
FASP Areas

Some security practices in the listing below may not reference an organization's affiliation; these practices are provided in a generic format. Document icons specify the type of file format (e.g., MS Word, PDF, text file). The right column contains the document title. The left column contains the date when the file was posted to this page.


Audit Trails

Maintains a record of system activity by system or application processes and by user activity.

Document Posted
Audit Trails - Overseas Private Investment Corporation 12/29/04

Authorize Processing (C&A)

Provides a form of assurance of the security of the system.

Document Posted
C&A Stakeholder Quarterly Training 04/16/08
C&A Document Tracker 04/16/08
C&A Comments Matrix 04/16/08
C&A Boundary/Scope Memorandum 04/16/08
CDC POA&M Tracking and Reporting for System Stewards - Centers for Disease Control and Prevention (CDC) 01/03/07
Bridge Accreditation Process - Centers for Disease Control and Prevention (CDC) 12/18/06
Plan of Action and Milestones (POA&M) Template - Centers for Disease Control and Prevention (CDC) 12/14/06
Baseline System Information - Centers for Disease Control and Prevention (CDC) 10/18/06
Information Technology Security Test and Evaluation Guide - Department of Health and Human Services 05/04/06
Certification and Authorization - Overseas Private Investment Corporation 12/29/04
NIST 800-37 Risk Management & Certification and Accreditation Tasks - TSA 09/14/04

Contingency Planning

How to keep an organization's critical functions operating in the event of disruption, large and small.

Document Posted
Contingency Plan Template 04/16/08
Backup and Recovery - Overseas Private Investment Corporation 12/29/04
Contingency Planning - Overseas Private Investment Corporation 12/29/04
System and Data Backups - FCC 12/29/04
Contingency Planning Template - DOJ 7/03/03

Continuous Monitoring

Activities include configuration management and control of information system components, security impact analysis of changes to the system, ongoing assessment of security controls, and status reporting.

Document Posted
Continuous Monitoring Training 04/16/08

Data Integrity

Controls used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets expectations about its quality and integrity.

Document Posted
Antivirus - Overseas Private Investment Corporation 12/29/04
Database Security - Overseas Private Investment Corporation 12/29/04
Viruses 101 - FCC 07/03/03

Hardware and System Software Maintenance

Controls used to monitor the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record is maintained of changes.

Document Posted
Change Control - Overseas Private Investment Corporation 12/29/04

Identification and Authentication

Technical measures that prevent unauthorized people (or unauthorized processes) from entering an IT system.

Document Posted
Encryption - Overseas Private Investment Corporation 12/29/04
Identification and Authentication - Overseas Private Investment Corporation 12/29/04
Password Protection - FCC 07/03/03
Creating Strong Passwords - FCC 07/03/03

Incident Response Capability

Capability to provide help to users when a security incident occurs in a system.

Document Posted
Business Continuity Plan Format Guide - Centers for Disease Control and Prevention (CDC) 10/20/06
Business Continuity Plan Functional Test After-Action Report - Centers for Disease Control and Prevention (CDC) 10/20/06
Business Continuity Plan Tabletop Test After-Action Report - Centers for Disease Control and Prevention (CDC) 10/20/06
Incident Reporting - Overseas Private Investment Corporation 12/30/04
Incident Response - Overseas Private Investment Corporation 12/30/04
Procedures and Techniques for Prevention of and Recovery From Fast Spreading Malware - EEOC 11/18/04
VA Central Incident Response Capability (VA-CIRC) - Department of VA 06/15/04

Life Cycle

IT system life cycles contain five basic phases: initiation, development and/or acquisition, implementation, operation, and disposal.

Document Posted
Systems Development - Overseas Private Investment Corporation 12/30/04
The Project Manager's View of Security Processes Over the System Development Life Cycle - V.A. 11/18/04

Logical Access Controls

System-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted.

Document Posted
Access Control - Overseas Private Investment Corporation 12/29/04

Network Security

Secure communication capability that allows one user or system to connect to another user or system.

Document Posted
Categorization and Firewall Worksheet - Centers for Disease Control and Prevention (CDC) 10/18/06
Combined Hardware/Software Solutions to Malware and SPAM Control - US Equal Employment Opportunity Commission 11/15/05
Electronic Mail - Overseas Private Investment Corporation 12/29/04
Network Security - Overseas Private Investment Corporation 12/29/04
Cyber Security Infrastructure Project (ECSIP) - Department of VA 6/15/04
Lessons Learned - Phishing Attacks - Department of Treasury 06/14/04
E-mail Etiquette 07/03/03
Cookies - FCC 07/03/03
E-Mail Hoaxes and Scams - FCC 07/03/03
E-Mail Spam - FCC 07/03/03

Personnel Security

Involves human users, designers, implementers and managers and how they interact with computers and the access and authorities they need to do their jobs.

Document Posted
Acceptable Use of Information Resources - Overseas Private Investment Corporation 12/29/04
Elevated Privileges/Information Custodian Agreement - Overseas Private Investment Corporation 12/29/04
Security Clearance and User ID Request - Department of Education 6/15/04
Identity Theft - FCC 07/03/03
FCC Personal Use - FCC 07/03/03
Policy on Limited Personnel Use of Government Office Equipment - EPA 04/08/03

Physical and Environmental Protection

Measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment.

Document Posted
Physical and Environmental Security - Overseas Private Investment Corporation 12/30/04
Site Survey of Data Center - CFTC 06/15/04
Securing Portable Electronic Media - FCC 07/03/03

Policy and Procedures

Formally documented security policies and procedures.

Document Posted
CDC Wireless Security Policy - Centers for Disease Control and Prevention (CDC) 12/18/06
Use of CDC Information Technology Resources - Centers for Disease Control and Prevention (CDC) 12/18/06
Handbook for General Support Systems and Major Applications Inventory Procedures - Department of Education 04/07/06
Information Security Policies & Procedures, October 2004 - Overseas Private Investment Corporation 12/30/04
Mobile Computing - Overseas Private Investment Corporation 12/30/04
Password Management - Overseas Private Investment Corporation 12/30/04
Patch Management and System Updates - Overseas Private Investment Corporation 12/30/04
Perimeter Protection - Overseas Private Investment Corporation 12/30/04
Personnel Security - Overseas Private Investment Corporation 12/30/04
Remote Access - Overseas Private Investment Corporation 12/30/04
Server Security - Overseas Private Investment Corporation 12/30/04
Telephone Security - Overseas Private Investment Corporation 12/30/04
User Agreement - Overseas Private Investment Corporation 12/30/04
Vulnerability Testing - Overseas Private Investment Corporation 12/30/04
Wireless Security - Overseas Private Investment Corporation 12/30/04
U.S. Customs AIS Security Policy Manual CIS HB 1400-05 11/13/03
Administrative Policies and Procedures Manual - National Labor Relations Board 07/03/03
Rules of Behavior - FCC 07/03/03
Internet Security Policy - CMS 04/10/03

Production, Input/Output Controls

Covers topics ranging from a user help desk to procedures for storing, handling and destroying media.

Document Posted
USB Flash Drive Security - Office of Government Ethics 05/04/06
Asset Management - Overseas Private Investment Corporation 12/29/04
Media Management - Overseas Private Investment Corporation 12/29/04
Media Sanitization Procedures - NIST 12/08/03

Program Management

Overall scope of the program (i.e., PDs, policies, and security program plans and guidance).

Document Posted
FISMA Security Assessment Report for FY 07 12/10/07
System Inventory Template 05/25/06
Information Security Program, Plan of Action and Milestones Guide - Department of Health and Human Services 05/04/06
Information Security Program - Health Insurance Portability and Accountability Act (HIPAA) Compliance Guide, September 14, 2005 01/17/06
Information Resource Classification - Overseas Private Investment Corporation 12/30/04
Information Systems Security Program, Directive 05-01 (10/20/04) - Overseas Private Investment Corporation 12/30/04
Information Systems Security Program (ISSP) Handbook - Overseas Private Investment Corporation 12/30/04
Information Systems Security Program Plan Draft Version 3, January 14, 2003 - Overseas Private Investment Corporation 12/30/04
Information Security & FISMA - National Labor Relations Board 09/10/04
FISMA Reporting Project - Department of VA 06/15/04
Legislative Resource - CMS 04/10/03

Review of Security Controls

Routine evaluations and response to identified vulnerabilities.

Document Posted
Security Assessment Summary Template 04/16/08
Security Test & Evaluation Template 04/16/08
PII Security Controls Assessment Plan Template - Department of Commerce 07/28/06
Spreadsheet of SP 800-53 Controls - Commodity Futures Trading Commission 06/21/06

Risk Management

The process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.

Document Posted
Risk Mitigation Worksheet - Centers for Disease Control and Prevention (CDC) 10/18/06
Risk Calculation Worksheet - Centers for Disease Control and Prevention (CDC) 10/18/06
Risk Assessment Report - Agency: Centers for Disease Control and Prevention (CDC) 10/18/06
Risk Management - Overseas Private Investment Corporation 12/30/04
Risk Assessment Methodology - CMS 04/10/03
Risk Assessment Template - CMS 04/10/03
Threat Identification Resource - CMS 04/10/03
Threat ID Workbook - CMS 04/10/03
System Security Levels - CMS 04/10/03
Acceptable Risk Safeguards - CMS 04/10/03

Security Awareness, Training and Education

Improves awareness of the need to protect system resources, and develops the skills and knowledge that let computer users perform their jobs more securely and build in-depth knowledge.

Document Posted
Stop - Think - Click: 7 Practices for Safer Computing - FTC 02/24/06
Security Training and Awareness - Overseas Private Investment Corporation 12/30/04
Cyber Security Practitioner Professionalization (CSPP) - Department of VA 06/15/04
Social Engineering - FCC 07/03/03
ISSO Course Slides (to be used with participant book and instructor guide) 04/01/03
ISSO Course Participant Book (to be used with ISSO course slides and instructor guide) 04/01/03
ISSO Course Instructor Guide (to be used with ISSO course slides and ISSO course participant book) 04/01/03
Information Security Briefing for Executives 03/24/03
Information Security Briefing for Managers 03/24/03
Risk Assessment and Security Plan Course Slides - Centers for Medicare & Medicaid Services 03/24/03

System Security Plan

Provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements.

Document Posted
Security Plan Template for Moderate Impact Systems 04/16/08
System Security Plan Template - Centers for Disease Control and Prevention (CDC) 10/20/06
Enterprise Master System Security Plan - Centers for Disease Control and Prevention (CDC) 10/18/06
System Security Plans - Overseas Private Investment Corporation 12/30/04

* These submissions were first collected by the Federal CIO Council for their Best Security Practices initiative. That material was later passed to NIST's Computer Security Division.