NIST SP 800-53r2 Appendix A

From FISMApedia

APPENDIX A

REFERENCES

LAWS, POLICIES, DIRECTIVES, REGULATIONS, MEMORANDA, STANDARDS, AND GUIDELINES


LEGISLATION


1. E-Government Act (includes FISMA) (P.L. 107-347), December 2002.

2. Federal Information Security Management Act (P.L. 107-347, Title III), December 2002.

3. Paperwork Reduction Act (P.L. 104-13), May 1995.

4. USA PATRIOT Act (P.L. 107-56), October 2001.

5. Privacy Act of 1974 (P.L. 93-579), December 1974.


POLICIES, DIRECTIVES, REGULATIONS, AND MEMORANDA


6. Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106).

7. Code of Federal Regulations, Part 5, Administrative Personnel, Subpart C, Employees Responsible for the Management or Use of Federal Computer Systems, Sections 930.301 through 930.305 (5 C.F.R. 930.301-305).

8. Office of Management and Budget, Circular A-130, Appendix III, Transmittal Memorandum #4, Management of Federal Information Resources, November 2000.

9. Office of Management and Budget, Federal Enterprise Architecture Program Management Office, Business Reference Model (v2.0), June 2003.

10. Office of Management and Budget Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, October 2001.

11. Director of Central Intelligence Directive 6/3 Policy, Protecting Sensitive Compartmented Information within Information Systems, June 1999.

12. Director of Central Intelligence Directive 6/3 Manual, Protecting Sensitive Compartmented Information within Information Systems, May 2000.

13. Department of Defense Instruction 8500.2, Information Assurance Implementation, February 2003.

14. Office of Management and Budget Memorandum M-03-19, Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting, August 2003.

15. Office of Management and Budget Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 2003.

16. Office of Management and Budget Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, December 2003.

17. Office of Management and Budget Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005.

18. Office of Management and Budget Memorandum M-06-16, Protection of Sensitive Information, June 2006.

19. Office of Management and Budget Memorandum M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 2006.


STANDARDS


20. International Organization for Standardization/International Electrotechnical Commission 27001, Information Security Management System Requirements, October 2005.

21. International Organization for Standardization/International Electrotechnical Commission 17799, Code of Practice for Information Security Management, June 2005.

22. National Institute of Standards and Technology Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules, May 2001.

National Institute of Standards and Technology Federal Information Processing Standards Publication 140-3 (Draft), Security Requirements for Cryptographic Modules, July 2007.

23. National Institute of Standards and Technology Federal Information Processing Standards Publication 180-2, Secure Hash Standard (SHS), August 2002.

National Institute of Standards and Technology Federal Information Processing Standards Publication 180-3 (Draft), Secure Hash Standard (SHS), June 2007.

24. National Institute of Standards and Technology Federal Information Processing Standards Publication 186-2, Digital Signature Standard (DSS), January 2000.

National Institute of Standards and Technology Federal Information Processing Standards Publication 186-3 (Draft), Digital Signature Standard (DSS), March 2006.

25. National Institute of Standards and Technology Federal Information Processing Standards Publication 188, Standard Security Labels for Information Transfer, September 1994.

26. National Institute of Standards and Technology Federal Information Processing Standards Publication 190, Guideline for the Use of Advanced Authentication Technology Alternatives, September 1994.

27. National Institute of Standards and Technology Federal Information Processing Standards Publication 197, Advanced Encryption Standard (AES), November 2001.

28. National Institute of Standards and Technology Federal Information Processing Standards Publication 198, The Keyed-Hash Message Authentication Code (HMAC), March 2002.

National Institute of Standards and Technology Federal Information Processing Standards Publication 198-1 (Draft), The Keyed-Hash Message Authentication Code (HMAC), June 2007.

29. National Institute of Standards and Technology Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.

30. National Institute of Standards and Technology Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006.

31. National Institute of Standards and Technology Federal Information Processing Standards Publication 201-1, Personal Identity Verification of Federal Employees and Contractors, March 2006.

32. Committee for National Security Systems (CNSS) Instruction 4009, National Information Assurance Glossary, June 2006.

33. National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 7003, Protective Distribution Systems (PDS), December 1996.


GUIDELINES


34. National Institute of Standards and Technology Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995.

35. National Institute of Standards and Technology Special Publication 800-13, Telecommunications Security Guidelines for Telecommunications Management Network, October 1995.

36. National Institute of Standards and Technology Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996.

37. National Institute of Standards and Technology Special Publication 800-15, Minimum Interoperability Specification for PKI Components (MISPC), Version 1, September 1997.

38. National Institute of Standards and Technology Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, April 1998.

39. National Institute of Standards and Technology Special Publication 800-17, Modes of Operation Validation System (MOVS): Requirements and Procedures, February 1998.

40. National Institute of Standards and Technology Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.

41. National Institute of Standards and Technology Special Publication 800-19, Mobile Agent Security, October 1999.

42. National Institute of Standards and Technology Special Publication 800-20 (Revised), Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures, April 2000.

43. National Institute of Standards and Technology Special Publication 800-21-1, Second Edition, Guideline for Implementing Cryptography in the Federal Government, December 2005.

44. National Institute of Standards and Technology Special Publication 800-22 (Revised), A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, May 2001.

45. National Institute of Standards and Technology Special Publication 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, August 2000.

46. National Institute of Standards and Technology Special Publication 800-24, PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does, August 2000.

47. National Institute of Standards and Technology Special Publication 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, October 2000.

48. National Institute of Standards and Technology Special Publication 800-27, Revision A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2004.

49. National Institute of Standards and Technology Special Publication 800-28, Guidelines on Active Content and Mobile Code, October 2001.

50. National Institute of Standards and Technology Special Publication 800-29, A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2, June 2001.

51. National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002.

52. National Institute of Standards and Technology Special Publication 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure, February 2001.

53. National Institute of Standards and Technology Special Publication 800-33, Underlying Technical Models for Information Technology Security, December 2001.

54. National Institute of Standards and Technology Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, June 2002.

55. National Institute of Standards and Technology Special Publication 800-35, Guide to Information Technology Security Services, October 2003.

56. National Institute of Standards and Technology Special Publication 800-36, Guide to Selecting Information Security Products, October 2003.

57. National Institute of Standards and Technology Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.

58. National Institute of Standards and Technology Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques, December 2001.

59. National Institute of Standards and Technology Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, May 2005.

60. National Institute of Standards and Technology Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality, May 2004.

61. National Institute of Standards and Technology Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication, November 2007.

62. National Institute of Standards and Technology Special Publication 800-39 (Initial Public Draft), Managing Risk from Information Systems: An Organizational Perspective, October 2007.

63. National Institute of Standards and Technology Special Publication 800-40, Version 2, Creating a Patch and Vulnerability Management Program, November 2005.

64. National Institute of Standards and Technology Special Publication 800-41, Guidelines on Firewalls and Firewall Policy, January 2002.

65. National Institute of Standards and Technology Special Publication 800-42, Guideline on Network Security Testing, October 2003.

66. National Institute of Standards and Technology Special Publication 800-43, Systems Administration Guidance for Windows 2000 Professional, November 2002.

67. National Institute of Standards and Technology Special Publication 800-44, Version 2, Guidelines on Securing Public Web Servers, September 2007.

68. National Institute of Standards and Technology Special Publication 800-45, Version 2, Guidelines on Electronic Mail Security, February 2007.

69. National Institute of Standards and Technology Special Publication 800-46, Security for Telecommuting and Broadband Communications, August 2002.

70. National Institute of Standards and Technology Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002.

71. National Institute of Standards and Technology Special Publication 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices, November 2002.

National Institute of Standards and Technology Special Publication 800-48, Revision 1 (Draft), Wireless Network Security for IEEE 802.11a/b/g and Bluetooth, August 2007.

72. National Institute of Standards and Technology Special Publication 800-49, Federal S/MIME V3 Client Profile, November 2002.

73. National Institute of Standards and Technology Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, October 2003.

74. National Institute of Standards and Technology Special Publication 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, September 2002.

75. National Institute of Standards and Technology Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, June 2005.

76. National Institute of Standards and Technology Special Publication 800-53A (Final Public Draft), Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans, December 2007.

77. National Institute of Standards and Technology Special Publication 800-54, Border Gateway Protocol Security, June 2007.

78. National Institute of Standards and Technology Special Publication 800-55, Security Metrics Guide for Information Technology Systems, July 2003.

National Institute of Standards and Technology Special Publication 800-55, Revision 1 (Draft), Performance Measurement Guide for Information Security, September 2007.

79. National Institute of Standards and Technology Special Publication 800-56A (Revised), Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, March 2007.

80. National Institute of Standards and Technology Special Publication 800-57 (Revised), Recommendation on Key Management, Part I: General, March 2007.

81. National Institute of Standards and Technology Special Publication 800-58, Security Considerations for Voice Over IP Systems, January 2005.

82. National Institute of Standards and Technology Special Publication 800-59, Guideline for Identifying an Information System as a National Security System, August 2003.

83. National Institute of Standards and Technology Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004.

National Institute of Standards and Technology Special Publication 800-60, Revision 1 (Draft), Guide for Mapping Types of Information and Information Systems to Security Categories, November 2007.

84. National Institute of Standards and Technology Special Publication 800-61, Computer Security Incident Handling Guide, January 2004.

National Institute of Standards and Technology Special Publication 800-61, Revision 1 (Draft), Computer Security Incident Handling Guide, September 2007.

85. National Institute of Standards and Technology Special Publication 800-63, Version 1.0.2, Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Guidelines, April 2006.

86. National Institute of Standards and Technology Special Publication 800-64, Revision 1, Security Considerations in the Information System Development Life Cycle, June 2004.

87. National Institute of Standards and Technology Special Publication 800-65, Integrating Security into the Capital Planning and Investment Control Process, January 2005.

88. National Institute of Standards and Technology Special Publication 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, March 2005.

89. National Institute of Standards and Technology Special Publication 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, May 2004.

90. National Institute of Standards and Technology Special Publication 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist, October 2005.

91. National Institute of Standards and Technology Special Publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist, September 2006.

92. National Institute of Standards and Technology Special Publication 800-70, Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers, May 2005.

93. National Institute of Standards and Technology Special Publication 800-72, Guidelines on PDA Forensics, November 2004.

94. National Institute of Standards and Technology Special Publication 800-73, Revision 1, Interfaces for Personal Identity Verification, March 2006.

National Institute of Standards and Technology Special Publication 800-73-2 (Draft), Interfaces for Personal Identity Verification, October 2007.

95. National Institute of Standards and Technology Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification, January 2007.

96. National Institute of Standards and Technology Special Publication 800-77, Guide to IPsec VPNs, December 2005.

97. National Institute of Standards and Technology Special Publication 800-78-1, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, August 2007.

98. National Institute of Standards and Technology Special Publication 800-79, Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, July 2005.

99. National Institute of Standards and Technology Special Publication 800-81, Secure Domain Name System (DNS) Deployment Guide, May 2006.

100. National Institute of Standards and Technology Special Publication 800-82 (Second Public Draft), Guide to Industrial Control Systems (ICS) Security, September 2007.

101. National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling, November 2005.

102. National Institute of Standards and Technology Special Publication 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, September 2006.

103. National Institute of Standards and Technology Special Publication 800-85A, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 Compliance), April 2006.

104. National Institute of Standards and Technology Special Publication 800-85B, PIV Data Model Test Guidelines, July 2006.

105. National Institute of Standards and Technology Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response, August 2006.

106. National Institute of Standards and Technology Special Publication 800-87, Codes for the Identification of Federal and Federally-Assisted Organizations, March 2007.

107. National Institute of Standards and Technology Special Publication 800-88, Guidelines For Media Sanitization, September 2006.

108. National Institute of Standards and Technology Special Publication 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications, November 2006.

109. National Institute of Standards and Technology Special Publication 800-90 (Revised), Recommendation for Random Number Generation Using Deterministic Random Bit Generators, March 2007.

110. National Institute of Standards and Technology Special Publication 800-92, Guide to Computer Security Log Management, September 2006.

111. National Institute of Standards and Technology Special Publication 800-94, Guide to Intrusion Detection and Prevention (IDP) Systems, February 2007.

112. National Institute of Standards and Technology Special Publication 800-95, Guide to Secure Web Services, August 2007.

113. National Institute of Standards and Technology Special Publication 800-96, PIV Card / Reader Interoperability Guidelines, September 2006.

114. National Institute of Standards and Technology Special Publication 800-97, Establishing Robust Security Networks: A Guide to IEEE 802.11i, February 2007.

115. National Institute of Standards and Technology Special Publication 800-98, Guidance for Securing Radio Frequency Identification (RFID) Systems, April 2007.

116. National Institute of Standards and Technology Special Publication 800-100, Information Security Handbook: A Guide for Managers, October 2006.

117. National Institute of Standards and Technology Special Publication 800-101, Guidelines on Cell Phone Forensics, May 2007.

118. National Institute of Standards and Technology Special Publication 800-103 (Draft), An Ontology of Identity Credentials, Part I: Background and Formulation, October 2006.

119. National Institute of Standards and Technology Special Publication 800-104, A Scheme for PIV Visual Card Topography, June 2007.

120. National Institute of Standards and Technology Special Publication 800-106 (Draft), Randomized Hashing Digital Signatures, July 2007.

121. National Institute of Standards and Technology Special Publication 800-107 (Draft), Recommendation for Using Approved Hash Algorithms, July 2007.

122. National Institute of Standards and Technology Special Publication 800-110 (Draft), Information System Security Reference Data Model, September 2007.

123. National Institute of Standards and Technology Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, August 2007.

124. National Institute of Standards and Technology Special Publication 800-113 (Draft), Guide to SSL VPNs, August 2007.

125. National Institute of Standards and Technology Special Publication 800-114, User's Guide to Securing External Devices for Telework and Remote Access, November 2007.

126. National Institute of Standards and Technology Special Publication 800-115 (Draft), Technical Guide to Information Security Testing, November 2007.


MISCELLANEOUS PUBLICATIONS


127. Department of Health and Human Services Centers for Medicare and Medicaid Services (CMS), Core Set of Security Requirements, February 2004.

128. Government Accountability Office, Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6, January 1999.