CAP Documents

The Privacy Act of 1974, 5 U.S.C. § 552a (2006), which has been in effect since September 27, 1975, can generally be characterized as an omnibus "code of fair information practices" that attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies.

The National Institute of Standards and Technology (NIST) created NIST Special Publication (SP) 800-53, "Recommended Security Controls for Federal Information Systems and Organizations," to establish a standardized set of information security controls for use within the United States (U.S.) Federal Government. NIST collaborated with the Intelligence Community (IC), Department of Defense (DoD), and the Committee on National Security Systems (CNSS) to ensure NIST SP 800-53 contains security controls to meet the requirements of National Security Systems (NSS).2 As a result of these collaborative efforts, the Director of National Intelligence and the Secretary of Defense have directed that the processes described in NIST SP 800-53 (as amended by this Instruction) and the security and programmatic controls contained in Appendices F and G, respectively, shall apply to NSS within the National Security Community. This means NIST SP 800-53 now provides a common foundation for information security controls across the U.S. Federal Government. (Guidance on how to implement the processes described in NIST SP 800-53)

Federal Information Processing Standards Publication (FIPS). FIPS Publication 199 addresses the first task cited—to develop standards for categorizing information and information systems. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the federal government, promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices. Subsequent NIST standards and guidelines will address the second and third tasks cited.

FIPS Publication 200, the second of the mandatory security standards, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements. This standard will promote the development, implementation, and operation of more secure information systems within the federal government by establishing minimum levels of due diligence for information security and facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems that meet minimum security requirements.

Guide for Developing Security Plans for Federal Information Systems

Risk Management Guide for Information Technology Systems

Contingency Planning Guide for Information Technology Systems

The purpose of this publication is to provide guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization,9 security control selection and implementation, security control assessment, information system authorization,10 and security control monitoring. The guidelines have been developed: • To ensure that managing information system-related security risks is consistent with the organization's mission/business objectives and overall risk strategy established by the senior leadership through the risk executive (function); • To ensure that information security requirements, including necessary security controls, are integrated into the organization's enterprise architecture and system development life cycle processes; • To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk management-related information, and reciprocity;11 and • To achieve more secure information and information systems within the federal government through the implementation of appropriate risk mitigation strategies. This publication satisfies the requirements of the Federal Information Security Management Act (FISMA) and meets or exceeds the information security requirements established for executive agencies12 by the Office of Management and Budget (OMB) in Circular A-130, Appendix III, Security of Federal Automated Information Resources. The guidelines in this publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems. State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.

NIST Special Publication 800-39 is the flagship document in the series of information security standards and guidelines developed by NIST in response to FISMA. The purpose of Special Publication 800-39 is to provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. Special Publication 800-39 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines. The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program.

Creating a Patch and Vulnerability Management Program. This publication is designed to assist organizations in implementing security patch and vulnerability remediation programs. It focuses on how to create an organizational process and test the effectiveness of the process. It also seeks to inform the reader about the technical solutions that are available for vulnerability remediation.

This document seeks to assist organizations in understanding the capabilities of firewall technologies and firewall policies. It provides practical guidance on developing firewall policies and selecting, configuring, testing, deploying, and managing firewalls.

Security Guide for Interconnecting Information Technology Systems. This document provides guidance for planning, establishing, maintaining, and terminating interconnections between information technology (IT) systems that are owned and operated by different organizations, including organizations within a single federal agency.

Building an Information Technology Security Awareness and Training Program. This document provides guidelines for building and maintaining a comprehensive awareness and training program, as part of an organization's IT security program. The guidance is presented in a life-cycle approach, ranging from designing (Section 3), developing (Section 4), and implementing (Section 5) an awareness and training program, through post-implementation evaluation of the program (Section 6). The document includes guidance on how IT security professionals can identify awareness and training needs, develop a training plan, and get organizational buy-in for the funding of awareness and training program efforts. This document also describes how to: • Select awareness and training topics; • Find sources of awareness and training material; • Implement awareness and training material, using a variety of methods; • Evaluate the effectiveness of the program; and • Update and improve the focus as technology and organizational priorities change.

Recommended Security Controls for Federal Information Systems and Organizations. The purpose of this publication is to provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government to meet the requirements of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components11 of an information system that process, store, or transmit federal information. The guidelines have been developed to help achieve more secure information systems and effective risk management within the federal government by: • Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems and organizations; • Providing a recommendation for minimum security controls for information systems categorized in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems; • Providing a stable, yet flexible catalog of security controls for information systems and organizations to meet current organizational protection needs and the demands of future protection needs based on changing requirements and technologies; • Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness; and • Improving communication among organizations by providing a common lexicon that supports discussion of risk management concepts. The guidelines in this special publication are applicable to all federal information systems12 other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of appropriate federal officials exercising policy authority over such systems.13 State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.

Guide for Assessing the Security Controls in Federal Information Systems. The purpose of this publication is to provide guidelines for building effective security assessment plans and a comprehensive set of procedures for assessing the effectiveness of security controls employed in information systems supporting the executive agencies of the federal government. The guidelines apply to the security controls defined in NIST Special Publication 800-53 (as amended), Recommended Security Controls for Federal Information Systems, and any additional security controls developed by the organization. The guidelines have been developed to help achieve more secure information systems within the federal government by: • Enabling more consistent, comparable, and repeatable assessments of security controls; • Facilitating more cost-effective assessments of security controls contributing to the determination of overall control effectiveness; • Promoting a better understanding of the risks to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems; and • Creating more complete, reliable, and trustworthy information for organizational officials—to support security accreditation decisions, information sharing, and FISMA compliance. The guidelines provided in this special publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective to complement similar guidelines for national security systems and may be used for such systems with the approval of the Director of National Intelligence (DNI), the Secretary of Defense (SECDEF), the Chairman of the Committee on National Security Systems (CNSS), or their designees. State, local, and tribal governments, as well as private sector organizations that compose the critical infrastructure of the United States, are also encouraged to consider the use of these guidelines, as appropriate. Organizations should use as a minimum, NIST Special Publication 800-53A in conjunction with an approved security plan in developing a viable security assessment plan for producing and compiling the information necessary to determine the effectiveness of the security controls employed in the information system. This publication has been developed with the intention of enabling organizations to tailor and supplement the basic assessment procedures provided. The assessment procedures should be used as a starting point for and as input to the security assessment plan. In developing effective security assessment plans, organizations should take into consideration existing information about the security controls to be assessed (e.g., results from organizational assessments of risk, platform-specific dependencies in the hardware, software, or firmware,10 and any assessment procedures needed as a result of organization-specific controls not included in NIST Special Publication 800-53). The selection of appropriate assessment procedures for a particular information system depends on three factors: • The security categorization of the information system in accordance with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories; • The security controls identified in the approved security plan, including those from NIST Special Publication 800-53 (as amended) and any organization-specific controls;11 and • The level of assurance that the organization must have in determining the effectiveness of the security controls in the information system. The extent of security control assessments should always be risk-driven. Organizations should determine the most cost-effective implementation of this key element in the organization's information security program by applying the results of risk assessments, considering the maturity and quality level of the organization's risk management processes, and taking advantage of the flexibility in NIST Special Publication 800-53A. The use of Special Publication 800-53A as a starting point in the process of defining procedures for assessing the security controls in information systems, promotes a more consistent level of security within the organization and offers the needed flexibility to customize the assessment based on organizational policies and requirements, known threat and vulnerability information, operational considerations, information system and platform dependencies, and tolerance for risk.12 Ultimately, organizations should view assessment as an information gathering activity, not a security producing activity. The information produced during security control assessments can be used by an organization to: • Identify potential problems or shortfalls in the organization's implementation of the NIST Risk Management Framework; • Identify information system weaknesses and deficiencies; • Prioritize risk mitigation decisions and associated risk mitigation activities; • Confirm that identified weaknesses and deficiencies in the information system have been addressed; • Support information system authorization (i.e., security accreditation) decisions; and • Support budgetary decisions and the capital investment process. Organizations are not expected to employ all of the assessment methods and assessment objects contained within the assessment procedures identified in this document. Rather, organizations have the flexibility to determine the security control assessment level of effort and resources expended (e.g., which assessment methods and objects are employed in the assessment). This determination is made on the basis of what will most cost-effectively accomplish the assessment objectives defined in this publication with sufficient confidence to support the subsequent determination of the resulting mission or business risk.

Performance Measurement Guide for Information Security. This document is a guide for the specific development, selection, and implementation of information system-level and program level measures to indicate the implementation efficiency/effectiveness, and impact of security controls, and other security-related activities. It provides guidelines on how an organization, through the use of measures, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional information security resources, identify and evaluate nonproductive security controls, and prioritize security controls for continuous monitoring.

Guide for Mapping Types of Information and Information Systems to Security Categories. NIST SP 800-60 addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline is intended to help agencies consistently map security impact levels to types of: (i) information (e.g., privacy, medical, proprietary, financial, contractor sensitive, trade secret, investigation); and (ii) information systems (e.g., mission critical, mission support, administrative). This guideline applies to all Federal information systems other than national security systems. National security systems store, process, or communicate national security information.

Computer Security Incident Handling Guide. This publication seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. It includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents. Agencies are encouraged to tailor the recommended guidelines and solutions to meet their specific security and mission requirements.

Security Considerations in the System Development Life Cycle. The purpose of this guideline is to assist agencies in building security into their IT development processes. This should result in more cost-effective, risk-appropriate security control identification, development, and testing. This guide focuses on the information security components of the SDLC. Overall system implementation and development is considered outside the scope of this document. Also considered outside scope is an organization's information system governance process. First, the guideline describes the key security roles and responsibilities that are needed in development of most information systems. Second, sufficient information about the SDLC is provided to allow a person who is unfamiliar with the SDLC process to understand the relationship between information security and the SDLC. The scope of this document is security activities that occur within a waterfall SDLC methodology. It is intended that this could be translated into any other SDLC methodology that an agency may have adopted.

Guide to Malware Incident Prevention and Handling. This publication is intended to help organizations understand the threats posed by malware and mitigate the risks associated with malware incidents. In addition to providing background information on the major categories of malware, it provides practical, real-world guidance on preventing malware incidents and responding to malware incidents in an effective, efficient manner.

Guidelines for Media Sanitization. This document will assist organizations in implementing a media sanitization program with proper and applicable techniques and controls for sanitization and disposal decisions, considering the security categorization of the associated system's confidentiality. The objective of this special publication is to assist with decision making when media require disposal, reuse, or will be leaving the effective control of an organization. Organizations should develop and use local policies and procedures in conjunction with this guide to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information. The information in this guide is best applied in the context of current technology and applications. It also provides guidance for information disposition sanitization and control decisions to be made throughout the system life cycle. Forms of media exist that are not addressed by this guide, and media are yet to be developed and deployed that are not covered by this guide. In those cases, the intent of this guide outlined in the procedures section applies to all forms of media based on the evaluated security categorization of the system's confidentiality according to FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.

Guide to Computer Security Log Management. This publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise. The guidance in this publication covers several topics, including establishing log management infrastructures, and developing and performing robust log management processes throughout an organization. The publication presents log management technologies from a high-level viewpoint, and it is not a step-by-step guide to implementing or using log management technologies.

Information Security Handbook; A Guide for Managers

Technical Guide to Information Security Testing and Assessment. The purpose of this document is to provide guidelines for organizations on planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies. It provides practical recommendations for designing, implementing, and maintaining technical information relating to security testing and assessment processes and procedures, which can be used for several purposes—such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. This guide is not intended to present a comprehensive information security testing or assessment program, but rather an overview of the key elements of technical security testing and assessment with emphasis on specific techniques, their benefits and limitations, and recommendations for their use. (This document replaces NIST Special Publication 800-42, Guideline on Network Security Testing.)

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). The purpose of this document is to assist Federal agencies in protecting the confidentiality of personally identifiable information (PII) in information systems. The document explains the importance of protecting the confidentiality of PII in the context of information security and explains its relationship to privacy using the Fair Information Practices, which are the principles underlying most privacy laws and privacy best practices. PII should be protected from inappropriate access, use, and disclosure. This document provides practical, context-based guidance for identifying PII and determining what level of protection is appropriate for each instance of PII. The document also suggests safeguards that may offer appropriate levels of protection for PII and provides recommendations for developing response plans for incidents involving PII. Organizations are encouraged to tailor the recommendations to meet their specific requirements.

FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

Guidance for Online Use of Web Measurement and Customization Technologies

Guidance for Agency Use of Third-Party Websites and Applications

Safeguarding Against and Responding to the Breach of Personally Identifiable Information

Recommendations for Identity Theft Related Data Breach Notification

Safeguarding Personally Identifiable Information

Protection of Sensitive Agency Information

Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments

Policies for Federal Agency Public Websites

E-Authentication Guidance

Development of Homeland Security Presidential Directive (HSPD) - 7 Critical Infrastructure Protection Plans to Protect Federal Critical Infrastructures and Key Resources

OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002

Guidance on Inter-Agency Sharing of Personal Data Protecting Personal Privacy

OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act.

Preparations, Submission, and Execution of the Budget

Management's Responsibility for Internal Control

Management of Federal Information Resources

Federal Information Security Management Act of 2002