THE RESOURCE CD

To assist you in all aspects of the authorization process, there is a companion CD to this book. The table below identifies information systems security requirements and guidelines that are found on the accompanying CD, based on selected sources in effect as of January 2009, and indicates templates that will assist in meeting these requirements. It also includes draft regulations and instructions associated with the C&A Transformation.

The table is organized into the following sections:

1. Federal Requirements, such as: 1) Presidential documents; 2) Public Laws; 3) Office of Management and Budget (OMB) documents; and 4) computer security-related Federal Information Processing Standards Publications (FIPS PUBS) issued by the National Institute of Standards and Technology (NIST).

2. Guidelines issued by NIST under the Special Publication 800 series, which may or may not be mandatory; agencies may use them voluntarily unless otherwise specified.

3. Regulations issued by the Department of Defense, which are binding on DOD entities.

4. Standards, Best Practices, and other useful guidelines.

5. Templates for NIST, DOD and general use.

LAW, POLICY, REGULATIONS, AND GUIDELINES

Presidential Documents (Presidential Decision Directives (PDD); National Security Policy Directive (NSPD); Homeland Security Policy Directive (HSPD))

Executive Branch Directive

NSPD 54/HSPD 21, Cyber Security & Monitoring

NSPD 51/HSPD 20, National Continuity Policy

HSPD 12, Policy for a Common Identification Standard for Federal Employees and Contractors

HSPD 7, Critical Infrastructure Identification, Prioritization, and Protection

PDD 67, Enduring Constitutional Government and Continuity of Government Operations

PDD 63, Protecting America's Critical Infrastructures

Executive Orders

EO 13292, Further Amendment to EO 12958, as Amended, Classified National Security Information

EO 13284, Establishment of the Department of Homeland Security

EO 13231, Critical Infrastructure Protection in the Information Age

EO 13130, National Infrastructure Assurance Council

EO 13103, Computer Software Piracy

EO 13011, Federal Information Technology

EO 12958, Classified National Security Information

EO 12472, Assignment of National Security and Emergency Preparedness Telecommunications Functions

EO 12333, US Intelligence Activities

Presidential Memoranda

Presidential Memorandum, Freedom of Information Act

Presidential Memorandum, Controlled Unclassified Information

Presidential Memorandum, Action by Federal Agencies to Safeguard Against Internet Attacks

Memo from White House Chief of Staff, Security of Federal Information Systems

Presidential Memorandum, Electronic Government

Presidential Memorandum, Privacy and Personal Information and Federal Records

Public Laws

Federal Information Security Management Act of 2002 (FISMA) (Title III of the E-Gov Act of 2002)

Electronic Government Act of 2002 (E-Gov)

Sec. 639. (A) Prohibition Of Federal Agency Monitoring Of Personal Information On Use Of Internet, Treasury and General Government Appropriations Act of 2002

Section 646, Protection of Citizens’ Privacy on Federal Web Sites, Treasury and General Government Appropriations Act, 2001

Electronic Signatures in Global and National Commerce Act

Government Paperwork Elimination Act of 1999 (GPEA)

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Clinger Cohen Act (formerly the Information Technology Management Reform Act of 1996)

Privacy Act of 1974, as amended

Computer Security Act of 1987

OMB Documents

OMB Memorandum 09-02, Information Technology Management Structure and Governance Framework

OMB Memorandum 08-27, Guidance for Trusted Internet Connection (TIC) Compliance

OMB Memorandum 08-23, Securing the Federal Government’s Domain Name System Infrastructure

OMB Memorandum 08-22, Guidance on the Federal Desktop Core Configuration (FDCC)

M-08-21, Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

OMB Circular A-11, Preparation and Submission of Budget Estimates, Section 300

OMB Memorandum 08-09, New FISMA Privacy Reporting Requirements for FY 2008

OMB Memorandum 07-18, Ensuring New Acquisitions Include Common Security Configurations

OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information

OMB Memorandum 06-16, Protection of Sensitive Agency Information

OMB Memorandum 05-24, Implementation of HSPD-12

OMB Memorandum 04-15, Development of HSPD-7 Critical Infrastructure Protection Plans

OMB Memorandum 04-04, e-Authentication Guidance for Federal Agencies

M-03-18, Implementation Guidance for the E-Government Act of 2002

OMB Guidance to Federal Agencies on Data Availability and Encryption

Appendix III to OMB Circular A-130, Revised, Security of Federal Automated Information Resources

OMB Circular A-130, Revised, Transmittal Memorandum No. 4, Management of Federal Information Resources

M-01-05, Guidance on Inter-Agency Sharing of Personal Data-Protecting Personal Privacy

M-00-15, OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act

M-00-13, Privacy Policies and Data Collection on Federal Web Sites

M-00-10, OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act

M-00-07, Incorporating and Funding Security in Information Systems Investments

NIST Documents

Federal Information Processing Standard Publications (FIPS)

FIPS 200-01, Change 1, Personal Identity Verification (PIV) of Federal Employees and Contractors

FIPS 200, Minimum Security Requirements for Federal Information and Information Systems

FIPS 199, Standards for Security Categorization of Federal Information and Information Systems

FIPS 198, The Keyed-Hash Message Authentication Code (HMAC)

FIPS 197, Advanced Encryption Standard

FIPS 196, Entity Authentication Using Public Key Cryptography

FIPS 191, Guideline for The Analysis of Local Area Network Security

FIPS 190, Guideline for the Use of Advanced Authentication Technology Alternatives

FIPS 188, Standard Security Labels for Information Transfer

FIPS 186-2, Digital Signature Standard (DSS)

FIPS 185, Escrowed Encryption Standard

FIPS 181, Automated Password Generator

FIPS 140-2, Security Requirements for Cryptographic Modules (With Change Notices)

NIST Special Publications (SP)

NIST Guide to the Information Security Documents and Associated Trifold

NIST SP 800-124, Guidelines on Cell Phone and PDA Security

NIST SP 800-123, Guide to General Server Security

DRAFT NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

NIST SP 800-121, Guide to Bluetooth Security

NIST SP 800-115, Technical Guide to Information Security Testing and Assessment

NIST SP 800-114, User's Guide to Securing External Devices for Telework and Remote Access

NIST 800-100, Information Security Handbook: A Guide for Managers

NIST SP 800-88, Guidelines for Media Sanitization

NIST SP 800-65, Integrating IT Security Into the Capital Planning and Investment Control Process

NIST SP 800-64, Rev 2, Security Considerations in the System Development Life Cycle

NIST SP 800-61, Computer Security Incident Handling Guide

NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories

NIST SP 800-59, Guideline for Identifying an Information System as a National Security System

NIST SP 800-55, Security Metrics Guide for Information Technology Systems

NIST SP 800-53, Rev 2, Recommended Security Controls for Federal Information Systems

NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems

NIST SP 800-51, Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme

NIST SP 800-50, Building an Information Technology Security Awareness and Training Program

NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems

DRAFT NIST SP 800-46, Rev 1, Guide to Enterprise Telework and Remote Access Security

NIST SP 800-45, Rev 2, Guidelines on Electronic Mail Security

NIST SP 800-44, Rev 2, Guidelines on Securing Public Web Servers

DRAFT NIST SP 800-41, Guidelines on Firewalls and Firewall Policy

NIST SP 800-40, Procedures for Handling Security Patches

NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems

NIST SP 800-36, Guide to Selecting IT Security Products

NIST SP 800-35, Guide to IT Security Services

NIST SP 800-34, Contingency Planning Guide for Information Technology Systems

NIST SP 800-33, Underlying Technical Models for Information Technology Security

NIST SP 800-32, Introduction to Public Key Infrastructure and the Federal PKI Infrastructure

NIST SP 800-30, Risk Management Guide for Information Technology Systems

NIST SP 800-29, A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2

NIST SP 800-28, Rev. 2, Guidelines on Active Content and Mobile Code

NIST SP 800-27, Rev A., Engineering Principles for Information Technology Security

NIST SP 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products

NIST SP 800-19, Mobile Agent Security

NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems

NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model

NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems

NIST SP 800-13, Telecommunications Security Guide for Telecommunications Management Network

NIST SP 800-12, An Introduction to Computer Security: the NIST Handbook

COMMITTEE FOR NATIONAL SECURITY SYSTEMS (CNSS) PUBLICATIONS

CNSSP-6, National Policy on Certification & Accreditation (C&A) of National Security Systems

CNSSP-22, Information Assurance Risk Management Policy for National Security Systems

NSTISSI 1000, National Certification & Accreditation Process (NIACAP)

DEPARTMENT OF DEFENSE PUBLICATIONS

Department of Defense Directives

DODD 3020.26, Defense Continuity Program

DOD 5200.1-R, Information Security Program

DOD 5400.11, Department of Defense Privacy Program

DODD 8500.01E, Information Assurance

DODD 8570.1, Information Assurance Training, Certification and Workforce Management

Department of Defense Instructions

DODI 3020.39, Integrated Continuity Program for the Defense Intelligence Enterprise (DIE)

DODI 3020.42, Defense Continuity Plan Development

DODI 5000.02, Operation of the Defense Acquisition System

DODI 8500.2, Information Assurance Implementation

DODI 8510.01, Department of Defense Information Assurance Certification & Accreditation Process (DIACAP)

DODI 8552.01, Use of Mobile Code Technologies in DOD Information Systems

DODI 8580.1, Information Assurance in the Defense Acquisition System

Department of Defense Manuals

DOD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM)

DOD 8570.1-M, Information Assurance Workforce Improvement Program

Department of Defense Memos

Department of Defense Memo on DOD C&A Reciprocity

Policy on Use of Department of Defense (DoD) Information Systems Standard Consent Banner and User Agreement

Department of Defense Global Information Grid (GIG) Information Assurance

Guidance on Protecting Personally Identifiable Information (PII)

Encryption of Sensitive Unclassified Data on Mobile Computing Devices and Removable Storage Media

Joint Chiefs of Staff Policy

CJCSI 6510.01E, Information Assurance (IA) and Computer Network Defense (CND)

Department of the Air Force Policy

AFI 33-210, Air Force Certification & Accreditation (C&A) Program

Department of the Army Policy

AR 25-1, Army Knowledge Management and Information Technology

AR 25-2, Information Assurance

DA PAM 25-1-2, Information Technology Contingency Planning

DA Best Business Practice (BBP) 002, Certification & Accreditation

BBP 003, Designated Accrediting Authority

BBP 004, Certification Authority

BBP 005, Agent of the Certification Authority

BBP 006, Installation Level Designated Approving Authority

BBP 007, Connection Approval Process

BBP 008, Army Information Assurance Certification and Accreditation Terms for Connectivity to the Installation Service Provider/ICAN

BBP 009, Stand Alone IS and Closed Restricted Networks Information Assurance Certification & Accreditation (IA C&A) Requirements

Department of the Navy Policy (Includes Navy and Marine Corps)

SECNAVINST 5239.3A, Department of the Navy Information Assurance Policy

OPNAV 5239.3C, Navy Information Assurance Program

DON CIO Memo, Platform Information Technology (PIT) C&A Guidance

DON CIO Memo, Senior Information Assurance Officer (SIAO) Alignment And Responsibilities For Information Assurance And Certification And Accreditation Processes

DON DOD Information Assurance C&A Process (DIACAP) Handbook

National Security Agency (NSA) Policy

Security Configuration Guides

Defense Information Systems Agency (DISA) Policy

Security Technical Configuration Guides (STIGS)

Security Checklists

Security Readiness Review (SRR) Scripts

C&A Transformation Documentation

Agreement Between CIOs

CNSS Agreement to Use NIST Documents as Basis for Security Controls and Risk Assessment

TEMPLATES

Federal Required Documentation

NIST System Security Plan – Version 1

NIST System Security Plan – Version 2

NIST Plan of Action & Milestones Guide

NIST Plan of Action & Milestones Guide for System Stewards

NIST Security Assessment Report (SAR) Template

Certification & Authorization Statement Template

Federal Artifacts

Personally Identifiable Information Controls Analysis Template

NIST IT Security Handbook

NIST Configuration Management Plan

NIST Incident Response Plan

NIST IT Contingency Plan

NIST Memorandum of Understanding (MOU) Template

NIST Interconnection Security Agreement Template

Risk Calculation Worksheet Template

Department of Defense Required Documentation

DIACAP Package

DIACAP Artifacts (Evidence of Compliance)

Artifact 1 – Security Concept of Operations (S-CONOPS)

Artifact 2 – Configuration Management Plan

Artifact 3 – Security Design Documentation

Artifact 4 – Contingency Plan/Business Continuity Plan

Artifact 5 – Incident Response Plan

Artifact 6 – Interconnection Memorandum of Agreement

Artifact 7 – Privacy Impact Assessment Determination Checklist

Artifact 8 – Security Test Plan

Artifact 8a – Security Test Plan – Version 2

Artifact 9 – Physical Security Assessment Report

Artifact 10 – Security Education, Training, and Awareness (SETA) Plan

Artifact 11 – Security Assessment Report (SAR)

DOD IA Controls & Validation Procedures

DOD IA Controls Weakness Statements

DOD IA Controls Impact Codes

DIACAP Security Posture Questionnaire

FISMA-CIO Template FY 2008

IA Workforce Training Tracker FY 09

IA Workforce Training Tracker FY09 Guidance

DOD Memorandum of Agreement (MOA) Template

DOD Annual IA Controls Assessment Form

General

Change Request Form

Change Request Status Log

Emergency Change Request Form

Security Impact Assessment Form

HIPAA Analysis Template

C&A Document Tracker Template

Additional Risk Assessment Resources

Sample List of Assets

Sample List of Vulnerabilities

In-Briefing Template

Out-Briefing Template

Threat Identification Workbook

System Life Cycle and Documentation

User Manual Guide
