2. Crucial Publications and Laws Flashcards
CNSS 1253a
“Security Categorization and Control Selection for National Security Systems”
Provides all Federal Government departments, agencies, etc. with guidance on the first two steps of the RMF (Categorize and Select) for National Security Systems
FIPS 199
Develops standards for categorizing information and information systems.
Security categorization standards for information and information systems provide a common framework and understanding for expressing security impact (Low, Moderate, High)
FIPS 200
Addresses specification of minimum security requirements for federal information and information systems.
Minimum security requirements cover 17 areas to protect the C-I-A of federal information systems and their information.
- access control
- awareness, training
- audit, accountability
- certification, accreditation, assessments
- configuration management
- contingency planning
- identification, authentication
- incident response
- maintenance
- media protection
- physical, environmental protection
- planning
- personnel security
- risk assessment
- systems and services acquisition
- system and communications protection
- system and information integrity
SP 800-30
Guide for Conducting Risk Assessments
Guidance for conducting risk assessments
Amplifies guidance in SP 800-39.
Risk assessments at all three tiers of the risk management hierarchy are part of an overall risk management process
SP 800-37
Risk Management Framework
Core publication describing the RMF in detail
SP 800-39
Managing Information Security Risk
Guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e. mission, functions, image, reputation), assets, and individuals.
SP 800-53
Security and Privacy Controls for Federal Information Systems
Guidelines for selecting and specifying security controls to meet requirements of FIPS 200
SP 800-60
Guide for Mapping Types of Information and Information Systems to Security Categories
Maps information types to FIPS 199
SP 800-64
Security Considerations in the System Development Lifecycle
Assists in integrating essential IT security steps into the established IT System Development Lifecycle
SP 800-137
Information Security Continuous Monitoring
Maintaining ongoing awareness of information security, vulnerabilities and threats to support risk management decisions
Section 3541 Title 44 USC
Federal Information Security Management Act 2002
FISMA compels government to secure its IT resources
OMB Circular A-130
Establishes the minimum set of controls to be included in Federal infosec programs.
Assigns federal agency responsibilities for the security of automated information
Links agency automated infosec programs and agency management control systems established in accordance with OMB A-123
OMB Circular A-123
Guidance to federal managers on improving accountability and effectiveness of Federal programs by establishing, assessing, correcting, reporting on internal control.
The attachment to this circular defines management responsibilities for internal control and the process for assessing internal control effectiveness, with a summary of the major changes
USC 552a
Privacy Act of 1974
Establishes a code of fair information practices that governs the collection, maintenance, use and dissemination of information about individuals that is maintained in federal systems of records.
FISMA
Agencies must engage in authorization per OMB A-130
Agencies must maintain an information systems inventory
Agencies must categorize their information systems per FIPS 199 and SP 800-60
Agencies must meet minimum requirements by implementing and assessing security controls per FIPS 200 and SP 800-53
(SP 800-53 references SP 800-37, so it is also compulsory along with the other SPs, but agencies have latitude in how they achieve compliance)