NIST Docs Guide

NIST Information Security Documents

Guide to

Table of ContentsIntroduction 1TopicClusters 2 AnnualReports 2

Audit&Accountability 2

Authentication 3

Awareness&Training 4

Biometrics 4

Certification&Accreditation(C&A) 5

Communications&Wireless 6

ContingencyPlanning 6

Cryptography 7

DigitalSignatures 8

Forensics 8

GeneralITSecurity 8

IncidentResponse 9

Maintenance 9

PersonalIdentityVerification(PIV) 10

PKI 11

Planning 11

Research 13

RiskAssessment 13

Services&Acquisitions 14

SmartCards 15

Viruses&Malware 15

HistoricalArchives 16

Families 18 AccessControl 18

Awareness&Training 19

Audit&Accountability 19

Certification,Accreditation&SecurityAssessments 19

ConfigurationManagement 20

ContingencyPlanning 21

Identification&Authentication 21

IncidentResponse 22

Maintenance 22

MediaProtection 23

Physical&EnvironmentalProtection 23

Planning 23

PersonnelSecurity 24

RiskAssessment 25

System&ServicesAcquisition 26

System&CommunicationProtection 26

System&InformationIntegrity 28

LegalRequirements 29 FederalInformationSecurityManagementActof2002(FISMA) 29

OMBCircularA-130:ManagementofFederalInformationResources,AppendixIII:SecurityofFederalAutomatedInformationResources 30

E-GovernmentActof2002 31

HomelandSecurityPresidentialDirective-12(HSPD-12),CommonIdentificationStandardforFederalEmployeesandContractors 31

OMBCircularA–11:Preparation,Submission,andExecutionoftheBudget 31

OtherRequirementswithSupportingDocuments 32

HealthInsurancePortabilityandAccountabilityAct(HIPAA) 32

HomelandSecurityPresidentialDirective-7(HSPD-7),CriticalInfrastructureIdentification,Prioritization,andProtection 32

Page �A G u i d e t o N i S t i N f o r m A t i o N S e c u r i t y d o c u m e N t S

For many years, the Computer Security Division has made

greatcontributionstohelpsecureournation’sinformation

and information systems. Our work has paralleled the

evolution of information technology (IT), initially focused

principallyonmainframecomputers,tonowencompasstoday’swide

gamutof(IT)devices.

Currently, thereareover250NIST informationsecuritydocuments.

This number includes Federal Information Processing Standards

(FIPS),theSpecialPublication(SP)800series,InformationTechnology

Laboratory (ITL) Bulletins, and NIST Interagency Reports (NISTIR).

Thesedocumentsaretypicallylistedbypublicationtypeandnumber

orbymonthandyearinthecaseoftheITLBulletins.Thiscanmake

findingadocumentdifficultifthenumberordateisnotknown.

InordertomakeNISTinformationsecuritydocumentsmoreaccessible,

especially to those just entering the security field or with limited

needsforthedocuments,wearepresentingthisGuide.Inaddition

tobeinglistedbytypeandnumber,thiswillpresentthedocuments

usingthreeapproachestoeasesearching:

byTopicCluster

byFamily

byLegalRequirement

Several people looking for documents regarding Federal employee

identification badges might approach their search in drastically

different ways. One person might look for the legal basis behind

thebadges,HSPD-12(HomelandSecurityPresidentialDirective12).

HSPD-12is listedinthelegalrequirement list. Anothermight look

for“PIV”(personalidentificationverification),andtheycouldfindit

underthetopicclusters.Anothermightlookfor“Identificationand

Authentication,” and they would find it under the family list. Yet

anotherpersonmightlookfor“smartcard”or“biometrics,”bothof

whichareunderthetopicclusters.

Itneedstobeunderstood,however,thatdocumentsarenotgenerally

mappedtoeverytopicmentionedinthedocument.Forinstance,SP

800-66,AnIntroductoryResourceGuideforimplementingtheHealth

Insurance Portability and Accountability Act (HIPAA) Security Rule

dealswithtopicssuchascontingencyplansand incident response.

However,SP800-66isnotconsideredanessentialdocumentwhen

lookingfordocumentsaboutcontingencyplansorincidentresponse.

The Guide will be updated on a bi-annual basis to include new

documents, topic clusters, and legal requirements, as well as to

updateanyshiftsindocumentmappingthatisappropriate.

NIST INformaTIoN SecurITy DocumeNTS

Thefederal information Processing Standards(FIPS)Publication

Seriesistheofficialseriesofpublicationsrelatingtostandardsand

guidelines adopted and promulgated under the provisions of the

FederalInformationSecurityManagementAct(FISMA)of2002.

The Special Publication 800-series reports on ITL’s research,

guidelines,andoutreachefforts in informationsystemsecurityand

itscollaborativeactivitieswith industry,government,andacademic

organizations.

itL BulletinsarepublishedbytheInformationTechnologyLaboratory.

Each bulletin presents an in-depth discussion of a single topic of

significant interesttotheinformationsystemscommunity.Bulletins

areissuedonanas-neededbasis.

TheNISTinteragency report seriesmayreportresultsofprojects

of transitory or limited interest. They may also include interim or

finalreportsonworkperformedbyNISTforoutsidesponsors(both

governmentandnon-government).

Introduction

Page � A G u i d e t o N i S t i N f o r m A t i o N S e c u r i t y d o c u m e N t S

Topic Clusters

aNNual reporTS

TheAnnualReportsarethemethodthattheNISTComputerSecurityDivisionusestopubliclyreportonthepastyear’saccomplishmentsandplansforthenextyear.

NISTIR7285 ComputerSecurityDivision-2005AnnualReport



auDIT & accouNTabIlITy

Acollectionofdocumentsthatrelatestoreviewandexaminationofrecordsandactivitiesinordertoassesstheadequacyofsystemcontrols,toensurecompliancewithestablishedpoliciesandoperationalprocedures,andtoprovidethesupportingrequirementforactionsofanentitytobetraceduniquelytothatentity.

FIPS200 SecurityControlsforFederalInformationSystems

FIPS199 StandardsforSecurityCategorizationofFederalInformationandInformationSystems

FIPS191 GuidelineforTheAnalysisofLocalAreaNetworkSecurity

FIPS140-2 SecurityRequirementsforCryptographicModules

SP800-92 GuidetoComputerSecurityLogManagement

SP800-55 SecurityMetricsGuideforInformationTechnologySystems

SP800-53A GuideforAssessingtheSecurityControlsinFederalInformationSystems

SP800-53 SecurityControlsforFederalInformationSystems

SP800-50 BuildinganInformationTechnologySecurityAwarenessandTrainingProgram

SP800-42 GuidelineonNetworkSecurityTesting

SP800-41 GuidelinesonFirewallsandFirewallPolicy

SP800-37 GuidelinesfortheSecurityCertificationandAccreditationofFederalInformationTechnologySystems

SP800-30 RiskManagementGuideforInformationTechnologySystems

SP800-26 SecuritySelf-AssessmentGuideforInformationTechnologySystems

SP800-18 GuideforDevelopingSecurityPlansforInformationTechnologySystems

SP800-16 InformationTechnologySecurityTrainingRequirements:ARole-andPerformance-BasedModel

NISTIR7316 AssessmentofAccessControlSystems

NISTIR7284 PersonalIdentityVerificationCardManagementReport

NISTIR6981 PolicyExpressionandEnforcementforHandheldDevices

(continued on next page)

t o P i c c L u S t e r S



Audit & AccountAbility continued

March2006 Minimum Security Requirements For Federal Information And Information Systems: Federal Information ProcessingStandard(FIPS)200ApprovedByTheSecretaryOfCommerce

January2006 TestingAndValidationOfPersonalIdentityVerification(PIV)ComponentsAndSubsystemsForConformanceToFederalInformationProcessingStandard201

August2005 ImplementationOfFIPS201,PersonalIdentityVerification(PIV)OfFederalEmployeesAndContractors

May2005 RecommendedSecurityControlsForFederalInformationSystems:GuidanceForSelectingCost-EffectiveControlsUsingARisk-BasedProcess

November2004 Understanding the New NIST Standards and Guidelines Required by FISMA: HowThree Mandated Documents areChangingtheDynamicofInformationSecurityfortheFederalGovernment

March2004 FederalInformationProcessingStandard(FIPS)199,StandardsForSecurityCategorizationOfFederalInformationAndInformationSystems

August2003 ITSecurityMetrics

June2003 ASSET:SecurityAssessmentToolForFederalAgencies

January2002 GuidelinesonFirewallsandFirewallPolicy

September2001 SecuritySelf-AssessmentGuideforInformationTechnologySystems

February2000 GuidelineforImplementingCryptographyintheFederalGovernment

auTheNTIcaTIoN

FIPS198 TheKeyed-HashMessageAuthenticationCode(HMAC)

FIPS196 EntityAuthenticationUsingPublicKeyCryptography

FIPS190 GuidelinefortheUseofAdvancedAuthenticationTechnologyAlternatives

FIPS186-3 DigitalSignatureStandard(DSS)

FIPS181 AutomatedPasswordGenerator

FIPS180-2 SecureHashStandard(SHS)

SP800-89 RecommendationforObtainingAssurancesforDigitalSignatureApplications

SP800-63 RecommendationforElectronicAuthentication

SP800-57 RecommendationonKeyManagement

SP800-38C RecommendationforBlockCipherModesofOperation:theCCMModeforAuthenticationandConfidentiality

SP800-38B RecommendationforBlockCipherModesofOperation:TheRMACAuthenticationMode

SP800-38A RecommendationforBlockCipherModesofOperation-MethodsandTechniques

SP800-32 IntroductiontoPublicKeyTechnologyandtheFederalPKIInfrastructure

SP800-25 FederalAgencyUseofPublicKeyTechnologyforDigitalSignaturesandAuthentication

SP800-21Rev1 GuidelineforImplementingCryptographyintheFederalGovernment

SP800-17 ModesofOperationValidationSystem(MOVS):RequirementsandProcedures

NISTIR7290 FingerprintIdentificationandMobileHandheldDevices:AnOverviewandImplementation

NISTIR7206 SmartCardsandMobileDeviceAuthentication:AnOverviewandImplementation

NISTIR7200 ProximityBeaconsandMobileHandheldDevices:OverviewandImplementation

NISTIR7046 FrameworkforMulti-ModeAuthentication:OverviewandImplementationGuide


Page �


A G u i d e t o N i S t i N f o r m A t i o N S e c u r i t y d o c u m e N t S

AuthenticAtion continued

NISTIR7030 PicturePassword:AVisualLoginTechniqueforMobileDevices

September2005 BiometricTechnologies:HelpingToProtectInformationAndAutomatedTransactionsInInformationTechnologySystems

July2005 ProtectingSensitiveInformationThatIsTransmittedAcrossNetworks:NISTGuidanceForSelectingAndUsingTransportLayerSecurityImplementations

August2004 ElectronicAuthentication:GuidanceForSelectingSecureTechniques

March2003 SecurityForWirelessNetworksAndDevices

May2001 Biometrics-TechnologiesforHighlySecurePersonalAuthentication

March2001 AnIntroductiontoIPsec(InternetProtocolSecurity)

awareNeSS & TraININg

SP800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA)SecurityRule


SP800-46 SecurityforTelecommutingandBroadbandCommunications



October2003 InformationTechnologySecurityAwareness,Training,Education,andCertification

November2002 SecurityForTelecommutingAndBroadbandCommunications

bIomeTrIcS

Acollectionofdocumentsthatdetailssecurityissuesandpotentialcontrolsusingameasurable,physicalcharacteristicorpersonalbehavioraltraitusedtorecognizetheidentity,orverifytheclaimedidentity,ofaperson.

FIPS201-1 PersonalIdentityVerificationforFederalEmployeesandContractors

SP800-76 BiometricDataSpecificationforPersonalIdentityVerification

NISTIR7290 FingerprintIdentificationandMobileHandheldDevices:AnOverviewandImplementation



NISTIR7056 CardTechnologyDevelopmentandGapAnalysisInteragencyReport

NISTIR6887 GovernmentSmartCardInteroperabilitySpecification(GSC-IS),v2.1

NISTIR6529-A CommonBiometricExchangeFileFormat(CBEFF)

September2005 BiometricTechnologies:HelpingToProtectInformationAndAutomatedTransactionsInInformationTechnologySystems


March2005 PersonalIdentityVerification(PIV)OfFederalEmployeesAndContractors:FederalInformationProcessingStandard(FIPS)201

July2002 Overview:TheGovernmentSmartCardInteroperabilitySpecification

May2001 Biometrics-TechnologiesforHighlySecurePersonalAuthentication



cerTIfIcaTIoN & accreDITaTIoN (c&a)

CertificationandAccreditation(C&A)isacollectionofdocumentsthatcanbeusedtoconducttheC&AofaninformationsysteminaccordancewithOMBA130-III.




SP800-88 MediaSanitizationGuide

SP800-84 GuidetoTest,Training,andExerciseProgramsforITPlansandCapabilities

SP800-60 GuideforMappingTypesofInformationandInformationSystemstoSecurityCategories

SP800-59 GuidelineforIdentifyinganInformationSystemasaNationalSecuritySystem




SP800-47 SecurityGuideforInterconnectingInformationTechnologySystems



SP800-34 ContingencyPlanningGuideforInformationTechnologySystems



SP800-23 GuidelinetoFederalOrganizationsonSecurityAssuranceandAcquisition/UseofTested/EvaluatedProducts





July2004 GuideForMappingTypesOfInformationAndInformationSystemsToSecurityCategories

May2004 GuideForTheSecurityCertificationAndAccreditationOfFederalInformationSystems


August2003 ITSecurityMetrics

June2003 ASSET:SecurityAssessmentToolForFederalAgencies

February2003 SecureInterconnectionsforInformationTechnologySystems


Page �



commuNIcaTIoNS & wIreleSS

Acollectionofdocumentsthatdetailssecurityissuesassociatedwiththetransmissionofinformationovermultiplemediatoincludesecurityconsiderationswiththeuseofwireless.


SP800-82 GuidetoSupervisoryControlandDataAcquisition(SCADA)andIndustrialControlSystemSecurity

SP800-81 SecureDomainNameSystem(DNS)DeploymentGuide

SP800-77 GuidetoIPsecVPNs

SP800-58 SecurityConsiderationsforVoiceOverIPSystems

SP800-52 GuidelinesfortheSelectionandUseofTransportLayerSecurity

SP800-48 WirelessNetworkSecurity:802.11,Bluetooth,andHandheldDevices


SP800-45 GuidelinesonElectronicMailSecurity


SP800-24 PBXVulnerabilityAnalysis:FindingHolesinYourPBXBeforeSomeoneElseDoes



October2004 SecuringVoiceOverInternetProtocol(IP)Networks

March2003 SecurityForWirelessNetworksAndDevices

January2003 SecurityOfElectronicMail

November2002 SecurityForTelecommutingAndBroadbandCommunications


March2001 AnIntroductiontoIPsec(InternetProtocolSecurity)

August2000 SecurityforPrivateBranchExchangeSystems

coNTINgeNcy plaNNINg

A collection of documents that details management policy and procedures designed to maintain or restore business operations, includingcomputeroperations,possiblyatanalternatelocation,intheeventofemergencies,systemfailures,ordisaster.




January2004 ComputerSecurityIncidents:Assessing,Managing,AndControllingTheRisks

June2002 ContingencyPlanningGuideForInformationTechnologySystems

April2002 TechniquesforSystemandDataRecovery



crypTography

Acollectionofdocuments thatdiscusses themultipleusesandsecurity issuesofencryption,decryption,keymanagement,andthescienceand technologiesused toassure the confidentialityof informationbyhiding semantic content,preventingunauthorizeduse,orpreventingundetectedmodification.


FIPS197 AdvancedEncryptionStandard




FIPS185 EscrowedEncryptionStandard

FIPS181 AutomatedPasswordGenerator



SP800-90 RecommendationforRandomNumberGenerationUsingDeterministicRandomBitGenerators

SP800-67 RecommendationfortheTripleDataEncryptionAlgorithm(TDEA)BlockCipher


SP800-56A RecommendationforPair-WiseKeyEstablishmentSchemesUsingDiscreteLogarithmCryptography

SP800-52 GuidelinesontheSelectionandUseofTransportLayerSecurity

SP800-49 FederalS/MIMEV3ClientProfile






SP800-22 AStatisticalTestSuiteforRandomandPseudorandomNumberGeneratorsforCryptographicApplications



SP800-15 MinimumInteroperabilitySpecificationforPKIComponents(MISPC),Version1



September2002 CryptographicStandardsandGuidelines:AStatusReport

December2000 AStatisticalTestSuiteForRandomAndPseudorandomNumberGeneratorsForCryptographicApplications


Page �



DIgITal SIgNaTureS

Acollectionofdocumentsthatdiscussesthemultipleusesandsecurityissuesofdigitalsignatures.













foreNSIcS

Acollectionofdocumentsthatdiscussesthepracticeofgathering,retaining,andanalyzingcomputer-relateddataforinvestigativepurposesinamannerthatmaintainstheintegrityofthedata.

SP800-86 GuidetoIntegratingForensicTechniquesintoIncidentResponse

SP800-72 GuidelinesonPDAForensics

SP800-31 IntrusionDetectionSystems(IDSs)

NISTIR7250 CellPhoneForensicTools:AnOverviewandAnalysis

NISTIR7100 PDAForensicTools:AnOverviewandAnalysis

September2006 ForensicTechniques:HelpingOrganizationsImproveTheirResponsesToInformationSecurityIncidents

November2001 ComputerForensicsGuidance

geNeral IT SecurITy

Acollectionofdocumentsthatspansmultipletopicareasandcoversaverybroadrangeofsecuritysubjects.ThesedocumentsarenottypicallylistedinTopicClustersbecausetheyaregenerallyapplicabletoalmostallofthem.


SP800-100 InformationSecurityHandbookforManagers

SP800-64 SecurityConsiderationsintheInformationSystemDevelopmentLifeCycle


SP800-33 UnderlyingTechnicalModelsforInformationTechnologySecurity

SP800-27 EngineeringPrinciplesforInformationTechnologySecurity(ABaselineforAchievingSecurity)

SP800-14 GenerallyAcceptedPrinciplesandPracticesforSecuringInformationTechnologySystems

SP800-12 AnIntroductiontoComputerSecurity:TheNISTHandbook

NISTIR7298 GlossaryofKeyInformationSecurityTerms



INcIDeNT reSpoNSe

A collection of documents to assist in the creation of a pre-determined set of instructions or procedures to detect, respond to, and limitconsequencesofamaliciouscyberattackagainstanorganization’sITsystem(s).



SP800-83 GuidetoMalwareIncidentPreventionandHandling

SP800-61 ComputerSecurityIncidentHandlingGuide

SP800-51 UseoftheCommonVulnerabilitiesandExposures(CVE)VulnerabilityNamingScheme

SP800-40 ProceduresforHandlingSecurityPatches





NISTIR6416 ApplyingMobileAgentstoIntrusionDetectionandResponse

September2006 ForensicTechniques:HelpingOrganizationsImproveTheirResponsesToInformationSecurityIncidents

February2006 CreatingAProgramToManageSecurityPatchesAndVulnerabilities:NISTRecommendationsForImprovingSystemSecurity

December2005 PreventingAndHandlingMalwareIncidents:HowToProtectInformationTechnologySystemsFromMaliciousCodeAndSoftware

October2005 National Vulnerability Database: Helping Information Technology System Users And Developers Find CurrentInformationAboutCyberSecurityVulnerabilities


October2002 SecurityPatchesAndTheCVEVulnerabilityNamingScheme:ToolsToAddressComputerSystemVulnerabilities

April2002 TechniquesforSystemandDataRecovery

November2001 ComputerForensicsGuidance

maINTeNaNce

AcollectionofdocumentsdiscussingsecurityconcernswithsystemsinthemaintenancephaseoftheSystemDevelopmentLifeCycle.




SP800-70 SecurityConfigurationChecklistsProgramforITProducts

SP800-69 GuidanceforSecuringMicrosoftWindowsXPHomeEdition:aNISTSecurityConfigurationChecklist

SP800-68 GuidanceforSecuringMicrosoftWindowsXPSystemsforITProfessionals:ANISTSecurityConfigurationChecklist




SP800-44 GuidelinesonSecuringPublicWebServers

SP800-43 SystemsAdministrationGuidanceforSecuringMicrosoftWindows2000ProfessionalSystem



Page �0



MAintenAnce continued





NISTIR7275 SpecificationfortheExtensibleConfigurationChecklistDescriptionFormat(XCCDF)

NISTIR6985 COTSSecurityProtectionProfile-OperatingSystems(CSPP-OS)(WorkedExampleApplyingGuidanceofNISTIR-6462,CSPP)

NISTIR6462 CSPP-GuidanceforCOTSSecurityProtectionProfiles


FIPS188 StandardSecurityLabelsforInformationTransfer


February2006 CreatingA ProgramTo Manage Security PatchesAndVulnerabilities: NIST Recommendations For Improving SystemSecurity

November2005 SecuringMicrosoftWindowsXPSystems:NISTRecommendationsForUsingASecurityConfigurationChecklist

October2005 NationalVulnerabilityDatabase:HelpingInformationTechnologySystemUsersAndDevelopersFindCurrentInformationAboutCyberSecurityVulnerabilities



November2003 NetworkSecurityTesting

December2002 SecurityofPublicWebServers



perSoNal IDeNTITy VerIfIcaTIoN (pIV)

PersonalIdentityVerification(PIV)isasuiteofstandardsandguidesthataredevelopedinresponsetoHSPD-12forimprovingtheidentificationandauthenticationofFederalemployeesandcontractorsforaccesstoFederalfacilitiesandinformationsystems.


SP800-85B PIVDataModelTestGuidelines

SP800-85A PIVCardApplicationandMiddlewareInterfaceTestGuidelines(SP800-73compliance)

SP800-79 GuidelinesfortheCertificationandAccreditationofPIVCardIssuingOrganizations

SP800-78 CryptographicAlgorithmsandKeySizesforPersonalIdentityVerification


SP800-73Rev1 IntegratedCircuitCardforPersonalIdentificationVerification

NISTIR7337 PersonalIdentityVerificationDemonstrationSummary




March2005 Personal Identity Verification (PIV) Of Federal Employees And Contractors: Federal Information Processing Standard(FIPS)201

Page ��A G u i d e t o N i S t i N f o r m A t i o N S e c u r i t y d o c u m e N t S


pKI

AcollectionofdocumentstoassistwiththeunderstandingofPublicKeycryptography.







plaNNINg

Acollectionofdocumentsdealingwithsecurityplansandforidentifying,documenting,andpreparingsecurityforsystems.














SP800-40,Ver2 CreatingaPatchandVulnerabilityManagementProgram


SP800-36 GuidetoSelectingInformationTechnologySecurityProducts

SP800-35 GuidetoInformationTechnologySecurityServices








SP800-19 MobileAgentSecurity


Page ��



PlAnning continued




NISTIR6985 COTSSecurityProtectionProfile-OperatingSystems(CSPP-OS)(WorkedExampleApplyingGuidanceofNISTIR-6462,CSPP)



NISTIR6462 CSPP-GuidanceforCOTSSecurityProtectionProfiles



February2006 CreatingAProgramToManageSecurityPatchesAndVulnerabilities:NISTRecommendationsForImprovingSystemSecurity


November2005 SecuringMicrosoftWindowsXPSystems:NISTRecommendationsForUsingASecurityConfigurationChecklist


July2005 ProtectingSensitiveInformationThatIsTransmittedAcrossNetworks:NISTGuidanceForSelectingAndUsingTransportLayerSecurityImplementations

June2005 NIST’sSecurityConfigurationChecklistsProgramForITProducts


January2005 IntegratingItSecurityIntoTheCapitalPlanningAndInvestmentControlProcess






December2002 SecurityofPublicWebServers


February2002 RiskManagementGuidanceForInformationTechnologySystems



April1999 GuideforDevelopingSecurityPlansforInformationTechnologySystems



reSearch

Acollectionofdocumentsthatreportsonthetechniquesandresultsofsecurityresearchsubjects,topics,forumsorworkshops.

NISTIR7224 4thAnnualPKIR&DWorkshop:MultiplePathstoTrust–Proceedings

NISTIR7200 ProximityBeaconsandMobileHandheldDevices:OverviewandImplementation


NISTIR7007 AnOverviewofIssuesinTestingIntrusionDetectionSystems

NISTIR6068 ReportontheTMACHExperiment

NISTIR5810 TheTMACHExperimentPhase1-PreliminaryDevelopmentalEvaluation

NISTIR5788 PublicKeyInfrastructureInvitationalWorkshopSeptember28,1995,MITRECorporation,McLean,Virginia

July2003 TestingIntrusionDetectionSystems

rISK aSSeSSmeNT

Acollectionofdocuments thatassists in identifying risks toagencyoperations (includingmission, functions, image,or reputation),agencyassets,orindividualsbydeterminingtheprobabilityofoccurrence,theresultingimpact,andadditionalsecuritycontrolsthatwouldmitigatethisimpact.












SP800-28 GuidelinesonActiveContentandMobileCode







February2006 CreatingA ProgramTo Manage Security PatchesAndVulnerabilities: NIST Recommendations For Improving SystemSecurity

October2005 NationalVulnerabilityDatabase:HelpingInformationTechnologySystemUsersAndDevelopersFindCurrentInformationAboutCyberSecurityVulnerabilities



Page ��



Risk AssessMent continued





November2003 NetworkSecurityTesting



February2002 RiskManagementGuidanceForInformationTechnologySystems


SerVIceS & acquISITIoNS

Acollectionofdocumentstoassistwithunderstandingsecurityissuesconcerningpurchasingandobtainingitems.Alsocoversconsiderationsforacquiringservices,includingassistancewithasystematanypointinitslifecycle,fromexternalsources.



SP800-97 GuidetoIEEE802.11i:RobustSecurityNetworks

SP800-85 PIVMiddlewareandPIVCardApplicationConformanceTestGuidelines







SP800-65 IntegratingSecurityintotheCapitalPlanningandInvestmentControlProcess















seRvices & Acquisitions continued



June2005 NIST’sSecurityConfigurationChecklistsProgramForITProducts


January2005 IntegratingItSecurityIntoTheCapitalPlanningAndInvestmentControlProcess


June2004 InformationTechnologySecurityServices:HowToSelect,Implement,AndManage

April2004 SelectingInformationTechnologySecurityProducts



SmarT carDS

Acollectionofdocumentsthatprovides informationoncardswithbuilt-inmicroprocessorsandmemorythatcanbeusedfor identificationpurposes.












VIruSeS & malware

Acollectionofdocumentsthatdealswithviruses,malware,andhowtohandlethem.





Page ��



hISTorIcal archIVeS

NISTdocumentsthatarenowobsoleteornearlyobsolete,duetochangesintechnologiesand/orenvironments,ordocumentsthathavehadnewerversionspublished,therebymakingtheseobsolete.Thesearelistedheremostlyforacademicandhistoricalpurposes.

SP800-29 AComparisonoftheSecurityRequirementsforCryptographicModulesinFIPS140-1andFIPS140-2

SP800-13 TelecommunicationsSecurityGuidelinesforTelecommunicationsManagementNetwork

SP800-11 TheImpactoftheFCC’sOpenNetworkArchitectureonNS/EPTelecommunicationsSecurity

SP800-10 KeepingYourSiteComfortablySecure:AnIntroductiontoInternetFirewalls

SP800-09 GoodSecurityPracticesforElectronicCommerce,IncludingElectronicDataInterchange

SP800-08 SecurityIssuesintheDatabaseLanguageSQL

SP800-07 SecurityinOpenSystems

SP800-06 AutomatedToolsforTestingComputerSystemVulnerability

SP800-05 AGuidetotheSelectionofAnti-VirusToolsandTechniques

SP800-04 ComputerSecurityConsiderationsinFederalProcurements:AGuideforProcurementInitiators

SP800-03 EstablishingaComputerSecurityIncidentResponseCapability(CSIRC)

SP800-02 Public-KeyCryptography

NISTIR6483 RandomnessTestingoftheAdvancedEncryptionStandardFinalistCandidates

NISTIR6390 RandomnessTestingoftheAdvancedEncryptionStandardCandidateAlgorithms

NISTIR5590 ProceedingsReportoftheInternationalInvitationWorkshoponDevelopmentalAssurance

NISTIR5570 AnAssessmentoftheDODGoalSecurityArchitecture(DGSA)forNon-MilitaryUse

NISTIR5540 Multi-AgencyCertificationandAccreditation(C&A)Process:AWorkedExample

NISTIR5495 ComputerSecurityTraining&AwarenessCourseCompendium

NISTIR5472 A Head Start onAssurance Proceedings of an InvitationalWorkshop on InformationTechnology (IT)Assurance andTrustworthiness

NISTIR5308 GeneralProceduresforRegisteringComputerSecurityObjects

NISTIR5283 SecurityofSQL-BasedImplementationsofProductDataExchangeUsingStep

NISTIR5234 ReportoftheNISTWorkshoponDigitalSignatureCertificateManagement,December10-11,1992

NISTIR5232 ReportoftheNSF/NISTWorkshoponNSFNET/NRENSecurity,July6-7,1992

NISTIR5153 MinimumSecurityRequirementsforMulti-UserOperatingSystems

NISTIR4976 AssessingFederalandCommercialInformationSecurityNeeds

NISTIR4939 ThreatAssessmentofMaliciousCodeandExternalAttacks

NISTIR4774 AReviewofU.S.andEuropeanSecurityEvaluationCriteria

NISTIR4749 SampleStatementsofWorkforFederalComputerSecurityServices:ForuseIn-HouseorContractingOut

NISTIR4734 FoundationsofaSecurityPolicyforuseoftheNationalResearchandEducationalNetwork

July2001 AComparisonoftheSecurityRequirementsforCryptographicModulesinFIPS140-1andFIPS140-2

October2000 AnOverviewOfTheCommonCriteriaEvaluationAndValidationScheme

July2000 IdentifyingCriticalPatchesWithICat

June2000 MitigatingEmergingHackerThreats

December1999 OperatingSystemSecurity:AddingtotheArsenalofSecurityTechniques

November1999 AcquiringandDeployingIntrusionDetectionSystems

September1999 SecuringWebServers




histoRicAl ARchives continued

August1999 TheAdvancedEncryptionStandard:AStatusReport

May1999 ComputerAttacks:WhatTheyAreandHowtoDefendAgainstThem

February1999 EnhancementstoDataEncryptionandDigitalSignatureFederalStandards

January1999 SecureWeb-BasedAccesstoHighPerformanceComputingResources

November1998 CommonCriteria:LaunchingtheInternationalStandard

September1998 CryptographyStandardsandInfrastructuresfortheTwenty-FirstCentury

June1998 TrainingforInformationTechnologySecurity:EvaluatingtheEffectivenessofResults-BasedLearning

April1998 TrainingRequirementsforInformationTechnologySecurity:AnIntroductiontoResults-BasedLearning

March1998 ManagementofRisksinInformationSystems:PracticesofSuccessfulOrganizations

February1998 InformationSecurityandtheWorldWideWeb(WWW)

November1997 InternetElectronicMail

July1997 PublicKeyInfrastructureTechnology

April1997 SecurityConsiderationsInComputerSupportAndOperations

March1997 AuditTrails

February1997 AdvancedEncryptionStandard

January1997 SecurityIssuesforTelecommuting

October1996 GenerallyAcceptedSystemSecurityPrinciples(GSSPs):GuidanceOnSecuringInformationTechnology(IT)Systems

August1996 ImplementationIssuesforCryptography

June1996 InformationSecurityPoliciesForChangingInformationTechnologyEnvironments

May1996 TheWorldWideWeb:ManagingSecurityRisks

February1996 Human/ComputerInterfaceSecurityIssue

September1995 PreparingforContingenciesandDisasters

August1995 FIPS140-1:AFrameworkforCryptographicStandards

February1995 TheDataEncryptionStandard:AnUpdate

November1994 DigitalSignatureStandard

May1994 ReducingtheRisksofInternetConnectionandUse

March1994 ThreatstoComputerSystems:AnOverview

January1994 ComputerSecurityPolicy

November1993 People:AnImportantAssetinComputerSecurity

August1993 SecurityProgramManagement

July1993 ConnectingtotheInternet:SecurityConsiderations

May1993 SecurityIssuesinPublicAccessSystems

November1992 SensitivityofInformation

October1992 DispositionofSensitiveAutomatedInformation

February1992 EstablishingaComputerSecurityIncidentHandlingCapability

November1991 AdvancedAuthenticationTechnology

February1991 ComputerSecurityRolesofNISTandNSA

August1990 ComputerVirusAttacks

Page ��

f A m i L i e S


TheFamilycategoriesareidenticaltothecontrolfamiliesfoundinFIPS200,SP800-53,andotherrelateddocuments.TheseFamilylistsmirror

thedocumentcrosswalkfromSP800-53,Revision1.

acceSS coNTrol






SP800-96 PIVCard/ReaderInteroperabilityGuidelines

SP800-87 CodesfortheIdentificationofFederalandFederallyAssistedOrganizations




SP800-77 GuidetoIPSecVPNs




SP800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability andAccountabilityAct (HIPAA)SecurityRule















Families


f A m i L i e S

awareNeSS & TraININg










auDIT & accouNTabIlITy




















cerTIfIcaTIoN, accreDITaTIoN & SecurITy aSSeSSmeNTS






Page �0

f A m i L i e S


ceRtificAtion, AccReditAtion & secuRity AssessMents continued















SP800-20 ModesofOperationValidationSystemfortheTripleDataEncryptionAlgorithm(TMOVS):RequirementsandProcedures





coNfIguraTIoN maNagemeNT



















f A m i L i e S

coNTINgeNcy plaNNINg





















IDeNTIfIcaTIoN aND auTheNTIcaTIoN








SP800-87 CodesfortheIdentificationofFederalandFederallyAssistedOrganizations









Page ��

f A m i L i e S


identificAtion And AuthenticAtion continued















INcIDeNT reSpoNSe





SP800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability andAccountabilityAct (HIPAA)SecurityRule







maINTeNaNce










f A m i L i e S

meDIa proTecTIoN













phySIcal & eNVIroNmeNTal proTecTIoN














plaNNINg








Page ��

f A m i L i e S


PlAnning continued




























perSoNNel SecurITy







f A m i L i e S

rISK aSSeSSmeNT


































Page ��

f A m i L i e S


SySTem & SerVIceS acquISITIoN





















SySTem & commuNIcaTIoN proTecTIoN




FIPS197 AdvancedEncryptionStandard







SP800-90 RecommendationforRandomNumberGenerationUsingDeterministicRandomBitGenerators




f A m i L i e S

systeM & coMMunicAtion PRotection continued








SP800-67 RecommendationfortheTripleDataEncryptionAlgorithm(TDEA)BlockCipher











SP800-38D RecommendationforBlockCipherModesofOperation:Galois/CounterMode(GCM)forConfidentialityandAuthentication






SP800-29 AComparisonoftheSecurityRequirementsforCryptographicModulesinFIPS140-1andFIPS140-2





SP800-20 ModesofOperationValidationSystemfortheTripleDataEncryptionAlgorithm(TMOVS):RequirementsandProcedures






Page ��

f A m i L i e S


SySTem & INformaTIoN INTegrITy























L e G A L r e q u i r e m e N t S

TherearecertainlegalrequirementsregardingITsecuritytowhichFederalagenciesmustadhere.Manycomefromlegislation,whileotherscome

fromPresidentialDirectivesortheOfficeofBudgetandManagement(OMB)Circulars.Hereisalistofthemajorsourcesoftheserequirements

withsupportingdocumentsfromNIST.SomeofthedocumentsareadirectresultofmandatesgiventoNIST.Othersaredocumentsdeveloped

inordertogiveguidancetoFederalagenciesinhowtocarryoutlegalrequirements.

feDeral INformaTIoN SecurITy maNagemeNT acT of 2002 (fISma)

TitleIIIoftheE-GovActof2002[PublicLaw107-347]

categorization of all information and information systems and minimum

information security requirements for each category





SP800-53 RecommendedSecurityControlsforFederalInformationSystems


SP800-37 GuidefortheSecurityCertificationandAccreditationofFederalInformationSystems


SP800-30 RiskmanagementGuideforInformationTechnologySystems

SP800-26Rev1 GuideforInformationSecurityProgramAssessmentsandSystemReportingForm

SP800-18Rev1 GuideforDevelopingSecurityPlansforInformationSystems

identification of an information system as a national security system

SP800-59 GuideforIdentifyinganInformationSystemasaNationalSecuritySystem

detection and handling of information security incidents







Legal Requirements

Page �0



Manage security incidents





Annual public report on activities undertaken in the previous year

NISTIR7285 ComputerSecurityDivision2005AnnualReport



omb cIrcular a-130: maNagemeNT of feDeral INformaTIoN reSourceS, appeNDIx III: SecurITy of feDeral auTomaTeD INformaTIoN reSourceS

Assess risks


certify and accredit systems


SP800-37 GuidefortheSecurityCertificationandAccreditationofFederalInformationSystems

develop contingency plans and procedures



Manage system configurations and security throughout the system development life cycle

SP800-64Rev1 SecurityConsiderationsintheInformationSystemDevelopmentLifeCycle




Mandates agency-wide information security program development and implementation

SP800-18,Rev1 GuideforDevelopingSecurityPlansforInformationSystems

SP800-100 InformationSecurityHandbook:AGuideforManagers




conduct security awareness training




e-goVerNmeNT acT of 2002

[PublicLaw107-347]

Mandates nist development of security standards



homelaND SecurITy preSIDeNTIal DIrecTIVe-12 (hSpD-12), commoN IDeNTIfIcaTIoN STaNDarD for feDeral employeeS aND coNTracTorS

establishes a mandatory, government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and contractors


SP800-85B PIVDataModelTestGuidelines






NISTIR7337 PersonalIdentityVerificationDemonstrationSummary




March2005 Personal IdentityVerification (PIV) Of Federal EmployeesAnd Contractors: Federal Information Processing Standard(FIPS)201

omb cIrcular a–11: preparaTIoN, SubmISSIoN, aND execuTIoN of The buDgeT

capital Planning

SP800-65 IntegratingITSecurityintotheCapitalPlanningandInvestmentControlProcess

Page ��



oTher requIremeNTS wITh SupporTINg DocumeNTS

health Insurance portability and accountability act (hIpaa)FormoreinformationaboutHIPAArequirements,pleasevisitwww.cms.hhs.gov.

Assure health information privacy and security

standardize electronic data interchange in health care transactions

SP800-66 AnIntroductoryResourceGuideforImplementingtheHealthInsurancePortabilityandAccountabilityActSecurityRule

homeland Security presidential Directive-7 (hSpD-7), critical Infrastructure Identification, prioritization, and protection FormoreinformationaboutHSPD-7,pleasevisitwww.dhs.gov.

Protect critical infrastructure





SP800-37 GuideforSecurityCertificationandAccreditationofFederalInformationSystems

SP800-53 RecommendedSecurityControlsforFederalInformationSystems



SP800-82 GuidetoSupervisoryControlandDataAcquisition(SCADA)andIndustrialControlSystemSecurity

TanyaBrewer,Editor

MatthewScholl,Editor

March 2007

disclaimer: Anymentionofcommercialproductsisforinformationonly;itdoesnotimplyNISTrecommendationorendorsement,nordoesitimplythattheproductsmentionedarenecessarilythebestavailableforthepurpose.

MichaelJames,Design/Production

TheDesignPond

March 2007

Date post:	16-Nov-2014
Category:	Documents
Upload:	sadownloader
View:	317 times
Download:	3 times