Federal agencies must meet a number of legal requirements for IT security. Many come from legislation; others come from Presidential Directives or Office of Management and Budget (OMB) Circulars. Below is a list of the major sources of these requirements, each with the supporting documents NIST has published for it. Some of these documents are the direct result of mandates given to NIST; others were developed to give Federal agencies guidance on how to carry out the legal requirements.

E-Government Act of 2002
Requirement: Mandates NIST Development of Security Standards

Federal Information Security Management Act of 2002 (FISMA)
Requirement: Annual Public Report on Activities Undertaken in the Previous Year
Requirement: Categorization of All Information & Information Systems & Minimum Security Requirements for Each Category
Requirement: Detection & Handling of Information Security Incidents
Document | Date | Title | Files
FIPS 198-1 | Jul 2008 | The Keyed-Hash Message Authentication Code (HMAC) | FIPS-198-1_final.pdf
FIPS 180-3 | Oct 2008 | Secure Hash Standard (SHS) | fips180-3_final.pdf
FIPS 140-3 | Jul 13, 2007 | DRAFT Security Requirements for Cryptographic Modules | fips1403Draft.pdf
FIPS 140-2 | May 2001 | Security Requirements for Cryptographic Modules | fips1402.pdf, Fips140-2.zip, fips1402annexa.pdf, fips1402annexb.pdf, fips1402annexc.pdf, fips1402annexd.pdf
FIPS 140-1 | Jan 1994 | Security Requirements for Cryptographic Modules | fips1401.pdf
SP 800-126 | Jul 31, 2009 | DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP) | Draft-SP800-126.pdf
SP 800-117 | May 5, 2009 | DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP) | draft-sp800-117.pdf
SP 800-116 | Nov 2008 | A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS) | SP800-116.pdf
SP 800-114 | Nov 2007 | User's Guide to Securing External Devices for Telework and Remote Access | SP800-114.pdf
SP 800-113 | Jul 2008 | Guide to SSL VPNs | SP800-113.pdf, SP800-113_pdf.zip
SP 800-111 | Nov 2007 | Guide to Storage Encryption Technologies for End User Devices | SP800-111.pdf
SP 800-107 | Feb 2009 | Recommendation for Applications Using Approved Hash Algorithms | NIST-SP-800-107.pdf
SP 800-106 | Feb 2009 | Randomized Hashing for Digital Signatures | NIST-SP-800-106.pdf
SP 800-104 | Jun 2007 | A Scheme for PIV Visual Card Topography | SP800-104-June29_2007-final.pdf
SP 800-103 | Oct 6, 2006 | DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation | sp800-103-draft.pdf, draft-sp800-103.zip
SP 800-101 | May 2007 | Guidelines on Cell Phone Forensics | SP800-101.pdf
SP 800-98 | Apr 2007 | Guidelines for Securing Radio Frequency Identification (RFID) Systems | SP800-98_RFID-2007.pdf
SP 800-94 | Feb 2007 | Guide to Intrusion Detection and Prevention Systems (IDPS) | SP800-94.pdf
SP 800-86 | Aug 2006 | Guide to Integrating Forensic Techniques into Incident Response | SP800-86.pdf, SP800-86-pdf.zip
SP 800-84 | Sep 2006 | Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities | SP800-84.pdf
SP 800-83 | Nov 2005 | Guide to Malware Incident Prevention and Handling | SP800-83.pdf
SP 800-78-1 | Aug 2007 | Cryptographic Algorithms and Key Sizes for Personal Identity Verification | SP-800-78-1_final2.pdf
SP 800-76-1 | Jan 2007 | Biometric Data Specification for Personal Identity Verification | SP800-76-1_012407.pdf
SP 800-63 Version 1.0.2 | Apr 2006 | Electronic Authentication Guideline | SP800-63V1_0_2.pdf
SP 800-61 Rev. 1 | Mar 2008 | Computer Security Incident Handling Guide | SP800-61rev1.pdf
SP 800-54 | Jul 2007 | Border Gateway Protocol Security | SP800-54.pdf
SP 800-53 Rev. 3 | Aug 2009 | Recommended Security Controls for Federal Information Systems and Organizations | sp800-53-rev3-final.pdf, 800-53-rev3_final-markup_FinalPublicDraft-to-Final.pdf, 800-53-rev3-Annex1.pdf, 800-53-rev3-Annex2.pdf, 800-53-rev3-Annex3.pdf
SP 800-53 Rev. 2 | Dec 2007 | Recommended Security Controls for Federal Information Systems | sp800-53-rev2-final.pdf, sp800-53-rev2_pdf.zip, sp800-53-rev2-annex1.pdf, sp800-53-rev2-annex1.zip, sp800-53-rev2-annex2.pdf, sp800-53-rev2-annex2.zip, sp800-53-rev2-annex3.pdf, sp800-53-rev2-annex3.zip
SP 800-53 Rev. 1 | Dec 2006 | Recommended Security Controls for Federal Information Systems | 800-53-rev1-final-clean-sz.pdf, sp800-53-rev1.zip, 800-53-rev1-final-markup-sz.pdf, sp800-53-rev1-markup.zip, SP800-53-AppendicesDEF-markup.pdf, SP800-53-AppendicesDEF-markup.zip, 800-53-rev1-annex1-sz.pdf, SP-800-53Rev1-Annex1.zip, 800-53-rev1-annex2-sz.pdf, SP-800-53Rev1-Annex2.zip, 800-53-rev1-annex3-sz.pdf, SP-800-53Rev1-Annex3.zip
SP 800-51 | Sep 2002 | Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme | sp800-51.pdf, sp800-51.zip
SP 800-48 Rev. 1 | Jul 2008 | Guide to Securing Legacy IEEE 802.11 Wireless Networks | SP800-48r1.pdf
SP 800-44 Version 2 | Sep 2007 | Guidelines on Securing Public Web Servers | SP800-44v2.pdf, SP800-44v2.pdf.zip
ITL June 2007 | Jun 2007 | Forensic Techniques for Cell Phones - ITL Security Bulletin | b-June-2007.pdf
ITL May 2007 | May 2007 | Securing Radio Frequency Identification (RFID) Systems - ITL Security Bulletin | b-May-2007.pdf
ITL April 2007 | Apr 2007 | Securing Wireless Networks - ITL Security Bulletin | b-April-07.pdf
ITL February 2007 | Feb 2007 | Intrusion Detection and Prevention Systems - ITL Security Bulletin | b-02-07.pdf
ITL January 2007 | Jan 2007 | Security Controls for Information Systems: Revised Guidelines Issued by NIST - ITL Security Bulletin | b-01-07.pdf
ITL December 2006 | Dec 2006 | Maintaining Effective Information Technology (IT) Security Through Test, Training, and Exercise Programs - ITL Security Bulletin | b-12-06.pdf
ITL October 2006 | Oct 2006 | Log Management: Using Computer and Network Records to Improve Information Security - ITL Security Bulletin | b-10-06.pdf
ITL September 2006 | Sep 2006 | Forensic Techniques: Helping Organizations Improve Their Responses to Information Security Incidents - ITL Security Bulletin | b-09-06.pdf
ITL August 2006 | Aug 2006 | Protecting Sensitive Information Processed and Stored in Information Technology (IT) Systems - ITL Security Bulletin | Aug-06.pdf
ITL May 2006 | May 2006 | An Update on Cryptographic Standards, Guidelines, and Testing Requirements - ITL Security Bulletin | b-05-06.pdf
ITL April 2006 | Apr 2006 | Protecting Sensitive Information Transmitted in Public Networks - ITL Security Bulletin | b-04-06.pdf
ITL December 2005 | Dec 2005 | Preventing and Handling Malware Incidents: How to Protect Information Technology Systems from Malicious Code and Software - ITL Security Bulletin | b-12-05.pdf
Requirement: Identification of an Information System as a National Security System
Requirement: Manage Security Incidents

Health Insurance Portability and Accountability Act (HIPAA)
Requirement: Assure Health Information Privacy & Security
Document | Date | Title | Files
SP 800-111 | Nov 2007 | Guide to Storage Encryption Technologies for End User Devices | SP800-111.pdf
SP 800-98 | Apr 2007 | Guidelines for Securing Radio Frequency Identification (RFID) Systems | SP800-98_RFID-2007.pdf
NIST IR 7497 | Jan 13, 2009 | DRAFT Security Architecture Design Process for Health Information Exchanges (HIEs) | Draft-NISTIR-7497.pdf
ITL October 2006 | Oct 2006 | Log Management: Using Computer and Network Records to Improve Information Security - ITL Security Bulletin | b-10-06.pdf
Requirement: Standardize Electronic Data Interchange in Health Care Transactions
Document | Date | Title | Files
SP 800-66 Rev. 1 | Oct 2008 | An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule | SP-800-66-Revision1.pdf

Homeland Security Presidential Directive-12 (HSPD-12)
Requirement: Establishes a Mandatory, Government-Wide Standard for Secure & Reliable Forms of Identification Issued by the Federal Government to its Employees & Contractors

Homeland Security Presidential Directive-7 (HSPD-7)
Requirement: Protect Critical Infrastructure

OMB Circular A-11: Preparation, Submission, and Execution of the Budget
Requirement: Capital Planning

OMB Circular A-130: Management of Federal Information Resources, Appendix III: Security of Federal Automated Information Resources
Requirement: Assess Risks
Requirement: Certify & Accredit Systems
Requirement: Conduct Security Awareness Training
Requirement: Develop Contingency Plans & Procedures
Requirement: Manage System Configurations & Security throughout the System Development Life Cycle
Requirement: Mandates Agency-Wide Information Security Program Development & Implementation