Guide: FISMA Requirements
Federal Information Security Management Act of 2002 (FISMA)
Contents
- 1 Categorization of all information and information systems and minimum information security requirements for each category
- 2 Identification of an information system as a national security system
- 3 Detection and handling of information security incidents
- 4 Manage security incidents
- 5 Annual public report on activities undertaken in the previous year
Categorization of all information and information systems and minimum information security requirements for each category
Document | Title |
---|---|
NIST FIPS 199 | Standards for Security Categorization of Federal Information and Information Systems |
NIST FIPS 200 | Security Controls for Federal Information Systems |
NIST SP 800-18 Rev. 1 | Guide for Developing Security Plans for Federal Information Systems |
NIST SP 800-30 | Risk Management Guide for Information Technology Systems |
NIST SP 800-34 | Contingency Planning Guide for Information Technology Systems |
NIST SP 800-37 | Guide for the Security Certification and Accreditation of Federal Information Systems |
NIST SP 800-37 Rev. 1 | DRAFT Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach |
NIST SP 800-44 Version 2 | Guidelines on Securing Public Web Servers |
NIST SP 800-53 Rev. 1 | Recommended Security Controls for Federal Information Systems |
NIST SP 800-53 Rev. 2 | Recommended Security Controls for Federal Information Systems |
NIST SP 800-53 Rev. 3 | Recommended Security Controls for Federal Information Systems and Organizations |
NIST SP 800-53A | Guide for Assessing the Security Controls in Federal Information Systems |
NIST SP 800-60 Rev. 1 | Guide for Mapping Types of Information and Information Systems to Security Categories (2 volumes: Volume 1, Guide; Volume 2, Appendices) |
NIST SP 800-70 Rev. 1 | National Checklist Program for IT Products: Guidelines for Checklist Users and Developers |
NIST SP 800-76-1 | Biometric Data Specification for Personal Identity Verification |
NIST SP 800-78-1 | Cryptographic Algorithms and Key Sizes for Personal Identity Verification |
NIST SP 800-117 | DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP) |
NIST SP 800-126 | DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP) |
NIST IR 7328 | DRAFT Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems |
NIST IR 7516 | Forensic Filtering of Cell Phone Protocols |
NIST ITL 1999-04 | Guide for Developing Security Plans for Information Technology Systems |
NIST ITL 2006-03 | Minimum Security Requirements for Federal Information and Information Systems: Federal Information Processing Standard (FIPS) 200 Approved by the Secretary of Commerce |
NIST ITL 2006-06 | Domain Name System (DNS) Services: NIST Recommendations for Secure Deployment |
Identification of an information system as a national security system
Document | Title |
---|---|
NIST SP 800-53 Rev. 1 | Recommended Security Controls for Federal Information Systems |
NIST SP 800-53 Rev. 2 | Recommended Security Controls for Federal Information Systems |
NIST SP 800-53 Rev. 3 | Recommended Security Controls for Federal Information Systems and Organizations |
NIST SP 800-59 | Guideline for Identifying an Information System as a National Security System |
NIST ITL 2006-04 | Protecting Sensitive Information Transmitted in Public Networks |
NIST ITL 2006-05 | An Update on Cryptographic Standards, Guidelines, and Testing Requirements |
NIST ITL 2006-06 | Domain Name System (DNS) Services: NIST Recommendations for Secure Deployment |
Detection and handling of information security incidents
Document | Title |
---|---|
NIST FIPS 140-1 | Security Requirements for Cryptographic Modules |
NIST FIPS 140-2 | Security Requirements for Cryptographic Modules |
NIST FIPS 140-3 | DRAFT Security Requirements for Cryptographic Modules |
NIST FIPS 180-3 | Secure Hash Standard (SHS) |
NIST FIPS 198-1 | The Keyed-Hash Message Authentication Code (HMAC) |
NIST SP 800-44 Version 2 | Guidelines on Securing Public Web Servers |
NIST SP 800-48 Rev. 1 | Guide to Securing Legacy IEEE 802.11 Wireless Networks |
NIST SP 800-51 | Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme |
NIST SP 800-53 Rev. 1 | Recommended Security Controls for Federal Information Systems |
NIST SP 800-53 Rev. 2 | Recommended Security Controls for Federal Information Systems |
NIST SP 800-53 Rev. 3 | Recommended Security Controls for Federal Information Systems and Organizations |
NIST SP 800-54 | Border Gateway Protocol Security |
NIST SP 800-61 | Computer Security Incident Handling Guide |
NIST SP 800-61 Rev. 1 | Computer Security Incident Handling Guide |
NIST SP 800-63 Version 1.0.2 | Electronic Authentication Guideline |
NIST SP 800-76-1 | Biometric Data Specification for Personal Identity Verification |
NIST SP 800-78-1 | Cryptographic Algorithms and Key Sizes for Personal Identity Verification |
NIST SP 800-83 | Guide to Malware Incident Prevention and Handling |
NIST SP 800-84 | Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities |
NIST SP 800-86 | Guide to Integrating Forensic Techniques into Incident Response |
NIST SP 800-94 | Guide to Intrusion Detection and Prevention Systems (IDPS) |
NIST SP 800-98 | Guidelines for Securing Radio Frequency Identification (RFID) Systems |
NIST SP 800-101 | Guidelines on Cell Phone Forensics |
NIST SP 800-103 | DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation |
NIST SP 800-104 | A Scheme for PIV Visual Card Topography |
NIST SP 800-106 | Randomized Hashing for Digital Signatures |
NIST SP 800-107 | Recommendation for Applications Using Approved Hash Algorithms |
NIST SP 800-111 | Guide to Storage Encryption Technologies for End User Devices |
NIST SP 800-113 | Guide to SSL VPNs |
NIST SP 800-114 | User's Guide to Securing External Devices for Telework and Remote Access |
NIST SP 800-117 | DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP) |
NIST SP 800-126 | DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP) |
NIST SB 2005-12 | Preventing and Handling Malware Incidents: How to Protect Information Technology Systems from Malicious Code and Software |
NIST ITL 2005-12 | Preventing and Handling Malware Incidents: How to Protect Information Technology Systems from Malicious Code and Software |
NIST ITL 2006-04 | Protecting Sensitive Information Transmitted in Public Networks |
NIST ITL 2006-05 | An Update on Cryptographic Standards, Guidelines, and Testing Requirements |
NIST ITL 2006-08 | Protecting Sensitive Information Processed and Stored in Information Technology (IT) Systems |
NIST ITL 2006-09 | Forensic Techniques: Helping Organizations Improve Their Responses to Information Security Incidents |
NIST ITL 2006-10 | Log Management: Using Computer and Network Records to Improve Information Security |
NIST ITL 2006-12 | Maintaining Effective Information Technology (IT) Security Through Test, Training, and Exercise Programs |
NIST ITL 2007-01 | Security Controls for Information Systems: Revised Guidelines Issued by NIST |
NIST ITL 2007-02 | Intrusion Detection and Prevention Systems |
NIST ITL 2007-04 | Securing Wireless Networks |
NIST ITL 2007-05 | Securing Radio Frequency Identification (RFID) Systems |
NIST ITL 2007-06 | Forensic Techniques for Cell Phones |
Manage security incidents
Document | Title |
---|---|
NIST SP 800-44 Version 2 | Guidelines on Securing Public Web Servers |
NIST SP 800-51 | Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme |
NIST SP 800-53 Rev. 1 | Recommended Security Controls for Federal Information Systems |
NIST SP 800-53 Rev. 2 | Recommended Security Controls for Federal Information Systems |
NIST SP 800-53 Rev. 3 | Recommended Security Controls for Federal Information Systems and Organizations |
NIST SP 800-54 | Border Gateway Protocol Security |
NIST SP 800-61 | Computer Security Incident Handling Guide |
NIST SP 800-61 Rev. 1 | Computer Security Incident Handling Guide |
NIST SP 800-83 | Guide to Malware Incident Prevention and Handling |
NIST SP 800-86 | Guide to Integrating Forensic Techniques into Incident Response |
NIST SP 800-94 | Guide to Intrusion Detection and Prevention Systems (IDPS) |
NIST SP 800-101 | Guidelines on Cell Phone Forensics |
NIST SP 800-122 | DRAFT Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) |
NIST ITL 2006-04 | Protecting Sensitive Information Transmitted in Public Networks |
NIST ITL 2006-05 | An Update on Cryptographic Standards, Guidelines, and Testing Requirements |
NIST ITL 2006-09 | Forensic Techniques: Helping Organizations Improve Their Responses to Information Security Incidents |
NIST ITL 2006-10 | Log Management: Using Computer and Network Records to Improve Information Security |
NIST ITL 2006-12 | Maintaining Effective Information Technology (IT) Security Through Test, Training, and Exercise Programs |
NIST ITL 2007-01 | Security Controls for Information Systems: Revised Guidelines Issued by NIST |
NIST ITL 2007-02 | Intrusion Detection and Prevention Systems |
NIST ITL 2007-06 | Forensic Techniques for Cell Phones |
Annual public report on activities undertaken in the previous year
Document | Title |
---|---|
NIST IR 7111 | Computer Security Division 2003 Annual Report |
NIST IR 7219 | Computer Security Division 2004 Annual Report |
NIST IR 7285 | Computer Security Division 2005 Annual Report |
NIST IR 7399 | Computer Security Division 2006 Annual Report |
NIST IR 7442 | Computer Security Division 2007 Annual Report |
NIST IR 7536 | Computer Security Division 2008 Annual Report |
Original source for tables: Guide to NIST Security Documents.