User talk:DanPhilpott

From FISMApedia

Tasks List

First Priority

Organizational

  • Fix FIPS links recursion issue
  • Redirect SP articles to appropriate SP category
  • Ensure SP category pages reflect documents available
  • Create root SP categories and SP revisions categories
  • Add NIST SP 800-53r2 category to NIST SP 800-53r2 wiki pages
  • Write up a contributor style guidelines page

FISMA Core Content

  • NIST FIPS 199 Standards for Security Categorization of Federal Information and Information Systems, February 2004 (final)
  • NIST FIPS 200 Minimum Security Requirements for Federal Information and Information Systems, March 2006 (final)
  • NIST SP 800-018r1 Guide for Developing Security Plans for Federal Information Systems, February 2006 (final)
  • NIST SP 800-027rA Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2004
  • NIST SP 800-030 Risk Management Guide for Information Technology Systems, July 2002
  • NIST SP 800-037 Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004 (final)
  • NIST SP 800-039d Managing Risk from Information Systems; An Organizational Perspective
  • NIST SP 800-053r2 Recommended Security Controls for Federal Information Systems, December 2007 (final)
  • NIST SP 800-053AdF Draft Guide for Assessing the Security Controls in Federal Information Systems (Final Draft)
  • NIST SP 800-060V1 Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004 (final)
  • NIST SP 800-060V2 Errata Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004
  • NIST SP 800-060V2 Guide for Mapping Types of Information and Information Systems to Security Categories, June 2004 (final)
  • NIST SP 800-082d2 Guide to Industrial Control Systems (ICS) Security (Clean)
  • NIST IR-7328d Security Assessment Provider Requirements and Customer Responsibilities

Software

  • Create category schema for FISMA and Federal IT standards products
  • Create wiki template for product categories
  • Create wiki template for product pages
  • Create wiki pages for related categories
  • Create wiki pages for related products

OVAL

  • Create wiki entries for OVAL suite of standards:
    • Common Attack Pattern Enumeration and Classification (CAPEC) The objective of this effort is to provide a publicly available catalog of attack patterns along with a comprehensive schema and classification taxonomy. (Source: http://capec.mitre.org/ )
    • Common Configuration Enumeration (CCE) Provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. For example, CCE Identifiers can be used to associate checks in configuration assessment tools with statements in configuration best-practice documents. (Source: http://cce.mitre.org/ )
    • Common Event Expression (CEE) Standardizes the way computer events are described, logged, and exchanged. By using CEE’s common language and syntax, enterprise-wide log management, correlation, aggregation, auditing, and incident handling can be performed more efficiently and produce better results than was possible prior to CEE. (Source: http://cee.mitre.org/ )
    • Common Malware Enumeration (CME) Provides single, common identifiers to new virus threats and to the most prevalent virus threats in the wild to reduce public confusion during malware incidents. CME is not an attempt to replace the vendor names currently used for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware. (Source: http://cme.mitre.org/ )
    • Common Platform Enumeration (CPE) Structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name. (Source: http://cpe.mitre.org/ )
    • Common Result Format (CRF) Standardized IT asset assessment result format that facilitates the exchange of assessment results among systems to increase tool interoperability and allow for the aggregation of those results across large enterprises that utilize diverse technologies to detect patch levels, policy compliance, vulnerability, asset inventory, and other tasks. CRF leverages existing standardization efforts for common names and naming schemes to report the findings for assets. (Source: http://makingsecuritymeasurable.mitre.org/crf/ )
    • Common Vulnerabilities and Exposures (CVE) Dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services. (Source: http://cve.mitre.org/ )
    • Common Vulnerability Scoring System (CVSS) Provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritizing vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one's systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities. (Source: http://nvd.nist.gov/cvss.cfm?version=2 )
    • Common Weakness Enumeration (CWE) Provides a unified, measurable set of software weaknesses that will enable more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code. (Source: http://cwe.mitre.org/ )
    • CRF (CRF) Common Result Format (Source: http://makingsecuritymeasurable.mitre.org/crf/ )
    • CWE (CWE) Common Weakness Enumeration (Source: http://cwe.mitre.org/ )
    • eXtensible Checklist Configuration Description Format (XCCDF) A specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices. (Source: http://nvd.nist.gov/xccdf.cfm )
    • ISAP (ISAP) Information Security Automation Program (Source: ISAP-SCAP-Acronyms)
    • NVD (NVD) National Vulnerability Database (Source: ISAP-SCAP-Acronyms)
    • Open Vulnerability Assessment Language (OVAL) An international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. (Source: http://oval.mitre.org/ )
    • Security Content Automation Protocol (SCAP) Method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). (Source: http://nvd.nist.gov/scap.cfm )
      • SCAP Check A specific configuration check within an SCAP checklist. Note that checks are written in XCCDF and are required to include SCAP enumerations and mappings per the SCAP template. (Source: ISAP-SCAP-Glossary)
      • SCAP Checklists Configuration checklists written in a machine readable language (XCCDF). SCAP checklists have been submitted to, and accepted by, the NIST National Checklist Program. They also conform to an SCAP template to ensure compatibility with SCAP products and services. The SCAP template discusses requirements for including SCAP enumerations and mappings within the checklist (see below). (Source: ISAP-SCAP-Glossary)
      • SCAP Content Consists of security checklist data represented in automated XML formats, vulnerability and product name related enumerations, and mappings between the enumerations. (Source: ISAP-SCAP-Glossary)
      • SCAP Enumerations Include a list of all known security related software flaws (CVE), a list of known software configuration issues (CCE), and a list of standard vendor and product names (CPE). (Source: ISAP-SCAP-Glossary)
      • SCAP Mappings Interrelate the enumerations and provide standards based impact measurements for software flaws and configuration issues. Thus, for any given software flaw (CVE) one can determine the affected standard product names (CPE). For any given standard product name (CPE), one can determine the configuration issues that affect that product (CCE). For any given software flaw (CVE) or configuration issue (CCE), one can determine the standard impact score (CVSS). (Source: ISAP-SCAP-Glossary)
      • SCAP Reports Are the results produced from evaluating an SCAP checklist against a target. SCAP reports are required to include SCAP enumerations and mappings per the SCAP template. (Source: ISAP-SCAP-Glossary)
      • SCAP Test Procedures SCAP checklists reference “SCAP test procedures” for machine readable information on performing low level checks of machine state (OVAL). SCAP test procedures are used in conjunction with SCAP checklists. (Source: ISAP-SCAP-Glossary)


Second Priority

FISMA Related

  • NIST SP 800-028 Guidelines on Active Content and Mobile Code, October 2001
  • NIST SP 800-034 Contingency Planning Guide for Information Technology Systems, June 2002
  • NIST SP 800-034 Contingency Planning Guide for Information Technology Systems, Addendum I
  • NIST SP 800-040 Version 2 Creating a Patch and Vulnerability Management Program, November 2005
  • NIST SP 800-042 Guideline on Network Security Testing, October 2003
  • NIST SP 800-053r2 Annex 1; Baseline Security Controls for Low-Impact Information Systems
  • NIST SP 800-053r2 Annex 2; Baseline Security Controls for Moderate-Impact Information Systems
  • NIST SP 800-053r2 Annex 3; Baseline Security Controls for High-Impact Information Systems
  • NIST SP 800-061r1 Computer Security Incident Handling Guide, March 2008
  • NIST SP 800-064 Security Considerations in the Information System Development Life Cycle, October 2003 (revision 1 released June 2004)
  • NIST SP 800-065 Integrating Security into the Capital Planning and Investment Control Process, January 2005 (final)
  • NIST SP 800-081 Secure Domain Name System (DNS) Deployment Guide, May 2006
  • NIST SP 800-088r1 Guidelines for Media Sanitization, September 2006
  • NIST SP 800-092 Guide to Computer Security Log Management, September 2006
  • NIST SP 800-100 Information Security Handbook; A Guide for Managers, October 2006 (updated March 9, 2007)
  • NIST SP 800-115d Technical Guide to Information Security Testing, November 2007
  • NIST SP 800-123d Guide to General Server Security

Repository

  • Create repository for PDF versions of documents:
    • Rename documents along standard naming schema
    • Upload documents to FISMApedia.org
    • Create web page linking full names to document files

Federal Security Related

  • DHS IT Security Essential Body of Knowledge
  • DHS IT Security Essential Body of Knowledge-Improved
  • Privacy Act of 1974, Public Law No. 93-579, 88 Stat. 1897 (Dec. 31, 1974), codified in part at 5 U.S.C. § 552a


Third Priority

General Security

  • NIST SP 800-012 An Introduction to Computer Security; The NIST Handbook, October 1995
  • NIST SP 800-014 Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996
  • NIST SP 800-016 Information Technology Security Training Requirements; A Role- and Performance-Based Model, April 1998
  • NIST SP 800-016 Information Technology Security Training Requirements; A Role- and Performance-Based Model, Appendix A-D, April 1998
  • NIST SP 800-016 Information Technology Security Training Requirements; A Role- and Performance-Based Model, Appendix E, April 1998
  • NIST SP 800-019 Mobile Agent Security, October 1999
  • NIST SP 800-023 Guideline to Federal Organizations on Security Assurance and Acquisition-Use of Tested-Evaluated Products, August 2000
  • NIST SP 800-024 PBX Vulnerability Analysis; Finding Holes in Your PBX Before Someone Else Does, August 2000
  • NIST SP 800-028v2 Guidelines on Active Content and Mobile Code, March 2008
  • NIST SP 800-031 Intrusion Detection Systems (IDS), November 2001
  • NIST SP 800-033 Underlying Technical Models for Information Technology Security, December 2001
  • NIST SP 800-035 Guide to Information Technology Security Services, October 2003
  • NIST SP 800-036 Guide to Selecting Information Technology Security Products, October 2003
  • NIST SP 800-041 Guidelines on Firewalls and Firewall Policy, January 2002
  • NIST SP 800-044v2 Guidelines on Securing Public Web Servers
  • NIST SP 800-045 Version 2 Guidelines on Electronic Mail Security, February 2007
  • NIST SP 800-046 Security for Telecommuting and Broadband Communications, August 2002
  • NIST SP 800-047 Security Guide for Interconnecting Information Technology Systems, August 2002
  • NIST SP 800-048 Wireless Network Security; 802.11, Bluetooth, and Handheld Devices, November 2002
  • NIST SP 800-049 Federal S-MIME V3 Client Profile, November 2002
  • NIST SP 800-050 Building an Information Technology Security Awareness and Training Program, October 2003
  • NIST SP 800-051 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, September 2002
  • NIST SP 800-055 Security Metrics Guide for Information Technology Systems, July 2003
  • NIST SP 800-058 Security Considerations for Voice Over IP Systems, January 2005 (final)
  • NIST SP 800-059 Guideline for Identifying an Information System as a National Security System, August 2003
  • NIST SP 800-063 v1.0.2 Electronic Authentication Guideline, April 2006
  • NIST SP 800-066 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, March 2005
  • NIST SP 800-068 Guidance for Securing Microsoft Windows XP Systems for IT Professionals document, version R1.2.0, November 2005
  • NIST SP 800-069 Guidance for Securing Microsoft Windows XP Home Edition
  • NIST SP 800-070 Security Configuration Checklists Program for IT Products (20050526)
  • NIST SP 800-072 Guidelines on PDA Forensics, November 2004
  • NIST SP 800-077 Guide to IPsec VPNs, December 2005
  • NIST SP 800-083 Guide to Malware Incident Prevention and Handling, November 2005
  • NIST SP 800-084 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, September 2006
  • NIST SP 800-086 Guide to Integrating Forensic Techniques into Incident Response, August 2006
  • NIST SP 800-094 Guide to Intrusion Detection and Prevention Systems (IDPS), February 2007
  • NIST SP 800-095 Guide to Secure Web Services, August 2007
  • NIST SP 800-097 Establishing Wireless Robust Security Networks; A Guide to IEEE 802.11i, February 2007
  • NIST SP 800-101 Guidelines for Cell Phone Forensics (2007-05)
  • NIST SP 800-111 Guide to Storage Encryption Technologies for End User Devices, November 2007
  • NIST SP 800-114 User’s Guide to Securing External Devices for Telework and Remote Access, November 2007

FISMA Historic

  • NIST SP 800-026 Revised NIST SP 800-26 System Questionnaire with NIST SP 800-53 References and Associated Security Control Mappings, April 2005
  • NIST SP 800-026 Security Self-Assessment Guide for Information Technology Systems, November 2001
  • NIST SP 800-053 Recommended Security Controls for Federal Information Systems, February 2005
  • NIST SP 800-053r1 Annex 1; Baseline Security Controls for Low-Impact Information Systems
  • NIST SP 800-053r1 Annex 2; Baseline Security Controls for Moderate-Impact Information Systems
  • NIST SP 800-053r1 Annex 3; Baseline Security Controls for High-Impact Information Systems
  • NIST SP 800-053r1 Appendices DEF (Markup)
  • NIST SP 800-053r1 Recommended Security Controls for Federal Information Systems, December 2006 (final, clean)
  • NIST SP 800-053r1 Recommended Security Controls for Federal Information Systems, December 2006 (final, markup)


HSPD-12 Related

  • NIST FIPS 201-1 Personal Identity Verification (PIV) of Federal Employees and Contractors, March 2006 (updated June 26, 2006)
  • NIST SP 800-073r1 Errata; Interfaces for Personal Identity Verification, March 2006 (updated April 20, 2006)
  • NIST SP 800-073r1 Interfaces for Personal Identity Verification, March 2006 (updated April 20, 2006)
  • NIST SP 800-076-1 Biometric Data Specification for Personal Identity Verification, January 2007
  • NIST SP 800-078 Cryptographic Algorithms and Key Sizes for Personal Identity Verification, April 2005 (final)
  • NIST SP 800-078-1 Cryptographic Algorithms and Key Sizes for Personal Identity Verification, August 2007 (final)
  • NIST SP 800-079 Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, July 2005
  • NIST SP 800-079 Q&A, Part 1; Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, July 2005
  • NIST SP 800-079 Q&A, Part 2; Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, July 2005
  • NIST SP 800-085A PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 compliance), April 2006
  • NIST SP 800-085B PIV Data Model Conformance Test Guidelines, July 2006 (final)
  • NIST SP 800-087r1 Codes for the Identification of Federal and Federally-Assisted Organizations (2008-04)
  • NIST SP 800-096 PIV Card-Reader Interoperability Guidelines, September 2006
  • NIST SP 800-098 Guidelines for Securing Radio Frequency Identification (RFID) Systems
  • NIST SP 800-104 A Scheme for PIV Visual Card Topography, June 2007 (Final)


Encryption Related

  • NIST SP 800-015 Minimum Interoperability Specification for PKI Components (MISPC), Version 1, September 1997
  • NIST SP 800-017 Modes of Operation Validation System (MOVS); Requirements and Procedures, February 1998
  • NIST SP 800-020 Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS)
  • NIST SP 800-021-1 Guideline for Implementing Cryptography in the Federal Government, Second Edition, December 2005
  • NIST SP 800-022 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications, October 2000 (updated May 15, 2001)
  • NIST SP 800-025 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication, October 2000
  • NIST SP 800-029 A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2, June 2001
  • NIST SP 800-032 Introduction to Public Key Technology and the Federal PKI Infrastructure, February 2001
  • NIST SP 800-038A Recommendation for Block Cipher Modes of Operation; Methods and Techniques, December 2001
  • NIST SP 800-038B Recommendation for Block Cipher Modes of Operation; The CMAC Mode for Authentication, May 2005
  • NIST SP 800-038B Recommendation for Block Cipher Modes of Operation; The CMAC Mode for Authentication, Updated CMAC Examples, May 2005
  • NIST SP 800-038C Recommendation for Block Cipher Modes of Operation; the CCM Mode for Authentication and Confidentiality, May 2004
  • NIST SP 800-038D Recommendation for Block Cipher Modes of Operation; GCM and GMAC, November 2007
  • NIST SP 800-052 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, June 2005
  • NIST SP 800-056A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, March 2006 (updated March 9, 2007)
  • NIST SP 800-057 Recommendation for Key Management, Part 1, August 2005 (updated March 9, 2007)
  • NIST SP 800-057 Recommendation for Key Management, Part 2, August 2005 (updated March 9, 2007)
  • NIST SP 800-067 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, May 2004
  • NIST SP 800-089 Recommendation for Obtaining Assurances for Digital Signature Applications, November 2006
  • NIST SP 800-090 Recommendation for Random Number Generation Using Deterministic Random Bit Generators, June 2006 (updated March 13, 2007)