NIST SP 800-53r3 Appendix A

From FISMApedia

APPENDIX A

REFERENCES

LAWS, POLICIES, DIRECTIVES, REGULATIONS, MEMORANDA, STANDARDS, AND GUIDELINES


LEGISLATION

1. E-Government Act [includes FISMA] (P.L. 107-347), December 2002.

2. Federal Information Security Management Act (P.L. 107-347, Title III), December 2002.

3. Paperwork Reduction Act (P.L. 104-13), May 1995.

4. USA PATRIOT Act (P.L. 107-56), October 2001.

5. Privacy Act of 1974 (P.L. 93-579), December 1974.

6. Freedom of Information Act (FOIA), 5 U.S.C. § 552, as amended by Public Law No. 104-231, 110 Stat. 3048, Electronic Freedom of Information Act Amendments of 1996.

7. Health Insurance Portability and Accountability Act (P.L. 104-191), August 1996.

8. The Atomic Energy Act of 1954 (P.L. 83-703), August 1954.

POLICIES, DIRECTIVES, REGULATIONS, AND MEMORANDA

1. Code of Federal Regulations, Title 5, Administrative Personnel, Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106).

2. Code of Federal Regulations, Title 5, Administrative Personnel, Subpart C—Employees Responsible for the Management or Use of Federal Computer Systems, Sections 930.301 through 930.305 (5 C.F.R. 930.301-305).

3. Director of Central Intelligence Directive 6/9, Physical Security Standards for Sensitive Compartmented Information Facilities, November 2002.

4. Federal Continuity Directive 1 (FCD 1), Federal Executive Branch National Continuity Program and Requirements, February 2008.

5. Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, December 2003.

6. Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004.

7. Intelligence Community Directive Number 704, Personnel Security Standards and Procedures Governing Eligibility for Access to Sensitive Compartmented Information and Other Controlled Access Program Information, October 2008.

8. Office of Management and Budget, Circular A-130, Appendix III, Transmittal Memorandum #4, Management of Federal Information Resources, November 2000.

9. Office of Management and Budget, Federal Enterprise Architecture Program Management Office, FEA Consolidated Reference Model Document, Version 2.3, October 2007.

10. Office of Management and Budget, Federal Segment Architecture Methodology (FSAM), January 2009.

11. Office of Management and Budget Memorandum M-01-05, Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy, December 2000.

12. Office of Management and Budget Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, October 2001.

13. Office of Management and Budget Memorandum M-03-19, Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting, August 2003.

14. Office of Management and Budget Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 2003.

15. Office of Management and Budget Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, December 2003.

16. Office of Management and Budget Memorandum M-04-26, Personal Use Policies and File Sharing Technology, September 2004.

17. Office of Management and Budget Memorandum M-05-08, Designation of Senior Agency Officials for Privacy, February 2005.

18. Office of Management and Budget Memorandum M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12—Policy for a Common Identification Standard for Federal Employees and Contractors, August 2005.

19. Office of Management and Budget Memorandum M-06-15, Safeguarding Personally Identifiable Information, May 2006.

20. Office of Management and Budget Memorandum M-06-16, Protection of Sensitive Information, June 2006.

21. Office of Management and Budget Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 2006.

22. Office of Management and Budget Memorandum, Recommendations for Identity Theft Related Data Breach Notification Guidance, September 2006.

23. Office of Management and Budget Memorandum M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems, March 2007.

24. Office of Management and Budget Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 2007.

25. Office of Management and Budget Memorandum M-07-18, Ensuring New Acquisitions Include Common Security Configurations, June 2007.

26. Office of Management and Budget Memorandum M-08-09, New FISMA Privacy Reporting Requirements for FY 2008, January 2008.

27. Office of Management and Budget Memorandum M-08-21, FY08 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, July 2008.

28. Office of Management and Budget Memorandum M-08-22, Guidance on the Federal Desktop Core Configuration (FDCC), August 2008.

29. Office of Management and Budget Memorandum M-08-23, Securing the Federal Government's Domain Name System Infrastructure, August 2008.

30. The White House, Office of the Press Secretary, Designation and Sharing of Controlled Unclassified Information (CUI), May 2008.

31. The White House, Office of the Press Secretary, Classified Information and Controlled Unclassified Information, May 2009.

STANDARDS

1. International Organization for Standardization/International Electrotechnical Commission 27001, Information Security Management System Requirements, October 2005.

2. International Organization for Standardization/International Electrotechnical Commission 15408-1, Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 1: Introduction and general model, October 2005.

3. International Organization for Standardization/International Electrotechnical Commission 15408-2, Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 2: Security functional requirements, October 2005.

4. International Organization for Standardization/International Electrotechnical Commission 15408-3, Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 3: Security assurance requirements, October 2005.

5. National Institute of Standards and Technology Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules, May 2001; and National Institute of Standards and Technology Federal Information Processing Standards Publication 140-3 (Draft), Security Requirements for Cryptographic Modules, July 2007.

6. National Institute of Standards and Technology Federal Information Processing Standards Publication 180-3, Secure Hash Standard (SHS), October 2008.

7. National Institute of Standards and Technology Federal Information Processing Standards Publication 186-3, Digital Signature Standard (DSS), June 2009.

8. National Institute of Standards and Technology Federal Information Processing Standards Publication 188, Standard Security Labels for Information Transfer, September 1994.

9. National Institute of Standards and Technology Federal Information Processing Standards Publication 190, Guideline for the Use of Advanced Authentication Technology Alternatives, September 1994.

10. National Institute of Standards and Technology Federal Information Processing Standards Publication 197, Advanced Encryption Standard (AES), November 2001.

11. National Institute of Standards and Technology Federal Information Processing Standards Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), July 2008.

12. National Institute of Standards and Technology Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.

13. National Institute of Standards and Technology Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006.

14. National Institute of Standards and Technology Federal Information Processing Standards Publication 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006.

15. Committee for National Security Systems (CNSS) Instruction 4009, National Information Assurance Glossary, June 2006.

16. National Security Telecommunications and Information Systems Security Instruction (NSTISSI) 7003, Protective Distribution Systems (PDS), December 1996.

GUIDELINES

1. National Institute of Standards and Technology Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995.

2. National Institute of Standards and Technology Special Publication 800-13, Telecommunications Security Guidelines for Telecommunications Management Network, October 1995.

3. National Institute of Standards and Technology Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996.

4. National Institute of Standards and Technology Special Publication 800-15, Minimum Interoperability Specification for PKI Components (MISPC), Version 1, September 1997.

5. National Institute of Standards and Technology Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, April 1998.

6. National Institute of Standards and Technology Special Publication 800-17, Modes of Operation Validation System (MOVS): Requirements and Procedures, February 1998.

7. National Institute of Standards and Technology Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.

8. National Institute of Standards and Technology Special Publication 800-19, Mobile Agent Security, October 1999.

9. National Institute of Standards and Technology Special Publication 800-20, Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures, April 2000.

10. National Institute of Standards and Technology Special Publication 800-21-1, Second Edition, Guideline for Implementing Cryptography in the Federal Government, December 2005.

11. National Institute of Standards and Technology Special Publication 800-22, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, May 2001.

12. National Institute of Standards and Technology Special Publication 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, August 2000.

13. National Institute of Standards and Technology Special Publication 800-24, PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does, August 2000.

14. National Institute of Standards and Technology Special Publication 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, October 2000.

15. National Institute of Standards and Technology Special Publication 800-27, Revision A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2004.

16. National Institute of Standards and Technology Special Publication 800-28, Version 2, Guidelines on Active Content and Mobile Code, March 2008.

17. National Institute of Standards and Technology Special Publication 800-29, A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2, June 2001.

18. National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002.

19. National Institute of Standards and Technology Special Publication 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure, February 2001.

20. National Institute of Standards and Technology Special Publication 800-33, Underlying Technical Models for Information Technology Security, December 2001.

21. National Institute of Standards and Technology Special Publication 800-34, Contingency Planning Guide for Information Technology Systems, June 2002.

22. National Institute of Standards and Technology Special Publication 800-35, Guide to Information Technology Security Services, October 2003.

23. National Institute of Standards and Technology Special Publication 800-36, Guide to Selecting Information Security Products, October 2003.

24. National Institute of Standards and Technology Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004.

25. National Institute of Standards and Technology Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques, December 2001.

26. National Institute of Standards and Technology Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, May 2005.

27. National Institute of Standards and Technology Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality, May 2004.

28. National Institute of Standards and Technology Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication, November 2007.

29. National Institute of Standards and Technology Special Publication 800-39 (Second Public Draft), Managing Risk from Information Systems: An Organizational Perspective, April 2008.

30. National Institute of Standards and Technology Special Publication 800-40, Version 2, Creating a Patch and Vulnerability Management Program, November 2005.

31. National Institute of Standards and Technology Special Publication 800-41, Revision 1 (Draft), Guidelines on Firewalls and Firewall Policy, July 2008.

32. National Institute of Standards and Technology Special Publication 800-43, Systems Administration Guidance for Windows 2000 Professional, November 2002.

33. National Institute of Standards and Technology Special Publication 800-44, Version 2, Guidelines on Securing Public Web Servers, September 2007.

34. National Institute of Standards and Technology Special Publication 800-45, Version 2, Guidelines on Electronic Mail Security, February 2007.

35. National Institute of Standards and Technology Special Publication 800-46, Revision 1, Guide to Enterprise Telework and Remote Access Security, June 2009.

36. National Institute of Standards and Technology Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002.

37. National Institute of Standards and Technology Special Publication 800-48, Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, July 2008.

38. National Institute of Standards and Technology Special Publication 800-49, Federal S/MIME V3 Client Profile, November 2002.

39. National Institute of Standards and Technology Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, October 2003.

40. National Institute of Standards and Technology Special Publication 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, September 2002.

41. National Institute of Standards and Technology Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, June 2005.

42. National Institute of Standards and Technology Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems: Building Effective Security Assessment Plans, July 2008.

43. National Institute of Standards and Technology Special Publication 800-54, Border Gateway Protocol Security, July 2007.

44. National Institute of Standards and Technology Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security, July 2008.

45. National Institute of Standards and Technology Special Publication 800-56A (Revised), Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, March 2007.

46. National Institute of Standards and Technology Special Publication 800-57 (Revised), Recommendation for Key Management, March 2007.

47. National Institute of Standards and Technology Special Publication 800-58, Security Considerations for Voice Over IP Systems, January 2005.

48. National Institute of Standards and Technology Special Publication 800-59, Guideline for Identifying an Information System as a National Security System, August 2003.

49. National Institute of Standards and Technology Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008.

50. National Institute of Standards and Technology Special Publication 800-61, Revision 1, Computer Security Incident Handling Guide, March 2008.

51. National Institute of Standards and Technology Special Publication 800-63-1 (Draft), Electronic Authentication Guideline, December 2008.

52. National Institute of Standards and Technology Special Publication 800-64, Revision 2, Security Considerations in the System Development Life Cycle, October 2008.

53. National Institute of Standards and Technology Special Publication 800-65, Integrating Security into the Capital Planning and Investment Control Process, January 2005.

54. National Institute of Standards and Technology Special Publication 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, October 2008.

55. National Institute of Standards and Technology Special Publication 800-67, Version 1.1, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, May 2008.

56. National Institute of Standards and Technology Special Publication 800-68, Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist, October 2008.

57. National Institute of Standards and Technology Special Publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist, September 2006.

58. National Institute of Standards and Technology Special Publication 800-70, Revision 1 (Draft), National Checklist Program for IT Products -- Guidelines for Checklist Users and Developers, September 2008.

59. National Institute of Standards and Technology Special Publication 800-72, Guidelines on PDA Forensics, November 2004.

60. National Institute of Standards and Technology Special Publication 800-73-2, Interfaces for Personal Identity Verification, September 2008.

61. National Institute of Standards and Technology Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification, January 2007.

62. National Institute of Standards and Technology Special Publication 800-77, Guide to IPsec VPNs, December 2005.

63. National Institute of Standards and Technology Special Publication 800-78-1, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, August 2007.

64. National Institute of Standards and Technology Special Publication 800-79-1, Guidelines for the Accreditation of Personal Identity Verification Card Issuers, June 2008.

65. National Institute of Standards and Technology Special Publication 800-81, Secure Domain Name System (DNS) Deployment Guide, May 2006.

66. National Institute of Standards and Technology Special Publication 800-82 (Final Public Draft), Guide to Industrial Control Systems (ICS) Security, September 2008.

67. National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling, November 2005.

68. National Institute of Standards and Technology Special Publication 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, September 2006.

69. National Institute of Standards and Technology Special Publication 800-85A-1, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 Compliance), March 2009.

70. National Institute of Standards and Technology Special Publication 800-85B, PIV Data Model Test Guidelines, July 2006.

71. National Institute of Standards and Technology Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response, August 2006.

72. National Institute of Standards and Technology Special Publication 800-87, Revision 1, Codes for the Identification of Federal and Federally-Assisted Organizations, April 2008.

73. National Institute of Standards and Technology Special Publication 800-88, Guidelines for Media Sanitization, September 2006.

74. National Institute of Standards and Technology Special Publication 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications, November 2006.

75. National Institute of Standards and Technology Special Publication 800-90 (Revised), Recommendation for Random Number Generation Using Deterministic Random Bit Generators, March 2007.

76. National Institute of Standards and Technology Special Publication 800-92, Guide to Computer Security Log Management, September 2006.

77. National Institute of Standards and Technology Special Publication 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), February 2007.

78. National Institute of Standards and Technology Special Publication 800-95, Guide to Secure Web Services, August 2007.

79. National Institute of Standards and Technology Special Publication 800-96, PIV Card / Reader Interoperability Guidelines, September 2006.

80. National Institute of Standards and Technology Special Publication 800-97, Establishing Robust Security Networks: A Guide to IEEE 802.11i, February 2007.

81. National Institute of Standards and Technology Special Publication 800-98, Guidance for Securing Radio Frequency Identification (RFID) Systems, April 2007.

82. National Institute of Standards and Technology Special Publication 800-100, Information Security Handbook: A Guide for Managers, October 2006.

83. National Institute of Standards and Technology Special Publication 800-101, Guidelines on Cell Phone Forensics, May 2007.

84. National Institute of Standards and Technology Special Publication 800-103 (Draft), An Ontology of Identity Credentials, Part I: Background and Formulation, October 2006.

85. National Institute of Standards and Technology Special Publication 800-104, A Scheme for PIV Visual Card Topography, June 2007.

86. National Institute of Standards and Technology Special Publication 800-106, Randomized Hashing Digital Signatures, February 2009.

87. National Institute of Standards and Technology Special Publication 800-107, Recommendation for Using Approved Hash Algorithms, February 2009.

88. National Institute of Standards and Technology Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions, November 2008.

89. National Institute of Standards and Technology Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices, November 2007.

90. National Institute of Standards and Technology Special Publication 800-113, Guide to SSL VPNs, July 2008.

91. National Institute of Standards and Technology Special Publication 800-114, User's Guide to Securing External Devices for Telework and Remote Access, November 2007.

92. National Institute of Standards and Technology Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, September 2008.

93. National Institute of Standards and Technology Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), November 2008.

94. National Institute of Standards and Technology Special Publication 800-117 (Draft), Guide to Adopting and Using the Security Content Automation Protocol (SCAP), May 2009.

95. National Institute of Standards and Technology Special Publication 800-118 (Draft), Guide to Enterprise Password Management, April 2009.

96. National Institute of Standards and Technology Special Publication 800-121, Guide to Bluetooth Security, September 2008.

97. National Institute of Standards and Technology Special Publication 800-122 (Draft), Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), January 2009.

98. National Institute of Standards and Technology Special Publication 800-123, Guide to General Server Security, July 2008.

99. National Institute of Standards and Technology Special Publication 800-124, Guidelines on Cell Phone and PDA Security, October 2008.

100. National Institute of Standards and Technology Special Publication 800-128 (Draft), Guide for Security Configuration Management of Information Systems, August 2009.
