I wanted to take this opportunity to post a quick "cheat sheet" on the various resources needed for the certification and accreditation (C&A) of federal information systems, along with some related references. A number of things in federal C&A are changing. For example, rather than answering the NIST SP 800-26 self-assessment questions, C&A is now done by assessing a system against the NIST SP 800-53 controls (with the draft SP 800-53A supplying the assessment procedures). Some organizations use the original SP 800-53, and some use SP 800-53, Revision 1, so check which baseline your agency has adopted. Here is a quick list of the publications and regulations that apply to federal systems. Enjoy.
National Institute of Standards and Technology (NIST):
SP 800-100 - Information Security Handbook: A Guide for Managers
SP 800-12 - An Introduction to Computer Security: The NIST Handbook
SP 800-14 - Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-18 - Guide for Developing Security Plans for Federal Information Systems
SP 800-23 - Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
SP 800-26 - Security Self-Assessment Guide for Information Technology Systems
SP 800-27 - Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-30 - Risk Management Guide for Information Technology Systems
SP 800-34 - Contingency Planning Guide for Information Technology Systems
SP 800-36 - Guide to Selecting Information Technology Security Products
SP 800-37 - Guide for the Security Certification and Accreditation of Federal Information Systems
SP 800-42 - Guideline on Network Security Testing
SP 800-47 - Security Guide for Interconnecting Information Technology Systems
SP 800-51 - Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
SP 800-53 - Recommended Security Controls for Federal Information Systems
SP 800-53 Rev 1 - Recommended Security Controls for Federal Information Systems, Revision 1
SP 800-53A (DRAFT) - Guide for Assessing the Security Controls in Federal Information Systems
SP 800-55 - Security Metrics Guide for Information Technology Systems
SP 800-56 - Recommendation on Key Establishment Schemes
SP 800-60 - Guide for Mapping Types of Information and Information Systems to Security Categories
SP 800-64 - Security Considerations in the Information System Development Life Cycle
SP 800-70 - Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers
-------------------------------------------------------------
Federal Information Processing Standards (FIPS):
FIPS 140-2 - Security Requirements for Cryptographic Modules
FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems
FIPS 200 - Minimum Security Requirements for Federal Information Systems
-------------------------------------------------------------
Office of Management and Budget (OMB):
-------------------------------------------------------------
Laws and Regulations:
FISMA - Federal Information Security Management Act of 2002
-------------------------------------------------------------
Other Publications and Useful Information Assurance References:
CNSS - Committee on National Security Systems
Common Criteria - Common Criteria for Information Technology Security Evaluation
DIACAP - DoD Information Assurance Certification and Accreditation Process (will replace DITSCAP)
DITSCAP - DoD Information Technology Security Certification and Accreditation Process
GAO-05-231 - Emerging Cybersecurity Issues Threaten Federal Information Systems
Mitre - Common Vulnerabilities and Exposures (CVE)
NIACAP - National Information Assurance Certification and Accreditation Process
NIAP - National Information Assurance Partnership
NIATS - National Information Assurance Training Standard for System Administrators
NIST and SDLC - Brochure: NIST and the Systems Development Life Cycle (SDLC)
US-CERT - United States Computer Emergency Readiness Team
-------------------------------------------------------------