Date post: | 16-Nov-2014 |
A Guide to NIST Information Security Documents
Table of Contents

Introduction 1
Topic Clusters 2
  Annual Reports 2
  Audit & Accountability 2
  Authentication 3
  Awareness & Training 4
  Biometrics 4
  Certification & Accreditation (C&A) 5
  Communications & Wireless 6
  Contingency Planning 6
  Cryptography 7
  Digital Signatures 8
  Forensics 8
  General IT Security 8
  Incident Response 9
  Maintenance 9
  Personal Identity Verification (PIV) 10
  PKI 11
  Planning 11
  Research 13
  Risk Assessment 13
  Services & Acquisitions 14
  Smart Cards 15
  Viruses & Malware 15
  Historical Archives 16
Families 18
  Access Control 18
  Awareness & Training 19
  Audit & Accountability 19
  Certification, Accreditation & Security Assessments 19
  Configuration Management 20
  Contingency Planning 21
  Identification & Authentication 21
  Incident Response 22
  Maintenance 22
  Media Protection 23
  Physical & Environmental Protection 23
  Planning 23
  Personnel Security 24
  Risk Assessment 25
  System & Services Acquisition 26
  System & Communication Protection 26
  System & Information Integrity 28
Legal Requirements 29
  Federal Information Security Management Act of 2002 (FISMA) 29
  OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources 30
  E-Government Act of 2002 31
  Homeland Security Presidential Directive-12 (HSPD-12), Common Identification Standard for Federal Employees and Contractors 31
  OMB Circular A-11: Preparation, Submission, and Execution of the Budget 31
  Other Requirements with Supporting Documents 32
    Health Insurance Portability and Accountability Act (HIPAA) 32
    Homeland Security Presidential Directive-7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection 32
Introduction

For many years, the Computer Security Division has made great contributions to help secure our nation's information and information systems. Our work has paralleled the evolution of information technology (IT), initially focused principally on mainframe computers, to now encompass today's wide gamut of IT devices.
Currently, there are over 250 NIST information security documents. This number includes Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, Information Technology Laboratory (ITL) Bulletins, and NIST Interagency Reports (NISTIR). These documents are typically listed by publication type and number, or by month and year in the case of the ITL Bulletins. This can make finding a document difficult if the number or date is not known.
In order to make NIST information security documents more accessible, especially to those just entering the security field or with limited needs for the documents, we are presenting this Guide. In addition to being listed by type and number, this Guide will present the documents using three approaches to ease searching:

by Topic Cluster
by Family
by Legal Requirement
Several people looking for documents regarding Federal employee identification badges might approach their search in drastically different ways. One person might look for the legal basis behind the badges, HSPD-12 (Homeland Security Presidential Directive 12). HSPD-12 is listed in the legal requirement list. Another might look for "PIV" (personal identification verification), and they could find it under the topic clusters. Another might look for "Identification and Authentication," and they would find it under the family list. Yet another person might look for "smart card" or "biometrics," both of which are under the topic clusters.
It needs to be understood, however, that documents are not generally mapped to every topic mentioned in the document. For instance, SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, deals with topics such as contingency plans and incident response. However, SP 800-66 is not considered an essential document when looking for documents about contingency plans or incident response.
The Guide will be updated on a bi-annual basis to include new documents, topic clusters, and legal requirements, as well as to reflect any shifts in document mapping that are appropriate.
NIST Information Security Documents

The Federal Information Processing Standards (FIPS) Publication Series is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of the Federal Information Security Management Act (FISMA) of 2002.
The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security and its collaborative activities with industry, government, and academic organizations.
ITL Bulletins are published by the Information Technology Laboratory. Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis.
The NIST Interagency Report series may report results of projects of transitory or limited interest. They may also include interim or final reports on work performed by NIST for outside sponsors (both government and non-government).
Topic Clusters
Annual Reports

The Annual Reports are the method that the NIST Computer Security Division uses to publicly report on the past year's accomplishments and plans for the next year.

NISTIR 7285  Computer Security Division - 2005 Annual Report
NISTIR 7219  Computer Security Division - 2004 Annual Report
NISTIR 7111  Computer Security Division - 2003 Annual Report
Audit & Accountability

A collection of documents that relates to review and examination of records and activities in order to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to provide the supporting requirement for actions of an entity to be traced uniquely to that entity.

FIPS 200  Security Controls for Federal Information Systems
FIPS 199  Standards for Security Categorization of Federal Information and Information Systems
FIPS 191  Guideline for The Analysis of Local Area Network Security
FIPS 140-2  Security Requirements for Cryptographic Modules
SP 800-92  Guide to Computer Security Log Management
SP 800-55  Security Metrics Guide for Information Technology Systems
SP 800-53A  Guide for Assessing the Security Controls in Federal Information Systems
SP 800-53  Security Controls for Federal Information Systems
SP 800-50  Building an Information Technology Security Awareness and Training Program
SP 800-42  Guideline on Network Security Testing
SP 800-41  Guidelines on Firewalls and Firewall Policy
SP 800-37  Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-26  Security Self-Assessment Guide for Information Technology Systems
SP 800-18  Guide for Developing Security Plans for Information Technology Systems
SP 800-16  Information Technology Security Training Requirements: A Role- and Performance-Based Model
NISTIR 7316  Assessment of Access Control Systems
NISTIR 7284  Personal Identity Verification Card Management Report
NISTIR 6981  Policy Expression and Enforcement for Handheld Devices
March 2006  Minimum Security Requirements For Federal Information And Information Systems: Federal Information Processing Standard (FIPS) 200 Approved By The Secretary Of Commerce
January 2006  Testing And Validation Of Personal Identity Verification (PIV) Components And Subsystems For Conformance To Federal Information Processing Standard 201
August 2005  Implementation Of FIPS 201, Personal Identity Verification (PIV) Of Federal Employees And Contractors
May 2005  Recommended Security Controls For Federal Information Systems: Guidance For Selecting Cost-Effective Controls Using A Risk-Based Process
November 2004  Understanding the New NIST Standards and Guidelines Required by FISMA: How Three Mandated Documents are Changing the Dynamic of Information Security for the Federal Government
March 2004  Federal Information Processing Standard (FIPS) 199, Standards For Security Categorization Of Federal Information And Information Systems
August 2003  IT Security Metrics
June 2003  ASSET: Security Assessment Tool For Federal Agencies
January 2002  Guidelines on Firewalls and Firewall Policy
September 2001  Security Self-Assessment Guide for Information Technology Systems
February 2000  Guideline for Implementing Cryptography in the Federal Government
Authentication

FIPS 198  The Keyed-Hash Message Authentication Code (HMAC)
FIPS 196  Entity Authentication Using Public Key Cryptography
FIPS 190  Guideline for the Use of Advanced Authentication Technology Alternatives
FIPS 186-3  Digital Signature Standard (DSS)
FIPS 181  Automated Password Generator
FIPS 180-2  Secure Hash Standard (SHS)
SP 800-89  Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-63  Recommendation for Electronic Authentication
SP 800-57  Recommendation on Key Management
SP 800-38C  Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
SP 800-38B  Recommendation for Block Cipher Modes of Operation: The RMAC Authentication Mode
SP 800-38A  Recommendation for Block Cipher Modes of Operation - Methods and Techniques
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-21 Rev 1  Guideline for Implementing Cryptography in the Federal Government
SP 800-17  Modes of Operation Validation System (MOVS): Requirements and Procedures
NISTIR 7290  Fingerprint Identification and Mobile Handheld Devices: An Overview and Implementation
NISTIR 7206  Smart Cards and Mobile Device Authentication: An Overview and Implementation
NISTIR 7200  Proximity Beacons and Mobile Handheld Devices: Overview and Implementation
NISTIR 7046  Framework for Multi-Mode Authentication: Overview and Implementation Guide
NISTIR 7030  Picture Password: A Visual Login Technique for Mobile Devices
September 2005  Biometric Technologies: Helping To Protect Information And Automated Transactions In Information Technology Systems
July 2005  Protecting Sensitive Information That Is Transmitted Across Networks: NIST Guidance For Selecting And Using Transport Layer Security Implementations
August 2004  Electronic Authentication: Guidance For Selecting Secure Techniques
March 2003  Security For Wireless Networks And Devices
May 2001  Biometrics - Technologies for Highly Secure Personal Authentication
March 2001  An Introduction to IPsec (Internet Protocol Security)
Awareness & Training

SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-50  Building an Information Technology Security Awareness and Training Program
SP 800-46  Security for Telecommuting and Broadband Communications
SP 800-16  Information Technology Security Training Requirements: A Role- and Performance-Based Model
NISTIR 7284  Personal Identity Verification Card Management Report
October 2003  Information Technology Security Awareness, Training, Education, and Certification
November 2002  Security For Telecommuting And Broadband Communications
Biometrics

A collection of documents that details security issues and potential controls using a measurable, physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of a person.

FIPS 201-1  Personal Identity Verification for Federal Employees and Contractors
SP 800-76  Biometric Data Specification for Personal Identity Verification
NISTIR 7290  Fingerprint Identification and Mobile Handheld Devices: An Overview and Implementation
NISTIR 7284  Personal Identity Verification Card Management Report
NISTIR 7206  Smart Cards and Mobile Device Authentication: An Overview and Implementation
NISTIR 7056  Card Technology Development and Gap Analysis Interagency Report
NISTIR 6887  Government Smart Card Interoperability Specification (GSC-IS), v2.1
NISTIR 6529-A  Common Biometric Exchange File Format (CBEFF)
September 2005  Biometric Technologies: Helping To Protect Information And Automated Transactions In Information Technology Systems
August 2005  Implementation Of FIPS 201, Personal Identity Verification (PIV) Of Federal Employees And Contractors
March 2005  Personal Identity Verification (PIV) Of Federal Employees And Contractors: Federal Information Processing Standard (FIPS) 201
July 2002  Overview: The Government Smart Card Interoperability Specification
May 2001  Biometrics - Technologies for Highly Secure Personal Authentication
Certification & Accreditation (C&A)

Certification and Accreditation (C&A) is a collection of documents that can be used to conduct the C&A of an information system in accordance with OMB A-130-III.

FIPS 200  Security Controls for Federal Information Systems
FIPS 199  Standards for Security Categorization of Federal Information and Information Systems
FIPS 191  Guideline for The Analysis of Local Area Network Security
SP 800-88  Media Sanitization Guide
SP 800-84  Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SP 800-60  Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-59  Guideline for Identifying an Information System as a National Security System
SP 800-55  Security Metrics Guide for Information Technology Systems
SP 800-53A  Guide for Assessing the Security Controls in Federal Information Systems
SP 800-53  Security Controls for Federal Information Systems
SP 800-47  Security Guide for Interconnecting Information Technology Systems
SP 800-42  Guideline on Network Security Testing
SP 800-37  Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems
SP 800-34  Contingency Planning Guide for Information Technology Systems
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-26  Security Self-Assessment Guide for Information Technology Systems
SP 800-23  Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
SP 800-18  Guide for Developing Security Plans for Information Technology Systems
March 2006  Minimum Security Requirements For Federal Information And Information Systems: Federal Information Processing Standard (FIPS) 200 Approved By The Secretary Of Commerce
May 2005  Recommended Security Controls For Federal Information Systems: Guidance For Selecting Cost-Effective Controls Using A Risk-Based Process
November 2004  Understanding the New NIST Standards and Guidelines Required by FISMA: How Three Mandated Documents are Changing the Dynamic of Information Security for the Federal Government
July 2004  Guide For Mapping Types Of Information And Information Systems To Security Categories
May 2004  Guide For The Security Certification And Accreditation Of Federal Information Systems
March 2004  Federal Information Processing Standard (FIPS) 199, Standards For Security Categorization Of Federal Information And Information Systems
August 2003  IT Security Metrics
June 2003  ASSET: Security Assessment Tool For Federal Agencies
February 2003  Secure Interconnections for Information Technology Systems
September 2001  Security Self-Assessment Guide for Information Technology Systems
Communications & Wireless

A collection of documents that details security issues associated with the transmission of information over multiple media, including security considerations with the use of wireless.

FIPS 140-2  Security Requirements for Cryptographic Modules
SP 800-82  Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security
SP 800-81  Secure Domain Name System (DNS) Deployment Guide
SP 800-77  Guide to IPsec VPNs
SP 800-58  Security Considerations for Voice Over IP Systems
SP 800-52  Guidelines for the Selection and Use of Transport Layer Security
SP 800-48  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
SP 800-46  Security for Telecommuting and Broadband Communications
SP 800-45  Guidelines on Electronic Mail Security
SP 800-41  Guidelines on Firewalls and Firewall Policy
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
NISTIR 7206  Smart Cards and Mobile Device Authentication: An Overview and Implementation
NISTIR 7046  Framework for Multi-Mode Authentication: Overview and Implementation Guide
October 2004  Securing Voice Over Internet Protocol (IP) Networks
March 2003  Security For Wireless Networks And Devices
January 2003  Security Of Electronic Mail
November 2002  Security For Telecommuting And Broadband Communications
January 2002  Guidelines on Firewalls and Firewall Policy
March 2001  An Introduction to IPsec (Internet Protocol Security)
August 2000  Security for Private Branch Exchange Systems
Contingency Planning

A collection of documents that details management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster.

SP 800-84  Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SP 800-46  Security for Telecommuting and Broadband Communications
SP 800-34  Contingency Planning Guide for Information Technology Systems
January 2004  Computer Security Incidents: Assessing, Managing, And Controlling The Risks
June 2002  Contingency Planning Guide For Information Technology Systems
April 2002  Techniques for System and Data Recovery
Cryptography

A collection of documents that discusses the multiple uses and security issues of encryption, decryption, key management, and the science and technologies used to assure the confidentiality of information by hiding semantic content, preventing unauthorized use, or preventing undetected modification.

FIPS 198  The Keyed-Hash Message Authentication Code (HMAC)
FIPS 197  Advanced Encryption Standard
FIPS 196  Entity Authentication Using Public Key Cryptography
FIPS 190  Guideline for the Use of Advanced Authentication Technology Alternatives
FIPS 186-3  Digital Signature Standard (DSS)
FIPS 185  Escrowed Encryption Standard
FIPS 181  Automated Password Generator
FIPS 180-2  Secure Hash Standard (SHS)
FIPS 140-2  Security Requirements for Cryptographic Modules
SP 800-90  Recommendation for Random Number Generation Using Deterministic Random Bit Generators
SP 800-67  Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
SP 800-57  Recommendation on Key Management
SP 800-56A  Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
SP 800-52  Guidelines on the Selection and Use of Transport Layer Security
SP 800-49  Federal S/MIME V3 Client Profile
SP 800-38C  Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
SP 800-38B  Recommendation for Block Cipher Modes of Operation: The RMAC Authentication Mode
SP 800-38A  Recommendation for Block Cipher Modes of Operation - Methods and Techniques
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-22  A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
SP 800-21 Rev 1  Guideline for Implementing Cryptography in the Federal Government
SP 800-17  Modes of Operation Validation System (MOVS): Requirements and Procedures
SP 800-15  Minimum Interoperability Specification for PKI Components (MISPC), Version 1
NISTIR 7206  Smart Cards and Mobile Device Authentication: An Overview and Implementation
NISTIR 7046  Framework for Multi-Mode Authentication: Overview and Implementation Guide
September 2002  Cryptographic Standards and Guidelines: A Status Report
December 2000  A Statistical Test Suite For Random And Pseudorandom Number Generators For Cryptographic Applications
February 2000  Guideline for Implementing Cryptography in the Federal Government
Digital Signatures

A collection of documents that discusses the multiple uses and security issues of digital signatures.

FIPS 198  The Keyed-Hash Message Authentication Code (HMAC)
FIPS 186-3  Digital Signature Standard (DSS)
FIPS 180-2  Secure Hash Standard (SHS)
FIPS 140-2  Security Requirements for Cryptographic Modules
SP 800-57  Recommendation on Key Management
SP 800-52  Guidelines on the Selection and Use of Transport Layer Security
SP 800-49  Federal S/MIME V3 Client Profile
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-21 Rev 1  Guideline for Implementing Cryptography in the Federal Government
SP 800-15  Minimum Interoperability Specification for PKI Components (MISPC), Version 1
February 2000  Guideline for Implementing Cryptography in the Federal Government
Forensics

A collection of documents that discusses the practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.

SP 800-86  Guide to Integrating Forensic Techniques into Incident Response
SP 800-72  Guidelines on PDA Forensics
SP 800-31  Intrusion Detection Systems (IDSs)
NISTIR 7250  Cell Phone Forensic Tools: An Overview and Analysis
NISTIR 7100  PDA Forensic Tools: An Overview and Analysis
September 2006  Forensic Techniques: Helping Organizations Improve Their Responses To Information Security Incidents
November 2001  Computer Forensics Guidance
General IT Security

A collection of documents that spans multiple topic areas and covers a very broad range of security subjects. These documents are not typically listed in Topic Clusters because they are generally applicable to almost all of them.

FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-64  Security Considerations in the Information System Development Life Cycle
SP 800-47  Security Guide for Interconnecting Information Technology Systems
SP 800-33  Underlying Technical Models for Information Technology Security
SP 800-27  Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
NISTIR 7298  Glossary of Key Information Security Terms
Incident Response

A collection of documents to assist in the creation of a pre-determined set of instructions or procedures to detect, respond to, and limit the consequences of a malicious cyber attack against an organization's IT system(s).

SP 800-86  Guide to Integrating Forensic Techniques into Incident Response
SP 800-84  Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-61  Computer Security Incident Handling Guide
SP 800-51  Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
SP 800-40  Procedures for Handling Security Patches
SP 800-31  Intrusion Detection Systems (IDSs)
NISTIR 7250  Cell Phone Forensic Tools: An Overview and Analysis
NISTIR 7100  PDA Forensic Tools: An Overview and Analysis
NISTIR 6981  Policy Expression and Enforcement for Handheld Devices
NISTIR 6416  Applying Mobile Agents to Intrusion Detection and Response
September 2006  Forensic Techniques: Helping Organizations Improve Their Responses To Information Security Incidents
February 2006  Creating A Program To Manage Security Patches And Vulnerabilities: NIST Recommendations For Improving System Security
December 2005  Preventing And Handling Malware Incidents: How To Protect Information Technology Systems From Malicious Code And Software
October 2005  National Vulnerability Database: Helping Information Technology System Users And Developers Find Current Information About Cyber Security Vulnerabilities
January 2004  Computer Security Incidents: Assessing, Managing, And Controlling The Risks
October 2002  Security Patches And The CVE Vulnerability Naming Scheme: Tools To Address Computer System Vulnerabilities
April 2002  Techniques for System and Data Recovery
November 2001  Computer Forensics Guidance
Maintenance

A collection of documents discussing security concerns with systems in the maintenance phase of the System Development Life Cycle.

SP 800-88  Media Sanitization Guide
SP 800-84  Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-70  Security Configuration Checklists Program for IT Products
SP 800-69  Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
SP 800-68  Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
SP 800-55  Security Metrics Guide for Information Technology Systems
SP 800-53  Security Controls for Federal Information Systems
SP 800-51  Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
SP 800-44  Guidelines on Securing Public Web Servers
SP 800-43  Systems Administration Guidance for Securing Microsoft Windows 2000 Professional System
SP 800-41  Guidelines on Firewalls and Firewall Policy
SP 800-40  Procedures for Handling Security Patches
SP 800-31  Intrusion Detection Systems (IDSs)
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
NISTIR 7284  Personal Identity Verification Card Management Report
NISTIR 7275  Specification for the Extensible Configuration Checklist Description Format (XCCDF)
NISTIR 6985  COTS Security Protection Profile - Operating Systems (CSPP-OS) (Worked Example Applying Guidance of NISTIR-6462, CSPP)
NISTIR 6462  CSPP - Guidance for COTS Security Protection Profiles
FIPS 191  Guideline for The Analysis of Local Area Network Security
FIPS 188  Standard Security Labels for Information Transfer
December 2005  Preventing And Handling Malware Incidents: How To Protect Information Technology Systems From Malicious Code And Software
February 2006  Creating A Program To Manage Security Patches And Vulnerabilities: NIST Recommendations For Improving System Security
November 2005  Securing Microsoft Windows XP Systems: NIST Recommendations For Using A Security Configuration Checklist
October 2005  National Vulnerability Database: Helping Information Technology System Users And Developers Find Current Information About Cyber Security Vulnerabilities
October 2004  Securing Voice Over Internet Protocol (IP) Networks
January 2004  Computer Security Incidents: Assessing, Managing, And Controlling The Risks
November 2003  Network Security Testing
December 2002  Security of Public Web Servers
October 2002  Security Patches And The CVE Vulnerability Naming Scheme: Tools To Address Computer System Vulnerabilities
January 2002  Guidelines on Firewalls and Firewall Policy
Personal Identity Verification (PIV)

Personal Identity Verification (PIV) is a suite of standards and guides that are developed in response to HSPD-12 for improving the identification and authentication of Federal employees and contractors for access to Federal facilities and information systems.

FIPS 201-1  Personal Identity Verification for Federal Employees and Contractors
SP 800-85B  PIV Data Model Test Guidelines
SP 800-85A  PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 compliance)
SP 800-79  Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
SP 800-78  Cryptographic Algorithms and Key Sizes for Personal Identity Verification
SP 800-76  Biometric Data Specification for Personal Identity Verification
SP 800-73 Rev 1  Integrated Circuit Card for Personal Identification Verification
NISTIR 7337  Personal Identity Verification Demonstration Summary
NISTIR 7284  Personal Identity Verification Card Management Report
January 2006  Testing And Validation Of Personal Identity Verification (PIV) Components And Subsystems For Conformance To Federal Information Processing Standard 201
August 2005  Implementation Of FIPS 201, Personal Identity Verification (PIV) Of Federal Employees And Contractors
March 2005  Personal Identity Verification (PIV) Of Federal Employees And Contractors: Federal Information Processing Standard (FIPS) 201
PKI

A collection of documents to assist with the understanding of Public Key cryptography.

FIPS 196  Entity Authentication Using Public Key Cryptography
SP 800-89  Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-57  Recommendation on Key Management
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-15  Minimum Interoperability Specification for PKI Components (MISPC), Version 1
Planning

A collection of documents dealing with security plans and with identifying, documenting, and preparing security for systems.

FIPS 200  Security Controls for Federal Information Systems
FIPS 199  Standards for Security Categorization of Federal Information and Information Systems
FIPS 191  Guideline for The Analysis of Local Area Network Security
FIPS 188  Standard Security Labels for Information Transfer
FIPS 140-2  Security Requirements for Cryptographic Modules
SP 800-81  Secure Domain Name System (DNS) Deployment Guide
SP 800-57  Recommendation on Key Management
SP 800-55  Security Metrics Guide for Information Technology Systems
SP 800-53  Security Controls for Federal Information Systems
SP 800-47  Security Guide for Interconnecting Information Technology Systems
SP 800-44  Guidelines on Securing Public Web Servers
SP 800-43  Systems Administration Guidance for Securing Microsoft Windows 2000 Professional System
SP 800-41  Guidelines on Firewalls and Firewall Policy
SP 800-40, Ver 2  Creating a Patch and Vulnerability Management Program
SP 800-37  Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems
SP 800-36  Guide to Selecting Information Technology Security Products
SP 800-35  Guide to Information Technology Security Services
SP 800-33  Underlying Technical Models for Information Technology Security
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-31  Intrusion Detection Systems (IDSs)
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-27  Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-21 Rev 1  Guideline for Implementing Cryptography in the Federal Government
SP 800-19  Mobile Agent Security
SP 800-18  Guide for Developing Security Plans for Information Technology Systems
NISTIR 7316  Assessment of Access Control Systems
NISTIR 7284  Personal Identity Verification Card Management Report
NISTIR 6985  COTS Security Protection Profile - Operating Systems (CSPP-OS) (Worked Example Applying Guidance of NISTIR-6462, CSPP)
NISTIR 6981  Policy Expression and Enforcement for Handheld Devices
NISTIR 6887  Government Smart Card Interoperability Specification (GSC-IS), v2.1
NISTIR 6462  CSPP - Guidance for COTS Security Protection Profiles
December 2005  Preventing And Handling Malware Incidents: How To Protect Information Technology Systems From Malicious Code And Software
March 2006  Minimum Security Requirements For Federal Information And Information Systems: Federal Information Processing Standard (FIPS) 200 Approved By The Secretary Of Commerce
February 2006  Creating A Program To Manage Security Patches And Vulnerabilities: NIST Recommendations For Improving System Security
January 2006  Testing And Validation Of Personal Identity Verification (PIV) Components And Subsystems For Conformance To Federal Information Processing Standard 201
November 2005  Securing Microsoft Windows XP Systems: NIST Recommendations For Using A Security Configuration Checklist
August 2005  Implementation Of FIPS 201, Personal Identity Verification (PIV) Of Federal Employees And Contractors
July 2005  Protecting Sensitive Information That Is Transmitted Across Networks: NIST Guidance For Selecting And Using Transport Layer Security Implementations
June 2005  NIST's Security Configuration Checklists Program For IT Products
May 2005  Recommended Security Controls For Federal Information Systems: Guidance For Selecting Cost-Effective Controls Using A Risk-Based Process
January 2005  Integrating IT Security Into The Capital Planning And Investment Control Process
November 2004  Understanding the New NIST Standards and Guidelines Required by FISMA: How Three Mandated Documents are Changing the Dynamic of Information Security for the Federal Government
July 2004  Guide For Mapping Types Of Information And Information Systems To Security Categories
May 2004  Guide For The Security Certification And Accreditation Of Federal Information Systems
March 2004  Federal Information Processing Standard (FIPS) 199, Standards For Security Categorization Of Federal Information And Information Systems
February 2003  Secure Interconnections for Information Technology Systems
December 2002  Security of Public Web Servers
July 2002  Overview: The Government Smart Card Interoperability Specification
February 2002  Risk Management Guidance For Information Technology Systems
January 2002  Guidelines on Firewalls and Firewall Policy
February 2000  Guideline for Implementing Cryptography in the Federal Government
April 1999  Guide for Developing Security Plans for Information Technology Systems
Research
A collection of documents that reports on the techniques and results of security research subjects, topics, forums or workshops.
NISTIR 7224  4th Annual PKI R&D Workshop: Multiple Paths to Trust – Proceedings
NISTIR 7200  Proximity Beacons and Mobile Handheld Devices: Overview and Implementation
NISTIR 7056  Card Technology Development and Gap Analysis Interagency Report
NISTIR 7007  An Overview of Issues in Testing Intrusion Detection Systems
NISTIR 6068  Report on the TMACH Experiment
NISTIR 5810  The TMACH Experiment Phase 1 - Preliminary Developmental Evaluation
NISTIR 5788  Public Key Infrastructure Invitational Workshop September 28, 1995, MITRE Corporation, McLean, Virginia
July 2003  Testing Intrusion Detection Systems
Risk Assessment
A collection of documents that assists in identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact.
FIPS 199  Standards for Security Categorization of Federal Information and Information Systems
FIPS 191  Guideline for The Analysis of Local Area Network Security
SP 800-84  Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SP 800-60  Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-51  Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
SP 800-48  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
SP 800-47  Security Guide for Interconnecting Information Technology Systems
SP 800-42  Guideline on Network Security Testing
SP 800-40, Ver 2  Creating a Patch and Vulnerability Management Program
SP 800-37  Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-28  Guidelines on Active Content and Mobile Code
SP 800-26  Security Self-Assessment Guide for Information Technology Systems
SP 800-23  Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
SP 800-21 Rev 1  Guideline for Implementing Cryptography in the Federal Government
SP 800-19  Mobile Agent Security
NISTIR 7316  Assessment of Access Control Systems
NISTIR 6981  Policy Expression and Enforcement for Handheld Devices
February 2006  Creating A Program To Manage Security Patches And Vulnerabilities: NIST Recommendations For Improving System Security
October 2005  National Vulnerability Database: Helping Information Technology System Users And Developers Find Current Information About Cyber Security Vulnerabilities
May 2005  Recommended Security Controls For Federal Information Systems: Guidance For Selecting Cost-Effective Controls Using A Risk-Based Process
July 2004  Guide For Mapping Types Of Information And Information Systems To Security Categories
May 2004  Guide For The Security Certification And Accreditation Of Federal Information Systems
March 2004  Federal Information Processing Standard (FIPS) 199, Standards For Security Categorization Of Federal Information And Information Systems
January 2004  Computer Security Incidents: Assessing, Managing, And Controlling The Risks
November 2003  Network Security Testing
February 2003  Secure Interconnections for Information Technology Systems
October 2002  Security Patches And The CVE Vulnerability Naming Scheme: Tools To Address Computer System Vulnerabilities
February 2002  Risk Management Guidance For Information Technology Systems
September 2001  Security Self-Assessment Guide for Information Technology Systems
Services & Acquisitions
A collection of documents to assist with understanding security issues concerning purchasing and obtaining items. Also covers considerations for acquiring services, including assistance with a system at any point in its life cycle, from external sources.
FIPS 201-1  Personal Identity Verification for Federal Employees and Contractors
FIPS 140-2  Security Requirements for Cryptographic Modules
SP 800-97  Guide to IEEE 802.11i: Robust Security Networks
SP 800-85  PIV Middleware and PIV Card Application Conformance Test Guidelines
SP 800-79  Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
SP 800-78  Cryptographic Algorithms and Key Sizes for Personal Identity Verification
SP 800-76  Biometric Data Specification for Personal Identity Verification
SP 800-73 Rev 1  Integrated Circuit Card for Personal Identification Verification
SP 800-70  Security Configuration Checklists Program for IT Products
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-65  Integrating Security into the Capital Planning and Investment Control Process
SP 800-58  Security Considerations for Voice Over IP Systems
SP 800-48  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
SP 800-36  Guide to Selecting Information Technology Security Products
SP 800-35  Guide to Information Technology Security Services
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-21 Rev 1  Guideline for Implementing Cryptography in the Federal Government
SP 800-15  Minimum Interoperability Specification for PKI Components (MISPC), Version 1
NISTIR 7284  Personal Identity Verification Card Management Report
NISTIR 7250  Cell Phone Forensic Tools: An Overview and Analysis
NISTIR 7100  PDA Forensic Tools: An Overview and Analysis
NISTIR 6887  Government Smart Card Interoperability Specification (GSC-IS), v2.1
January 2006  Testing And Validation Of Personal Identity Verification (PIV) Components And Subsystems For Conformance To Federal Information Processing Standard 201
August 2005  Implementation Of FIPS 201, Personal Identity Verification (PIV) Of Federal Employees And Contractors
June 2005  NIST’s Security Configuration Checklists Program For IT Products
March 2005  Personal Identity Verification (PIV) Of Federal Employees And Contractors: Federal Information Processing Standard (FIPS) 201
January 2005  Integrating IT Security Into The Capital Planning And Investment Control Process
October 2004  Securing Voice Over Internet Protocol (IP) Networks
June 2004  Information Technology Security Services: How To Select, Implement, And Manage
April 2004  Selecting Information Technology Security Products
July 2002  Overview: The Government Smart Card Interoperability Specification
February 2000  Guideline for Implementing Cryptography in the Federal Government
Smart Cards
A collection of documents that provides information on cards with built-in microprocessors and memory that can be used for identification purposes.
FIPS 201-1  Personal Identity Verification for Federal Employees and Contractors
SP 800-85A  PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 compliance)
SP 800-73 Rev 1  Integrated Circuit Card for Personal Identification Verification
NISTIR 7284  Personal Identity Verification Card Management Report
NISTIR 7206  Smart Cards and Mobile Device Authentication: An Overview and Implementation
NISTIR 7056  Card Technology Development and Gap Analysis Interagency Report
NISTIR 6887  Government Smart Card Interoperability Specification (GSC-IS), v2.1
January 2006  Testing And Validation Of Personal Identity Verification (PIV) Components And Subsystems For Conformance To Federal Information Processing Standard 201
August 2005  Implementation Of FIPS 201, Personal Identity Verification (PIV) Of Federal Employees And Contractors
March 2005  Personal Identity Verification (PIV) Of Federal Employees And Contractors: Federal Information Processing Standard (FIPS) 201
July 2002  Overview: The Government Smart Card Interoperability Specification
Viruses & Malware
A collection of documents that deals with viruses, malware, and how to handle them.
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-61  Computer Security Incident Handling Guide
SP 800-28  Guidelines on Active Content and Mobile Code
SP 800-19  Mobile Agent Security
Historical Archives
NIST documents that are now obsolete or nearly obsolete, due to changes in technologies and/or environments, or documents that have had newer versions published, thereby making these obsolete. These are listed here mostly for academic and historical purposes.
SP 800-29  A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
SP 800-13  Telecommunications Security Guidelines for Telecommunications Management Network
SP 800-11  The Impact of the FCC’s Open Network Architecture on NS/EP Telecommunications Security
SP 800-10  Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
SP 800-09  Good Security Practices for Electronic Commerce, Including Electronic Data Interchange
SP 800-08  Security Issues in the Database Language SQL
SP 800-07  Security in Open Systems
SP 800-06  Automated Tools for Testing Computer System Vulnerability
SP 800-05  A Guide to the Selection of Anti-Virus Tools and Techniques
SP 800-04  Computer Security Considerations in Federal Procurements: A Guide for Procurement Initiators
SP 800-03  Establishing a Computer Security Incident Response Capability (CSIRC)
SP 800-02  Public-Key Cryptography
NISTIR 6483  Randomness Testing of the Advanced Encryption Standard Finalist Candidates
NISTIR 6390  Randomness Testing of the Advanced Encryption Standard Candidate Algorithms
NISTIR 5590  Proceedings Report of the International Invitation Workshop on Developmental Assurance
NISTIR 5570  An Assessment of the DOD Goal Security Architecture (DGSA) for Non-Military Use
NISTIR 5540  Multi-Agency Certification and Accreditation (C&A) Process: A Worked Example
NISTIR 5495  Computer Security Training & Awareness Course Compendium
NISTIR 5472  A Head Start on Assurance: Proceedings of an Invitational Workshop on Information Technology (IT) Assurance and Trustworthiness
NISTIR 5308  General Procedures for Registering Computer Security Objects
NISTIR 5283  Security of SQL-Based Implementations of Product Data Exchange Using Step
NISTIR 5234  Report of the NIST Workshop on Digital Signature Certificate Management, December 10-11, 1992
NISTIR 5232  Report of the NSF/NIST Workshop on NSFNET/NREN Security, July 6-7, 1992
NISTIR 5153  Minimum Security Requirements for Multi-User Operating Systems
NISTIR 4976  Assessing Federal and Commercial Information Security Needs
NISTIR 4939  Threat Assessment of Malicious Code and External Attacks
NISTIR 4774  A Review of U.S. and European Security Evaluation Criteria
NISTIR 4749  Sample Statements of Work for Federal Computer Security Services: For use In-House or Contracting Out
NISTIR 4734  Foundations of a Security Policy for use of the National Research and Educational Network
July 2001  A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
October 2000  An Overview Of The Common Criteria Evaluation And Validation Scheme
July 2000  Identifying Critical Patches With ICat
June 2000  Mitigating Emerging Hacker Threats
December 1999  Operating System Security: Adding to the Arsenal of Security Techniques
November 1999  Acquiring and Deploying Intrusion Detection Systems
September 1999  Securing Web Servers
August 1999  The Advanced Encryption Standard: A Status Report
May 1999  Computer Attacks: What They Are and How to Defend Against Them
February 1999  Enhancements to Data Encryption and Digital Signature Federal Standards
January 1999  Secure Web-Based Access to High Performance Computing Resources
November 1998  Common Criteria: Launching the International Standard
September 1998  Cryptography Standards and Infrastructures for the Twenty-First Century
June 1998  Training for Information Technology Security: Evaluating the Effectiveness of Results-Based Learning
April 1998  Training Requirements for Information Technology Security: An Introduction to Results-Based Learning
March 1998  Management of Risks in Information Systems: Practices of Successful Organizations
February 1998  Information Security and the World Wide Web (WWW)
November 1997  Internet Electronic Mail
July 1997  Public Key Infrastructure Technology
April 1997  Security Considerations In Computer Support And Operations
March 1997  Audit Trails
February 1997  Advanced Encryption Standard
January 1997  Security Issues for Telecommuting
October 1996  Generally Accepted System Security Principles (GSSPs): Guidance On Securing Information Technology (IT) Systems
August 1996  Implementation Issues for Cryptography
June 1996  Information Security Policies For Changing Information Technology Environments
May 1996  The World Wide Web: Managing Security Risks
February 1996  Human/Computer Interface Security Issue
September 1995  Preparing for Contingencies and Disasters
August 1995  FIPS 140-1: A Framework for Cryptographic Standards
February 1995  The Data Encryption Standard: An Update
November 1994  Digital Signature Standard
May 1994  Reducing the Risks of Internet Connection and Use
March 1994  Threats to Computer Systems: An Overview
January 1994  Computer Security Policy
November 1993  People: An Important Asset in Computer Security
August 1993  Security Program Management
July 1993  Connecting to the Internet: Security Considerations
May 1993  Security Issues in Public Access Systems
November 1992  Sensitivity of Information
October 1992  Disposition of Sensitive Automated Information
February 1992  Establishing a Computer Security Incident Handling Capability
November 1991  Advanced Authentication Technology
February 1991  Computer Security Roles of NIST and NSA
August 1990  Computer Virus Attacks
Families
The Family categories are identical to the control families found in FIPS 200, SP 800-53, and other related documents. These Family lists mirror the document crosswalk from SP 800-53, Revision 1.
Access Control
FIPS 201-1  Personal Identity Verification for Federal Employees and Contractors
FIPS 200  Security Controls for Federal Information Systems
FIPS 188  Standard Security Labels for Information Transfer
SP 800-100  Information Security Handbook for Managers
SP 800-97  Guide to IEEE 802.11i: Robust Security Networks
SP 800-96  PIV Card/Reader Interoperability Guidelines
SP 800-87  Codes for the Identification of Federal and Federally Assisted Organizations
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-81  Secure Domain Name System (DNS) Deployment Guide
SP 800-78  Cryptographic Algorithms and Key Sizes for Personal Identity Verification
SP 800-77  Guide to IPSec VPNs
SP 800-76  Biometric Data Specification for Personal Identity Verification
SP 800-73 Rev 1  Integrated Circuit Card for Personal Identification Verification
SP 800-68  Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-58  Security Considerations for Voice Over IP Systems
SP 800-57  Recommendation on Key Management
SP 800-48  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
SP 800-46  Security for Telecommuting and Broadband Communications
SP 800-45  Guidelines on Electronic Mail Security
SP 800-44  Guidelines on Securing Public Web Servers
SP 800-43  Systems Administration Guidance for Securing Microsoft Windows 2000 Professional System
SP 800-41  Guidelines on Firewalls and Firewall Policy
SP 800-36  Guide to Selecting Information Technology Security Products
SP 800-28  Guidelines on Active Content and Mobile Code
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
SP 800-19  Mobile Agent Security
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Awareness & Training
FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-50  Building an Information Technology Security Awareness and Training Program
SP 800-40  Procedures for Handling Security Patches
SP 800-31  Intrusion Detection Systems (IDSs)
SP 800-16  Information Technology Security Training Requirements: A Role- and Performance-Based Model
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Audit & Accountability
FIPS 200  Security Controls for Federal Information Systems
FIPS 198  The Keyed-Hash Message Authentication Code (HMAC)
SP 800-100  Information Security Handbook for Managers
SP 800-92  Guide to Computer Security Log Management
SP 800-89  Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-86  Guide to Integrating Forensic Techniques into Incident Response
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-72  Guidelines on PDA Forensics
SP 800-68  Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-57  Recommendation on Key Management
SP 800-52  Guidelines on the Selection and Use of Transport Layer Security
SP 800-49  Federal S/MIME V3 Client Profile
SP 800-45  Guidelines on Electronic Mail Security
SP 800-44  Guidelines on Securing Public Web Servers
SP 800-42  Guideline on Network Security Testing
SP 800-19  Mobile Agent Security
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Certification, Accreditation & Security Assessments
FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-85  PIV Middleware and PIV Card Application Conformance Test Guidelines
SP 800-79  Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
SP 800-76  Biometric Data Specification for Personal Identity Verification
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-65  Integrating Security into the Capital Planning and Investment Control Process
SP 800-55  Security Metrics Guide for Information Technology Systems
SP 800-53A  Guide for Assessing the Security Controls in Federal Information Systems
SP 800-47  Security Guide for Interconnecting Information Technology Systems
SP 800-42  Guideline on Network Security Testing
SP 800-37  Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems
SP 800-36  Guide to Selecting Information Technology Security Products
SP 800-35  Guide to Information Technology Security Services
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-26  Security Self-Assessment Guide for Information Technology Systems
SP 800-23  Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
SP 800-22  A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
SP 800-20  Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
SP 800-18  Guide for Developing Security Plans for Information Technology Systems
SP 800-17  Modes of Operation Validation System (MOVS): Requirements and Procedures
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Configuration Management
FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-86  Guide to Integrating Forensic Techniques into Incident Response
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-81  Secure Domain Name System (DNS) Deployment Guide
SP 800-70  Security Configuration Checklists Program for IT Products
SP 800-68  Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
SP 800-48  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
SP 800-46  Security for Telecommuting and Broadband Communications
SP 800-45  Guidelines on Electronic Mail Security
SP 800-44  Guidelines on Securing Public Web Servers
SP 800-43  Systems Administration Guidance for Securing Microsoft Windows 2000 Professional System
SP 800-40  Procedures for Handling Security Patches
SP 800-37  Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems
SP 800-35  Guide to Information Technology Security Services
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Contingency Planning
FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-86  Guide to Integrating Forensic Techniques into Incident Response
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-81  Secure Domain Name System (DNS) Deployment Guide
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-57  Recommendation on Key Management
SP 800-56A  Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
SP 800-50  Building an Information Technology Security Awareness and Training Program
SP 800-45  Guidelines on Electronic Mail Security
SP 800-44  Guidelines on Securing Public Web Servers
SP 800-43  Systems Administration Guidance for Securing Microsoft Windows 2000 Professional System
SP 800-41  Guidelines on Firewalls and Firewall Policy
SP 800-34  Contingency Planning Guide for Information Technology Systems
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
SP 800-21 Rev 1  Guideline for Implementing Cryptography in the Federal Government
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-13  Telecommunications Security Guidelines for Telecommunications Management Network
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Identification and Authentication
FIPS 201-1  Personal Identity Verification for Federal Employees and Contractors
FIPS 200  Security Controls for Federal Information Systems
FIPS 190  Guideline for the Use of Advanced Authentication Technology Alternatives
FIPS 140-2  Security Requirements for Cryptographic Modules
SP 800-100  Information Security Handbook for Managers
SP 800-97  Guide to IEEE 802.11i: Robust Security Networks
SP 800-96  PIV Card/Reader Interoperability Guidelines
SP 800-87  Codes for the Identification of Federal and Federally Assisted Organizations
SP 800-86  Guide to Integrating Forensic Techniques into Incident Response
SP 800-81  Secure Domain Name System (DNS) Deployment Guide
SP 800-78  Cryptographic Algorithms and Key Sizes for Personal Identity Verification
SP 800-77  Guide to IPSec VPNs
SP 800-76  Biometric Data Specification for Personal Identity Verification
SP 800-73 Rev 1  Integrated Circuit Card for Personal Identification Verification
SP 800-72  Guidelines on PDA Forensics
SP 800-68  Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-63  Recommendation for Electronic Authentication
SP 800-52  Guidelines on the Selection and Use of Transport Layer Security
SP 800-48  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
SP 800-46  Security for Telecommuting and Broadband Communications
SP 800-45  Guidelines on Electronic Mail Security
SP 800-44  Guidelines on Securing Public Web Servers
SP 800-36  Guide to Selecting Information Technology Security Products
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Incident Response
FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-92  Guide to Computer Security Log Management
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-61  Computer Security Incident Handling Guide
SP 800-50  Building an Information Technology Security Awareness and Training Program
SP 800-36  Guide to Selecting Information Technology Security Products
SP 800-31  Intrusion Detection Systems (IDSs)
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Maintenance
FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-88  Media Sanitization Guide
SP 800-77  Guide to IPSec VPNs
SP 800-34  Contingency Planning Guide for Information Technology Systems
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Media Protection
FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-92  Guide to Computer Security Log Management
SP 800-88  Media Sanitization Guide
SP 800-86  Guide to Integrating Forensic Techniques into Incident Response
SP 800-72  Guidelines on PDA Forensics
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-57  Recommendation on Key Management
SP 800-36  Guide to Selecting Information Technology Security Products
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Physical & Environmental Protection
FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-96  PIV Card/Reader Interoperability Guidelines
SP 800-92  Guide to Computer Security Log Management
SP 800-86  Guide to Integrating Forensic Techniques into Incident Response
SP 800-78  Cryptographic Algorithms and Key Sizes for Personal Identity Verification
SP 800-76  Biometric Data Specification for Personal Identity Verification
SP 800-73 Rev 1  Integrated Circuit Card for Personal Identification Verification
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-58  Security Considerations for Voice Over IP Systems
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Planning
FIPS 201-1  Personal Identity Verification for Federal Employees and Contractors
FIPS 200  Security Controls for Federal Information Systems
FIPS 199  Standards for Security Categorization of Federal Information and Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-89  Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-81  Secure Domain Name System (DNS) Deployment Guide
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-65  Integrating Security into the Capital Planning and Investment Control Process
SP 800-64  Security Considerations in the Information System Development Life Cycle
SP 800-58  Security Considerations for Voice Over IP Systems
SP 800-57  Recommendation on Key Management
SP 800-48  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
SP 800-46  Security for Telecommuting and Broadband Communications
SP 800-45  Guidelines on Electronic Mail Security
SP 800-44  Guidelines on Securing Public Web Servers
SP 800-42  Guideline on Network Security Testing
SP 800-41  Guidelines on Firewalls and Firewall Policy
SP 800-40, Ver 2  Creating a Patch and Vulnerability Management Program
SP 800-40  Procedures for Handling Security Patches
SP 800-37  Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems
SP 800-34  Contingency Planning Guide for Information Technology Systems
SP 800-33  Underlying Technical Models for Information Technology Security
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-31  Intrusion Detection Systems (IDSs)
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-27  Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-26  Security Self-Assessment Guide for Information Technology Systems
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-21 Rev 1  Guideline for Implementing Cryptography in the Federal Government
SP 800-19  Mobile Agent Security
SP 800-18  Guide for Developing Security Plans for Information Technology Systems
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Personnel Security
FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Risk Assessment
FIPS 200  Security Controls for Federal Information Systems
FIPS 199  Standards for Security Categorization of Federal Information and Information Systems
SP 800-100  Information Security Handbook for Managers
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-65  Integrating Security into the Capital Planning and Investment Control Process
SP 800-63  Recommendation for Electronic Authentication
SP 800-60  Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-59  Guideline for Identifying an Information System as a National Security System
SP 800-53A  Guide for Assessing the Security Controls in Federal Information Systems
SP 800-51  Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
SP 800-48  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
SP 800-46  Security for Telecommuting and Broadband Communications
SP 800-45  Guidelines on Electronic Mail Security
SP 800-44  Guidelines on Securing Public Web Servers
SP 800-42  Guideline on Network Security Testing
SP 800-40, Ver 2  Creating a Patch and Vulnerability Management Program
SP 800-40  Procedures for Handling Security Patches
SP 800-37  Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems
SP 800-36  Guide to Selecting Information Technology Security Products
SP 800-34  Contingency Planning Guide for Information Technology Systems
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-31  Intrusion Detection Systems (IDSs)
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-28  Guidelines on Active Content and Mobile Code
SP 800-26  Security Self-Assessment Guide for Information Technology Systems
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-24  PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
SP 800-23  Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
SP 800-19  Mobile Agent Security
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-13  Telecommunications Security Guidelines for Telecommunications Management Network
SP 800-12  An Introduction to Computer Security: The NIST Handbook
SYSTEM & SERVICES ACQUISITION
FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook: A Guide for Managers
SP 800-97  Guide to IEEE 802.11i: Robust Security Networks
SP 800-85  PIV Middleware and PIV Card Application Conformance Test Guidelines
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-76  Biometric Data Specification for Personal Identity Verification
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-65  Integrating IT Security into the Capital Planning and Investment Control Process
SP 800-64  Security Considerations in the Information System Development Life Cycle
SP 800-36  Guide to Selecting Information Technology Security Products
SP 800-35  Guide to Information Technology Security Services
SP 800-34  Contingency Planning Guide for Information Technology Systems
SP 800-33  Underlying Technical Models for Information Technology Security
SP 800-31  Intrusion Detection Systems (IDSs)
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-27  Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-23  Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
SP 800-21 Rev 1  Guideline for Implementing Cryptography in the Federal Government
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
SYSTEM & COMMUNICATION PROTECTION
FIPS 201-1  Personal Identity Verification for Federal Employees and Contractors
FIPS 200  Security Controls for Federal Information Systems
FIPS 198  The Keyed-Hash Message Authentication Code (HMAC)
FIPS 197  Advanced Encryption Standard
FIPS 190  Guideline for the Use of Advanced Authentication Technology Alternatives
FIPS 186-3  Digital Signature Standard (DSS)
FIPS 180-2  Secure Hash Standard (SHS)
FIPS 140-2  Security Requirements for Cryptographic Modules
SP 800-100  Information Security Handbook: A Guide for Managers
SP 800-97  Guide to IEEE 802.11i: Robust Security Networks
SP 800-90  Recommendation for Random Number Generation Using Deterministic Random Bit Generators
SP 800-89  Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-81  Secure Domain Name System (DNS) Deployment Guide
SP 800-78  Cryptographic Algorithms and Key Sizes for Personal Identity Verification
SP 800-77  Guide to IPsec VPNs
SP 800-73 Rev 1  Integrated Circuit Card for Personal Identity Verification
SP 800-70  Security Configuration Checklists Program for IT Products
SP 800-68  Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
SP 800-67  Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-58  Security Considerations for Voice Over IP Systems
SP 800-57  Recommendation for Key Management
SP 800-56A  Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
SP 800-52  Guidelines on the Selection and Use of Transport Layer Security
SP 800-49  Federal S/MIME V3 Client Profile
SP 800-46  Security for Telecommuting and Broadband Communications
SP 800-45  Guidelines on Electronic Mail Security
SP 800-44  Guidelines on Securing Public Web Servers
SP 800-41  Guidelines on Firewalls and Firewall Policy
SP 800-38D  Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication
SP 800-38C  Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
SP 800-38B  Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
SP 800-38A  Recommendation for Block Cipher Modes of Operation: Methods and Techniques
SP 800-36  Guide to Selecting Information Technology Security Products
SP 800-32  Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-29  A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
SP 800-28  Guidelines on Active Content and Mobile Code
SP 800-25  Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-22  A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
SP 800-21 Rev 1  Guideline for Implementing Cryptography in the Federal Government
SP 800-20  Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
SP 800-19  Mobile Agent Security
SP 800-17  Modes of Operation Validation System (MOVS): Requirements and Procedures
SP 800-15  Minimum Interoperability Specification for PKI Components (MISPC), Version 1
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
SYSTEM & INFORMATION INTEGRITY
FIPS 200  Security Controls for Federal Information Systems
SP 800-100  Information Security Handbook: A Guide for Managers
SP 800-92  Guide to Computer Security Log Management
SP 800-86  Guide to Integrating Forensic Techniques into Incident Response
SP 800-85  PIV Middleware and PIV Card Application Conformance Test Guidelines
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-61  Computer Security Incident Handling Guide
SP 800-57  Recommendation for Key Management
SP 800-51  Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
SP 800-48  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
SP 800-45  Guidelines on Electronic Mail Security
SP 800-44  Guidelines on Securing Public Web Servers
SP 800-43  Systems Administration Guidance for Securing Microsoft Windows 2000 Professional System
SP 800-42  Guideline on Network Security Testing
SP 800-36  Guide to Selecting Information Technology Security Products
SP 800-31  Intrusion Detection Systems (IDSs)
SP 800-28  Guidelines on Active Content and Mobile Code
SP 800-19  Mobile Agent Security
SP 800-14  Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-12  An Introduction to Computer Security: The NIST Handbook
LEGAL REQUIREMENTS
There are certain legal requirements regarding IT security to which Federal agencies must adhere. Many come from legislation, while others come from Presidential Directives or Office of Management and Budget (OMB) Circulars. Here is a list of the major sources of these requirements, with supporting documents from NIST. Some of the documents are a direct result of mandates given to NIST. Others are documents developed in order to give guidance to Federal agencies on how to carry out legal requirements.
FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA)
Title III of the E-Gov Act of 2002 [Public Law 107-347]
Categorization of all information and information systems and minimum information security requirements for each category
FIPS 200  Security Controls for Federal Information Systems
FIPS 199  Standards for Security Categorization of Federal Information and Information Systems
SP 800-70  Security Configuration Checklists Program for IT Products
SP 800-60  Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-53  Recommended Security Controls for Federal Information Systems
SP 800-53A  Guide for Assessing the Security Controls in Federal Information Systems
SP 800-37  Guide for the Security Certification and Accreditation of Federal Information Systems
SP 800-34  Contingency Planning Guide for Information Technology Systems
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-26 Rev 1  Guide for Information Security Program Assessments and System Reporting Form
SP 800-18 Rev 1  Guide for Developing Security Plans for Federal Information Systems
Identification of an information system as a national security system
SP 800-59  Guideline for Identifying an Information System as a National Security System
Detection and handling of information security incidents
SP 800-84  Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SP 800-61  Computer Security Incident Handling Guide
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-86  Guide to Integrating Forensic Techniques into Incident Response
SP 800-51  Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
December 2005  Preventing and Handling Malware Incidents: How to Protect Information Technology Systems from Malicious Code and Software
Manage security incidents
SP 800-61  Computer Security Incident Handling Guide
SP 800-83  Guide to Malware Incident Prevention and Handling
SP 800-86  Guide to Integrating Forensic Techniques into Incident Response
SP 800-51  Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
Annual public report on activities undertaken in the previous year
NISTIR 7285  Computer Security Division 2005 Annual Report
NISTIR 7219  Computer Security Division 2004 Annual Report
NISTIR 7111  Computer Security Division 2003 Annual Report
OMB CIRCULAR A-130: MANAGEMENT OF FEDERAL INFORMATION RESOURCES, APPENDIX III: SECURITY OF FEDERAL AUTOMATED INFORMATION RESOURCES
Assess risks
FIPS 199  Standards for Security Categorization of Federal Information and Information Systems
Certify and accredit systems
FIPS 200  Security Controls for Federal Information Systems
SP 800-37  Guide for the Security Certification and Accreditation of Federal Information Systems
Develop contingency plans and procedures
SP 800-34  Contingency Planning Guide for Information Technology Systems
SP 800-46  Security for Telecommuting and Broadband Communications
Manage system configurations and security throughout the system development life cycle
SP 800-64 Rev 1  Security Considerations in the Information System Development Life Cycle
SP 800-70  Security Configuration Checklists Program for IT Products
SP 800-34  Contingency Planning Guide for Information Technology Systems
NISTIR 7316  Assessment of Access Control Systems
Mandates agency-wide information security program development and implementation
SP 800-18 Rev 1  Guide for Developing Security Plans for Federal Information Systems
SP 800-100  Information Security Handbook: A Guide for Managers
SP 800-12  An Introduction to Computer Security: The NIST Handbook
Conduct security awareness training
SP 800-50  Building an Information Technology Security Awareness and Training Program
SP 800-16  Information Technology Security Training Requirements: A Role- and Performance-Based Model
SP 800-46  Security for Telecommuting and Broadband Communications
E-GOVERNMENT ACT OF 2002
[Public Law 107-347]
Mandates NIST development of security standards
FIPS 199  Standards for Security Categorization of Federal Information and Information Systems
FIPS 200  Security Controls for Federal Information Systems
HOMELAND SECURITY PRESIDENTIAL DIRECTIVE-12 (HSPD-12), COMMON IDENTIFICATION STANDARD FOR FEDERAL EMPLOYEES AND CONTRACTORS
Establishes a mandatory, government-wide standard for secure and reliable forms of identification issued by the Federal government to its employees and contractors
FIPS 201-1  Personal Identity Verification for Federal Employees and Contractors
SP 800-85B  PIV Data Model Test Guidelines
SP 800-85A  PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 compliance)
SP 800-79  Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
SP 800-78  Cryptographic Algorithms and Key Sizes for Personal Identity Verification
SP 800-76  Biometric Data Specification for Personal Identity Verification
SP 800-73 Rev 1  Integrated Circuit Card for Personal Identity Verification
NISTIR 7337  Personal Identity Verification Demonstration Summary
NISTIR 7284  Personal Identity Verification Card Management Report
January 2006  Testing and Validation of Personal Identity Verification (PIV) Components and Subsystems for Conformance to Federal Information Processing Standard 201
August 2005  Implementation of FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors
March 2005  Personal Identity Verification (PIV) of Federal Employees and Contractors: Federal Information Processing Standard (FIPS) 201
OMB CIRCULAR A-11: PREPARATION, SUBMISSION, AND EXECUTION OF THE BUDGET
Capital planning
SP 800-65  Integrating IT Security into the Capital Planning and Investment Control Process
OTHER REQUIREMENTS WITH SUPPORTING DOCUMENTS
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
For more information about HIPAA requirements, please visit www.cms.hhs.gov.
Assure health information privacy and security
Standardize electronic data interchange in health care transactions
SP 800-66  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
HOMELAND SECURITY PRESIDENTIAL DIRECTIVE-7 (HSPD-7), CRITICAL INFRASTRUCTURE IDENTIFICATION, PRIORITIZATION, AND PROTECTION
For more information about HSPD-7, please visit www.dhs.gov.
Protect critical infrastructure
FIPS 199  Standards for Security Categorization of Federal Information and Information Systems
FIPS 200  Security Controls for Federal Information Systems
SP 800-18  Guide for Developing Security Plans for Information Technology Systems
SP 800-30  Risk Management Guide for Information Technology Systems
SP 800-37  Guide for the Security Certification and Accreditation of Federal Information Systems
SP 800-53  Recommended Security Controls for Federal Information Systems
SP 800-60  Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-59  Guideline for Identifying an Information System as a National Security System
SP 800-82  Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security
Tanya Brewer, Editor
Matthew Scholl, Editor
Michael James, Design/Production
The Design Pond
March 2007
Disclaimer: Any mention of commercial products is for information only; it does not imply NIST recommendation or endorsement, nor does it imply that the products mentioned are necessarily the best available for the purpose.