Guide to NIST Security Documents Legal Requirements-Improved

From FISMApedia
Revision as of 02:29, 18 March 2008 by Wikitick

Legal Requirements

There are certain legal requirements regarding IT security to which Federal agencies must adhere. Many come from legislation, while others come from Presidential Directives or Office of Management and Budget (OMB) Circulars. Below is a list of the major sources of these requirements, with the NIST documents that support each one. Some of the documents are a direct result of mandates given to NIST; others were developed to give Federal agencies guidance on how to carry out the legal requirements.

Title III of the E-Gov Act of 2002 (Public Law 107-347)


Federal Information Security Management Act

Federal Information Security Management Act of 2002 (FISMA)

Categorization of all information and information systems and minimum information security requirements for each category

NIST FIPS 200 Security Controls for Federal Information Systems
NIST FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
NIST SP 800-70 Security Configuration Checklists Program for IT Products
NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP 800-53 Recommended Security Controls for Federal Information Systems
NIST SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems
NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
NIST SP 800-30 Risk Management Guide for Information Technology Systems
NIST SP 800-26 Rev 1 Guide for Information Security Program Assessments and System Reporting Form
NIST SP 800-18 Rev 1 Guide for Developing Security Plans for Information Systems


Identification of an information system as a national security system

NIST SP 800-59 Guideline for Identifying an Information System as a National Security System


Detection and handling of information security incidents

NIST SP 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
NIST SP 800-61 Computer Security Incident Handling Guide
NIST SP 800-83 Guide to Malware Incident Prevention and Handling
NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
NIST SP 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
NIST SB 2005-12 Preventing and Handling Malware Incidents: How to Protect Information Technology Systems from Malicious Code and Software


Manage security incidents

NIST SP 800-61 Computer Security Incident Handling Guide
NIST SP 800-83 Guide to Malware Incident Prevention and Handling
NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
NIST SP 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme


Annual public report on activities undertaken in the previous year

NIST IR 7285 Computer Security Division 2005 Annual Report
NIST IR 7219 Computer Security Division 2004 Annual Report
NIST IR 7111 Computer Security Division 2003 Annual Report


OMB Circular A-130

Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources


Assess risks

NIST FIPS 199 Standards for Security Categorization of Federal Information and Information Systems


Certify and accredit systems

NIST FIPS 200 Security Controls for Federal Information Systems
NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems


Develop contingency plans and procedures

NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
NIST SP 800-46 Security for Telecommuting and Broadband Communications


Manage system configurations and security throughout the system development life cycle

NIST SP 800-64 Rev 1 Security Considerations in the Information System Development Life Cycle
NIST SP 800-70 Security Configuration Checklists Program for IT Products
NIST SP 800-34 Contingency Planning Guide for Information Technology Systems
NIST IR 7316 Assessment of Access Control Systems


Mandates agency-wide information security program development and implementation

NIST SP 800-18 Rev 1 Guide for Developing Security Plans for Information Systems
NIST SP 800-100 Information Security Handbook: A Guide for Managers
NIST SP 800-12 An Introduction to Computer Security: The NIST Handbook


Conduct security awareness training

NIST SP 800-50 Building an Information Technology Security Awareness and Training Program
NIST SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model
NIST SP 800-46 Security for Telecommuting and Broadband Communications


E-Government Act of 2002 (Public Law 107-347)


Mandates NIST development of security standards

NIST FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
NIST FIPS 200 Security Controls for Federal Information Systems


Homeland Security Presidential Directive-12

Homeland Security Presidential Directive-12 (HSPD-12), Common Identification Standard for Federal Employees and Contractors

Establishes a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors

NIST FIPS 201-1 Personal Identity Verification for Federal Employees and Contractors
NIST SP 800-85B PIV Data Model Test Guidelines
NIST SP 800-85A PIV Card Application and Middleware Interface Test Guidelines (SP800-73 compliance)
NIST SP 800-79 Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
NIST SP 800-78 Cryptographic Algorithms and Key Sizes for Personal Identity Verification
NIST SP 800-76 Biometric Data Specification for Personal Identity Verification
NIST SP 800-73 Rev 1 Integrated Circuit Card for Personal Identity Verification
NIST IR 7337 Personal Identity Verification Demonstration Summary
NIST IR 7284 Personal Identity Verification Card Management Report
NIST SB 2006-01 Testing and Validation of Personal Identity Verification (PIV) Components and Subsystems for Conformance to Federal Information Processing Standard 201
NIST SB 2005-08 Implementation of FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors
NIST SB 2005-03 Personal Identity Verification (PIV) of Federal Employees and Contractors: Federal Information Processing Standard (FIPS) 201


OMB Circular A-11

OMB Circular A-11: Preparation, Submission, and Execution of the Budget

Capital Planning

NIST SP 800-65 Integrating IT Security into the Capital Planning and Investment Control Process


Other Requirements With Supporting Documents

Health Insurance Portability and Accountability Act (HIPAA)

For more information about HIPAA requirements, please visit www.cms.hhs.gov

Assure health information privacy and security

Standardize electronic data interchange in health care transactions

NIST SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule


Homeland Security Presidential Directive-7

Homeland Security Presidential Directive-7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection

For more information about HSPD-7, please visit www.dhs.gov

Protect critical infrastructure

NIST FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
NIST FIPS 200 Security Controls for Federal Information Systems
NIST SP 800-18 Guide for Developing Security Plans for Information Technology Systems
NIST SP 800-30 Risk Management Guide for Information Technology Systems
NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
NIST SP 800-53 Recommended Security Controls for Federal Information Systems
NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
NIST SP 800-59 Guideline for Identifying an Information System as a National Security System
NIST SP 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security



Tanya Brewer, Editor
Matthew Scholl, Editor


NIST
National Institute of Standards and Technology
Technology Administration, U.S. Department of Commerce


February 2007
Disclaimer: Any mention of commercial products is for information only; it does not imply NIST recommendation or endorsement, nor does it imply that the products mentioned are necessarily the best available for the purpose.


Michael James, Design/Production
The DesignPond