Archived NIST Technical Series Publication

The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).

Archived Publication

Series/Number:

Title:

Publication Date(s):

Withdrawal Date:

Withdrawal Note:

Superseding Publication(s)

The attached publication has been superseded by the following publication(s):

Series/Number:

Title:

Author(s):

Publication Date(s):

URL/DOI:

Additional Information (if applicable)

Contact:

Latest revision of the

attached publication:

Related information:

Withdrawal announcement (link):

Date updated: June 9, 2015

NIST Special Publication 800-26

Security Self-Assessment Guide for Information TechnologySystems

November 2001December 19, 2007

SP 800-26 is superseded in its entirety by the publication ofSP 800-53 and SP 800-53A.

NIST Special Publication 800-53

Recommended Security Controls for Federal Information Systems

Ron Ross, Stu Katzke, Arnold Johnson, Marianne Swanson, Gary Stoneburner, George Rogers,Annabelle Lee

February 2005http://dx.doi.org/10.6028/NIST.SP.800-53

Computer Security Division (Information Technology Lab)

SP 800-53 Revision 4 (as of June 19, 2015)

http://csrc.nist.gov/groups/SMA/fisma/assessment.html

N/A

NIST Special Publication 800-26

NisrNational Institute of Standardsand Technology

Technology Administration

U.S. Department of Commerce

Security Self-Assessment Guide

for Information Technology

Systems

Marianne Swanson

COMPUTER SECURITY

rhe National Institute of Standards and Technology was established in 1988 by Congress to "assist industry in

the development of technology . . . needed to improve product quality, to modernize manufacturing processes,

to ensure product reliability . . . and to facilitate rapid commercialization ... of products based on new scientific

discoveries."

NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's

competitiveness; advance science and engineering; and improve public health, safety, and the environment. One

of the agency's basic functions is to develop, maintain, and retain custody of the national standards of

measurement, and provide the means and methods for comparing standards used in science, engineering,

manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal

Government.

As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and

applied research in the physical sciences and engineering, and develops measurement techniques, test

methods, standards, and related services. The Institute does generic and precompetitive work on new and

advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303.

Major technical operating units and their principal activities are listed below. For more information contact the

Publications and Program Inquiries Desk, 301-975-3058.

Office of the Director• National Quality Program

• International and Academic Affairs

Technology Services• Standards Services

• Technology Partnerships

• Measurement Services

• Information Services

Advanced Technology Program• Economic Assessment

• Information Technology and Applications

• Chemistry and Life Sciences

• Materials and Manufacturing Technology

• Electronics and Photonics Technology

Manufacturing Extension PartnershipProgram• Regional Programs

• National Programs

• Program Development

Electronics and Electrical EngineeringLaboratory• Microelectronics

• Law Enforcement Standards

• Electricity

• Semiconductor Electronics

• Radio-Frequency Technology1

• Electromagnetic Technology'

• Optoelectronics1

Materials Science and EngineeringLaboratory• Intelligent Processing of Materials

• Ceramics

• Materials Reliability'

• Polymers

• Metallurgy

• NIST Center for Neutron Research

Chemical Science and TechnologyLaboratory• Biotechnology

• Physical and Chemical Properties2

• Analytical Chemistry

• Process Measurements

• Surface and Microanalysis Science

Physics Laboratory• Electron and Optical Physics

• Atomic Physics

• Optical Technology

• Ionizing Radiation

• Time and Frequency'

• Quantum Physics'

Manufacturing EngineeringLaboratory• Precision Engineering

• Manufacturing Metrology

• Intelligent Systems

• Fabrication Technology

• Manufacturing Systems Integration

Building and Fire ResearchLaboratory• Applied Economics

• Structures

• Building Materials

• Building Environment

• Fire Safety Engineering

• Fire Science

Information Technology Laboratory• Mathematical and Computational Sciences

2

• Advanced Network Technologies

• Computer Security

• Information Access

• Convergent Information Systems

• Information Services and Computing

• Software Diagnostics and Conformance Testing

• Statistical Engineering

'At Boulder, CO 80303.2Some elements at Boulder, CO.

NIST Special Publication 800-26 Security Self-Assessment Guide

for Information Technology

Systems

Marianne Swanson

COMPUTER SECURITY

Computer Security Division

Information Technology

National Institute of Standards and Technology

Gaithersburg, MD 20899-8930

November 2001

U.S. Department of CommerceDonald L. Evans, Secretary

Technology Administration

Phillip J. Bond, Under Secretary for Technology

National Institute of Standards and Technology

Karen H. Brown, Acting Director

Reports on Information Security Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST)

promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and

standards infrastructure for information technology. ITL develops tests, test methods, reference data, proof of concept

implementations and technical analyses to advance the development and productive use of information technology.

ITL's responsibilities include the development of technical, physical, administrative, and management standards and

guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems.

This Special Publication 800 series reports on ITL's research, guidance, and outreach efforts in computer security, and

its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-26

Natl. Inst. Stand. Technol. Spec. Publ. 800-26, 94 pages (Nov. 2001)

CODEN: NSPUE2

U.S. GOVERNMENT PRINTING OFFICEWASHINGTON: 2001

For sale by the Superintendent of Documents, U.S. Government Printing Office

Internet: bookstore.gpo.gov— Phone: (202) 5 1 2- 1 800— Fax: (202) 5 1 2-2250

Mail Stop SSOP, Washington, DC 20402-0001

Acknowledgements

Many people have contributed to this document, directly or indirectly. I would like to thank

our NIST Technical Editor, Elizabeth Lennon, for spending a significant amount of her time

editing this document. The questionnaire was field tested by Jim Craft, U.S. Agency for

International Development, who provided a team to use the questionnaire on two systems.

His team's input was invaluable in finalizing the document. I would also like to thank the

many people who have provided comments on the draft and expressed their enthusiasm and

support for the document. The development of the document was a consolidated effort by

many people.

iii

Executive Summary

Adequate security of information and the systems that process it is a fundamental

management responsibility. Agency officials must understand the current status of their

information security program and controls in order to make informed judgments and

investments that appropriately mitigate risks to an acceptable level.

Self-assessments provide a method for agency officials to determine the current status of

their information security programs and, where necessary, establish a target for improvement.

This self-assessment guide utilizes an extensive questionnaire containing specific control

objectives and techniques against which an unclassified system or group of interconnected

systems can be tested and measured. The guide does not establish new security requirements.

The control objectives and techniques are abstracted directly from long-standing

requirements found in statute, policy, and guidance on security.

This document builds on the Federal IT Security Assessment Framework (Framework)

developed by NIST for the Federal Chief Information Officer (CIO) Council. TheFramework established the groundwork for standardizing on five levels of security status and

criteria agencies could use to determine if the five levels were adequately implemented. This

document provides guidance on applying the Framework by identifying 17 control areas,

such as those pertaining to identification and authentication and contingency planning. In

addition, the guide provides control objectives and techniques that can be measured for each

area.

The questionnaire can be used for the following purposes:

> Agency managers who know their agency's systems and security controls can quickly

gain a general understanding of needed security improvements for a system (major

application or general support system), group of interconnected systems, or the entire

agency.

> The security of an agency's system can be thoroughly evaluated using the questionnaire

as a guide. The results of such a thorough review produce a reliable measure of security

effectiveness and may be used to 1) fulfill reporting requirements; 2) prepare for audits;

and 3) identify resources.

> The results of the questionnaire will assist, but not fulfill, agency budget requests as

outlined in Office of Management and Budget (OMB) Circular A-l 1, "Preparing and

Submitting Budget Estimates."

It is important to note that the questionnaire is not intended to be an all-inclusive list of

control objectives and related techniques. Accordingly, it should be used in conjunction with

the more detailed guidance listed in Appendix B. In addition, details associated with certain

technical controls are not specifically provided due to their voluminous and dynamic nature.

Agency managers should obtain information on such controls from other sources, such as

vendors, and use that information to supplement this guide.

iv

Consistent with OMB policy, each agency must implement and maintain a program to

adequately secure its information and system assets. An agency program must: 1) assure that

systems and applications operate effectively and provide appropriate confidentiality,

integrity, and availability; and 2) protect information commensurate with the level of risk and

magnitude ofharm resulting from loss, misuse, unauthorized access, or modification.

Performing a self-assessment and mitigating any of the weaknesses found in the assessment

is one way to determine if the system and the information are adequately secured.

v

Table of Contents

Acknowledgements m

Executive Summary iv

1. Introduction 1

1 . 1 Self -Assessments 1

1 .2 Federal IT Security Assessment Framework 2

1.3 Audience... .3

1 .4 Structure of this Document 3

2. System Analysis 4

2. 1 System Boundaries 4

2.2 Sensitivity Assessment 5

3. Questionnaire Structure 7

3.1 Questionnaire Cover Sheet 7

3.1.1 Questionnaire Control 7

3.1.2 System Identifica tion 8

3.1.3 Purpose and Assessor Informa tion 8

3.1.4 Crjticality ofInforma tion 9

3.2 Questions 9

3.3 Applicability of Control Objectives 11

4. Utilizing the Completed Questionnaire 13

4.1 Questionnaire Analysis 13

4.2 Action Plans 13

4.3 Agency IT Security Program Reports 13

4.3.1 SecurityProgramManagement. 14

4.3.2 Management Controls, Operational Controls, and Technical Controls 15

Appendix A - System Questionnaire A-l

Appendix B - Source of Control Criteria B-l

Appenddc C - Federal Information Technology Security Assessment Framework C-l

Appendix D - References D-l

vi

Security Self-Assessment

Guide For IT Systems

1. Introduction

A self-assessment conducted on a system (major application or general support system) or

multiple self-assessments conducted for a group of interconnected systems (internal or

external to the agency) is one method used to measure information technology (IT) security

assurance. IT security assurance is the degree of confidence one has that the managerial,

technical and operational security measures work as intended to protect the system and the

information it processes. Adequate security of these assets is a fundamental management

responsibility. Consistent with Office of Management and Budget (OMB) policy, each

agency must implement and maintain a program to adequately secure its information and

system assets. Agency programs must: 1) assure that systems and applications operate

effectively and provide appropriate confidentiality, integrity, and availability; and 2) protect

information commensurate with the level of risk and magnitude ofharm resulting from loss,

misuse, unauthorized access, or modification.

Agencies must plan for security, ensure that the appropriate officials are assigned security

responsibility, and authorize system processing prior to operations and periodically

thereafter. These management responsibilities presume that responsible agency officials

understand the risks and other factors that could negatively impact their mission goals.

Moreover, these officials must understand the current status of security programs and

controls in order to make informed judgments and investments that appropriately mitigate

risks to an acceptable level.

An important element of ensuring an organizations' IT security health is performing routine

self-assessments of the agency security program. For a self-assessment to be effective, a risk

assessment should be conducted in conjunction with or prior to the self-assessment. A self-

assessment does not eliminate the need for a risk assessment.

There are many methods and tools for agency officials to help determine the current status of

their security programs relative to existing policy. Ideally many of these methods and tools

would be implemented on an ongoing basis to systematically identify programmatic

weaknesses and where necessary, establish targets for continuing improvement. This

document provides a method to evaluate the security of unclassified systems or groups of

systems; it guides the reader in performing an IT security self-assessment. Additionally, the

document provides guidance on utilizing the results of the system self-assessment to ascertain

the status of the agency-wide security program. The results are obtained in a form that can

readily be used to determine which of the five levels specified in the Federal IT Security

Assessment Framework the agency has achieved for each topic area covered in the

questionnaire. For example, the group of systems under review may have reached level 4

(Tested and Evaluated Procedures and Controls) in the topic area of physical and

environmental protection, but only level 3 (Implemented Procedures and Controls) in the area

of logical access controls.

1.1 Self -Assessments

This self-assessment guide utilizes an extensive questionnaire (Appendix A) containing

specific control objectives and suggested techniques against which the security of a system or

1

Security Self-Assessment

Guide For IT Systems

group of interconnected systems can be measured. The questionnaire can be based primarily

on an examination of relevant documentation and a rigorous examination and test of the

controls. This guide does not establish new security requirements. The control objectives are

abstracted directly from long-standing requirements found in statute, policy, and guidance on

security and privacy. However the guide is not intended to be a comprehensive list of control

objectives and related techniques. The guide should be used in conjunction with the more

detailed guidance listed in Appendix B. In addition, specific technical controls, such as those

related to individual technologies or vendors, are not specifically provided due to their

volume and dynamic nature. It should also be noted that an agency might have additional

laws, regulations, or policies that establish specific requirements for confidentiality, integrity,

or availability. Each agency should decide if additional security controls should be added to

the questionnaire and, if so, customize the questionnaire appropriately.

The goal of this document is to provide a standardized approach to assessing a system. This

document strives to blend the control objectives found in the many requirement and guidance

documents. To assist the reader, a reference source is listed after each control objective

question listed in the questionnaire. Specific attention was made to the control activities

found in the General Accounting Office's (GAO) Federal Information System Control Audit

Manual (FISCAM). FISCAM is the document GAO auditors and agency inspector generals

use when auditing an agency. When FISCAM is referenced in the questionnaire, the major

category initials along with the control activity number are provided, e.g., FISCAM SP-3.1

.

The cross mapping of the two documents will form a road map between the control

objectives and techniques the audit community assess and the control objectives and

techniques IT security program managers and program officials need to assess. The mapping

provides a common point of reference for individuals fulfilling differing roles in the

assessment process. The mapping ensures that both parties are reviewing the same types of

controls.

The questionnaire may be used to assess the status of security controls for a system, an

interconnected group of systems, or agency-wide. These systems include information,

individual systems (e.g., major applications, general support systems, mission critical

systems), or a logically related grouping of systems that support operational programs (e.g.,

Air Traffic Control, Medicare, Student Aid). Assessing all security controls and all

interconnected system dependencies provides a metric of the IT security conditions of an

agency. By using the procedures outlined in Chapter 4, the results of the assessment can be

used as input on the status of an agency's IT security program.

1.2 Federal IT Security Assessment Framework

The Federal IT Security Assessment Framework issued by the federal Chief Information

Officer Council in November 2000 provides a tool that agencies can use to routinely evaluate

the status of their IT security programs. The document established the groundwork for

standardizing on five levels of security effectiveness and measurements that agencies could

use to determine which of the five levels are met. By utilizing the Framework levels, an

agency can prioritize agency efforts as well as use the document over time to evaluate

progress. The NIST Self-Assessment Guide builds on the Framework by providing questions

on specific areas of control, such as those pertaining to access and service continuity, and a

means of categorizing evaluation results in the same manner as the Framework. See

Appendix C for a copy of the Framework.

2

Security Self-Assessment

Guide For IT Systems

1.3 Audience

The control objectives and techniques presented are generic and can be applied to

organizations in private and public sectors. This document can be used by all levels of

management and by those individuals responsible for IT security at the system level and

organization level. Additionally, internal and external auditors may use the questionnaire to

guide their review of the IT security of systems. To perform the examination and testing

required to complete the questionnaire, the assessor must be familiar with and able to apply a

core knowledge set of IT security basics needed to protect information and systems. In some

cases, especially in the area of examining and testing technical controls, assessors with

specialized technical expertise will be needed to ensure that the questionnaire's answers are

reliable.

1.4 Structure of this Document

Chapter 1 introduces the document and explains IT security assessments and the relationship

to other documents. Chapter 2 provides a method for determining the system boundaries and

criticality of the data. Chapter 3 describes the questionnaire. Chapter 4 provides guidance on

using the completed system questionnaire(s) as input into obtaining an assessment of an

agency-wide IT security program. Appendix A contains the questionnaire. Appendix B lists

the documents used in compiling the assessment control objective questions. Appendix Ccontains a copy of the Federal IT Security Assessment Framework. Appendix D lists

references used in developing this document.

3

Security Self-Assessment

Guide For IT Systems

2. System Analysis

The questionnaire is a tool for completing an internal assessment of the controls in place for a

major application or a general support system. The security of every system or group of

interconnected system(s) must be described in a security plan. The system may consist of a

major application or be part of a general support system. The definition of major application

and general support system are contained in Appendix C. Before the questionnaire can be

used effectively, a determination must be made as to the boundaries of the system and the

sensitivity and criticality of the information stored within, processed by, or transmitted by the

system(s). A completed general support system or major application security plan, which is

required under OMB Circular A- 130, Appendix III, should describe the boundaries of the

system and the criticality level of the data. If a plan has not been prepared for the system, the

completion of this self-assessment will aid in developing the system security plan. Many of

the control objectives addressed in the assessment are to be described in the system security

plan. The following two sections, Section 2.1 and Section 2.2, contain excerpts from NISTSpecial Publication 800-18, Guidefor Developing Security Plansfor Information Technology

Systems, and will assist the reader in determining the physical and logical boundaries of the

system and the criticality of the information.

2.1 System Boundaries

Defining the scope of the assessment requires an analysis of system boundaries and

organizational responsibilities. Networked systems make the boundaries much harder to

define. Many organizations have distributed client-server architectures where servers and

workstations communicate through networks. Those same networks are connected to the

Internet. A system, as defined in NIST Special Publication 800-18, Guidefor Developing

Security Plansfor Information Technology Systems, is identified by defining boundaries

around a set of processes, communications, storage, and related resources. The elements

within these boundaries constitute a single system requiring a system security plan and a

security evaluation whenever a major modification to the system occurs. Each element of the

system must1

:

• Be under the same direct management control;

• Have the same function or mission objective;

• Have essentially the same operating characteristics and security needs; and

• Reside in the same general operating environment.

All components of a system need not be physically connected (e.g., [1] a group of stand-

alone personal computers (PCs) in an office; [2] a group of PCs placed in employees' homes

under defined telecommuting program rules; [3] a group of portable PCs provided to

employees who require mobile computing capability to perform their jobs; and [4] a system

OMB Circular A-130, Appendix III defines general support system or "system" in similar terms

.

4

Security Self-Assessment

Guide For IT Systems

with multiple identical configurations that are installed in locations with the same

environmental and physical controls).

An important element of the assessment will be determining the effectiveness of the

boundary controls when the system is part of a network. The boundary controls must protect

the defined system or group of systems from unauthorized intrusions. If such boundary

controls are not effective, then the security of the systems under review will depend on the

security of the other systems connected to it. In the absence of effective boundary controls,

the assessor should determine and document the adequacy of controls related to each system

that is connected to the system under review.

2.2 Sensitivity Assessment

Effective use of the questionnaire presumes a comprehensive understanding of the value of

the systems and information being assessed. Value can be expressed in terms of the degree of

sensitivity or criticality of the systems and information relative to each of the five protection

categories in section 3534(a)(1)(A) of the Government Information Security Reform

provisions of the National Defense Authorization Act of 2000, i.e., integrity, confidentiality,

availability, authenticity, and non-repudiation. The addition of authenticity and non-

repudiation as protection categories within the Reform Act was to stress the need for these

assurances as the government progresses towards a paperless workplace. There are differing

opinions on what constitutes protection categories, for continuity within several NIST Special

Publication 800 documents; authenticity, non-repudiation, and accountability are associated

with the integrity of the information.

• Confidentiality - The information requires protection from unauthorized disclosure.

• Integrity - The information must be protected from unauthorized, unanticipated, or

unintentional modification. This includes, but is not limited to:

• Authenticity - A third party must be able to verify that the content of a message

has not been changed in transit.

• Non-repudiation - The origin or the receipt of a specific message must be

verifiable by a third party.

• Accountability - A security goal that generates the requirement for actions of an

entity to be traced uniquely to that entity.

• Availability - The information technology resource (system or data) must be available on

a timely basis to meet mission requirements or to avoid substantial losses. Availability

also includes ensuring that resources are used only for intended purposes.

When determining the value, consider any laws, regulations, or policies that establish specific

requirements for integrity, confidentiality, authenticity, availability, and non-repudiation of

data and information in the system. Examples might include Presidential Decision Directive

63, the Privacy Act, or a specific statute or regulation concerning the information processed

(e.g., tax or census information).

5

Security Self-Assessment

Guide For IT Systems

Consider the information processed by the system and the need for protective measures.

Relate the information processed to each of the three basic protection requirements above

(confidentiality, integrity, and availability). In addition, it is helpful to categorize the

system or group of systems by sensitivity level. Three examples of such categories for

sensitive unclassified information are described below:

• High — Extremely grave injury accrues to U.S. interests if the information is

compromised; could cause loss of life, imprisonment, major financial loss, or require

legal action for correction

• Medium—Serious injury accrues to U.S. interests if the information is compromised;

could cause significant financial loss or require legal action for correction

• Low—Injury accrues to U.S. interests if the information is compromised; would cause

only minor financial loss or require only administrative action for correction

For example, a system and its information may require a high degree of integrity and

availability, yet have no need for confidentiality.

Many agencies have developed their own methods of making these determinations.

Regardless of the method used, the system owner/program official is responsible for

determining the sensitivity of the system and information. The sensitivity should be

considered as each control objective question in the questionnaire is answered. When a

determination is made to either provide more rigid controls than are addressed by the

questionnaire or not to implement the control either temporarily or permanently, there is a

risk based decision field in the questionnaire that can be checked to indicate that a

determination was made. The determination for lesser or more stringent protection should be

made due to either the sensitivity of the data and operations affected or because there are

compensating controls that lessen the need for this particular control technique. It should be

noted in the comments section of the questionnaire that the system security plan contains

supporting documentation as to why the specific control has or has not been implemented.

6

Security Self-Assessment

Guide For IT Systems

3. Questionnaire Structure

The self-assessment questionnaire contains three sections: cover sheet, questions, and notes.

The questionnaire begins with a cover sheet requiring descriptive information about the

major application, general support system, or group of interconnected systems being

assessed. The questionnaire provides a hierarchical approach to assessing a system by

containing critical elements and subordinate questions. The critical element level should be

determined based on the answers to the subordinate questions. The critical elements are

derived primarily from OMB Circular A- 130. The subordinate questions address the control

objectives and techniques that can be implemented to meet the critical elements. Assessors

will need to carefully review the levels of subordinate control objectives and techniques in

order to determine what level has been reached for the related critical element. The control

objectives were obtained from the list of source documents located in Appendix B. There is

flexibility in implementing the control objectives and techniques. It is feasible that not all

control objectives and techniques may be needed to achieve the critical element.

The questionnaire section may be customized by the organization. An organization can add

questions, require more descriptive information, and even pre-mark certain questions if

applicable. For example, many agencies may have personnel security procedures that apply

to all systems within the agency. The level 1 and level 2 columns in the questionnaire can be

pre-marked to reflect the standard personnel procedures in place. Additional columns may be

added to reflect the status of the control, i.e., planned action date, non-applicable, or location

of documentation. The questionnaire should not have questions removed or questions

modified to reduce the effectiveness of the control.

After each question, there is a comment field and an initial field. The comment field can be

used to note the reference to supporting documentation that is attached to the questionnaire or

is obtainable for that question. The initial field can be used when a risk based decision is

made concerning not to implement a control or if the control is not applicable for the system.

At the end of each set of questions, there is an area provided for notes. This area may be used

for denoting where in a system security plan specific sections should be modified. It can be

used to document the justification as to why a control objective is not being implemented

fully or why it is overly rigorous. The note section may be a good place to mark where

follow-up is needed or additional testing, such as penetration testing or product evaluations,

needs to be initiated. Additionally, the section may reference supporting documentation on

how the control objectives and techniques were tested and a summary of findings.

3.1 Questionnaire Cover Sheet

This section provides instruction on completing the questionnaire cover sheet, standardizing

on how the completed evaluation should be marked, how systems are titled, and labeling the

criticality of the system.

3.1.1 Questionnaire Control

All completed questionnaires should be marked, handled, and controlled at the level of

sensitivity determined by organizational policy. It should be noted that the information

7

Security Self-Assessment

Guide For IT Systems

contained in a completed questionnaire could easily depict where the system or group of

systems is most vulnerable.

3.1.2 System Identification

The cover page of the questionnaire begins with the name and title of the system to be

evaluated. As explained in NIST Special Publication 800-18, each major application or

general support system should be assigned a unique name/identifier.

Assigning a unique identifier to each system helps to ensure that appropriate security

requirements are met based on the unique requirements for the system, and that allocated

resources are appropriately applied. Further, the use of unique system identifiers is integral

to the IT system investment models and analyses established under the requirements of the

Information Technology Management Reform Act of 1996 (also known as the Clinger-Cohen

Act). The identifiers are required by OMB Circular A-l 1 and used in the annual OMB budget

submissions of the Exhibit 53 and 300. In light ofOMB policies concerning capital planning

and investment control, the unique name/identifier should remain the same throughout the

life of the system to allow the organization to track completion of security requirements over

time. Please see OMB Circular A-l 1, Section 53.7 for additional information on assigning

unique identifiers. If no unique name/identifier has been assigned or is not known, contact the

information resource management office for assistance.

In many cases the major application or general support system will contain interconnected

systems. The connected systems should be listed and once the assessment is complete, a

determination should be made and noted on the cover sheet as to whether the boundary

controls are effective. The boundary controls should be part of the assessment. If the

boundary controls are not adequate, the connected systems should be assessed as well.

The line below the System Name and Title requires the assessor to mark the system category

(General Support or Major Application). If an agency has additional system types or system

categories, i.e., mission critical or non-mission critical, the cover sheet should be customized

to include them.

3.1.3 Purpose and Assessor Information

The purpose and objectives of the assessment should be identified. For example, the

assessment is intended to gain a high-level indication of system security in preparation for a

more detailed review or the assessment is intended to be a thorough and reliable evaluation

for purposes of developing an action plan. The name, title, and organization of the

individuals who perform the assessment should be listed. The organization should customize

the cover page accordingly.

The start date and completion date of the evaluation should be listed. The length of time

required to complete an evaluation will vary. The time and resources needed to complete the

assessment will vary depending on the size and complexity of the system, accessibility of

system and user data, and how much information is readily available for the assessors to

evaluate. For example, if a system has undergone extensive testing, certification, and

8

Security Self-Assessment

Guide For IT Systems

documentation, the self-assessment is easy to use and serves as a baseline for future

evaluations. If the system has undergone very limited amounts of testing and has poor

documentation, completing the questionnaire will require more time.

3.1.4 Criticality ofInformation

The level of sensitivity of information as determined by the program official or system owner

should be documented using the table on the questionnaire cover sheet. If an organization

has designed their own method of determining system criticality or sensitivity, the table

should be replaced with the organization's criticality or sensitivity categories. The premise

behind formulating the level of sensitivity is that systems supporting higher risk operations

would be expected to have more stringent controls than those that support lower risk

operations.

3.2 Questions

The questions are separated into three major control areas: 1) management controls, 2)

operational controls, and 3) technical controls. The division of control areas in this manner

complements three other NIST Special Publications: NIST Special Publication 800-12, AnIntroduction to Computer Security: The NISTHandbook (Handbook), NIST Special

Publication 800-14, Generally Accepted Principles and Practicesfor Securing Information

Technology Systems (Principles and Practices), and NIST Special Publication 800-18, Guide

for Developing Security Plansfor Information Technology Systems (Planning Guide). All

three documents should be referenced for further information. The Handbook should be used

to obtain additional detail for any of the questions (control objectives) listed in the

questionnaire. The Principles and Practices document should be used as a reference to

describe the security controls. The Planning Guide formed the basis for the questions listed in

the questionnaire. The documents can be obtained from the NIST Computer Security

Resource Center web site at the URL: http://csrc.nist.gov .

The questions portion of this document easily maps to the three NIST documents described

above since the chapters in all three documents are organized by the same control areas, i.e.,

management, operational, and technical.

Within each of the three control areas, there are a number of topics; for example, personnel

security, contingency planning, and incident response are topics found under the operational

control area. There are a total of 17 topics contained in the questionnaire; each topic contains

critical elements and supporting security control objectives and techniques (questions) about

the system. The critical elements are derived primarily from OMB Circular A- 130 and are

integral to an effective IT security program. The control objectives and techniques support

the critical elements. If a number of the control objectives and techniques are not

implemented, the critical elements have not been met.

Each control objective and technique may or may not be implemented depending on the

system and the risk associated with the system. Under each control objective and technique

question, one or more of the source documents is referenced. The reference points to the

9

Security Self-Assessment

Guide For IT Systems

specific control activity in the GAO FISCAM document or to the title of any of the other

documents listed in Appendix B, Source of Control Criteria.

\ /I qn cxrif* yy\ n t i Antrf\lcIVlallatiCIUCIU ^UllLIUl3

1 . KiSK Management 9. Contingency Planning

z. Keview 01 occuniy v_omrois 10. Hardware and Systems Software

j. L.ue i_ycie Maintenance

4. Authorize Processing (Certification 1 1 . Data Integrity

and Accreditation) 12. Documentation

5. System Security Plan 13. Security Awareness, Training, and Education

14. Incident Response Capability

Operational Controls

6. Personnel Security Technical Controls

7. Physical Security 15. Identification and Authentication

8. Production, Input/Output Controls 16. Logical Access Controls

17. Audit Trails

Figure 1 . Topic Areas

In order to measure the progress of effectively implementing the needed security control, five

levels of effectiveness are provided for each answer to the security control question:

• Level 1 - control objective documented in a security policy

• Level 2 - security controls documented as procedures

• Level 3 - procedures have been implemented

• Level 4 - procedures and security controls are tested and reviewed

• Level 5 - procedures and security controls are fully integrated into a comprehensive

program.

The method for answering the questions can be based primarily on an examination of

relevant documentation and a rigorous examination and test of the controls. The review, for

example, should consist of testing the access control methods in place by performing a

penetration test; examining system documentation such as software change requests forms,

test plans, and approvals; and examining security logs and audit trails. Supporting

documentation describing what has been tested and the results of the tests add value to the

assessment and will make the next review of the system easier.

Once the checklist, including all references, is completed for the first time, future

assessments of the system will require considerably less effort. The completed questionnaire

would establish a baseline. If this year's assessment indicates that most of the controls in

place are at level 2 or level 3, then that would be the starting point for the next evaluation.

More time can be spent identifying ways to increase the level of effectiveness instead of

having to gather all the initial information again. Use the comment section to list whether

there is supporting documentation and the notes section for any lengthy explanations.

The audit techniques to test the implementation or effectiveness of each control objective and

technique are beyond the scope of this document. The GAO FISCAM document provides

audit techniques that can be used to test the control objectives.

10

Security Self-Assessment

Guide For IT Systems

When answering the questions about whether a specific control objective has been met,

consider the sensitivity of the system. The questionnaire contains a field that can be checked

when a risk-based decision has been made to either reduce or enhance a security control.

There may be certain situations where management will grant a waiver either because

compensating controls exists or because the benefits of operating without the control (at least

temporarily) outweigh the risk of waiting for full control implementation. Alternatively,

there may be times when management implements more stringent controls than generally

applied elsewhere. When the risk-based decision field is checked, note the reason in the

comment field of the questionnaire and have management review and initial the decision.

Additionally, the system security plan for the system should contain supporting

documentation as to why the control has or has not been implemented.

The assessor must read each control objective and technique question and determine in

partnership with the system owner and those responsible for administering the system,

whether the system's sensitivity level warrants the implementation of the control stated in the

question. If the control is applicable, check whether there are documented policies (level 1),

procedures for implementing the control (level 2), the control has been implemented (level

3), the control has been tested and if found ineffective, remedied (level 4), and whether the

control is part of an agency's organizational culture (level 5). The shaded fields in the

questionnaire do not require a check mark. The five levels describing the state of the control

objective provide a picture of each operational control; however, how well each one of these

controls is met is subjective. Criteria have been established for each of the five levels that

should be applied when determining whether the control objective has fully reached one or

more of the five levels. The criteria are contained in Appendix C, Federal IT Security

Assessment Framework.

Based on the responses to the control objectives and techniques and in partnership with the

system owner and those responsible for system administration, the assessor should conclude

the level of the related critical element. The conclusion should consider the relative

importance of each subordinate objective/technique to achieving the critical element and the

rigor with which the technique is implemented, enforced, and tested.

3.3 Applicability of Control Objectives

As stated above, the critical elements are required to be implemented; the control objectives

and techniques, however, tend to be more detailed and leave room for reasonable subjective

decisions. If the control does not reasonably apply to the system, then a "non-applicable" or

"N/A" can be entered next to the question.

The control objectives and techniques in the questionnaire are geared for a system or group

of connected systems. It is possible to use the questionnaire for a program review at an

organizational level for ascertaining if the organization has policy and procedures in place

(level 1 or level 2). However, to ensure all systems have implemented, tested and fully

integrated the controls (level 3, level 4, and level 5), the assessment questionnaire must be

applied to each individual or interconnected group of systems. Chapter 4 describes how the

results of the assessment can be used as input into an IT security program review.

11

Security Self-Assessment

Guide For IT Systems

The policy and procedures for a control objective and technique can be found at the

Department level, agency level, agency component level, or application level. To effectively

assess a system, ensure that the control objectives being assessed are at the applicable level.

For example, if the system being reviewed has stringent authentication procedures, the

authentication procedures for the system should be assessed, instead of the agency-wide

minimum authentication procedures found in the agency IT security manual.

If a topic area is documented at a high level in policy, the level 1 box should be checked in

the questionnaire. If there are additional low level policies for the system, describe the

policies in the comment section of the questionnaire. If a specific control is described in

detail in procedures, and implemented, the level 2 and level 3 boxes should be checked in the

questionnaire. Testing and reviewing controls are an essential part of securing a system. For

each specific control, check whether it has been tested and/or reviewed when a significant

change occurred. The goal is to have all levels checked for each control. A conceptual sample

of completing the questionnaire is contained in Appendix C. The conceptual sample has

evolved into the questionnaire and differs slightly, i.e., there is now a comment and initial

field.

12

Security Self-Assessment

Guide For IT Systems

4. Utilizing the Completed Questionnaire

The questionnaire can be used for two purposes. First it can be used by agency managers who

know their agency's systems and security controls to quickly gain a general understanding of

where security for a system, group of systems, or the entire agency needs improvement.

Second, it can be used as a guide for thoroughly evaluating the status of security for a system.

The results of such thorough reviews provide a much more reliable measure of security

effectiveness and may be used to 1) fulfill reporting requirements; 2) prepare for audits; and

3) identify resource needs.

4.1 Questionnaire Analysis

Because this is a self-assessment, ideally the individuals assessing the system are the owners

of the system or responsible for operating or administering the system. The same individuals

who completed the assessment can conduct the analysis of the completed questionnaire. Bybeing familiar with the system, the supporting documentation, and the results of the

assessment, the next step that the assessor takes is an analysis, which summarizes the

findings. A centralized group, such as an agency's Information System Security Program

Office, can also conduct the analysis as long as the supporting documentation is sufficient.

The results of the analysis should be placed in an action plan, and the system security plan

should be created or updated to reflect each control objective and technique decision.

4.2 Action Plans

How the critical element is to be implemented, i.e., specific procedures written, equipment

installed and tested, and personnel trained, should be documented in an action plan. The

action plan must contain projected dates, an allocation of resources, and follow-up reviews to

ensure that remedial actions have been effective. Routine reports should be submitted to

senior management on weaknesses identified, the status of the action plans, and the resources

needed.

4.3 Agency IT Security Program Reports

Over the years, agencies have been asked to report on the status of their IT security program.

The reporting requests vary in how much detail is required and in the type of information that

should be reported. The completed self-assessment questionnaires are a useful resource for

compiling agency reports. Below are sample topics that should be considered in an agency-

wide security program report:

• Security Program Management

• Management Controls

• Operational Controls

• Technical Controls

13

Security Self-Assessment

Guide For IT Systems

• Planned Activities

4.3.1 Security Program Management

An agency's IT security program report needs to address programmatic issues such as:

• an established agency-wide security management structure,

• a documented up-to-date IT security program plan or policy (The assessment resultsfor

level 1 provides input.)

> an agency-developed risk management and mitigation plan,

> an agency-wide incident response capability,

y an established certification and accreditation policy,

y an agency-wide anti-virus infrastructure in place and operational at all agency

facilities,

> information security training and awareness programs established and available to

all agency employees,

> roles and relationships clearly defined and established between the agency and

bureau levels of information security program management,

• an understanding of the importance of protecting mission critical information assets,

• the integration of security into the capital planning process,

• methods used to ensure that security is an integral part of the enterprise architecture (The

assessment resultsfor the Life Cycle topic area provides input),

• the total security cost from this year's budget request and a breakdown of security costs

by each major operating division, and

• descriptions of agency-wide guidance issued in the past year.

14

Security Self-Assessment

Guide For IT Systems

4.3.2 Management Controls, Operational Controls, and Technical Controls

The results of the completed questionnaires' 17 control topic areas can be used to summarize

an agency's implementation of the management, operational, and technical controls. For the

report to project an accurate picture, the results must be summarized by system type, not

totaled into an overall agency grade level. For example, ten systems were assessed using the

questionnaire. Five of the ten systems assessed were major applications; the other five were

general support systems. The summary would separate the systems into general support

systems and major applications.

By further separating them into groups according to criticality, the report stresses which

systems and which control objectives require more attention based on sensitivity and

criticality. Not all systems require the same level of protection; the report should reflect that

diversity. The use of percentages for describing compliance (i.e., 50 percent of the major

applications and 25 percent of general support systems that are high in criticality have

complete and current system security plans within the past three years) can be used as long as

there is a distinct division provided between the types of systems being reported.

Additionally all or a sampling of the completed questionnaires can be analyzed to determine

which controls if implemented would impact the most systems. For example, if viruses

frequently plague systems, a stricter firewall policy that prevents attached files in E-mail maybe a solution. Also, systemic problems should be culled out. If an agency sees an influx of

poor password management controls in the questionnaire results, then possibly password

checkers should be used, awareness material issued, and password- aging software installed.

The report should conclude with a summary ofplanned IT security initiatives. The summary

should include goals, actions needed to meet the goals, projected resources, and anticipated

dates of completion.

15

J

I

I

I

.8«

_ c< ej oX «s

Pi

< uf-»

%&0

XI

t3Sat

aeu

'«

cao

•(•<

a>3asa>•*»»

CO

A-1

B<u**aoU•s

»-«

pQes

H

in o\ ^ oo

00WD

wH

00

IT)

< < < <

00I—

1

OHOUH

wa<5

on

ois

Hzw

wa<<

< < <

ZOP<

swetf

uu<

zop<usPPiWua

ononOJUOeAa,

uCO

* s-

u

^ > wffl u fc« « J

N2o

p<

00

OH§U

<oH

M m inwo

i i i i i i i i i i<<<<<<<<< <

zopuwHOKlPh

<

§

O

B wW QPW

z<

oon2wPh

\o r- oo

onPO

zouHPP OOu

f—p <A-. P

Ph

I*

z" Uo zCTl

wo

PQO §os;

Oh u00

sawPzi—

i

<<Q

P<z

P<upQWQZ<

I t1 a

on OZ tnW. Z

OPh<

< sp £

x w 7Q w 6O —i <N

00

O&

OU

<

uWH

m ot ti i i

< < <

HP<Q

onPOp"

§z u< on

onwUU<i-)

<u5o

zop<yEPzwa j <iri \D h

onJ—<

H

A-2

J

ft,Oft c^ 4)

C/2

s

1/2

uoaas09

"31*vc

3

o

a>

5+*aa>

"O*ma>

92"'3

TSCAS

ES3

z£

s

cs

a.a<uO

©V9

©

s

z

a#©05

"3

W©

Q

V3

s

(A>>(Z)

T3

<w

aaoU<*«

o*»<*)

4»

>•43

©a

a_©"•*-»

oC3

-a

aaJS

••c

"Su«-<

OOo

s-«

a3oJSK

£-**I/)>CZ!

o

£03

A-3

cuD. C/°- c< w

.22

(/I

«5a

o

o-J

o

E3

o

a

CO

s

ISSoU

OH

Xi

tpfl

><

>•au

oT3ccs

Voo.uS3

A-4

-o

ou4—

»

u

H

I/)

•c

u£4)

«5

£CD

-4—

»

T3C

£*">

>>

•c3o<uCO

a

S<vOA

c93

2

4) 4>

o 3

do -5 os

111ill<» .g <U

= £8s i^ _r w<5 u io

4> 4>tt3

*2oo 5 o^ sr 4>1/3 o

c

IS

a

EE©

"8 aw o «a 3 •s

3i s

J If

1a

J «a5

VI4>

3el"S

1q>HOB53

«oat

>

w<v

IooJsB9uvIS

^

<3><•<">

t

.3su

0

I

B

sM«B

J*

2

ta(A0)

•• i

I «

©?!

'

c"5 A

Bo

IeouEutS>«CO

CUbo

E <=>

tS °°

i~urSoo

00

.5

.3

-a"w*»Bu

Iuo

CD

•»3

o

C60u

a

•3%») I)

S3i/i "O

s s

a

A-5

-

sa*

EEoU

3 .2 £« .ffl «

2

a

1-1 4i

8

a.

ft.

aw4>

HT3a

v

«u1i

'So"3

coU

T3

crSo

t/Tuuu3O

s

0>

5s

8eg

a •

CO ,

T3USgu

c(Ua)-o

ca

6cca

E Z£ ogo

cfl St

M &<"< E«

Q G Q»,M <U Co

Si 3 S35 T3 Sfe

«J CB

^ c

CG —

•

xu

— *g ca

-2

f>u

cwaj

43

i©

C

5 4>

BJ ^>< 55

G U

1^U JO

a g

Ir—<

*-*

— T3

ca00

E

ca

cruTJC3

<UCJca

T3,

c

o

.a *** mmu 15

« s

Baa3 *i= C u3 O «h« « o*3 .is "3

•a « ?SJS 4)

B t« S!- 32* <*>

£ Se. «° 5,O 5?

u a.

T33C8

T31)*—

'

CwE3oo-oCO

ca q

6 goo «

nj 'ca

E E

35

ca

§oca

9?

i©

S3

5o

o

J3 a.rS p3

17 w <^2 iff

oJ= cO_ wao .SP

•a G

si

ootNca

§>

•a

C8T3

"uas

'3

aG(U

E00ca

AS

omioo

oo

GOCSO

3P,

Op,to

CO

ca

A-6

99

oU*<aoU>>-*»

TSS)wa»

C0

o

<u ."2

"si

s5

B

ES©U

1"J 2-J

I

j i

3

-3gsft.

ft.

TSa

wa* w

o .si

1|S HUuC

60

5

3

v. <=>

0 $

5S

a0y

i

05

S

>»«i

V Sjg <u

<m XIO Ifl

J8 S

ao

tf3 e

a>*-

>.

-= V C3

1- -a2 5

o 5

I o1'Sc aa Q

a o_ <aS

3

X")

Si

s *°

S3 wJ2 'C33 3 g—1 C 1

- §">

cuI

>cO

"9

c

9o

t— o< Im -a

a• ©

0O

A-7

.2

"5

B

EE©

•a

sl

«

«1Pi

V5 gJ

J?

J 8

1e

">|

cE

3

w2

—

a-

o

-a

O

o HUuC'3wo.

co

" X

i-iC «

- 1-1

e a

.5 ^

00 sE £

S 3^

ofc)

coo

8925cuP,

00c

CO

c^ 2•C Z3 Wo _CO • —

C3 E« Si

cu

3B

>>-oC N

CO c

< cm -a e

u

.£ 3

es >** u

3 Oi

C £« c5

E ^.

a « c« .s »s s

£ 8 J

COGOw

>>1 on?

*uE ac

cBT3 'aU 3

oE

> s <u

CO uffe

ing_>

u oro ffe

P« uu SJ001* 1-4V c

-5

CO

suri

CO cce

tN s nd(N

E

A- 8

9i

13>>US3

en

I * S

o 1/1

"43.{£

2 c<S3 «

13o

• i-«*->

c

4)H3&

H. ri

0) O

S3 S u

§ I s>> °r_ O

I!5 B

a

t-C

,o

13>

II*

3 «o

3 H

"a

s

13

-a

§ £ a 8

5 o 2 £

IS

2a

ca>

EEoU

s

*1

1c

E

2

-aa«

V

•au"ST* *

Oo 5Js

*

§HUwsw<wa

I

3

89

u

w

c oa* —s g

S E

w «

fi SB

a

ommt

4»

a"©

©

E

Eu»-»

ca

>>

O

>

i

"5

s

9

«N =0

=8

5;

C50

•5

m T3

U3

-a

c

aV.

ad

II>c

u

llS s

g s

i g3 3

a u

O tJ

S I

w O<u -a

<— o

I

3

o£Bc'5

E

A-9

V)

a«Ssou

a

2|1

a.

J 1£

m 0-

13a«Hi

1u-—> V

O .g1

£ J§2 u

o HUuC'w9a

u

*3

.S

requ ired

3u cr<u

<L>

u U

oenu <u

0Qin u

o to<u >•

rn c/1 C/3

Q

c

.5?

Su

3R

s

1

oo

„ o- toCUk'«

fc!

Elw

^ C

« s

C o3 CQ £>

m to

Cu."2 Hg «o is

5 &

C CD

o c« c

J? ^

<* ,« jS

c-i £ 53

s°o

-2

c ooo en

•5 ^o

g2uu

T3a

c .9

-c

w >i »

p ta

p, yp. o* S

< ?

O "p

u

TDOPho

Cu o

•auuo

-I

cs

S3

So

• om cj

S ft

co6

oocp,

60

3oc/5

caj

E3

-a 73c co -™

.a s

M

o <S

^ COr— OJ

• cr

ro Pi

IDU

-2

s

>OT3Ca

"S r"

u (U

S 5S -a.3 u3 <->

a- p>^ p.

oo

OO

S3

I

A-10

.23

3(3

aso

I"5 E

1a

a,

^ ft.

*0a

V

IV 09

O Ili5 HUoJK'3

8.CO

00

CB

is

trt

CO

•acCO

T3U£

T3

.5 c

U o

°o

i

"O Q_£ S3

5 ^eg

3 M.3 jb

8 2

o JB

S3

— to

IT- "o 8 jg

2'ob_o

Jou—

'

us

<9

s«ob S° iS

a o</> **« DC

"S .5a> -CS3 v)

© fis **

JSOA9©

ao

ai

en +;

2 <«

J3 £rj uexo

•c3oo>09

*m0DOc

aS3O

iu

OJu09

S3 ^

§oo-o•aeC8

uo3-acoo

to is

H §

-a E« |<U JO

h£ u

O trt

is «s *

c 65 tx

w utrt >

in a

-83U.3

o

tg•3oe

i

C.2

sg

I Eo13 rg

S o

T3U•a E E

3 uCB U

^>trts

«B9

whe

ols ve

t-. icont

itrt

secui

velopbeen

u"0

to u isu.s

on

cn "En u

oo

I

A-ll

c

EEoU

< i

1 1

< «

00

"5§ p8 .8 £pa 4S 1* a S2°

'.1

3

i E—J v

cE

I2

-3 oa.

X!cre

09

u.—, m5 BO _o

o HUwIS"u<uQ.c/3

a« -2

9 tSSPJ§

C S3

^ 01

C CO u

°0

I©©a,to

03

€ 2

0i «*

JC

2 1,4) 01

ID _C

S ^n. §>ex -

3 S3

2 -g

1 oE ex

Ca -i °o

c

£>a

ex

'C t>-

U <U4> >01 o6 exo ex

©»<

i

§5

s

Q

10i

01 q

T3

ex

>73

73©01 <i2

I oS a,0i K

a

o

i

0O

b 2

u S> .3w 5

« %§ ^03 T3

01 (0

01

E

01>^01

T3U•—

'

0)

Ccoo1-

exi>

c

ex

?^

•c3uu03

E

03>%01

u

Mo a

urr

u

i

3U

G

1

~i 0o

4j03

A-12

a

E£oU

IsS

i

a.

aco

uo

O co

& 8\

t-

Oco

00(

I

CO

En

u

cu6o5,

S

u

U Nis ;s

> CO

A-13

OS

X!

aVSS©

71 .2CO .8

i

1*> 2

J r8

S3

rj |J 5aE

"2

sa.

*7 Rsi

i/i

'3

W

H

v£••coV

o©

aoUw«=•sa>

Q.

4c©*«»

IB

tU—

-

soa

cu

1 =

'-S

2 «

s "32 ©

© u

3gG

1Vuh.

1

cu

© s

5 3

VX3

rr X

guuea

<nOfu©

cD

5*

T34)

*oa5u

1o

a,CO

So

T3

a, oE tu

00

Xi

oucuu

c S0 Oa c1 c-i .5?

-awu-a

cj ^3

"-I

C L S5 5 <

uc °i> CU

6 £P

uj 2<U JBco uc§

M ™•q w2 I2 MW £8

c: a>

-> J3

cU

00

00

ft,

CO

UiU3>

©

° &CO -f-i

0) CO

a>

EC Hr—< -»-»

cn1)

-auCuO13>u

cuu^3

00—1

I

cs

O0

S3

aoa<0

60.5

coO

2 Shp --»H-l CO

u

2>

X3U '

.

^

'

©'C

1 *

CO R>

00"-^

00

CO

CO

ca

EC

T3

o1

>

00C

o

o1couuaes

"EL

< ua• 4)

OO~>

oo

ft,

co

A-14

re

3c

EEag

1 ae

n 2

I*

i

3 1

§

31

3.1

3ST

'a

ua>

HT3Bre

to

Ia>'So"os-

eo

Cwwt/i

-a

CO

60

c x>

2 *9 113 53

00

I

§

re

2 c10

f^- 'to

—; c• o

3

00

g

_g

"a cu v-,N «

•n- co

- i hi si

C S3o re

E oo *»

60 oore g9 o

53 g33 o

* g3 5

-a .2S re

£ NU- . i—<U qa £0 op*a oc

1 re3

o „

to SE gto Oto CI.

|1i sare

aeDO

~ S<u re

B a>« aW ©

"re S

J £•** 5*^h-

U ». -G

<S **• to

"2 ro &

re»

.S 1to ©tO b.4U Q.

© M** «l

•p "2

a•

re »

coore

B,E8a-o«>

.9

P53

E

IES3

33

e-CO

.2"3cV

u

ZBou

A- 15

C5

9wCD

E0)

C3

0>

CO r—

I

t3 o

4J

Cfl to

—

'a

a0)

SEog

"8 aa o &i

«:pii

*1

a

J §a

In

9

u£a.

"""ft.

2a

'5

.=

oH•cB

_>•wuCJ

so

!coU

wCD

a

B

3ua*so

s

so

K

3cjis

0

1

Oo "n

En

£ E

so

Ecu t2i

i<B u« Sj

°" E

B .5

hi

£2 *

u "OV Bso «a e

CO XV) I—1 *- *-

>

I

Ia,

EuEu00

%E

Ecs

SO4)

to

Qj Fx

S5 <3

p,"0

.— IA

. a)in

OO00Ea

£, "5

O u

1oo

00*N

ei

ft,

»3

En50

o<L>aC/5

T3u

'Co

S oo

Eouhi

a

.a =S a

. -EfS -,

• to

A-16

"at

"3

c

EEog

T3

§1

IT. gJ i

B

*1

1S

Ja

0.

J<2

«5

a,

'S45W<u

H"3C«

U

es

"«u"5o

I(0

3 .23>

T3

COcO

T3Co+—

•

cuc3ou

53

IN

00

I

3

5; ^

u

9

W3si, j<

cs C

A-

0«

©b©U

c•303j-

aO

2 o*a "ao ,300 o

P, <U

3orcu

oo

"3, f?o01 C+3

_D D

cu~

-*-»

O oo

S £

a

<u

00

CM

"3 O

aCO

& .

5 ooO '—i

03

R, O o

00

C «3

WOW1112 CtJ oo1*5 c+h ™S O oo

a £>-3

g '£ ">O 3

oo <U c3 r3 CU

00

> o

ft 3

*§ s

& 8 §•

3 ILj^<u c &J

« 1 Iaj P, <tn

-5 ?»°

00 CO

8 -3 .2e S "£S O u° O oO Hi

4> X"3 oo tu3 aj __S Ja 73° C w^ r1 Nccj

1 i—\ COU oo

§ S 8DP,

H oo O

•c3ot/3

Baouo

Ph

00D 003 oo inoo c cu

.2 o £+3 00oo ccu Scr D

O w,£3

D DO +-«> g c

D © -g60 3? So

3 c2 <S

si oo

5b « <*H•r-< 00 O00 00D (5 r3T3 o ooo Cj O«3

3S e°s 5rj CO

3 2-3 DD^>'S

3

3P,

soo

cu>

CU

H

aD

'5 *3O oD 3oo £j

»- DS C3 --1

p,^2

§ 5d ."2

D .Soo D.22 S3^

33

13o

+- 00

2 S00

.5

o

00CU

3crcu

"a3

^ 00

a «5

abo 0/5

b dO j=3

cu ^3

SI

B

sEou

S sSou"I

«

aE

IS

1-1 &J »

a*

u

•O

O

g*-ao

£'Z

&

u3(Jaten"3

aa©

0,

§ 37* a£ s

a «£ «O C3** acu -r

« 3!

a a

a; a.2 «3 wc

? f<u £>- u< a

O

Si

5; ^

CD

>CU

a2 ^&«CO UT3 3JO ^O T3•—i a)73 B,

c «« S3

S*

a oo u

CD

Si £L -

5 S

Q% ^.2 ^a ^« S2a Cl

uHOX)u«13

c^i* C

Oo,

CU

ODaoea•a

T3

»1

-2sG

G

1

5 &

>'£ -a

Cu,

^ (Ut.

A-18

J9

42a

E

I

1

J If

"1

IES

3 iaE

8a

a.

eg

>

0)

os»

aoUw

ao

c«g

oCuCus

ea |»

T3

Ecu

>%>/>

B

c

c1-

55

wa

•5

uH

DOc

43

^ cu o

a, «0 .=

CO 43

1 -50 O3 «£8 <L>

<u rSa> S3

S cc OOh09CU

Is

I

u

*2 e—. 53. CO

>0 3

5;

cu

to T3c u§ -sJ3 .50

s «

r- Ov-<

00 u.

CO

y oo

8 so 13

1/3 si/i eguy oo

>- .3O, 358 3£ "15 oo

•3 -S ,

ft,

to

5

00»-<

I

CO

33Oy

uj uCU c3

00 40

tm

aDOeacu9w»

e3©

5 xi

a

S95in

s *•

w -S s 1CS c« w

•C £U aw ar4 w c« 2VO « « Of 43

o ~C3

co

S6 "2

aID cn

C8 CJO

OwO

fT3UC4>

S3

2 ft,

3 55

c

1

^ en

- S3

CCS

o'•5

5•ccua,

acu

CCJ

COUC

uw .« a,

Eu

i &2 *oc 2cu -55T3 3« ST

o

cu 3

* I

00C3

3cuCO

o

A-19

cs

^ c

-acu

asU3

< E

22

1C

a

E

I

a

* «—

a

1 I

Q.

S

3lJ ©r Pa

,6O5u*iaQuu5u

ucs

oB

eS3"O

-ac

Cs

Q

,1C 91 ^

wuuea

.2-—

»

at

.s .g

(J C

2 S

00C"5 ^£ o° c13 .2

c 65 °

s °G -o o

U Ct,

0 h

1)

u DOC S3

e

A-20

so33

©

a

Eaoim•ml>aw

«"3u

J*

0 S3

1 ais >—

<

.£) "e3

do -j2

.a -c

O 4J

II ao

B 60 ta

*—' (—i

wT3 O <U

5. 3 2„ * -

fl N 2fl 3

3 £? u

CO CD Q

to C <L>

05-ft %CO c

o 3

a a a

GOcaIs

iS ^ „.

oo ^ *a

5a a

8 ?

-a 13

CO

.8 a «CO>~> 'ea

1- BSouilli

•a

2c

sseU

"> 2J 2?

H

3

aS

31

a.

a*

9.21'5

X

HB«

>•auo»mmXO

1CO

a©aw**o

Cm

s

esola'>

Sw"Oa99

xa-

B

I

.8

5

09</>

4»9u

eVU

2 ua 3a 9

3 W

<* a

*aa

E

cuEu5 a"_ CS

SSu

•e "a

C9

5cr « -r" a u

E ,

2 ~ JS

c- "?

S3 o

«i E

-a xx 5C enO T3

'fl §s ta

5! a

uu(0

-a «xo3

Bo

o4J

uu">u-a

^ B

I s_ in>\ wi

M 8

It

cs?

EmCen O

5;

oa u «

o, ux(N O X^ 2 1r- x >x

y"2

a T3UEIsa3

u (0

u. O

1 &

° g-ca a

ou u

u x< u*t a b

A-21

ISB'5

«EEey

1

"O

o.

1

nft,

onO)

9CJ1'5

au

H"Baes

41

«2Oo

ce

uu*>w

J3

cj

T3Ucn

333

uSgy.-

T3

s

P N3 'CV oCJ — U

3 1

es jC" ej

H ° 2

C3

o

X3CJ

-2IS<u

3 mu c00 3

S 3

CJ :n

© SQ 3

^ 8 .

CJ o3 "5

3 „O i/J

r-- ftcj "Cft -a

-acj

300

58cj

13

w>

G

O

g "a

-5 8CO

Ts ^iic<u CO

a>oo3COXIocj

T3Ou

•~ ,o £q

c/s

Uuucs

C3

no,oi-.

ft8-

ft i3 -aus Hi

S3 "5M00

2 «. CJ

!-« >K .S

JS003O

•a"O CJ33

3eS

esO

<ys-

o J

tn 5ii OO cn

ipw tL>

.23 ft> CJ

5 3

r- C3

r-^ E

0

3

oftftes

s ijS 4>

ft «8 3

° o

3 3CJ cj

r3 "0it.

003 3

•2 5ui oa *&§s §

a 3CJ -S

2 cc?3

a cj

o. >CS

CJ _

^1

S5

CO CO

Co £2

3cj

>CJ

ft

A-22

.aes

!5

c41

EEoU

1 =

V5 g

^1J 8

1a

aS

1

to<U

3siBJ5u

H13a

•Iu

o1•IB3

3:1

4> OoU CO3 Uo 2CO >O

Oa,u

CO .2-a

•c 0i -c

a,

4>u

5 E4) gop £2 .2P >

w5, 5O co

S. S3

.3 O

1

I

60

EEo

<i

00

a,S3

m55

V Bs .E

2 C« '1

oo E•S >>

8 |U 00

| B

> CO>»

00eooo

T35•aa

e5

•/-> E

t~- CO

oo_c

u

5 S2 —

£ 4)

co J3-5 oui -a4) e

rr oo

'£ *y 4)35 co

"3

u

IP

CO

c

a

4>

u

2 ^3 11

4)"

co" *0

illr- a, a,

1 CO

e "94) O

M -a

a 34) CO4> „JD co

CO 4)"3 *

b§yuSXas

CO

atCO

U

f

24)

CO4)

3 8-

Is

s.12

uu0>

« Ea o

W t>— <U

.2 £a

A-23

CO

5

1

•5'

cw /-va,C/°< c< K

•-»

c4*

££

g

"2

« 1

1

.2 Q

J »E

-•1

—J uaE

-J 8ohi

ft*

oa.

t/j

v>s>

a.51"E-=

vH73=

£

p

sc

£ceyuC"3

a cn

00

o °c

-a Co

'Co"3

c3P>^

X>DOc

">

4)

c

uu

.a T>C/3 . r

C.2 o

u

00

5

I

-5

.. 3«• «c "C

a 0

fcd 5cs

15c£

C3

.—

u

!>"3V

ofa.

a

£

M

co

U

00

3«•a

.> t>.

£uto

< «

<*! 5

o Co

5 a,

3 J°

JOCS

oexw

A-24

03

01 C3if. •!-!

Q0

i

42(3

EEo

1 cO V

* 8

Si

aE

23gl'5

uVH"OsOS

«

w

£>

OofecOuuC

ou«»aoU3a.-**

s

$s

e.2

w3T3OUa.

sU

00

03•C

os00

V)<o-oaT3

00 «J

C500

S3

s

E

2 "g

Eau.is

u -s

rs S00 <

a*. ort oJ3 -~ -ou cat-, u3 u

C O« a

2 §« <->

* "3en 2U 3O TJo ri-i >a, ;g

2 c

2 I5 5

I

oo

C<1

CO

T3Vc•Sa

£ o1-, RSO a

oo 3 «s .5

3 4)

c S

8 eO W

oo

a, 3

« S

oo o

3&3OT3

3

« to

"3 E

°0

Io

a,ST)

Es,

I

-a

1 *

4)

< .£

^ g00 U5

o60a

oaen

«3

t

C3

00

a,to

ti <k. 3•a f

"a, Bc .Sc

&,"3 ba °a 23 ^2 E< op

00 E

A-25

I«

-8 a

3

J a1

J i—J w

D.

B

jfi

J 8o

6-

Itl

3cx

au3H•eeC3

to<V>

ua*

0ogco

u£'3u

oo

CO

X

C8

00

I

00

En

u(U

p,CO

00

.5

C3

00"-I

l

©oo

En

IIU O

I- to

to 00c

oo .O

ocu>c

Pu

oo*n

i

55cs00

55

En

EG

« §

(N CO

oo 6

> oo

^ OO

UN

T34>

00

T3

§"9

-ato

ET3W00«S

E-a

oo

i

555500

§3

En5T>

a

CO4)

00 "O

O

« fc

"° -nl- <u

45 Wco C

"O 00

E §^ oo 2

£J= >to "Oi—h CD

o &

OO"N

I

55©00

§3

En

CO0)

OO T3

A-26

on

.saaC3

s^>UaOAa•5aoU

*

ON

« boCU B

o .5

•9 a00

1-3

w SW ™ «8

« 3 g0 «5 <U

a 2 wu al—I

V3 CO

'18

CO £3 C8

-I h .a

Sis1 S »3 a *o

u,CC5

CO

CO CO

CD

a -a

00 —• </)

.£ S aa .55 to

S C 6co cj mPi en "3

^ a *3y o -

Cfl

ao

a -a .g

oo S 'Ca -3 3 .g

S 11 aO *3 EX

.3

sa

42s

sEo

1 =o v

*S J

1«Q 2-J £

I

3 i

aS

"8

—3 °

cn

ss

o'3

VHaa05

50V

u•«£>

oI*sao

uISwaCO

a*3<JIk

0

1MQeaa«

e

a•aa©

U9aco

"Oa

u•ai.u

a

E

©X

la3*»aa.

aowwoa

a ^3a •CO «Wt. a•a 13

-a "S*• .«

"2 °a *>

8 1SB ~a v>

© *».5 W« a

a. «

52 &S 32a ycs as6" -Q

°3

o

ucu3O"

CO

0CO

co

ci

oo

3

^ c

a

auo

J3w

cu

a'fio

&m £>•

p ia

° &

if

o\ o

fo

a ^o

oo U

T3

au4>-QCOu

co"COh00 >.9 281 s

(3oS "°

• CO

8CUat

a03

>>waooaaa©

•s s aa >a 2a aat at

s -g— ua a•a S

• 2 S©s S "O

"5Su<S

U

•au>s

§

u

C. co

Ox

COU

1a

u>o

COCOaCO

s

^ CCN Op

CNON Bj

CO

JO

A-27

&

3=4)

ssoCJ

3 s_ opa 1

1

So

e

aE

.2"'3

4=4*sHt)aea

co<u>"Ccj

o

tooOustCfl

o

2u

cfl

eo

f!cu

IDOc•co

uto

•S 5*GO r»

SS §

o 2u

00

a-»—

'

CO

E(L>—

i

"3 wCJCCS

c

Os cn

CuE

cfl <D— CU

6bcs

cfl

fOS3X>T3CU

Go-*-*

CSo_o

ua ftcfl D

in

"1 I<N UcK IS

°0

I

CsOSoo

f<3

O —

2 5

oo.£'5

cu

«CUCOCU

3

E |CO ,0

<U cfc

^ CD

00 OCN to

ON' 2

E gcu G« -cct3 p.T3 a>

S -SUS *E

CO

3

00 T3

° 1co C

5 >»cj 55

93 IE

cu

<as

ca

&>Ocu

00cuCN «-»

TJCU•*>»

oCU-*-»

£

S3OCO>,XIa,

aea

CU

6 ?3CJ "S

X> O Co

s £ £a «>> £cj «s

S'

c

s°sc n.O S3CJ _cu 13

£ o

O rQ

(N co

os "5

01

oCJ

s-

Ix

aCO

.. ^~ CJ

a sa> <u

E g>

3 c_ oes «.2 T»

•C"

SI ">

U «_ cu

o\ •<

T3cu

JS&,cu

CuOu

S3

•a

^cuCJ

cu

Su

_ cu<3\ co

A-28

Initials

Comments

Risk

Based

Decision Made

3"2 2J 5?

5

L.4

Tested

L.3

Implemented

i

3.1mi U£

Specific

Control

Objectives

and

Techniques

9.3.2

Are

employees

trained

in

their

roles

and

responsibilities?

FISCAMSC-2.3

NISTSP

800-18

9.3.3

Is

the

plan

periodically

tested

and

readjusted

as

appropriate?

FISCAMSC-3.

1

NISTSP

800-18

XI

o

<U .S co

» ^ s« o -°

do "io « c

o3as(U

CO

CO

43

HS3

o

p 45, >^ to

u & J3

43

o .S

C3

Oto

>o

oX to

c

HC3

at

c3

C3

43 C3OooCO

£^X e+—i

a o3

CO

"2 6<L> Si

«*4o

o

ao

CO '

60 <

ga 43

.

33 °

tS oS3 Xu c<"1 • 1—*

+3 C3

eo

.503

sCO

1

1

O 'tS+> CO

bo §.a 3-

6 -53 g 1o *S

X oCO l-i

42 So -c-fcS O§ .22

O 43CD 03l-i

* 03

<D 43co +-*

03 XX o

S3 co

C3 CD

^43

COG5

CO

ao

93

co

gco CO

2 <u

S,43CT +3

s

E£

St =

1"2 £

a!

a

s 5i-" ii

a.

haI£0-

4 —ft.

4>

BO"

S3

J3u«H•ac«at

«u

|O

coguE'3<u

£M

u«

o

c3

M^>f/3

•as <Uea w" 2S3 C

a s

35 S

•aa

at

s4(

gS e

*-«

« 8.•B

'C « hUK CS

JUT)° « 2Fl H A

S ^_n """i w_

o -r 4- ^^ o ac co ~»o

.s. 3u fl k

•S 1 §uocesCV

a,X to

0 F-i

(9

E

5^O S

<NusU"5

8 » ^

£8 O

2^W5 O

o Cca KS

1—1 u

o g

O C3

l-, o

t+3•

c3Sca

on *3

CO Q£P c.5 o

65 wa, >o Ea> 3- gca

1

3

ca

'o

aouc

asu

ca q

A-30

53

a

£So

J §a

Sa.

e«

ucs

"2 a»

g >E V

S «

:| 5

o i

>ouc,o,

•as

co

T5<u

.2uoJ3

3C?

4*k.PS

I©

3oto

c •$

J °o" .5

<L> 38 1S -

o is

- 50 o

^ 5-+»» o

g 8

1 §?

4> "55

5 >?T3 1)

c«6w"a

i

so

a,CO

•au•owuc00p'5'5

T3 C--

a hsr s4) O

*-»to>>

•a sow a

a>

1

1

P o

E Poo aE

% §»P 8

C^ u<N E

3cjO

POoEouo,oI-ocp.

~. 00 <N oo

co

u.3 (>•

ex aa ois vs

Si

s 3a-

Of) ea

" 5^

i B

t+5

O

-a

T353

E «o 5

& ^« T3T3 CU r3

13 g.<upu

8

35;

T3U3w

¥ 1»J E

o °

d00

p-

p. ft:

O S3 ST3 3 D,

cn 2 >

2 3 &

< ts

PuE00

o cL

•c3US !>•

<+i TJO O

°*B «'S £

T3 OOJ P< W

3

KUS

cyto

o -33—< to

A-31

S3

5 JU3

T3Ceta

GO

aCU

£E©y

<3 .2 £a .s 13

s

a

1s

—< «aE

a.

a*sa1

aw

HTSS«

s

Oi-*-coUej

E•8

-a

>u

.2, * »

o

Cfl1

00

s

J2

— «co

« xi•p s3fe oO oB ZO S

co

5 o

5 *0

s I

.5 ex

<N

oo

S3

JS

00

CN©

"O o-iCJ I

•C U

§ §.S U

•s

ES3l-i

oo0cxCJ

d

-a4)

u

o

eg

c

w

<3

H cx

2 I

T3CJ

CJ

'?uIx

-a

T3a>-+-»

cu6a5T3

u

*o Eeg egu ooO CO

fc C£X s5

CJ Poo u

JSa

>oucx

cj

CJ FT"

S3

CJ00

CJ*-»

Ccj

E3ooT3

cj

ujs

occx

CJ

JS

*5 CJ

00

cx>>CJ S3^ c

o

CJ

g3uoT3

=0

00

CO

o g -a

CJ

cS3

CuEg,3crCJ

oj^-<

COO J3 Oin

w

T3a>oocs

cca

S

CJ m+S cj

>> s^ X5

•<. «»

S 5

00

d00

§5CJ

R) H mi K|F

ible,

tc-,

00alls)?

CAcaO

u CJ

In

a u oCO

hen rvic ervi

uCO up

sary

CO

Eu CO

if"CJ—J

ccj unne

ain—E

A-32

a0)

EEey

i

H2 %S

1

*1

1 1

21

a.

BJBu

•aa53

«>

>

so"©k.**BO

i«5

> aS u* S3

00

I

<=>

S3

So c >;— J2 a.

B

A-33

i-

00

i-i

o 53-»-»

23COI/)

o3

cuo

T> O ^g to^ do <u

S C 3

g 8 §

N X>

00 ^

O o-a g -2

03 CO

<-> 00

.2 -23 **

<U 3 <U

CO

cc3

03

03

BO -£ o£ -ao 0)

DO

75

52 .tj

C0>

E£©

<9

§.2

J 8f

•o

H

-J «aE

1U8

"a.

sJST

'SJ=

Haa«Eii

o>>u

so"o

Isc9gUIt-

's*

a

<"0

•5

Q

1

SJDO!

a

1-

I

so•C«e

2%a a>

3 -g

5 «© uXI os

1*8

«;3 B

i-5 -2

— —

acu

Ea>

w .2"3

'u

U

.5

3Ohf

<D

5(0

c.SP'35

t/5

=0

I

S3

— .woJ

— ex— 3

oo

<i

oo

S3

Eo3ni

i>

ou

4<

3© a

K OS

© *^ 0)

« 2 41

° - i'3 « 3

- a>

"O os ga = "°

3 3

c- Su at

BJD -3O) >3 O— hi

3«3 i^ -a S

3 3

-a 3

§ I

.si3 c/f

© 3hi 33 J«

2 -2V3 o3 U

a °3Oou

00

doo

S3

CM

0)

3OU"Ohj

o

3O

TO

.> o-*-»

U 33 "C

O.

s

CO

5;

5 §

3c

-ao3150

3 .S

o tu

00

ioc0O

S3

8 ^ ^o 2 ^

2 ^

3 hi.3 o

3 mT3

s -1

u w

5s

— O

3

A-34

03

a

EsoU

a

o

1e

iOh

acr

'Sxtw

HT3a

o1co

c2cau

•cu

00

cO En

£o

0 -

1 §2 «

wC"5CM

Cfl

3 g

8*1* I

cn CO

3 T3

oo

Iou««»

go

J Eu «

< >">en

—• c

CO~^

I

90

ft,

E-,

I

s 1O «gft

c c

li* 8.

C ^O'5 S3

0Q

00

E-,

S3

8 "O "3_ -o•S >

Si B

• 3

00S3

Oucd

T5—

S3O"Oo

ft

S3

S3O

1uS3uftus*** i>-

oo E

• 1*1

oo•">,

t

00

-a«on

9CoCOo

su

3ca

UE

OnfN

oo

I

00

ft,

5

A-35

Ba

u rvO, c^ 4)

.2

«a0)

E

oQ

5 2£? 3O w

8 -S

ii(/J

'3 a>

S3

G3

^3 «

<D o

as

CO

CD

C3

0)

co

«3

CO

a

CO

3cr

j2

at

£SoU

oS .2 '£

5

i-3 If

B

rr"2

1

n.

S

i

J 8©

-3 2

ena>

a

"3

JSatat

H"OcC3

at

«uwa0o

co

»a>

CM

f*1

59

"-1I

Ik

as«Sk

c

1

co

s

3ato

at

JB"5 ©

S »J3 cu

2 *fl Vs I2 g5 «

~Sat o

<3

as*g

atJ3

i-i »—i at

Q. at- i«

3

oo

S ^

I i9 s.

C CKU Cm> O

uE3uO

c.o

icuE3uoT3

3OCQ r^.U «^3 CDh oCO IB

- JSa &-S a.

oo

i

o00

mS2

tN

uon3OJS

T3 -a

J3 «g

5 o,

OO

I

°0

p-

m£3

< c

E -<9ft CJ

3 .|

T3 cn

0>

•a

JS

i

00

00

P-

E<5

5 T3« SO 03

JS ^3

K 2

^ cf

A-36

42aVE

1

1 a3 .2 ±«5 «

IP

•* ej

If

3 i

a5

ml wo

a.

'5

J5

Haacs

(A

>

o

eoU

s

auuuSP o

IS w2 «S3 SS- S3

° a

1.3S w•2 6

°0

CS

oo

a,to

pi fvi72

3

£po

00»N

l

cs00

ft,

"c3

33ca

e

o

OO•"•I

8 ft,

3 ^cj Co

£ *>>usw00

u

uv.

<OO

cs

OO

©©=0

isIsouoa.

,5soC3

JS

w•A

tN

«ao«a>aoas

£ SC 3

B S<u —

S I

llb< L.

i-i <

-a

G

E3Uo

<Ba>k.3"O0)

cS

—II

i Oo

^O oo

3 O

22

fS

OO

i©©OO

ka £2« >:

>,ucu00

.3

eoo

OO

i

C5

% =°

a?K on

E09

•c

au

6«

O "O

"3 S

•c s

c o

* 3o> o

oo

oo

S5

O. Co

us

o

< 3 N

ca

4>

003NCo

3 I

A-37

u1-'3

„ c< §

•5 1/1

« s

>^GO

cO

S3us

wa«WDa

.2«5-

HV)

B0*ha03

I

3u

u is

1:1

xi«S hii +-•

0)CD

CO Xl

<U CO

<D

0)

a<v

E

|©

1ir> ft

H

IB

<"1 gmi Sta

«Sfcl*3

w

a«

«3

O"ouc©U«=-—

«

u

oaOS

OAa

H

i

-23Si

0

1

09VaVmeg

•r es2 w3 su -3-« "O

DJD

IS

el

3cr

T503

T3eV

rs totrf CD— <u

OSU O

jo

co«J

»-

•c3u4>V)

s g<$>

u § S

u43

O

5"oC3

T3U_>'53

o

COu

O <

Cc

EuHi>cq

PC

00-I

I

CS

00

§3

E-i

£3

>es

ucq

2c§

uXI

CS

3CcCS

O»-»

CST3CCS

E

4)Xi

00

sSi

c

1

CO|Hu Oj

makpost

o*»»

u>>o

"C5,

em sec

CO Cf-c

oOareeth

E ?u CO

yelets

oA<o1 o

u X

OO

I

cso00

5

o

C3

C3oCOCO

>%oC cS;

U CO

S).g

2 |coCO

" SCS

£/)

s Iw oS; °CO Mi43 e,

oo

oo

A-38

en I

t/3 r

?5

S

I

A-39

01

sso

T3CUft c< w

;>>

N ~D

0>

«aaUa>

aoa<S

c-o•»"<

a a

a>

1/3

3 S

og

"11

"2

J s

afO

I

aS

SB01

3cr

c.B

o»

Ht»ccc

t/1

>u»

o"oEj

BOUwS3

o>

CM

I

3

ct QU

eoaSO0>

a0)

!5*3

c

oo

60U

13 a-b

£ u

U£ o

O CvJ

** a1*1

-

£

h. 95 a41 c S- X! «<«>;»•>3 £

&ouCOCoft,

c4)

oB

C3

—, cei

5:

oo

I

00

§3

?o

tO Oo

ooS'5

oft,w

u

3

2.1

13UUea

T3S

-a

Bu

"o &>•

E "O— a>

Si &% g

t S

oo

CI00

ft,

E«<

Eo

N5OJO

oo

"St- oo

^ -r

to oo

tO

U K&3 ^2

B

1T3Bg

B Bft u

T3i-. u< .9

<* JS

B^ S3

c

u'5uu

00—

i

<i

OO

to

ao">T3-5

en o

< «

in B• O— ft~

1)

A-40

sa

e

EEoU

I

J la5

sift.

soiaX!

"Oa«

s

u

Ioo

§

U

CM

3

So

issoy•a <>

§ |

g°

•g s

kgc s

c w•E CO

E<L)

-2 E~o 8t; «g

e

g.3

5^

91

o

.S §

§ y

09

CJ ug iCJT3U

Bu

S3Ew

os

IBo

cuuO+*on

E'3

§p1/5

B RJ

0 °

1 §

'C >-

g <£

U S

a3ft <L>

cO "W

00™

.E

tje£9

.Eu

eoUS00f-»cnW>S

•E'5 obft- E

£is

8U

4)

u

>oOin

W3 ,B

y b

3b ce a

a «<u oPi OEii

^2'3

wU*-»

Bft,

Eoyi~.

<uT3Od>

y

y-a

en

Du•S

yPi

ul-l

3o

.2

A-41

•3"

H

a,

00

S

I

A-42

CO

©

aoU«—«

at

su

H

1/1

SO

asy

a

3<

ao••cS5uCa

1/5

1/1 > cco £ as

H 3 T?

g ^

—I

<u 03

o .o

N

1'43

s

a

EEoo

"2

5

-r

J

a5

1

to

3a'aJS<y<u

HISs85

U4>

2©"a

ba0Uu

o

CO

ao'43

Mw•mm

C41J3

3<a«a©'43

S5uC•4=

av

3

Q

1

5 8

55

•?

XJ4)

«"43

a«

"S.. OS** ^c s11

« 1.a .5« «>

M 4>

. S

i-x -< O. —

09CO

uuues

§ §

is•S £ %*1

T3<BNcO

3

C01

t3u

_ >. a

-a

i•au

i

oo

a,to

?o

3

a:•7 SOto 00

CO00 CL

•— i-*"3 Uh

1 o

E^ Jm o

T3O•ao

I

00

i

s

ExCO

to C

J3Omm

to(h to

roO

to

sa.

A-43

aCU

S£oO

73

- O 41

cS 3

1

» i S•1°

V5 2J If

Q

1

aB

"8

uoi5-

1-5 9m £

'=

pSuVHtsees

>u.Si2O1coOuIS

uvP.

uoocs

o

Iu

§

iE?1)

E cw T3CO CUi— nVg

- +-»

I—i CO

<N

0

3

3»

-a ou -o43 a)

03 He Ico F

S Z— CS<U 43a 13

o bso 3i-i so1> Cp, cu

cu o<£ co

s

CO

c3 S3

in Cou

in cj

ocoT3to

3

E

.£

Ufc c-

co

03 -C

<N °o

cu

CU CUap -ac ocs cu

to —-O u.i- cuO US5

'

so

0 h

034>

* bP, Oo co^

<? 03

&

ca

3uF

S «

g|S 5-3. W

5 "3

3so O

CS O

Ua>a,CO

-a

«COC3UCD

OsucmD, s>

3-

CO

t) U UCO W B)

E'

. CUm 3r-i OJO

3 JSc o

CO U

o .5

^ OO

>J Coo £2

O•cua.

u, T3W «S 5S

5 sd

.5 p,*-» CO

C3 =3

.S

< -a

si— T3

c4=

•ao>,

"S,SO

-*0cca-a

Ososocfl

p.UAt

s>-asU£

C

<N oo

0§-s- oo

5 5

COT3t-i

o

so

ss1

p,

d>CO

ao

^ OO

U ^

p. I

2 c

W to

00o c

—;"3

• cir> ca— 4=

u3CU

oo

o- OS

g Co

.s §cu

3

to i- 2TJ p 'y

% T3so "so 3CS) F

I'

wco

—. CU

• 3

r— CO

co

O

COCS5

p.

A-44

J303

ae

aat

ESou

1 s

IJ J1 1 S

os

J ff

J 8

IB

«J IaE

•J 2

839ajs -

H .

o .

s .

es

>at« .

O3**BO

o

1sBV

o

wC'5at

a ,

cs

u.2fc.

3ouo

eis

ft,

1s1/1

celau U

as in

3a

> >B

"5b

oso•c«Ifuox0tVi

aatu

sat

Bat

£at

3uXI ">

uu

cJ3ceu

at

at X!i 3

BO

'-*->

u<a

at

_«"at

fcouE

e/s

>>tn

4}JS

41oQ

• Bl

in «*-« 3

Cs

1

i

Q.a -b> w2 -B

3 41«t St> 'SX) gO u'S

"

41 caB C£ .2

11a oo 6

m o

41

?Sc§•u.

&B

'S3

at

A-45

B

<

00

o

CoU

<"5u'Soo

SO

"5 *o

5b «o a >J3 £ J2

s

ESoU

pa .a"8

3a

1«« e«j if

H

2 I

a

5

(«at

sS""8

«a>

Ha«tO

>

ISo"3-aoUuC"Z«CM

c

aoUvwu<

"Sjd

©—

1

i

v.

-2"3

0

1

CS

so

k JV.

8 *»

£ e3 o

E c

B«OA

Ou

Cit <fi

e ">s <u01 u— uW 05

8 SflU « «'5 w>£S © fe

Sc! ©

uCD+*Ux>CO

is to

o ^u E

'C »3 tou to

to CJ

IIs 8u §— •£

. caVO B—

' 3

<N op

0343

« C

o -=

§1

S8 .2 ^ 00to V, D

» £ x 55

« o 0 h53

I 2? s 3E o

s .s

* s1—1 L/l

es OE 5a *

c 2O B

? 3

to^

u ou S

1^

13

o

3S3

3 gU COto £3O to

—• "C^ 3V

. to

1*3

w O

2 &i ^B 425o uU PL,to E?"O ca

to

BO

5 ^

^ gto r;

b to

S ^

Q o

^ 2 •

=

^ is §

A-46

2a*>

sEoU

3

s

IBj

2a2"'3

JSev4>

HT3B«

V•«u4>

Oia

C"3

8 13to -a

oCO <i>

53c

> a

o *3

•a ~a

^ E</-> «

C« r-H

touo*0

<uto

3to

a

£ S3

a •§

—

i

i

o

a i>

£ 'E

53 c*o\Sw ISCO fo

3§co C~ u

a c*

.2 >>

a<u to

°° "g

SO 8

00

00 0,a &3

> h£ So

COUT3

Uto3<u00

i3 £lS

2•au

0

5

213

u'>

"3o'5bo

43

c£? 3rS to

a w

o aW CO

T3 to«> a

2 .2 cv.

E > "Oco >> *jco *; co

y & «sCO C\> o

o a -S

*- 8 ca >

J3!

O

ehCU>eco

.. "S+» utu aS g

3 S

.a 5tSJJ

©

SXI ce<-» c«

£ 8

S3« O

A-47

as

c«u

S£

a

1 ao v

« | "S

PS

J f

Tf 18

I

S

8

SB

CO<U

ac-

Bw<u

H-aa«CO

"•Cu

Obp©UuCua >

t/3

3.2CDXX-

TEL,a3COI

oxicu>

ft*

oE2xwN

E'Ci-<

(3uuX)CO

uCD O'ECO2 .S

40

c S3 3o oCO CDCO CO

CO4>.R

-Si

33513*»R

S«0SO

ea

cs

Co

I

43

8

J3

Oo

So

6wCO?>CO

CD

43

»©"

X(D

gas

ECO

u

3 ^3CD

So

e oO X

"43 cU CD

a »

§5cj ca

OccoCJ

«N

0

C

.3 Xco

© 2 3S .2

<N O co• *-» CO

^£3 3 u

T342 §S .2ja £5P 8s ^

§ B

1 B.

1 25 ft•2 &CQrS CO4> CD

>~ VB

3 aH CD

CD CCJ

1

1

. CD

co

« co 5

CO

5

T3 Co

8 §+*»

'5

oECOCOCDOCJCO

00

ts

co

* 3• i-i CCJ

2 CD

E •£

8 tM 8CD CO

CD

O*-»

co -fSCO CJ1> jCOCJ ^CJ >~ ^« ° %CO CD CD

' i-_ CO QON ^ .43

fN XI 'EI" d

S3

5

C3

as00

CDU

u

o

°0

I

00

Co

—CD

<n 4S

2 S

io

x S,

-3 1

O •

X*xCD

43 >L

S.2o

«a

"3 ^? 8CD «

c*h -r

" "a.cn a

o

x

COCD

S)CD

coCU

•5•-CI

S

Rcu

SCO

SP

COO- coX "T

3 »oE co

n ^s ^

< •g

o

NO 3— C8

A-48

2

a

se©

1 aa .2 a

1w 1

1

aS

e

£a.

•iSo

S3

"S b« %

"5 ft,u o"9

3 S*"

55to 4)

IN

3S35:

I. OCO V}

" C u

uvpfl**a>™ s

a z& It« o?> h.

£ e

8 1an B

8 «u a.

SIg.J2

|"|*-» B(m OM U

X!

aB

a

C w

.a xi

B) a°> aTw |•S

"S *J

* gOA !S

* SB 9

•8

&u6(3OT30)

en

Oa>>w

IuCO

caCO

I

I

*0

A-49

OSuH-<>

•3

as

"2 c

OS

c

ESoU

"i 2J If

a

a

a1

ft.

3glasucu

H•asee

COn>•au'£

o"Ski

cog«is

"Z*>

CM

to —< °o

^ ^ ~T

^ ^ &5

a 0 h

Q£9

C3

H

s<

CD

!S

O w

to wu >u .-«

s

»s.5 *>^ CO

f 1

« ©£ B

coCOOa

OST5 M g

a a

ECOeo .2

M .2M O

p

oo

§a,

Eo

u-c

COOJ

OQ

60Goo

— 3

a- Sa, §co r

OO*-«.

i

S3

a -a

5,™ to

(N C

W3uaCOao

60

3 I

to60O

T3

.£

o

COcoU(J

& jro Om -b

cr- o

I

C3

OO

S3

m

co .aojo „

O O

T33 -OCO C

Ct_, ca

° »BO fe

2'•=

•3 O^ T3

-S 'C~ D

O CO

§ c2

^ I

Oo

I

C5

oo

c-. p,

oo

CO

COooo

T3

CO

j A-50

s'3

-3au5EoW

1IT'

jj

5

£a.

s&|'3

J3a<a

H•os«en

>39

o"3s-

B5

u

o

uX!

2 A «uX5

.a «

oO

IT)

£

IS

1

o5

n

I

00

5

COl~U

o S4> Oen cj

S

x>oc °o

VS3

eq En

*u

8cn

"8

to

-63cu

8<

00

Bp** K S3

en 4>3 Cen wO °O <U

1

1

as <a

a 82 c3 •-c3 en

8 "B

3 S

• "dP- 3—• CO

C«J

"D4>+-»

esM"-**»

enu>c

I

Is% 3o a'3 .2

-Co,ooo

•8en300Cso'3oEuO T3h Wtn ISSt" V38 Q

£ g

oo

00

A-51

Appendix BSource of Control Criteria

Appendix B - Source of Control Criteria

Office of Management and Budget Circular A- 130.

"Management of Federal Information Resources",

Section 8B3 and Appendix III, "Security of Federal

Automated Information Resources."

Establishes a minimum set of controls to be included in Federal IT

security programs.

Computer Security Act of 1987.

This statute set the stage for protecting systems by codifying the

requirement for Government-wide IT security planning and training.

Paperwork Reduction Act of 1995. The PRA established a comprehensive information resources

management framework including security and subsumed the

security responsibilities of the Computer Security Act of 1987.

Clinaer-Cohen Act of 1996. This Act linked security to agency capital planning and budget

processes, established agency Chief Information Officers, and re-

codified the Computer Security Act of 1987.

Presidential Decision Directive 63, "Protecting

America's Critical Infrastructures."

This directive specifies agency responsibilities for protecting the

nation's infrastructure, assessing vulnerabilities of public and private

sectors, and eliminating vulnerabilities.

OMB Memorandum 99-18, "Privacy Policies on

Federal Web Sites."

This memorandum directs Departments and Agencies to post clear

privacy policies on World Wide Web sites, and provides guidance

for doing so.

General Accounting Office "Federal Information

System Control Audit Manual" (TISCAM).

The FISCAM methodology provides guidance to auditors in

evaluating internal controls over the confidentiality, integrity, and

availability of data maintained in computer-based information

systems.

NIST Special Publication 800-14, "Generally Accepted

Principles and Practices for Security Information

Technology Systems."

This publication guides organizations on the types of controls,

objectives, and procedures that comprise an effective security

program.

NIST Special Publication 800-18, "Guide for

Developing Security Plans for Information Technology

Systems."

This publication details the specific controls that should be

documented in a system security plan.

Defense Authorization Act (T.L. 106-398) including

Title X, Subtitle G, "Government Information Security

Reform" (GISRA)

The act primarily addresses the program management and evaluation

aspects of security.

Office of the Manager, National Communications

Systems, "Public Switched Network Security

Assessment Guidelines."

The guide describes a risk assessment procedure, descriptions of a

comprehensive security program, and a summary checklist.

Federal Information Processing Standards. These documents contain mandates and/or guidance for improving

the utilization and management of computers and IT systems in the

Federal Government.

B- 1

Appendix CFederal IT Security Assessment Framework

Federal

Information Technology

Security Assessment Framework

November 28, 2000

Prepared for

Security, Privacy, and Critical Infrastructure Committee

by

National Institute of Standards and Technology (NIST)

Computer Security Division

C-l

Appendix CFederal IT Security Assessment Framework

Overview

Information and the systems that process it are among the most valuable assets of any

organization. Adequate security of these assets is a fundamental management responsibility.

Consistent with Office of Management and Budget (OMB) policy, each agency must

implement and maintain a program to adequately secure its information and system assets.

Agency programs must: 1) assure that systems and applications operate effectively and

provide appropriate confidentiality, integrity, and availability; and 2) protect information

commensurate with the level of risk and magnitude of harm resulting from loss, misuse,

unauthorized access, or modification.

Agencies must plan for security, and ensure that the appropriate officials are assigned

security responsibility and authorize system processing prior to operations and periodically

thereafter. These management responsibilities presume that responsible agency officials

understand the risks and other factors that could negatively impact their mission goals.

Moreover, these officials must understand the current status of security programs and

controls in order to make informed judgments and investments that appropriately mitigate

risks to an acceptable level.

The Federal Information Technology (IT) Security Assessment Framework (or Framework)

provides a method for agency officials to 1 ) determine the current status of their security

programs relative to existing policy and 2) where necessary, establish a target for

improvement. It does not establish new security requirements. The Framework may be used

to assess the status of security controls for a given asset or collection of assets. These assets

include information, individual systems (e.g., major applications, general support systems,

mission critical systems), or a logically related grouping of systems that support operational

programs, or operational programs (e.g., Air Traffic Control, Medicare, Student Aid).

Assessing all asset security controls and all interconnected systems that the asset depends on

produces a picture of both the security condition of an agency component and of the entire

agency.

The Framework comprises five levels to guide agency assessment of their security programs

and assist in prioritizing efforts for improvement. Coupled with the NIST-prepared self-

assessment questionnaire5

, the Framework provides a vehicle for consistent and effective

measurement of the security status for a given asset. The security status is measured by

determining if specific security controls are documented, implemented, tested and reviewed,

and incorporated into a cyclical review/improvement program, as well as whether

unacceptable risks are identified and mitigated. The NIST questionnaire provides specific

questions that identify the control criteria against which agency policies, procedures, and

security controls can be compared. Appendix A contains a sample of the upcoming NISTSpecial Publication.

The Framework is divided into five levels: Level 1 of the Framework reflects that an asset

has documented security policy. At level 2, the asset also has documented procedures and

controls to implement the policy. Level 3 indicates that procedures and controls have been

implemented. Level 4 shows that the procedures and controls are tested and reviewed. At

level 5, the asset has procedures and controls fully integrated into a comprehensive program.

5The NIST Self-assessment Questionnaire will be issued in 2001 as a NIST Special Publication.

C-2

Appendix CFederal IT Security Assessment Framework

Each level represents a more complete and effective security program. OMB and the Council

recognize that the security needs for the tens of thousands of Federal information systems

differ. Agencies should note that testing the effectiveness of the asset and all interconnected

systems that the asset depends on is essential to understanding whether risk has been properly

mitigated. When an individual system does not achieve level 4, agencies should determine

whether that system meets the criteria found in OMB Memorandum M00-07 (February 28,

2000) "Incorporating and Funding Security in Information Systems Investments." Agencies

should seek to bring all assets to level 4 and ultimately level 5.

Integral to all security programs whether for an asset or an entire agency is a risk assessment

process that includes determining the level of sensitivity of information and systems. Manyagencies have developed their own methods of making these determinations. For example,

the Department of Health and Human Services uses a four—track scale for confidentiality,

integrity, and availability. The Department of Energy uses five groupings or "clusters" to

address sensitivity. Regardless of the method used, the asset owner is responsible for

determining how sensitive the asset is, what level of risk is acceptable, and which specific

controls are necessary to provide adequate security to that asset. Again, each implemented

security control must be periodically tested for effectiveness. The decision to implement and

the results of the testing should be documented.

C-3

Appendix CFederal IT Security Assessment Framework

1. Framework Description

The Federal Information Technology Security Assessment Framework (Framework)

identifies five levels of IT security program effectiveness (see Figure 1). The five levels

measure specific management, operational, and technical control objectives. Each of the five

levels contains criteria to determine if the level is adequately implemented. For example, in

Level 1, all written policy should contain the purpose and scope of the policy, the

individual(s) responsible for implementing the policy, and the consequences and penalties for

not following the policy. The policy for an individual control must be reviewed to ascertain

that the criteria for level 1 are met. Assessing the effectiveness of the individual controls, not

simply their existence, is key to achieving and maintaining adequate security.

The asset owner, in partnership with those responsible for administering the information

assets (which include IT systems), must determine whether the measurement criteria are

being met at each level. Before making such a determination, the degree of sensitivity of

information and systems must be determined by considering the requirements for

confidentiality, integrity, and availability of both the information and systems — the value of

information and systems is one of the major factors in risk management.

A security program may be assessed at various levels within an organization. For example, a

program could be defined as an agency asset, a major application, general support system,

high impact program, physical plant, mission critical system, or logically related group of

systems. The Framework refers to this grouping as an asset.

The Framework describes an asset self-assessment and provides levels to guide and prioritize

agency efforts as well as a basis to measure progress. In addition, the National Institute of

Standards and Technology (NIST) will develop a questionnaire that gives the implementation

tools for the Framework. The questionnaire will contain specific control objectives that

should be applied to secure a system.

Figure 1 - Federal IT Security Assessment Framework

Level 1 Documented Policy

Level 2 Documented Procedures

Level 3 Implemented Procedures and Controls

Level 4 Tested and Reviewed Procedures and Controls

Level 5 Fully Integrated Procedures and Controls

C-4

Appendix CFederal IT Security Assessment Framework

The Framework approach begins with the premise that all agency assets must meet the

minimum security requirements of the Office of Management and Budget Circular

A- 130, "Management of Federal Resources", Appendix III, "Security of Federal Automated

Information Resources" (A- 130). The criteria that are outlined in the Framework and

provided in detail in the questionnaire are abstracted directly from long-standing

requirements found in statute, policy, and guidance on security and privacy. It should be

noted that an agency might have additional laws, regulations, or policies that establish

specific requirements for confidentiality, integrity, or availability. Each agency should decide

if additional security controls should be added to the questionnaire and, if so, customize the

questionnaire appropriately. A list of the documents that the Framework and the

questionnaire draw upon is provided in Figure 2.

C-5

Appendix CFederal IT Security Assessment Framework

Figure 2 - Source of Control Criteria

Office of Management and Budget Circular A- 130,

"Management of Federal Information Resources",

Appenuix in, occuniy 01 reucrai Auiuuidieu

Information Resources."

Establishes a minimum set of controls to be included in Federal IT

security programs.

Computer Security Act of 1 987.

This statute set the stage for protecting systems by codifying the

requirement for Government-wide IT security planning and training.

Paperwork Reduction Act of 1995. The PRA established a comprehensive information resources

management framework including security and subsumed the

security responsibilities of the Computer Security Act of 1987.

Clinger-Cohen Act of 1996. This Act linked security to agency capital planning and budget

processes, established agency Chief Information Officers, and re-

codified the Computer Security Act of 1987.

Presidential Decision Directive 63, "Protecting

Amf*rif*fi'^ CVitipal TirfraQtritPtnrpQ "/A.IHV1 iva j V 1 u!Lai Hill floll UWLUl W^n

This directive specifies agency responsibilities for protecting the

nation's infrastructure, assessing vulnerabilities of public and private

sectors, and eliminating vulnerabilities.

Presidential Decision Directive 67, "Enduring

(""nnQtitntinnftl nnvprnmfnt firtH f^fYntiriiiifrv nfV. tU UUlkll VJUVtl IlillLlll O.UU J 11 1 1 U I ly \J 1

Government."

Relates to ensuring constitutional government, continuity of

operations (COOP) planning, and continuity of government (COG)operations

OMB Memorandum 99-05, Instructions on Complying

with President's Memorandum of Mav 14, 1998,

"Privacy and Personal Information in Federal Records."

This memorandum provides instructions to agencies on how to

comply with the President's Memorandum of May 14, 1998 on

"Privacy and Personal Information in Federal Records."

OMB Memorandum 99-18, "Privacy Policies on

Federal Web Sites."

This memorandum directs Departments and Agencies to post clear

privacy policies on World Wide Web sites, and provides guidance

for doing so.

OMB Memorandum 00-13, "Privacy Policies and Data

Collection on Federal Web Sites."

The purpose of this memorandum is a reminder that each agency is

required by law and policy to establish clear privacy policies for its

web activities and to comply with those policies.

General Accounting Office "Federal Information The FISCAM methodology provides guidance to auditors in

evaluating internal controls over the confidentiality, integrity, and

availability of data maintained in computer-based information

systems.

System Control Audit Manual" (FISCAM).

NIST Special Publication 800-14, "Generally Accepted This publication guides organizations on the types of controls,

objectives, and procedures that comprise an effective security

program.Principles and Practices for Security Information

Technology Systems."

NIST Special Publication 800-18, "Guide for

Developing Security Plans for Information Technology

Systems."

This publication details the specific controls that should be

documented in a system security plan.

Federal Information Processing Standards. This document contains legislative and executive mandates for

improving the utilization and management of computers and IT

systems in the Federal Government.

C-6

Appendix CFederal IT Security Assessment Framework

2. Documented Policy - Level 1

2.1 Description

Level 1 of the Framework includes:

• Formally documented and disseminated security policy covering agency headquarters

and major components (e.g., bureaus and operating divisions). The policy may be asset

specific.

• Policy that references most of the basic requirements and guidance issued from the

documents listed in Figure 2 - Source of Control Criteria.

An asset is at level 1 if there is a formally, up-to-date documented policy that establishes a

continuing cycle of assessing risk, implements effective security policies including training,

and uses monitoring for program effectiveness. Such a policy may include major agency

components, (e.g., bureaus and operating divisions) or specific assets.

A documented security policy is necessary to ensure adequate and cost effective

organizational and system security controls. A sound policy delineates the security

management structure and clearly assigns security responsibilities, and lays the foundation

necessary to reliably measure progress and compliance. The criteria listed below should be

applied when assessing the policy developed for the controls that are listed in the NISTquestionnaire.

2.2 Criteria

Level 1 criteria describe the components of a security policy.

Criteria for Level 1

a. Purpose and scope. An up-to-date security policy is written that covers all major facilities and

operations agency-wide or for the asset. The policy is approved by key affected parties and covers

security planning, risk management, review of security controls, rules of behavior, life-cycle

management, processing authorization, personnel, physical and environmental aspects, computer support

and operations, contingency planning, documentation, training, incident response, access controls, and

audit trails. The policy clearly identifies the purpose of the program and its scope within the organization.

b. Responsibilities. The security program comprises a security management structure with adequate

authority, and expertise. IT security manager(s) are appointed at an overall level and at appropriate

subordinate levels. Security responsibilities and expected behaviors are clearly defined for asset owners

and users, information resources management and data processing personnel, senior management, and

security administrators.

c. Compliance. General compliance and specified penalties and disciplinary actions are also identified in

the policy.

C-7

Appendix CFederal IT Security Assessment Framework

3. Documented Procedures - Level 2

3.1 Description

Level 2 of the Framework includes:

• Formal, complete, well-documented procedures for implementing policies established at

level one.

• The basic requirements and guidance issued from the documents listed in Figure 2 -

Source of Control Criteria.

An asset is at level 2 when formally documented procedures are developed that focus on

implementing specific security controls. Formal procedures promote the continuity of the

security program. Formal procedures also provide the foundation for a clear, accurate, and

complete understanding of the program implementation. An understanding of the risks and

related results should guide the strength of the control and the corresponding procedures. The

procedures document the implementation of and the rigor in which the control is applied.

Level 2 requires procedures for a continuing cycle of assessing risk and vulnerabilities,

implementing effective security policies, and monitoring effectiveness of the security

controls. Approved system security plans are in place for all assets.

Well-documented and current security procedures are necessary to ensure that adequate and

cost effective security controls are implemented. The criteria listed below should be applied

when assessing the quality of the procedures for controls outlined in the NIST questionnaire.

3.2 Criteria

Level 2 criteria describe the components of security procedures.

Criteria for Level 2

a. Control areas listed and organization's position stated. Up-to-date procedures are written that

covers all major facilities and operations within the asset. The procedures are approved by key

responsible parties and cover security policies, security plans, risk management, review of security

controls, rules of behavior, life-cycle management, processing authorization, personnel, physical and

environmental aspects, computer support and operations, contingency planning, documentation, training,

incident response, access controls, and audit trails. The procedures clearly identify management's

position and whether there are further guidelines or exceptions.

b. Applicability of procedures documented. Procedures clarify where, how, when, to, whom, and about

what a particular procedure applies.

c. Assignment of IT security responsibilities and expected behavior. Procedures clearly define

security responsibilities and expected behaviors for (1) asset owners and users, (2) information resources

management and data processing personnel, (3) management, and (4) security administrators.

d. Points of contact and supplementary information provided. Procedures contain appropriate

individuals to be contacted for further information, guidance, and compliance.

C- 8

Appendix CFederal IT Security Assessment Framework

4. Implemented Procedures and Controls - Level 3

4.1 Description

Level 3 of the Framework includes:

• Security procedures and controls that are implemented.

• Procedures that are communicated and individuals who are required to follow them.

At level 3, the IT security procedures and controls are implemented in a consistent manner

and reinforced through training. Ad hoc approaches that tend to be applied on an individual

or case-by-case basis are discouraged. Security controls for an asset could be implemented

and not have procedures documented, but the addition of formal documented procedures at

level 2 represents a significant step in the effectiveness of implementing procedures and

controls at level 3. While testing the on-going effectiveness is not emphasized in level 3,

some testing is needed when initially implementing controls to ensure they are operating as

intended. The criteria listed below should be used to determine if the specific controls listed

in the NIST questionnaire are being implemented.

4.2 Criteria

Level 3 criteria describe how an organization can ensure implementation of their security

procedures.

Criteria for Level 3

a. Owners and users are made aware of security policies and procedures. Security policies and

procedures are distributed to all affected personnel, including system/application rules and expected

behaviors. Requires users to periodically acknowledge their awareness and acceptance of responsibility

for security.

b. Policies and procedures are formally adopted and technical controls installed. Automated and

other tools routinely monitor security. Established policy governs review of system logs, penetration

testing, and internal/external audits.

c. Security is managed throughout the life cycle of the system. Security is considered in each of the

life-cycle phases: initiation, development/acquisition, implementation, operation, and disposal.

d. Procedures established for authorizing processing (certification and accreditation). Management

officials must formally authorize system operations and manage risk.

e. Documented security position descriptions. Skill needs and security responsibilities in job

descriptions are accurately identified.

f. Employees trained on security procedures. An effective training and awareness program tailored for

varying job functions is planned, implemented, maintained, and evaluated.

C-9

Appendix CFederal IT Security Assessment Framework

5. Tested and Evaluated Procedures and Controls - Level 4

5.7 Description

Level 4 of the Framework includes:

• Routinely evaluating the adequacy and effectiveness of security policies, procedures, and

controls.

• Ensuring that effective corrective actions are taken to address identified weaknesses,

including those identified as a result of potential or actual security incidents or through

security alerts issued by FedCIRC, vendors, and other trusted sources.

Routine evaluations and response to identified vulnerabilities are important elements of risk

management, which includes identifying, acknowledging, and responding, as appropriate, to

changes in risk factors (e.g., computing environment, data sensitivity) and ensuring that

security policies and procedures are appropriate and are operating as intended on an ongoing

basis.

Routine self-assessments are an important means of identifying inappropriate or ineffective

security procedures and controls, reminding employees of their security-related

responsibilities, and demonstrating management's commitment to security. Self-assessments

can be performed by agency staff or by contractors or others engaged by agency

management. Independent audits such as those arranged by the General Accounting Office

(GAO) or an agency Inspector General (IG), are an important check on agency performance,

but should not be viewed as a substitute for evaluations initiated-by agency management.

To be effective, routine evaluations must include tests and examinations of key controls.

Reviews of documentation, walk-throughs of agency facilities, and interviews with agency

personnel, while providing useful information, are not sufficient to ensure that controls,

especially computer-based controls, are operating effectively. Examples of tests that should

be conducted are network scans to identify known vulnerabilities, analyses of router and

switch settings and firewall rules, reviews of other system software settings, and tests to see

if unauthorized system access is possible (penetration testing). Tests performed should

consider the risks of authorized users exceeding authorization as well as unauthorized users

(e.g., external parties, hackers) gaining access. Similar to levels 1 through 3, to be

meaningful, evaluations must include security controls of interconnected assets, e.g., network

supporting applications being tested.

When assets are first implemented or are modified, they should be tested and certified to

ensure that controls are initially operating as intended. (This would occur at Level 3.)

Requirements for subsequent testing and recertification should be integrated into an agency's

ongoing test and evaluation program.

In addition to test results, agency evaluations should consider information gleaned from

records of potential and actual security incidents and from security alerts, such as those

issued by software vendors. Such information can identify specific vulnerabilities and

provide insights into the latest threats and resulting risks.

C- 10

Appendix CFederal IT Security Assessment Framework

The criteria listed below should be applied to each control area listed in the NISTquestionnaire to determine if the asset is being effectively evaluated.

5.2 Criteria

Level 4 criteria are listed below.

Criteria for Level 4

a. Effective program for evaluating adequacy and effectiveness of security policies, procedures, and

controls. Evaluation requirements, including requirements regarding the type and frequency of testing,

should be documented, approved, and effectively implemented. The frequency and rigor with which

individual controls are tested should depend on the risks that will be posed if the controls are not

operating effectively. At a minimum, controls should be evaluated whenever significant system changes

are made or when other risk factors, such as the sensitivity of data processed, change. Even controls for

inherently low-risk operations should be tested at a minimum of every 3 years.

b. Mechanisms for identifying vulnerabilities revealed by security incidents or security alerts.

Agencies should routinely analyze security incident records, including any records of anomalous or

suspicious activity that may reveal security vulnerabilities. In addition, they should review security alerts

issued by FedCIRC, vendors, and others.

c. Processfor reporting significant security weaknesses and ensuring effective remedial

action. Such a process should providefor routine reports to senior management on weaknesses

identified through testing or other means, development ofaction plans, allocation ofneeded

resources, andfollow-up reviews to ensure that remedial actions have been effective. Expedited

processes should be implementedfor especially significant weaknesses that may present undue

risk ifnot addressed immediately.

C- 11

Appendix CFederal IT Security Assessment Framework

6. Fully Integrated Procedures and Controls - Level 5

6.1 Description

Level 5 of the Framework includes:

• A comprehensive security program that is an integral part of an agency's organizational

culture.

• Decision-making based on cost, risk, and mission impact.

The consideration of IT security is pervasive in the culture of a level 5 asset. A proven life-

cycle methodology is implemented and enforced and an ongoing program to identify and

institutionalize best practices has been implemented. There is active support from senior

management. Decisions and actions that are part of the IT life cycle include:

Improving security program

Improving security program procedures

Improving or refining security controls

Adding security controls

Integrating security within existing and evolving IT architecture

Improving mission processes and risk management activities

Each of these decisions result from a continuous improvement and refinement program

instilled within the organization. At level 5, the understanding of mission-related risks and

the associated costs of reducing these risks are considered with a full range of

implementation options to achieve maximum mission cost-effectiveness of security

measures. Entities should apply the principle of selecting controls that offer the lowest cost

implementation while offering adequate risk mitigation, versus high cost implementation and

low risk mitigation. The criteria listed below should be used to assess whether a specific

control contained in the NIST questionnaire has been fully implemented.

6.2 Criteria

Level 5 criteria describe components of a fully integrated security

program. „_____________„^

Criteria for Level 5

a. There is an active enterprise-wide security program that achieves cost-effective security.

b. IT security is an integrated practice within the asset.

c. Security vulnerabilities are understood and managed.

d. Threats are continually re-evaluated, and controls adapted to changing security environment.

e. Additional or more cost-effective security alternatives are identified as the need arises.

f. Costs and benefits of security are measured as precisely as practicable.

g. Status metrics for the security program are established and met.

C- 12

Appendix CFederal IT Security Assessment Framework

7. Future of the Framework

This version of the Framework primarily addresses security management issues. It describes

a process for agencies to assess their compliance with long-standing basic requirements and

guidance. With the Framework in place, agencies will have an approach to begin the

assessment process. The NIST questionnaire provides the tool to determine whether agencies

are meeting these requirements and following the guidance.

The Framework is not static; it is a living document. Revisions will focus on expanding,

refining, and providing more granularity for existing criteria. In addition, the establishment of

a similar companion framework devoted to the evolution of agency electronic privacy polices

may be considered in time.

The Framework can be viewed as both an auditing tool and a management tool.

A balance between operational needs and cost effective security for acceptable risk will need

to be made to achieve an adequate level of security.

Currently, the NIST self-assessment tool is under development and will be available in 200 1

.

Appendix A provides a sample questionnaire to assist agencies until NIST officially releases

the questionnaire.

C- 13

Appendix CFederal IT Security Assessment Framework

Appendix AConceptual Sample of NIST Self-Assessment Questionnaire

Below is a conceptual sample of the Hypothetical Government Agency's (HGA) completion

of the NIST questionnaire for their Training Database. Before the questionnaire was

completed, the sensitivity of the information stored within, processed by and transmitted by

this asset was assessed. The premise behind determining the level of sensitivity is that each

asset owner is responsible for determining what level of risk is acceptable, and which specific

security controls are necessary to provide adequate security.

The sensitivity of this asset was determined to be high for confidentiality and low for

integrity and availability. The confidentiality of the system is high due to the system

containing personnel information. Employee social security numbers, course lists, and grades

are contained in the system. The integrity of the database is considered low because if the

information were modified by unauthorized, unanticipated or unintentional means,

employees, who can read their own training file, would detect the modifications. The

availability of the system is considered low because hard copies of the training forms are

available as a backup.

The questionnaire was completed for the database with the understanding that security

controls that protect the integrity or availability of the data did not have to be rigidly applied.

The questionnaire contains a field that can be checked when a risk-based decision has been

made to either reduce or enhance a security control. There may be certain situations where

management will grant a waiver either because compensating controls exist or because the

benefits of operating without the control (at least temporarily) outweigh the risk of waiting

for full control implementation. Alternatively, there may be times where management

implements more stringent controls than generally applied elsewhere. In the example

provided the specific control objectives for personnel security and for authentication were

assessed. The questionnaire is an excerpt and by no means contains all the questions that

would be asked in the area of personnel security and authentication. For brevity, only a few

questions were provided in this sample.

An analysis of the levels checked determined that the agency should target improving their

background screening implementation and testing. System administrators, programmers, and

managers should all have background checks completed prior to accessing the system. The

decision to allow access prior to screening was made and checked in the Risk Based Decision

Made box. Because this box was checked, there should be specific controls implemented to

ensure access is not abused, i.e., access is reviewed daily through audit trails, and users have

minimal system authority.

Additionally, HGA should improve implementing and testing their password procedures

because of the strong need for confidentiality. Without good password management,

passwords can be easily guessed and access to the system obtained. The questionnaire's list

of objectives is incomplete for both personnel security controls and for authentication

controls. Even though the sample is lacking many controls, the completed questionnaire

clearly depicts that HGA has policies and procedures in place but there is a strong need for

implementing, testing, and reviewing the procedures and controls. The sample indicates that

the Training Database would be at level 2.

C- 14

Appendix CFederal IT Security Assessment Framework

Category of Sensitivity Confidentiality Integrity Availability

High XMediumLow X X

Specific Control Objectives

i tL. 1

Policy

Yj.L

Procedures

Yj.5

Implemented

T A

Tested Integrated

Rick Rnsprl

Decision

Made

Personnel Security

Are all positions reviewed for sensitivity

level?

A A A

Is appropriate background screening for

assigned positions completed prior to granting

access?

A A YA

Are there conditions for allowing system

access prior 10 completion 01 screening:

X X

/\re sensitive runctions oiviaeu among

different individuals?

YA YA YA

Are mecnamsms in piace ior noiuing users

responsible for their actions?

YA YA

Are termination proceuures esiaoiisneu; YA YA

Authentication

Are passwords, tokens, or biometrics used? VA -vrA A

Do passwords contain alpha numeric,

upper/lower case, and special characters?

X X

Are passwords changed at least every ninety

days or earlier if needed?

X X

Is there guidance for handling lost and

compromised passwords?

X X

Are passwords transmitted and stored with

one-way encryption?

X X

Is there a limit to the number of invalid access

attempts that may occur for a given user?

X X

C- 15

Appendix CFederal IT Security Assessment Framework

References

Automated Information Systems Security Program Handbook (Release 2.0, May 1994),

Department of Health and Human Services, May 1994.

Ginger-Cohen Act of 1996 (formerly known as the Information Management Reform Act),

February 10, 1996.

Computer Security Act of 1987, 40 U.S. Code 759, (Public Law 100-235), January 8, 1988.

Control Objectives for Information and Related Technology (COBIT) 3rd

Edition,

Information Systems Audit and Control Foundation, July 2000.

General Accounting Office, Federal Information System Control Audit Manual (FISCAM),

GOA/AIMD-12.19.6, January 1999.

General Accounting Office, Information Security Risk Assessment Practices of Leading

Organizations, GAO/AIMD-99-139, August 1999.

Office of Management and Budget, Security of Federal Automated Information Resources,

Appendix III to OMB Circular A- 130, Management of Federal Information Resources,

February 8, 1996.

Office of Management and Budget, Memorandum 99-05, Instructions on Complying with

President's Memorandum ofMay 14, 1998, Privacy and Personal Information in Federal

Records, July 1, 1999.

Office of Management and Budget, Memorandum 99-18, Privacy Policies on Federal WebSites, June 2, 1999.

Office of Management and Budget, Memorandum 00-13, Policies and Data Collection on

Federal Web Sites, June 22, 2000.

Paperwork Reduction Act of 1995, 35 U.S. Code 44, January 4, 1995.

Presidential Decision Directive 63, Protecting America's Critical Infrastructures, May 22,

1998.

Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of

Government, October 21, 1998.

Swanson, Marianne and Barbara Guttman, NIST Special Publication 800-14, Generally

Accepted Principles and Practices for Security Information Technology Systems (GSSP),

Gaithersburg, MD, National Institute of Standards and Technology, September 20, 1995.

Swanson, Marianne and Federal Computer Security Program Managers' Forum Working

Group, NIST Special Publication 800-18, Guide for Developing Security Plans for

Information Technology Systems, Gaithersburg, MD, National Institute of Standards and

Technology, December 1998.

C- 16

Appendix CFederal IT Security Assessment Framework

Terminology

Acceptable Risk is a concern that is acceptable to responsible management, due to the cost

and magnitude of implementing controls.

Accreditation is synonymous with the term authorize processing. Accreditation is the

authorization and approval granted to a major application or general support system to

process in an operational environment. It is made on the basis of a certification by

designated technical personnel that the system meets pre-specified technical requirements for

achieving adequate system security. See also Authorize Processing, Certification, and

Designated Approving Authority.

Asset is a major application, general support system, high impact program, physical plant,

mission critical system, or a logically related group of systems.

Authorize Processing occurs when management authorizes in writing a system based on an

assessment of management, operational, and technical controls. By authorizing processing in

a system the management official accepts the risks associated with it. See also Accreditation,

Certification, and Designated Approving Authority.

Availability Protection requires backup of system and information, contingency plans,

disaster recovery plans, and redundancy. Examples of systems and information requiring

availability protection are time-share systems, mission-critical applications, time and

attendance, financial, procurement, or life-critical.

Awareness, Training, and Education includes (1) awareness programs set the stage for

training by changing organizational attitudes towards realization of the importance of

security and the adverse consequences of its failure; (2) the purpose of training is to teach

people the skills that will enable them to perform their jobs more effectively; and (3)

education is more in-depth than training and is targeted for security professionals and those

whose jobs require expertise in IT security.

Certification is synonymous with the term authorize processing. Certification is a major

consideration prior to authorizing processing, but not the only consideration. Certification is

the technical evaluation that establishes the extent to which a computer system, application,

or network design and implementation meets a pre-specified set of security requirements.

See also Accreditation and Authorize Processing.

General Support System is an interconnected information resource under the same direct

management control that shares common functionality. It normally includes hardware,

software, information, data, applications, communications, facilities, and people and provides

support for a variety of users and/or applications. Individual applications support different

mission-related functions. Users may be from the same or different organizations.

Individual Accountability requires individual users to be held accountable for their actions

after being notified of the rules of behavior in the use of the system and the penalties

associated with the violation of those rules.

C- 17

Appendix CFederal IT Security Assessment Framework

Information Owner is responsible for establishing the rules for appropriate use and

protection of the data/information. The information owner retains that responsibility even

when the data/information are shared with other organizations.

Major Application is an application that requires special attention to security due to the risk

and magnitude of the harm resulting from the loss, misuse, or unauthorized access to, or

modification of, the information in the application. A breach in a major application might

comprise many individual application programs and hardware, software, and

telecommunications components. Major applications can be either a major software

application or a combination of hardware/software where the only purpose of the system is to

support a specific mission-related function.

Material Weakness or significant weakness is used to identify control weaknesses that pose

a significant risk or a threat to the operations and/or assets of an audited entity. "Material

weakness" is a very specific term that is defined one way for financial audits and another wayfor weaknesses reported under the Federal Managers Financial Integrity Act of 1982. Such

weaknesses may be identified by auditors or by management.

Networks include communication capability that allows one user or system to connect to

another user or system and can be part of a system or a separate system. Examples of

networks include local area network or wide area networks, including public networks such

as the Internet.

Operational Controls address security methods that focus on mechanisms that primarily are

implemented and executed by people (as opposed to systems).

Policy a document that delineates the security management structure and clearly assigns

security responsibilities and lays the foundation necessary to reliably measure progress and

compliance.

Procedures are contained in a document that focuses on the security control areas and

management's position.

Risk is the possibility of harm or loss to any software, information, hardware, administrative,

physical, communications, or personnel resource within an automated information system or

activity.

Risk Management is the ongoing process of assessing the risk to automated information

resources and information, as part of a risk-based approach used to determine adequate

security for a system by analyzing the threats and vulnerabilities and selecting appropriate

cost-effective controls to achieve and maintain an acceptable level of risk.

Rules ofBehavior are the rules that have been established and implemented concerning use

of, security in, and acceptable level of risk for the system. Rules will clearly delineate

responsibilities and expected behavior of all individuals with access to the system. Rules

should cover such matters as work at home, dial-in access, connection to the Internet, use of

C- 18

Appendix CFederal IT Security Assessment Framework

copyrighted works, unofficial use of Federal government equipment, assignment and

limitation of system privileges, and individual accountability.

Sensitive Information refers to information whose loss, misuse, or unauthorized access to or

modification of could adversely affect the national interest or the conduct of Federal

programs or the privacy to which individuals are entitled.

Sensitivity an information technology environment consists of the system, data, and

applications that must be examined individually and in total. All systems and applications

require some level of protection for confidentiality, integrity, and/or availability that is

determined by an evaluation of the sensitivity of the information processed, the relationship

of the system to the organizations mission, and the economic value of the system

components.

System is a generic term used for briefness to mean either a major application or a general

support system.

System Operational Status is either (1) Operational - system is currently in operation, (2)

Under Development - system is currently under design, development, or implementation, or

(3) Undergoing a Major Modification - system is currently undergoing a major conversion or

transition.

Technical Controls consist of hardware and software controls used to provide automated

protection to the system or applications. Technical controls operate within the technical

system and applications.

Threat is an event or activity, deliberate or unintentional, with the potential for causing harm

to an IT system or activity.

Vulnerability is a flaw or weakness that may allow harm to occur to an IT system or activity.

C- 19

Appendix DReferences

Appendix D - References

Clinger-Cohen Act of 1996 (formerly known as the Information Management Reform Act),

February 10, 1996.

Computer Security Act of 1987, 40 U.S. Code 759, (Public Law 100-235), January 8, 1988.

Control Objectives for Information and Related Technology (COBIT) 3rd

Edition,

Information Systems Audit and Control Foundation, July 2000.

Defense Authorization Act (P.L. 106-398) including Title X, Subtitle G, "Government

Information Security Reform," October 28, 2000.

Department of State, Draft Best Security Practices Checklist Appendix A, January 22, 2001

.

General Accounting Office, Federal Information System Control Audit Manual (FISCAM),

GOA/AIMD-12.19.6, January 1999.

General Accounting Office, Information Security Risk Assessment Practices of Leading

Organizations, GAO/AIMD-99-139, August 1999.

ISSO 17799, A Code of Practice for Information Security Management (British Standard

7799),

National Communications System, Public Switched Network Security Assessment

Guidelines, September 2000.

Office of Management and Budget, Security of Federal Automated Information Resources,

Appendix III to OMB Circular A- 130, Management of Federal Information Resources,

February 8, 1996.

Office of Management and Budget, Memorandum 99-05, Instructions on Complying with

President's Memorandum ofMay 14, 1998, Privacy and Personal Information in Federal

Records, July 1, 1999.

Office of Management and Budget, Memorandum 99-18, Privacy Policies on Federal WebSites, June 2, 1999.

Office of Management and Budget, Memorandum 00-13, Policies and Data Collection on

Federal Web Sites, June 22, 2000.

Paperwork Reduction Act of 1995, 35 U.S. Code 44, January 4, 1995.

Presidential Decision Directive 63, Protecting America's Critical Infrastructures, May 22,

1998.

Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of

Government, October 21, 1998.

D- 1

it U.S. GOVERNMENT PRINTING OFFICE: 2002 485-536

Technical Publications

Periodical

Journal of Research of the National Institute of Standards and Technology—Reports NIST research

and development in metrology and related fields of physical science, engineering, applied mathematics,

statistics, biotechnology, and information technology. Papers cover a broad range of subjects, with major

emphasis on measurement methodology and the basic technology underlying standardization. Also included

from time to time are survey articles on topics closely related to the Institute's technical and scientific

programs. Issued six times a year.

Nonperiodicals

Monographs—Major contributions to the technical literature on various subjects related to the

Institute's scientific and technical activities.

Handbooks—Recommended codes of engineering and industrial practice (including safety codes) devel-

oped in cooperation with interested industries, professional organizations, and regulatory bodies.

Special Publications—Include proceedings of conferences sponsored by NIST, NIST annual reports, and

other special publications appropriate to this grouping such as wall charts, pocket cards, and bibliographies.

National Standard Reference Data Series—Provides quantitative data on the physical and chemical

properties of materials, compiled from the world's literature and critically evaluated. Developed under a

worldwide program coordinated by NIST under the authority of the National Standard Data Act (Public

Law 90-396). NOTE: The Journal of Physical and Chemical Reference Data (JPCRD) is published

bimonthly for NIST by the American Institute of Physics (AIP). Subscription orders and renewals are

available from AIP, P.O. Box 503284, St. Louis, MO 63150-3284.

Building Science Series—Disseminates technical information developed at the Institute on building

materials, components, systems, and whole structures. The series presents research results, test methods, and

performance criteria related to the structural and environmental functions and the durability and safety

characteristics of building elements and systems.

Technical Notes—Studies or reports which are complete in themselves but restrictive in their treatment of

a subject. Analogous to monographs but not so comprehensive in scope or definitive in treatment of the

subject area. Often serve as a vehicle for final reports of work performed at NIST under the sponsorship of

other government agencies.

Voluntary Product Standards—Developed under procedures published by the Department of Commercein Part 10, Title 15, of the Code of Federal Regulations. The standards establish nationally recognized

requirements for products, and provide all concerned interests with a basis for common understanding of

the characteristics of the products. NIST administers this program in support of the efforts of private-sector

standardizing organizations.

Order the following NIST publications—FIPS and NISTIRs—from the National Technical Information

Service, Springfield, VA 22161.

Federal Information Processing Standards Publications (FIPS PUB)—Publications in this series

collectively constitute the Federal Information Processing Standards Register. The Register serves as the

official source of information in the Federal Government regarding standards issued by NIST pursuant to

the Federal Property and Administrative Services Act of 1949 as amended, Public Law 89-306 (79 Stat.

1127), and as implemented by Executive Order 11717 (38 FR 12315, dated May 11, 1973) and Part 6 of

Title 15 CFR (Code of Federal Regulations).

NIST Interagency or Internal Reports (NIST1K)—The series includes interim or final reports on work

performed by NIST for outside sponsors (both government and nongovernment). In general, initial

distribution is handled by the sponsor; public distribution is handled by sales through the National Technical

Information Service, Springfield, VA 22161, in hard copy, electronic media, or microfiche form. NISTIR's

may also report results of NIST projects of transitory or limited interest, including those that will be

published subsequently in more comprehensive form.

£ O OB ZGa »-h p S bs •

c

< 3

8

2. E2.

too00

8

3* — re

O 3 05K" w —O &. "1

< c g° 5.

ijo ©

w3n3