| OMB A-11 Topic Area | NIST SP 800-26 Topic Area | Implementation Guidance |
|---|---|---|
| Risk Assessment | 1. Risk Management | NIST SP 800-30, Risk Management Guide for Information Technology Systems |
| Security Planning and Policy | 5. System Security Plan | NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems |
| Certification and Accreditation (C&A) | 4. Authorize Processing | Draft NIST SP 800-37, Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems; NIST SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products |
| Specific management, operational, and technical security controls | 11. Data Integrity; 16. Logical Access Controls | NIST SP 800-53, Minimum Security Controls for Federal Information Security Systems (under development); NIST SP 800-5, A Guide to the Selection of Anti-Virus Tools and Techniques; NIST SP 800-7, Security in Open Systems; NIST SP 800-10, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls; NIST SP 800-19, Mobile Agent Security; NIST SP 800-8, Security Issues in the Database Language SQL; NIST SP 800-11, The Impact of the FCC's Open Network Architecture on NS/EP Telecommunications Security; NIST SP 800-13, Telecommunications Security Guidelines for Telecommunications Management Network; NIST SP 800-24, PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does; NIST SP 800-28, Guidelines on Active Content and Mobile Code |
| Authentication or cryptographic applications | 15. Identification and Authentication | NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government; NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication; NIST SP 800-29, A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2; FIPS 140-2, Security Requirements for Cryptographic Modules; FIPS 83, Guideline On User Authentication Techniques For Computer Network Access Control; FIPS 112, Standard On Password Usage |
| Education, awareness, and training | 13. Security Awareness, Training, and Education | NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model; Second Draft NIST SP 800-50, Building an Information Technology Security Awareness and Training Program |
| System reviews/evaluations (inc. ST&E) | 2. Review of Security Controls | Draft NIST SP 800-42, Guideline on Network Security Testing; NIST SP 800-53A, Techniques and Procedures for the Verification of Security Controls in Federal Information Security Systems (under development) |
| Oversight or compliance inspections | | Draft NIST SP 800-35, Guide to Information Technology Security Services; NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems; NIST SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products |
| Development or maintenance of agency reports to OMB and corrective action plans as they pertain to the specific investment | 3. Life Cycle; 2. Review of Security Controls | OMB FISMA Reporting Guidance |
| Contingency planning and testing | 9. Contingency Planning | NIST SP 800-34, Contingency Planning Guide for Information Technology Systems; FIPS 87, Guidelines For ADP Contingency Planning |
| Physical and environmental controls for HW and SW | 8. Production, Input/Output Controls | NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook; FIPS 31, Guidelines For ADP Physical Security And Risk Management |
| Auditing and monitoring | 17. Audit Trails | NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook; NIST SP 800-6, Automated Tools for Testing Computer System Vulnerability; NIST SP 800-31, Intrusion Detection Systems (IDS); Guide to Self-Testing Networks (under development) |
| Computer security investigations and forensics | 14. Incident Response Capability | NIST SP 800-3, Establishing a Computer Security Incident Response Capability (CIRC) |
| Reviews, inspections, audits, and other evaluations performed on contractor facilities and operations | | Draft NIST SP 800-35, Guide to Information Technology Security Services |
| Configuration or change management control | 10. Hardware and Systems Software Maintenance; 12. Documentation | NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook |
| Personnel security | 6. Personnel Security | NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook |
| Physical security | 7. Physical Security | NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook; FIPS 31, Guidelines For ADP Physical Security And Risk Management |
| Operations security | 6. Personnel Security; 7. Physical Security; 8. Production, Input/Output Controls; 9. Contingency Planning; 10. Hardware and Systems Software; 11. Data Integrity; 12. Documentation; 13. Security Awareness, Training, and Education; 14. Incident Response Capability | NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook; NIST SP 800-26, The NIST Guide to Self Assessment |
| Privacy training | 13. Security Awareness, Training, and Education | None |
| Program/system evaluations whose primary purpose is other than security | 2. Review of Security Controls; 4. Authorize Processing | NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook; NIST SP 800-26, The NIST Guide to Self Assessment |
| System administrator functions | 15. Identification and Authentication; 16. Logical Access Controls; 17. Audit Trails | Various (see definitions handout) |
| System upgrades with new features that obviate the need for other standalone security controls | N/A | None |

f3d5a224-da2b-4edb-8409-0868ac3cad33.xls
"Security of Information Technology"