guidelines and
standards.
44 Statement certifying that stated
safeguards are in place, appears
adequate for the system, and operates
as intended.
Operational Controls
Personnel Security
45 Lists sensitivity levels for each
position. By position it means the job
title.
46 Clearly describe the background
screening process
26. Paper by Faisal Shirazee 23
Index SSP Requirement Response Score Comments
47 Thoroughly write out the access
controls for individuals who have
been granted access prior to
background check
48 Have in depth description of how
user access is restricted (least
privilege) to data files, to processing
capability, or to peripherals and type
of access (e.g., read, write, execute,
delete) to the minimum necessary to
perform the job
49 Describes how critical functions are
divided among different individuals
(separation of duties) to ensure that
no individual has all necessary
authority or information access which
could result in fraudulent activity
50 State he process for requesting,
establishing, issuing, and closing user
accounts
Physical and Environmental Security
51 What are the access controls
restricting the entry and exit of
personnel (and often equipment and
media) from an area, such as an
office building, suite, data center, or
room containing a local area network
(LAN) server?
52 Lists the fire safety procedures of the
building that house the systems
53 How support utilities, such as,
electric power, heating and air
conditioning, water sewage and other
utilities are verified for operability?
54 Are the controls to prevent data
interception from direct observation,
interception of data transmission and
electromagnetic interception listed
out clearly?
Production and Input/Output Controls
55 Detail the help desk support which
can respond to security incidents in a
timely manner
56 Write out or point out in the
respective document the procedures
to ensure unauthorized individuals
cannot read, copy, alter, or steal
printed or electronic information
27. Paper by Faisal Shirazee 24
Index SSP Requirement Response Score Comments
57 Describes procedures to ensure that
authorized users pick up, receive, or
deliver input and output information
and media. This process could be part
of SP or there could be a pointer
reference to another appropriate
document.
58 Consult with the privacy office and
ensure that internal/external labeling
for appropriate sensitivity (e.g.,
Privacy Act, Proprietary) are used
according to the organizational policy
and associated privacy laws.
59 List or point to an appropriate
document, which describes
procedures and controls used for
transporting or mailing media or
printed output
Contingency Planning – See B-2.7
60 Include emergency, backup, and
contingency procedures.
61 Lists contingency planning tests,
frequency, and totals.
Software Maintenance Controls
62 Describes how application or
software was developed (in-house or
under contract)
63 List the ownership of software. Who
ultimately owns the application?
Usually a person but could be a title
of an organization.
64 If the application software is
copyrighted commercial off-the-self
product or shareware or if the
software is sufficiently licensed,
write out either scenarios clearly.
65 Give a detail description of the
change control process in place for
the application or software or point to
an appropriate document.
Data Integrity Controls
66 Give detail description of how data is
protected from virus
67 What mechanisms are in place to
protect data from unlawful
modification? List them out clearly
68 Describes integrity controls used
within the system
28. Paper by Faisal Shirazee 25
Index SSP Requirement Response Score Comments
69 If intrusion detection tools are
installed on the system, give detail
description of its installation and
usage.
70 Describes how system performance
monitoring are used to analyze
system performance logs in real time
to look for availability problems,
including active attacks, and system
and network slowdowns and crashes
71 List how message authentication is
used in the application to ensure that
the sender of a message is known and
that the message has not been altered
during transmission
System Documentation
72 List all the documentation maintained
for the system. Basically, list all the
relevant document to the SP
Security Awareness and Training – See B-2.6
73 Include security training curriculum,
frequency, and totals.
74 List any specialized training for
security personnel (ISSO, ISSM,
etc.), system administrators, etc.
Technical Controls
Identification and Authentication
75 Thoroughly describe the method of
user authentication (password, token
and biometrics)
76 List the password system used,
including allowable character set.
List the organizational requirement of
password length.
77 Either point to or write detail
procedures for training users and the
materials covered.
78 Describes the frequency of password
changes and how password changes
are enforced
79 If biometrics controls are used,
describe them and explain how they
are implemented
80 Again, if token controls are used on
the system give a detail description of
them and how they are implemented
81 List the level of enforcement of the
access control mechanism (network,
operating system, and application)
29. Paper by Faisal Shirazee 26
Index SSP Requirement Response Score Comments
82 Describe how the access control
mechanism supports individual
accountability and audit trails (e.g.
passwords are associated with a user
identifier that is assigned to a single
individual)
83 Thoroughly describe the self-
protection techniques for the user
authentication mechanism (e.g.,
passwords are transmitted and stored
with one-way encryption to prevent
anyone [including the System
Administrator] from reading the
clear-text password)
84 Include the lock out criteria. For
example, number of invalid access
attempts that may occur for a given
user identifier or access location
(terminal or port) and the actions
taken when the limit is exceeded
85 If applicable, detail the use of
electronic signatures and the security
controls provided
86 List the policy and the
implementation of cryptographic key
management procedures for key
generation, distribution, storage,
entry, use, destruction and archiving
Logical Access Controls
87 Clearly state, how separation of
duties is enforced to prevent an
individual from having all necessary
authority or information access to
allow fraudulent activity without
collusion
88 Describe the application's capability
to establish an Access Controls List
or register of the users and the type of
access they are permitted
89 Give detail description of how
Access Control List is maintained
90 Thoroughly define how application
users are restricted from accessing
the operating system, other
applications, or other system
resources not needed in the
performance of their application
30. Paper by Faisal Shirazee 27
Index SSP Requirement Response Score Comments
91 List how often Access Control Lists
are reviewed to identify and remove
users who have left organization or
whose duties no longer require access
to the application
92 Describes controls to detect
unauthorized transaction attempts by
authorized and/or unauthorized users
93 Point out or describe the policy or
logical access controls that regulate
how users may delegate access
permissions or make copies of files
or information accessible to other
users
94 Clearly define, after what period of
user inactivity the system
automatically blanks associated
display screens and incase of an
application after what period of user
inactivity the system automatically
disconnects inactive users or requires
the user to enter a unique password to
reconnect.
95 Explain how encryption is used to
prevent unauthorized access to
sensitive files as part of the system or
application access control procedures
96 List what other hardware or technical
control are used to provide protection
against unauthorized system
penetration and other known Internet
threats and vulnerabilities if the
system is connected to the Internet or
other wide area network(s).
97 Describes any port protection devices
used to require specific access
authorization to the communication
ports, including the configuration of
the port protection devices, and if
additional passwords or tokens are
required.
98 Evaluate and determine whether
internal security labels are used to
control access to specific information
types or files, and if such labels
specify protective measures or
indicate additional handling
instructions.
99 If applicable, describe how host-
based authentication is used.
31. Paper by Faisal Shirazee 28
Index SSP Requirement Response Score Comments
Public Access Controls
If applicable, does the SSP provide a description of the public access controls to include the following information
100 I&A controls used, where applicable.
101 Access controls used to limit user
access and privileges.
102 Controls to prevent modification of
data.
103 Digital Signatures.
104 Segregation of system for public
access.
105 Generation of data copies for systems
accessed by the public.
106 Controls to prohibit public access to
live databases.
107 Controls to ensure information
distributed to public is virus-free.
108 Audit trails and user confidentiality.
109 System and data availability.
110 Legal considerations.
Auditing
111 Explain how audit trail are used to
support accountability by providing a
trace of user actions
112 Clearly define and write out the three
Ws of auditing. That is, who, when,
and why accessed the information of
your system.
113 Describes how audit trails are
designed and implemented to record
appropriate information to assist in
intrusion detection
114 If applicable, describe how audit
trials used as online tools to help
identify problems other than
intrusions as they occur
115 Provide supporting argument that
implemented audit trails are
sufficient to establish what events
occurred and who (or what) caused
them.
116 Clearly provide explanation on how
access to audit logs are restricted
117 Describes how separation of duties
between security personnel who
administer the access control function
and those who administer the audit
trial are used and enforced
32. Paper by Faisal Shirazee 29
Index SSP Requirement Response Score Comments
118 List how frequently audit trails are
reviewed and whether there are
review guidelines
119 Explain how the appropriate system-
level or application-level
administrator review the audit trails
following a known system or
application software problem, a
known violation of existing
requirements by a user, or some
unexplained system or user problem.
120 If audit analysis tools are used,
describes how those Audit analysis
tools, such as those based on audit
reduction, attack signature, and
variance techniques, are used in a
real-time or near real-time fashion
33. Paper by Faisal Shirazee 30
Appendix B: ACRONYMS
AIS automated information system
AFR Air Force Regulation
CA certification authority
C&A certification and accreditation
CAP connection approval process
CCB Configuration Control Board
CI configuration item
CM configuration management
COMPUSEC computer security
COMSEC communications security
CONOPS concept of operations
COTS commercial-off-the-shelf
CPU central processing unit
CTTA Certified TEMPEST Technical Authority
DAC discretionary access control
DITSCAP DoD Information Technology Security Certification and
Accreditation Process
DoD Department of Defense
DODD Department of Defense Directive
DT&E development test & evaluation
DTLS Descriptive top-level specification
ECP engineering change proposal
EPL evaluated products list
FCA functional configuration audit
FER final evaluation report
FIPS federal Information Processing Standard
FSRS functional security requirements specification
FTLS formal top-level specification
GOTS Government-off-the-shelf
HVAC heating/ventilation/air conditioning
I&A Identification and authentication
INFOSEC information systems security
I/O input/output
IOC initial operational capability
ISSO Information Systems Security Officer
ISSWG information systems security working group
IV&V independent validation and verification
LAN local area network
MAC mandatory access control
MOA memorandum of agreement
NASA National Aeronautics and Space Administration
NIST National Institute of Standards and Technology
NSA National Security Agency
34. Paper by Faisal Shirazee 31
NSO network security officer
OI operating instruction
OMB Office of Management and Budget
OPSEC operations security
OT&E operational test and evaluation
PC personal computer
PCA physical configuration audit
PM program manager
RFP request for proposal
ROM rough order of magnitude
SCI sensitive compartmented information
SCIF sensitive compartmented information facility
SFUG security features user’s guide
SOW statement of work
ST&E security test and evaluation
TASO terminal area security officer
TCB trusted computing base
TFM trusted computing base
TRANSEC transmission security
TS top secret
WAN wide area network
35. Paper by Faisal Shirazee 32
REFERENCES
1) National Institute Standard and Technology (NIST), Guide for the Security
Certification and Accreditation of Federal Information Systems,
Version 1.2, May 24, 2004.
2) National Computer Security Center, Introduction to Certification and
Accreditation (NCSC-TG-029), January 1994.
3) National Security Telecommunications and Information Systems Security
Committee National Information Systems Security (INFOSEC) Glossary
(NSTISSI No. 4009), 5 June 1992.
4) INFOSEC Management Panel Committee Working Group (IMP CWG) Report, A
Proposed DOD Certification and Accreditation Standard (IW CWG Publication
92- 1, Version 1.0), 16 October 1992.
5) Report Security System Engineering: Composite Analysis Report, Volume 2 -
Architect's Handbook (draft) xxxxx), 6 October 1993.
6) DoD Computer Security Center, Guidance for Applying the Department of
Defense Trusted Computer System Evaluation Criteria in Specific Environments
(CSC-STD-00385), 25 June 1985.
7) DoD, Information Technology Security Certification and Accreditation Process
(DITSCAP) (draft), 30 November 1995.
8) NASA Handbook 2410.9, NASA Automated Information Security Handbook,
September 1990.
9) National Institute of Standards and Technology/U.S. Department of Health and
Human Services: U.S. Department of Health and Human Services Automated
Information Systems Security Program Handbook (NISTIR 4635), July 1991.
10) Office of the Auditor General of Canada: Information Sensitivity and Security
Assessment for Computer Information Holdings.
11) National Institute of Standards and Technology, Guideline for Automated Data
Processing Risk Analysis (FIPS PUB 65), August 1985.
12) National Computer Security Center, A Guide to Procurement of Trusted Systems:
An Introduction to Procurement Initiators on Computer Security Requirements
(NCSC-TG024, Version 1), December 1992.
13) Arca Systems, Inc. Guidance for Developing a Certification and Accreditation
Plan (draft), 28 April 1993.
36. Paper by Faisal Shirazee 33
14) Information Systems Security Organization, Information System Security Policy
Guideline (draft), 1 April 1993.
15) DoD Computer Security Center, Computer Security Requirements, Guidance for
Applying the Department of Defense Trusted Computer System Evaluation
Criteria in Specific Environments (CSC-STD-003-85), 25 June 1985.
16) MITRE Report, Guidelines for Certification of Existing Sensitive Systems (MTR-
WI8), July 1982.
17) Information Systems Security Organization, DAA Handbook (draft) (CA-003), 10
April 1993.
18) Dr. Dixie Baker, Dr. Deborah Downs, Frank Belvin, Dr. Santosh Chokhani,
James L. Arnold Jr., and Ronald J. Bottomly, Trusted Computer System
Architecture: Assessing Modularity, 18 December 1992.
19) Office of Security Information Systems Group, Elements of Secure Computing,
August 1992.
20) National Computer Security Center, Department of Defense Trusted Computer
System Evaluation Criteria (DoD 5200.28-STD), December 1985.
21) U.S. General Services Administration, Office of Technical Assistance:
Information Technology Installation Security. Defense Logistics Agency (DLA)
Regulation No. 5200.17, 9 October 1991. Department of the Navy Automated
Information Systems Security Guidelines.
22) Management of Federal Information Resource (OMB Circular A-130), Feb. 8,
1996.
23) Management Accountability and Control (OMB Circular A-123), 21 June 1995.
24) Financial Management Systems (OMB Circular A-127), 23 July 1993.