NIST, Computer Security Division, Computer Security Resource Center
Drivers
The United States Congress and OMB have instituted laws, regulations, and directives that govern creation and implementation of federal information security practices. These laws and regulations place responsibility and accountability for information security at all levels within federal agencies, from the agency head to system users. Furthermore, these laws and regulations provide an infrastructure for overseeing implementation of required practices, and charge NIST with developing and issuing standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act (FISMA) of 2002 and in managing cost-effective programs to protect their information and information systems. These laws, regulations, standards, and guidance
- Establish agency-level responsibilities for information security;
- Define key information security roles and responsibilities;
- Establish a minimum set of controls in information security programs;
- Specify compliance reporting rules and procedures; and
- Provide other essential requirements and guidance
In addressing these requirements, agencies should tailor their information security practices to their organization’s own missions, operations, and needs.
2007-2008 Drivers
| Policy Date | Title of Policy |
|---|---|
| March 2008 | Sensitive Database Extracts Technical Frequently Asked Questions |
2006-2007 Drivers
| Policy Date | Title of Policy |
|---|---|
| July 2007 | |
| June 2007 | Ensuring New Acquisition Include Common Security Configurations |
| May 2007 | |
| Dec. 2006 | Recognition of Certification and Accreditation of Certified PKI Shared Service Providers Across Agency Boundaries Memorandum for Federal Information System Security Managers from Mary Mitchell, Deputy Associate Administrator of Technology Strategy, GSA |
| June 2006 | OMB
Reinforces Strict Adherence to Safeguard Standards |
| June 2006 | Protection
of Sensitive Agency Information Memorandum for the Heads of Departments and Agencies From Clay Johnson, Deputy Director for Management |
| May 2006 | Safeguarding
Personally Identifiable Information M-06-15 Memorandum for the Heads of Departments and Agencies From Clay Johnson, Deputy Director for Management |
2004-2005 Drivers
2002-2003 Drivers
| Policy Date | Title of Policy |
|---|---|
| December 2003 | OMB
Memo: E-authentication Guidance for Federal Agencies |
| December 2003 | Homeland
Security Presidential Directive/Hspd-7 Subject: Critical Infrastructure Identification, Prioritization, and Protection (.html page) |
| September 2003 | OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (.html page) |
| September 2003 | OMB
Guidance to Assist Agencies With Certification and Accreditation Efforts |
| December 2002 | Electronic
Government Act of 2002 |
| December 2002 | Cyber
Security R&D Act |
| December 2002 | Federal
Information Security Management Act of 2002 (Title III of E-Gov) |
| October 2002 | Guidance on Homeland Security Information Issued - DOJ - Action to Safeguard Information Regarding Weapons of Mass Destruction and Other Sensitive Documents Related to Homeland Security (.html page) |
| September 12, 2002 | Handling and Reporting Computer Security Incidents (memorandum - .html page) |
| July 2002 |
2000-2001 Drivers
| Policy Date | Title of Policy |
|---|---|
| November 26, 2001 | OMB
Guidance to Federal Agencies on Data Availability and Encryption |
| October
16, 2001 |
Executive
Order: Critical Infrastructure Protection in the Information Age (.html page) |
| August
15, 2001 |
MEMORANDUM
to Chief Information Officers and Program Officials FROM:
Dan Chenok SUBJECT: Guidance on the Release of Security
Act Reports |
| January 2001 |
Department
of The Treasury - Fiscal Service - Electronic Authentication Policy - Policies and practices for the use of electronic transactions and
authentication techniques in Federal payments and collections. |
| January 2001 | |
| November 2000 |
Federal Information Technology Security Assessment Framework |
| November 2000 | |
| September 2000 |
OMB
Guidance on Implementing the Electronic Signatures in Global and National
Commerce Act. To view the OMB memorandum.
(.html page) To view the Global and National Commerce Act.(.pdf file) |
| June 2000 |
This
site contains a copy of a June 22, 2000 memorandum
from OMB Director Jacob J. Lew on the subject of privacy policies
and data collection on Federal websites. (.html page) |
| May 2000 |
OMB
issues Federal Register Notice on Procedures
and Guidance for the Implementation of the Government Paperwork Elimination
Act (.pdf file) [Federal Register, Vol. 65, No. 85, Tuesday, May
2, 2000]. |
| March 2000 |
The
President sent a memo to the heads of
Departments and Agencies on renewing their efforts to safeguard their
computer systems against denial-of-service attacks on the Internet. |
| February 2000 |
The
Director of the OMB issues guidance
to Federal agencies on Incorporating and Funding Security in Information
Systems Investments. (.html page) |
| February 2000 |
The
President's Chief of Staff sent a memo to the heads of Federal Department's and Agencies on computer security. (.html page) |
Pre-2000 Drivers
| Policy Date | Title of Policy |
|---|---|
| July 1999 |
Privacy
Policies on Federal Web Sites |
| July 1999 |
Security
of Federal Automated Information Resources (memorandum from Jacob J. Lew, Director) |
| May 1998 |
Critical
Infrastructure Protection |
| November 2000 |
OMB
Circular A-130, Revised .pdf file web page |
| November 2000 | Appendix
III to OMB Circular No. A-130 .pdf file web page |
| 1987 | Computer
Security Act of 1987 (has been superseded by Federal Information Security Management Act of 2002 (Title III of E-Gov)) |