Legislation, Directives, and Policies

Public Law 107-347 Section III
Federal Information Security Management Act of 2002

December 2002

Homeland Security Presidential Directive #7
Critical Infrastructure Identification, Prioritization, and Protection

December 2003

OMB Circular A-130, Appendix III
Security of Federal Automated Information Resources

November 2003

Standards and Guidelines

FIPS Publication 199
Standards for Security Categorization of Federal Information and Information Systems

February 2004
Primary Contact: Ron Ross, (301) 975-5390
Alternate Contact: Stu Katzke, (301) 975-4768

FIPS Publication 200
Minimum Security Requirements for Federal Information and Information Systems

March 2006
Primary Contact: Ron Ross, (301) 975-5390
Alternate Contact: Arnold Johnson, (301) 975-3247

NIST Special Publication 800-18, Revision 1
Guide for Developing Security Plans for Federal Information Systems

February 2006
Primary Contact: Marianne Swanson, (301) 975-3293
Alternate Contact: Matt Scholl, (301) 975-2941

NIST Special Publication 800-30
Risk Management Guide for Information Technology Systems

July 2002
Primary Contact: Ron Ross, (301) 975-5390
Alternate Contact: Matt Scholl, (301) 975-2941

DRAFT Special Publication 800-37, Revision 1
Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach (initial public draft)

August 2008
Primary Contact: Ron Ross, (301) 975-5390
Alternate Contact: Marianne Swanson, (301) 975-3293

NIST Special Publication 800-37
Guide for the Security Certification and Accreditation of Federal Information Systems

May 2004
Primary Contact: Ron Ross, (301) 975-5390
Alternate Contact: Marianne Swanson, (301) 975-3293

DRAFT Special Publication 800-39 (2nd Draft)
Managing Risk from Information Systems: An Organizational Perspective

April 2008
Primary Contact: Ron Ross, (301) 975-5390
Alternate Contact: Marianne Swanson, (301) 975-3293

NIST Special Publication 800-53, Revision 2
Recommended Security Controls for Federal Information Systems

December 2007
Primary Contact: Ron Ross, (301) 975-5390
Alternate Contact: Arnold Johnson, (301) 975-3247

Annex 1: Baseline Security Controls for Low-Impact Information Systems

Annex 2: Baseline Security Controls for Moderate-Impact Information Systems

Annex 3: Baseline Security Controls for High-Impact Information Systems

NIST Special Publication 800-53, Revision 1
Recommended Security Controls for Federal Information Systems

December 2006
Primary Contact: Ron Ross, (301) 975-5390
Alternate Contact: Arnold Johnson, (301) 975-3247

Annex 1: Baseline Security Controls for Low-Impact Information Systems

Annex 2: Baseline Security Controls for Moderate-Impact Information Systems

Annex 3: Baseline Security Controls for High-Impact Information Systems

NIST Special Publication 800-53A
Guide for Assessing the Security Controls in Federal Information Systems

June 2008
Primary Contact: Ron Ross, (301) 975-5390
Alternate Contact: Arnold Johnson, (301) 975-3247

NIST Special Publication 800-59
Guideline for Identifying an Information System as a National Security System

August 2003
Primary Contact: Curt Barker, (301) 975-8443
Alternate Contact: Arnold Johnson, (301) 975-3247

NIST Special Publication 800-60, Revision 1, Volume 1 of 2 (Document)
Guide for Mapping Types of Information and Information Systems to Security Categories

August 2008
Primary Contact: Kevin Stine, (301) 975-4483
Alternate Contact: Arnold Johnson, (301) 975-3247

NIST Special Publication 800-60, Revision 1, Volume 2 of 2 (Appendices)
Guide for Mapping Types of Information and Information Systems to Security Categories

August 2008
Primary Contact: Kevin Stine, (301) 975-4483
Alternate Contact: Arnold Johnson, (301) 975-3247

Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

September 2007
Primary Contact: Arnold Johnson, (301) 975-3247

Tutorials and Presentations

Presentations from the NIST Security Seminar on February 1, 2007
   NIST Presentation - (black & white)
   FDIC Presentation

Automated Security Support Tools: The Key to Successful FISMA Implementation

FISMA Phase II Workshop

FISMA Information Security Poster

FISMA Implementation: The Strategy, Challenges, and Roadmap Ahead

Certification and Accreditation Tutorial

FISMA Phase II April 26, 2006 Workshop Summary on Credentialing Program for Security Assessment Service Providers

Presentation from the FISMA Phase II Workshop on Credentialing Program for Security Assessment Service Providers


Memorandum For Record: Security Controls Assessment Form (SP 800-53A) [updated 05/24/07]

Managing Enterprise Risk in Today’s World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost-Effective Information Security Programs