Document Sample
Shared by: linzhengnd
Posted: 11/14/2011
Language: English
Pages: 4
Column headings: OMB A-11 | NIST SP 800-26 Topic Area | Implementation Guidance

OMB A-11 Area: Risk Assessment
NIST SP 800-26 Topic Area: 1. Risk Management
Implementation Guidance:
~ NIST SP 800-30, Risk Management Guide for Information Technology Systems

OMB A-11 Area: Security Planning and Policy
NIST SP 800-26 Topic Area: 5. System Security Plan
Implementation Guidance:
~ NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems

OMB A-11 Area: Certification and Accreditation (C&A)
NIST SP 800-26 Topic Area: 4. Authorize Processing
Implementation Guidance:
~ Draft NIST SP 800-37, Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems
~ NIST SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products

OMB A-11 Area: Specific management, operational, and technical security controls
NIST SP 800-26 Topic Area: 11. Data Integrity; 16. Logical Access Controls
Implementation Guidance:
~ NIST SP 800-53, Minimum Security Controls for Federal Information Security Systems (under development)
~ NIST SP 800-5, A Guide to the Selection of Anti-Virus Tools and Techniques
~ NIST SP 800-7, Security in Open Systems
~ NIST SP 800-10, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
~ NIST SP 800-19, Mobile Agent Security
~ NIST SP 800-8, Security Issues in the Database Language SQL
~ NIST SP 800-11, The Impact of the FCC's Open Network Architecture on NS/EP Telecommunications Security
~ NIST SP 800-13, Telecommunications Security Guidelines for Telecommunications Management Network
~ NIST SP 800-24, PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
~ NIST SP 800-28, Guidelines on Active Content and Mobile Code

c0052e91-01b9-4333-a3dd-149881bc0e3e.xls 1

OMB A-11 Area: Authentication or cryptographic applications
NIST SP 800-26 Topic Area: 15. Identification and Authentication
Implementation Guidance:
~ NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government
~ NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
~ NIST SP 800-29, A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
~ FIPS 140-2, Security Requirements for Cryptographic Modules
~ FIPS 83, Guideline On User Authentication Techniques For Computer Network Access Control
~ FIPS 112, Standard On Password Usage

OMB A-11 Area: Education, awareness, and training
NIST SP 800-26 Topic Area: 13. Security Awareness, Training, and Education
Implementation Guidance:
~ NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model
~ Second Draft NIST SP 800-50, Building an Information Technology Security Awareness and Training Program

OMB A-11 Area: System reviews/evaluations (inc. ST&E)
NIST SP 800-26 Topic Area: 2. Review of Security Controls
Implementation Guidance:
~ Draft NIST SP 800-42, Guideline on Network Security Testing
~ Under development, NIST SP 800-53A, Techniques and Procedures for the Verification of Security Controls in Federal Information Security Systems

OMB A-11 Area: Oversight or compliance inspections
NIST SP 800-26 Topic Area: (none listed)
Implementation Guidance:
~ Draft NIST SP 800-35, Guide to Information Technology Security Services
~ NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems
~ NIST SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products

OMB A-11 Area: Development or maintenance of agency reports to OMB and corrective action plans as they pertain to the specific investment
NIST SP 800-26 Topic Area: 3. Life Cycle; 2. Review of Security Controls
Implementation Guidance:
~ OMB FISMA Reporting Guidance

OMB A-11 Area: Contingency planning and testing
NIST SP 800-26 Topic Area: 9. Contingency Planning
Implementation Guidance:
~ NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
~ FIPS 87, Guidelines For ADP Contingency Planning


OMB A-11 Area: Physical and environmental controls for HW and SW
NIST SP 800-26 Topic Area: 8. Production, Input/Output Controls
Implementation Guidance:
~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
~ FIPS 31, Guidelines For ADP Physical Security And Risk Management

OMB A-11 Area: Auditing and monitoring
NIST SP 800-26 Topic Area: 17. Audit Trails
Implementation Guidance:
~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
~ NIST SP 800-6, Automated Tools for Testing Computer System Vulnerability
~ NIST SP 800-31, Intrusion Detection Systems (IDS)
~ Under Development, Guide to Self-Testing Networks

OMB A-11 Area: Computer security investigations and forensics
NIST SP 800-26 Topic Area: 14. Incident Response Capability
Implementation Guidance:
~ NIST SP 800-3, Establishing a Computer Security Incident Response Capability (CIRC)

OMB A-11 Area: Reviews, inspections, audits, and other evaluations performed on contractor facilities and operations
NIST SP 800-26 Topic Area: (none listed)
Implementation Guidance:
~ Draft NIST SP 800-35, Guide to Information Technology Security Services


OMB A-11 Area: Configuration or change management control
NIST SP 800-26 Topic Area: 10. Hardware and Systems Software Maintenance; 12. Documentation
Implementation Guidance:
~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook

OMB A-11 Area: Personnel security
NIST SP 800-26 Topic Area: 6. Personnel Security
Implementation Guidance:
~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook

OMB A-11 Area: Physical security
NIST SP 800-26 Topic Area: 7. Physical Security
Implementation Guidance:
~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
~ FIPS 31, Guidelines For ADP Physical Security And Risk Management

OMB A-11 Area: Operations security
NIST SP 800-26 Topic Area: 6. Personnel Security; 7. Physical Security; 8. Production, Input/Output Controls; 9. Contingency Planning; 10. Hardware and Systems Software; 11. Data Integrity; 12. Documentation; 13. Security Awareness, Training, and Education; 14. Incident Response Capability
Implementation Guidance:
~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
~ NIST SP 800-26, The NIST Guide to Self Assessment

OMB A-11 Area: Privacy training
NIST SP 800-26 Topic Area: 13. Security Awareness, Training, and Education
Implementation Guidance: None

OMB A-11 Area: Program/system evaluations whose primary purpose is other than security
NIST SP 800-26 Topic Area: 2. Review of Security Controls; 4. Authorize Processing
Implementation Guidance:
~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
~ NIST SP 800-26, The NIST Guide to Self Assessment

OMB A-11 Area: System administrator functions
NIST SP 800-26 Topic Area: 15. Identification and Authentication; 16. Logical Access Controls; 17. Audit Trails
Implementation Guidance: Various (see definitions handout)

OMB A-11 Area: System upgrades with new features that obviate the need for other standalone security controls
NIST SP 800-26 Topic Area: N/A
Implementation Guidance: None
