Archived NIST Technical Series Publication
The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below).
Archived Publication
Series/Number:
Title:
Publication Date(s):
Withdrawal Date:
Withdrawal Note:
Superseding Publication(s)
The attached publication has been superseded by the following publication(s):
Series/Number:
Title:
Author(s):
Publication Date(s):
URL/DOI:
Additional Information (if applicable)
Contact:
Latest revision of the
attached publication:
Related information:
Withdrawal announcement (link):
Date updated: June 9, 2015
NIST Special Publication 800-26
Security Self-Assessment Guide for Information TechnologySystems
November 2001December 19, 2007
SP 800-26 is superseded in its entirety by the publication ofSP 800-53 and SP 800-53A.
NIST Special Publication 800-53
Recommended Security Controls for Federal Information Systems
Ron Ross, Stu Katzke, Arnold Johnson, Marianne Swanson, Gary Stoneburner, George Rogers,Annabelle Lee
February 2005http://dx.doi.org/10.6028/NIST.SP.800-53
Computer Security Division (Information Technology Lab)
SP 800-53 Revision 4 (as of June 19, 2015)
http://csrc.nist.gov/groups/SMA/fisma/assessment.html
N/A
NIST Special Publication 800-26
NisrNational Institute of Standardsand Technology
Technology Administration
U.S. Department of Commerce
Security Self-Assessment Guide
for Information Technology
Systems
Marianne Swanson
COMPUTER SECURITY
rhe National Institute of Standards and Technology was established in 1988 by Congress to "assist industry in
the development of technology . . . needed to improve product quality, to modernize manufacturing processes,
to ensure product reliability . . . and to facilitate rapid commercialization ... of products based on new scientific
discoveries."
NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's
competitiveness; advance science and engineering; and improve public health, safety, and the environment. One
of the agency's basic functions is to develop, maintain, and retain custody of the national standards of
measurement, and provide the means and methods for comparing standards used in science, engineering,
manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal
Government.
As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and
applied research in the physical sciences and engineering, and develops measurement techniques, test
methods, standards, and related services. The Institute does generic and precompetitive work on new and
advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303.
Major technical operating units and their principal activities are listed below. For more information contact the
Publications and Program Inquiries Desk, 301-975-3058.
Office of the Director• National Quality Program
• International and Academic Affairs
Technology Services• Standards Services
• Technology Partnerships
• Measurement Services
• Information Services
Advanced Technology Program• Economic Assessment
• Information Technology and Applications
• Chemistry and Life Sciences
• Materials and Manufacturing Technology
• Electronics and Photonics Technology
Manufacturing Extension PartnershipProgram• Regional Programs
• National Programs
• Program Development
Electronics and Electrical EngineeringLaboratory• Microelectronics
• Law Enforcement Standards
• Electricity
• Semiconductor Electronics
• Radio-Frequency Technology1
• Electromagnetic Technology'
• Optoelectronics1
Materials Science and EngineeringLaboratory• Intelligent Processing of Materials
• Ceramics
• Materials Reliability'
• Polymers
• Metallurgy
• NIST Center for Neutron Research
Chemical Science and TechnologyLaboratory• Biotechnology
• Physical and Chemical Properties2
• Analytical Chemistry
• Process Measurements
• Surface and Microanalysis Science
Physics Laboratory• Electron and Optical Physics
• Atomic Physics
• Optical Technology
• Ionizing Radiation
• Time and Frequency'
• Quantum Physics'
Manufacturing EngineeringLaboratory• Precision Engineering
• Manufacturing Metrology
• Intelligent Systems
• Fabrication Technology
• Manufacturing Systems Integration
Building and Fire ResearchLaboratory• Applied Economics
• Structures
• Building Materials
• Building Environment
• Fire Safety Engineering
• Fire Science
Information Technology Laboratory• Mathematical and Computational Sciences
2
• Advanced Network Technologies
• Computer Security
• Information Access
• Convergent Information Systems
• Information Services and Computing
• Software Diagnostics and Conformance Testing
• Statistical Engineering
'At Boulder, CO 80303.2Some elements at Boulder, CO.
NIST Special Publication 800-26 Security Self-Assessment Guide
for Information Technology
Systems
Marianne Swanson
COMPUTER SECURITY
Computer Security Division
Information Technology
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
November 2001
U.S. Department of CommerceDonald L. Evans, Secretary
Technology Administration
Phillip J. Bond, Under Secretary for Technology
National Institute of Standards and Technology
Karen H. Brown, Acting Director
Reports on Information Security Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST)
promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and
standards infrastructure for information technology. ITL develops tests, test methods, reference data, proof of concept
implementations and technical analyses to advance the development and productive use of information technology.
ITL's responsibilities include the development of technical, physical, administrative, and management standards and
guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems.
This Special Publication 800 series reports on ITL's research, guidance, and outreach efforts in computer security, and
its collaborative activities with industry, government, and academic organizations.
National Institute of Standards and Technology Special Publication 800-26
Natl. Inst. Stand. Technol. Spec. Publ. 800-26, 94 pages (Nov. 2001)
CODEN: NSPUE2
U.S. GOVERNMENT PRINTING OFFICEWASHINGTON: 2001
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov— Phone: (202) 5 1 2- 1 800— Fax: (202) 5 1 2-2250
Mail Stop SSOP, Washington, DC 20402-0001
Acknowledgements
Many people have contributed to this document, directly or indirectly. I would like to thank
our NIST Technical Editor, Elizabeth Lennon, for spending a significant amount of her time
editing this document. The questionnaire was field tested by Jim Craft, U.S. Agency for
International Development, who provided a team to use the questionnaire on two systems.
His team's input was invaluable in finalizing the document. I would also like to thank the
many people who have provided comments on the draft and expressed their enthusiasm and
support for the document. The development of the document was a consolidated effort by
many people.
iii
Executive Summary
Adequate security of information and the systems that process it is a fundamental
management responsibility. Agency officials must understand the current status of their
information security program and controls in order to make informed judgments and
investments that appropriately mitigate risks to an acceptable level.
Self-assessments provide a method for agency officials to determine the current status of
their information security programs and, where necessary, establish a target for improvement.
This self-assessment guide utilizes an extensive questionnaire containing specific control
objectives and techniques against which an unclassified system or group of interconnected
systems can be tested and measured. The guide does not establish new security requirements.
The control objectives and techniques are abstracted directly from long-standing
requirements found in statute, policy, and guidance on security.
This document builds on the Federal IT Security Assessment Framework (Framework)
developed by NIST for the Federal Chief Information Officer (CIO) Council. TheFramework established the groundwork for standardizing on five levels of security status and
criteria agencies could use to determine if the five levels were adequately implemented. This
document provides guidance on applying the Framework by identifying 17 control areas,
such as those pertaining to identification and authentication and contingency planning. In
addition, the guide provides control objectives and techniques that can be measured for each
area.
The questionnaire can be used for the following purposes:
> Agency managers who know their agency's systems and security controls can quickly
gain a general understanding of needed security improvements for a system (major
application or general support system), group of interconnected systems, or the entire
agency.
> The security of an agency's system can be thoroughly evaluated using the questionnaire
as a guide. The results of such a thorough review produce a reliable measure of security
effectiveness and may be used to 1) fulfill reporting requirements; 2) prepare for audits;
and 3) identify resources.
> The results of the questionnaire will assist, but not fulfill, agency budget requests as
outlined in Office of Management and Budget (OMB) Circular A-l 1, "Preparing and
Submitting Budget Estimates."
It is important to note that the questionnaire is not intended to be an all-inclusive list of
control objectives and related techniques. Accordingly, it should be used in conjunction with
the more detailed guidance listed in Appendix B. In addition, details associated with certain
technical controls are not specifically provided due to their voluminous and dynamic nature.
Agency managers should obtain information on such controls from other sources, such as
vendors, and use that information to supplement this guide.
iv
Consistent with OMB policy, each agency must implement and maintain a program to
adequately secure its information and system assets. An agency program must: 1) assure that
systems and applications operate effectively and provide appropriate confidentiality,
integrity, and availability; and 2) protect information commensurate with the level of risk and
magnitude ofharm resulting from loss, misuse, unauthorized access, or modification.
Performing a self-assessment and mitigating any of the weaknesses found in the assessment
is one way to determine if the system and the information are adequately secured.
v
Table of Contents
Acknowledgements m
Executive Summary iv
1. Introduction 1
1 . 1 Self -Assessments 1
1 .2 Federal IT Security Assessment Framework 2
1.3 Audience... .3
1 .4 Structure of this Document 3
2. System Analysis 4
2. 1 System Boundaries 4
2.2 Sensitivity Assessment 5
3. Questionnaire Structure 7
3.1 Questionnaire Cover Sheet 7
3.1.1 Questionnaire Control 7
3.1.2 System Identifica tion 8
3.1.3 Purpose and Assessor Informa tion 8
3.1.4 Crjticality ofInforma tion 9
3.2 Questions 9
3.3 Applicability of Control Objectives 11
4. Utilizing the Completed Questionnaire 13
4.1 Questionnaire Analysis 13
4.2 Action Plans 13
4.3 Agency IT Security Program Reports 13
4.3.1 SecurityProgramManagement. 14
4.3.2 Management Controls, Operational Controls, and Technical Controls 15
Appendix A - System Questionnaire A-l
Appendix B - Source of Control Criteria B-l
Appenddc C - Federal Information Technology Security Assessment Framework C-l
Appendix D - References D-l
vi
Security Self-Assessment
Guide For IT Systems
1. Introduction
A self-assessment conducted on a system (major application or general support system) or
multiple self-assessments conducted for a group of interconnected systems (internal or
external to the agency) is one method used to measure information technology (IT) security
assurance. IT security assurance is the degree of confidence one has that the managerial,
technical and operational security measures work as intended to protect the system and the
information it processes. Adequate security of these assets is a fundamental management
responsibility. Consistent with Office of Management and Budget (OMB) policy, each
agency must implement and maintain a program to adequately secure its information and
system assets. Agency programs must: 1) assure that systems and applications operate
effectively and provide appropriate confidentiality, integrity, and availability; and 2) protect
information commensurate with the level of risk and magnitude ofharm resulting from loss,
misuse, unauthorized access, or modification.
Agencies must plan for security, ensure that the appropriate officials are assigned security
responsibility, and authorize system processing prior to operations and periodically
thereafter. These management responsibilities presume that responsible agency officials
understand the risks and other factors that could negatively impact their mission goals.
Moreover, these officials must understand the current status of security programs and
controls in order to make informed judgments and investments that appropriately mitigate
risks to an acceptable level.
An important element of ensuring an organizations' IT security health is performing routine
self-assessments of the agency security program. For a self-assessment to be effective, a risk
assessment should be conducted in conjunction with or prior to the self-assessment. A self-
assessment does not eliminate the need for a risk assessment.
There are many methods and tools for agency officials to help determine the current status of
their security programs relative to existing policy. Ideally many of these methods and tools
would be implemented on an ongoing basis to systematically identify programmatic
weaknesses and where necessary, establish targets for continuing improvement. This
document provides a method to evaluate the security of unclassified systems or groups of
systems; it guides the reader in performing an IT security self-assessment. Additionally, the
document provides guidance on utilizing the results of the system self-assessment to ascertain
the status of the agency-wide security program. The results are obtained in a form that can
readily be used to determine which of the five levels specified in the Federal IT Security
Assessment Framework the agency has achieved for each topic area covered in the
questionnaire. For example, the group of systems under review may have reached level 4
(Tested and Evaluated Procedures and Controls) in the topic area of physical and
environmental protection, but only level 3 (Implemented Procedures and Controls) in the area
of logical access controls.
1.1 Self -Assessments
This self-assessment guide utilizes an extensive questionnaire (Appendix A) containing
specific control objectives and suggested techniques against which the security of a system or
1
Security Self-Assessment
Guide For IT Systems
group of interconnected systems can be measured. The questionnaire can be based primarily
on an examination of relevant documentation and a rigorous examination and test of the
controls. This guide does not establish new security requirements. The control objectives are
abstracted directly from long-standing requirements found in statute, policy, and guidance on
security and privacy. However the guide is not intended to be a comprehensive list of control
objectives and related techniques. The guide should be used in conjunction with the more
detailed guidance listed in Appendix B. In addition, specific technical controls, such as those
related to individual technologies or vendors, are not specifically provided due to their
volume and dynamic nature. It should also be noted that an agency might have additional
laws, regulations, or policies that establish specific requirements for confidentiality, integrity,
or availability. Each agency should decide if additional security controls should be added to
the questionnaire and, if so, customize the questionnaire appropriately.
The goal of this document is to provide a standardized approach to assessing a system. This
document strives to blend the control objectives found in the many requirement and guidance
documents. To assist the reader, a reference source is listed after each control objective
question listed in the questionnaire. Specific attention was made to the control activities
found in the General Accounting Office's (GAO) Federal Information System Control Audit
Manual (FISCAM). FISCAM is the document GAO auditors and agency inspector generals
use when auditing an agency. When FISCAM is referenced in the questionnaire, the major
category initials along with the control activity number are provided, e.g., FISCAM SP-3.1
.
The cross mapping of the two documents will form a road map between the control
objectives and techniques the audit community assess and the control objectives and
techniques IT security program managers and program officials need to assess. The mapping
provides a common point of reference for individuals fulfilling differing roles in the
assessment process. The mapping ensures that both parties are reviewing the same types of
controls.
The questionnaire may be used to assess the status of security controls for a system, an
interconnected group of systems, or agency-wide. These systems include information,
individual systems (e.g., major applications, general support systems, mission critical
systems), or a logically related grouping of systems that support operational programs (e.g.,
Air Traffic Control, Medicare, Student Aid). Assessing all security controls and all
interconnected system dependencies provides a metric of the IT security conditions of an
agency. By using the procedures outlined in Chapter 4, the results of the assessment can be
used as input on the status of an agency's IT security program.
1.2 Federal IT Security Assessment Framework
The Federal IT Security Assessment Framework issued by the federal Chief Information
Officer Council in November 2000 provides a tool that agencies can use to routinely evaluate
the status of their IT security programs. The document established the groundwork for
standardizing on five levels of security effectiveness and measurements that agencies could
use to determine which of the five levels are met. By utilizing the Framework levels, an
agency can prioritize agency efforts as well as use the document over time to evaluate
progress. The NIST Self-Assessment Guide builds on the Framework by providing questions
on specific areas of control, such as those pertaining to access and service continuity, and a
means of categorizing evaluation results in the same manner as the Framework. See
Appendix C for a copy of the Framework.
2
Security Self-Assessment
Guide For IT Systems
1.3 Audience
The control objectives and techniques presented are generic and can be applied to
organizations in private and public sectors. This document can be used by all levels of
management and by those individuals responsible for IT security at the system level and
organization level. Additionally, internal and external auditors may use the questionnaire to
guide their review of the IT security of systems. To perform the examination and testing
required to complete the questionnaire, the assessor must be familiar with and able to apply a
core knowledge set of IT security basics needed to protect information and systems. In some
cases, especially in the area of examining and testing technical controls, assessors with
specialized technical expertise will be needed to ensure that the questionnaire's answers are
reliable.
1.4 Structure of this Document
Chapter 1 introduces the document and explains IT security assessments and the relationship
to other documents. Chapter 2 provides a method for determining the system boundaries and
criticality of the data. Chapter 3 describes the questionnaire. Chapter 4 provides guidance on
using the completed system questionnaire(s) as input into obtaining an assessment of an
agency-wide IT security program. Appendix A contains the questionnaire. Appendix B lists
the documents used in compiling the assessment control objective questions. Appendix Ccontains a copy of the Federal IT Security Assessment Framework. Appendix D lists
references used in developing this document.
3
Security Self-Assessment
Guide For IT Systems
2. System Analysis
The questionnaire is a tool for completing an internal assessment of the controls in place for a
major application or a general support system. The security of every system or group of
interconnected system(s) must be described in a security plan. The system may consist of a
major application or be part of a general support system. The definition of major application
and general support system are contained in Appendix C. Before the questionnaire can be
used effectively, a determination must be made as to the boundaries of the system and the
sensitivity and criticality of the information stored within, processed by, or transmitted by the
system(s). A completed general support system or major application security plan, which is
required under OMB Circular A- 130, Appendix III, should describe the boundaries of the
system and the criticality level of the data. If a plan has not been prepared for the system, the
completion of this self-assessment will aid in developing the system security plan. Many of
the control objectives addressed in the assessment are to be described in the system security
plan. The following two sections, Section 2.1 and Section 2.2, contain excerpts from NISTSpecial Publication 800-18, Guidefor Developing Security Plansfor Information Technology
Systems, and will assist the reader in determining the physical and logical boundaries of the
system and the criticality of the information.
2.1 System Boundaries
Defining the scope of the assessment requires an analysis of system boundaries and
organizational responsibilities. Networked systems make the boundaries much harder to
define. Many organizations have distributed client-server architectures where servers and
workstations communicate through networks. Those same networks are connected to the
Internet. A system, as defined in NIST Special Publication 800-18, Guidefor Developing
Security Plansfor Information Technology Systems, is identified by defining boundaries
around a set of processes, communications, storage, and related resources. The elements
within these boundaries constitute a single system requiring a system security plan and a
security evaluation whenever a major modification to the system occurs. Each element of the
system must1
:
• Be under the same direct management control;
• Have the same function or mission objective;
• Have essentially the same operating characteristics and security needs; and
• Reside in the same general operating environment.
All components of a system need not be physically connected (e.g., [1] a group of stand-
alone personal computers (PCs) in an office; [2] a group of PCs placed in employees' homes
under defined telecommuting program rules; [3] a group of portable PCs provided to
employees who require mobile computing capability to perform their jobs; and [4] a system
OMB Circular A-130, Appendix III defines general support system or "system" in similar terms
.
4
Security Self-Assessment
Guide For IT Systems
with multiple identical configurations that are installed in locations with the same
environmental and physical controls).
An important element of the assessment will be determining the effectiveness of the
boundary controls when the system is part of a network. The boundary controls must protect
the defined system or group of systems from unauthorized intrusions. If such boundary
controls are not effective, then the security of the systems under review will depend on the
security of the other systems connected to it. In the absence of effective boundary controls,
the assessor should determine and document the adequacy of controls related to each system
that is connected to the system under review.
2.2 Sensitivity Assessment
Effective use of the questionnaire presumes a comprehensive understanding of the value of
the systems and information being assessed. Value can be expressed in terms of the degree of
sensitivity or criticality of the systems and information relative to each of the five protection
categories in section 3534(a)(1)(A) of the Government Information Security Reform
provisions of the National Defense Authorization Act of 2000, i.e., integrity, confidentiality,
availability, authenticity, and non-repudiation. The addition of authenticity and non-
repudiation as protection categories within the Reform Act was to stress the need for these
assurances as the government progresses towards a paperless workplace. There are differing
opinions on what constitutes protection categories, for continuity within several NIST Special
Publication 800 documents; authenticity, non-repudiation, and accountability are associated
with the integrity of the information.
• Confidentiality - The information requires protection from unauthorized disclosure.
• Integrity - The information must be protected from unauthorized, unanticipated, or
unintentional modification. This includes, but is not limited to:
• Authenticity - A third party must be able to verify that the content of a message
has not been changed in transit.
• Non-repudiation - The origin or the receipt of a specific message must be
verifiable by a third party.
• Accountability - A security goal that generates the requirement for actions of an
entity to be traced uniquely to that entity.
• Availability - The information technology resource (system or data) must be available on
a timely basis to meet mission requirements or to avoid substantial losses. Availability
also includes ensuring that resources are used only for intended purposes.
When determining the value, consider any laws, regulations, or policies that establish specific
requirements for integrity, confidentiality, authenticity, availability, and non-repudiation of
data and information in the system. Examples might include Presidential Decision Directive
63, the Privacy Act, or a specific statute or regulation concerning the information processed
(e.g., tax or census information).
5
Security Self-Assessment
Guide For IT Systems
Consider the information processed by the system and the need for protective measures.
Relate the information processed to each of the three basic protection requirements above
(confidentiality, integrity, and availability). In addition, it is helpful to categorize the
system or group of systems by sensitivity level. Three examples of such categories for
sensitive unclassified information are described below:
• High — Extremely grave injury accrues to U.S. interests if the information is
compromised; could cause loss of life, imprisonment, major financial loss, or require
legal action for correction
• Medium—Serious injury accrues to U.S. interests if the information is compromised;
could cause significant financial loss or require legal action for correction
• Low—Injury accrues to U.S. interests if the information is compromised; would cause
only minor financial loss or require only administrative action for correction
For example, a system and its information may require a high degree of integrity and
availability, yet have no need for confidentiality.
Many agencies have developed their own methods of making these determinations.
Regardless of the method used, the system owner/program official is responsible for
determining the sensitivity of the system and information. The sensitivity should be
considered as each control objective question in the questionnaire is answered. When a
determination is made to either provide more rigid controls than are addressed by the
questionnaire or not to implement the control either temporarily or permanently, there is a
risk based decision field in the questionnaire that can be checked to indicate that a
determination was made. The determination for lesser or more stringent protection should be
made due to either the sensitivity of the data and operations affected or because there are
compensating controls that lessen the need for this particular control technique. It should be
noted in the comments section of the questionnaire that the system security plan contains
supporting documentation as to why the specific control has or has not been implemented.
6
Security Self-Assessment
Guide For IT Systems
3. Questionnaire Structure
The self-assessment questionnaire contains three sections: cover sheet, questions, and notes.
The questionnaire begins with a cover sheet requiring descriptive information about the
major application, general support system, or group of interconnected systems being
assessed. The questionnaire provides a hierarchical approach to assessing a system by
containing critical elements and subordinate questions. The critical element level should be
determined based on the answers to the subordinate questions. The critical elements are
derived primarily from OMB Circular A- 130. The subordinate questions address the control
objectives and techniques that can be implemented to meet the critical elements. Assessors
will need to carefully review the levels of subordinate control objectives and techniques in
order to determine what level has been reached for the related critical element. The control
objectives were obtained from the list of source documents located in Appendix B. There is
flexibility in implementing the control objectives and techniques. It is feasible that not all
control objectives and techniques may be needed to achieve the critical element.
The questionnaire section may be customized by the organization. An organization can add
questions, require more descriptive information, and even pre-mark certain questions if
applicable. For example, many agencies may have personnel security procedures that apply
to all systems within the agency. The level 1 and level 2 columns in the questionnaire can be
pre-marked to reflect the standard personnel procedures in place. Additional columns may be
added to reflect the status of the control, i.e., planned action date, non-applicable, or location
of documentation. The questionnaire should not have questions removed or questions
modified to reduce the effectiveness of the control.
After each question, there is a comment field and an initial field. The comment field can be
used to note the reference to supporting documentation that is attached to the questionnaire or
is obtainable for that question. The initial field can be used when a risk based decision is
made concerning not to implement a control or if the control is not applicable for the system.
At the end of each set of questions, there is an area provided for notes. This area may be used
for denoting where in a system security plan specific sections should be modified. It can be
used to document the justification as to why a control objective is not being implemented
fully or why it is overly rigorous. The note section may be a good place to mark where
follow-up is needed or additional testing, such as penetration testing or product evaluations,
needs to be initiated. Additionally, the section may reference supporting documentation on
how the control objectives and techniques were tested and a summary of findings.
3.1 Questionnaire Cover Sheet
This section provides instruction on completing the questionnaire cover sheet, standardizing
on how the completed evaluation should be marked, how systems are titled, and labeling the
criticality of the system.
3.1.1 Questionnaire Control
All completed questionnaires should be marked, handled, and controlled at the level of
sensitivity determined by organizational policy. It should be noted that the information
7
Security Self-Assessment
Guide For IT Systems
contained in a completed questionnaire could easily depict where the system or group of
systems is most vulnerable.
3.1.2 System Identification
The cover page of the questionnaire begins with the name and title of the system to be
evaluated. As explained in NIST Special Publication 800-18, each major application or
general support system should be assigned a unique name/identifier.
Assigning a unique identifier to each system helps to ensure that appropriate security
requirements are met based on the unique requirements for the system, and that allocated
resources are appropriately applied. Further, the use of unique system identifiers is integral
to the IT system investment models and analyses established under the requirements of the
Information Technology Management Reform Act of 1996 (also known as the Clinger-Cohen
Act). The identifiers are required by OMB Circular A-l 1 and used in the annual OMB budget
submissions of the Exhibit 53 and 300. In light ofOMB policies concerning capital planning
and investment control, the unique name/identifier should remain the same throughout the
life of the system to allow the organization to track completion of security requirements over
time. Please see OMB Circular A-l 1, Section 53.7 for additional information on assigning
unique identifiers. If no unique name/identifier has been assigned or is not known, contact the
information resource management office for assistance.
In many cases the major application or general support system will contain interconnected
systems. The connected systems should be listed and once the assessment is complete, a
determination should be made and noted on the cover sheet as to whether the boundary
controls are effective. The boundary controls should be part of the assessment. If the
boundary controls are not adequate, the connected systems should be assessed as well.
The line below the System Name and Title requires the assessor to mark the system category
(General Support or Major Application). If an agency has additional system types or system
categories, i.e., mission critical or non-mission critical, the cover sheet should be customized
to include them.
3.1.3 Purpose and Assessor Information
The purpose and objectives of the assessment should be identified. For example, the
assessment is intended to gain a high-level indication of system security in preparation for a
more detailed review or the assessment is intended to be a thorough and reliable evaluation
for purposes of developing an action plan. The name, title, and organization of the
individuals who perform the assessment should be listed. The organization should customize
the cover page accordingly.
The start date and completion date of the evaluation should be listed. The length of time
required to complete an evaluation will vary. The time and resources needed to complete the
assessment will vary depending on the size and complexity of the system, accessibility of
system and user data, and how much information is readily available for the assessors to
evaluate. For example, if a system has undergone extensive testing, certification, and
8
Security Self-Assessment
Guide For IT Systems
documentation, the self-assessment is easy to use and serves as a baseline for future
evaluations. If the system has undergone very limited amounts of testing and has poor
documentation, completing the questionnaire will require more time.
3.1.4 Criticality ofInformation
The level of sensitivity of information as determined by the program official or system owner
should be documented using the table on the questionnaire cover sheet. If an organization
has designed their own method of determining system criticality or sensitivity, the table
should be replaced with the organization's criticality or sensitivity categories. The premise
behind formulating the level of sensitivity is that systems supporting higher risk operations
would be expected to have more stringent controls than those that support lower risk
operations.
3.2 Questions
The questions are separated into three major control areas: 1) management controls, 2)
operational controls, and 3) technical controls. The division of control areas in this manner
complements three other NIST Special Publications: NIST Special Publication 800-12, AnIntroduction to Computer Security: The NISTHandbook (Handbook), NIST Special
Publication 800-14, Generally Accepted Principles and Practicesfor Securing Information
Technology Systems (Principles and Practices), and NIST Special Publication 800-18, Guide
for Developing Security Plansfor Information Technology Systems (Planning Guide). All
three documents should be referenced for further information. The Handbook should be used
to obtain additional detail for any of the questions (control objectives) listed in the
questionnaire. The Principles and Practices document should be used as a reference to
describe the security controls. The Planning Guide formed the basis for the questions listed in
the questionnaire. The documents can be obtained from the NIST Computer Security
Resource Center web site at the URL: http://csrc.nist.gov .
The questions portion of this document easily maps to the three NIST documents described
above since the chapters in all three documents are organized by the same control areas, i.e.,
management, operational, and technical.
Within each of the three control areas, there are a number of topics; for example, personnel
security, contingency planning, and incident response are topics found under the operational
control area. There are a total of 17 topics contained in the questionnaire; each topic contains
critical elements and supporting security control objectives and techniques (questions) about
the system. The critical elements are derived primarily from OMB Circular A- 130 and are
integral to an effective IT security program. The control objectives and techniques support
the critical elements. If a number of the control objectives and techniques are not
implemented, the critical elements have not been met.
Each control objective and technique may or may not be implemented depending on the
system and the risk associated with the system. Under each control objective and technique
question, one or more of the source documents is referenced. The reference points to the
9
Security Self-Assessment
Guide For IT Systems
specific control activity in the GAO FISCAM document or to the title of any of the other
documents listed in Appendix B, Source of Control Criteria.
\ /I qn cxrif* yy\ n t i Antrf\lcIVlallatiCIUCIU ^UllLIUl3
1 . KiSK Management 9. Contingency Planning
z. Keview 01 occuniy v_omrois 10. Hardware and Systems Software
j. L.ue i_ycie Maintenance
4. Authorize Processing (Certification 1 1 . Data Integrity
and Accreditation) 12. Documentation
5. System Security Plan 13. Security Awareness, Training, and Education
14. Incident Response Capability
Operational Controls
6. Personnel Security Technical Controls
7. Physical Security 15. Identification and Authentication
8. Production, Input/Output Controls 16. Logical Access Controls
17. Audit Trails
Figure 1 . Topic Areas
In order to measure the progress of effectively implementing the needed security control, five
levels of effectiveness are provided for each answer to the security control question:
• Level 1 - control objective documented in a security policy
• Level 2 - security controls documented as procedures
• Level 3 - procedures have been implemented
• Level 4 - procedures and security controls are tested and reviewed
• Level 5 - procedures and security controls are fully integrated into a comprehensive
program.
The method for answering the questions can be based primarily on an examination of
relevant documentation and a rigorous examination and test of the controls. The review, for
example, should consist of testing the access control methods in place by performing a
penetration test; examining system documentation such as software change requests forms,
test plans, and approvals; and examining security logs and audit trails. Supporting
documentation describing what has been tested and the results of the tests add value to the
assessment and will make the next review of the system easier.
Once the checklist, including all references, is completed for the first time, future
assessments of the system will require considerably less effort. The completed questionnaire
would establish a baseline. If this year's assessment indicates that most of the controls in
place are at level 2 or level 3, then that would be the starting point for the next evaluation.
More time can be spent identifying ways to increase the level of effectiveness instead of
having to gather all the initial information again. Use the comment section to list whether
there is supporting documentation and the notes section for any lengthy explanations.
The audit techniques to test the implementation or effectiveness of each control objective and
technique are beyond the scope of this document. The GAO FISCAM document provides
audit techniques that can be used to test the control objectives.
10
Security Self-Assessment
Guide For IT Systems
When answering the questions about whether a specific control objective has been met,
consider the sensitivity of the system. The questionnaire contains a field that can be checked
when a risk-based decision has been made to either reduce or enhance a security control.
There may be certain situations where management will grant a waiver either because
compensating controls exists or because the benefits of operating without the control (at least
temporarily) outweigh the risk of waiting for full control implementation. Alternatively,
there may be times when management implements more stringent controls than generally
applied elsewhere. When the risk-based decision field is checked, note the reason in the
comment field of the questionnaire and have management review and initial the decision.
Additionally, the system security plan for the system should contain supporting
documentation as to why the control has or has not been implemented.
The assessor must read each control objective and technique question and determine in
partnership with the system owner and those responsible for administering the system,
whether the system's sensitivity level warrants the implementation of the control stated in the
question. If the control is applicable, check whether there are documented policies (level 1),
procedures for implementing the control (level 2), the control has been implemented (level
3), the control has been tested and if found ineffective, remedied (level 4), and whether the
control is part of an agency's organizational culture (level 5). The shaded fields in the
questionnaire do not require a check mark. The five levels describing the state of the control
objective provide a picture of each operational control; however, how well each one of these
controls is met is subjective. Criteria have been established for each of the five levels that
should be applied when determining whether the control objective has fully reached one or
more of the five levels. The criteria are contained in Appendix C, Federal IT Security
Assessment Framework.
Based on the responses to the control objectives and techniques and in partnership with the
system owner and those responsible for system administration, the assessor should conclude
the level of the related critical element. The conclusion should consider the relative
importance of each subordinate objective/technique to achieving the critical element and the
rigor with which the technique is implemented, enforced, and tested.
3.3 Applicability of Control Objectives
As stated above, the critical elements are required to be implemented; the control objectives
and techniques, however, tend to be more detailed and leave room for reasonable subjective
decisions. If the control does not reasonably apply to the system, then a "non-applicable" or
"N/A" can be entered next to the question.
The control objectives and techniques in the questionnaire are geared for a system or group
of connected systems. It is possible to use the questionnaire for a program review at an
organizational level for ascertaining if the organization has policy and procedures in place
(level 1 or level 2). However, to ensure all systems have implemented, tested and fully
integrated the controls (level 3, level 4, and level 5), the assessment questionnaire must be
applied to each individual or interconnected group of systems. Chapter 4 describes how the
results of the assessment can be used as input into an IT security program review.
11
Security Self-Assessment
Guide For IT Systems
The policy and procedures for a control objective and technique can be found at the
Department level, agency level, agency component level, or application level. To effectively
assess a system, ensure that the control objectives being assessed are at the applicable level.
For example, if the system being reviewed has stringent authentication procedures, the
authentication procedures for the system should be assessed, instead of the agency-wide
minimum authentication procedures found in the agency IT security manual.
If a topic area is documented at a high level in policy, the level 1 box should be checked in
the questionnaire. If there are additional low level policies for the system, describe the
policies in the comment section of the questionnaire. If a specific control is described in
detail in procedures, and implemented, the level 2 and level 3 boxes should be checked in the
questionnaire. Testing and reviewing controls are an essential part of securing a system. For
each specific control, check whether it has been tested and/or reviewed when a significant
change occurred. The goal is to have all levels checked for each control. A conceptual sample
of completing the questionnaire is contained in Appendix C. The conceptual sample has
evolved into the questionnaire and differs slightly, i.e., there is now a comment and initial
field.
12
Security Self-Assessment
Guide For IT Systems
4. Utilizing the Completed Questionnaire
The questionnaire can be used for two purposes. First it can be used by agency managers who
know their agency's systems and security controls to quickly gain a general understanding of
where security for a system, group of systems, or the entire agency needs improvement.
Second, it can be used as a guide for thoroughly evaluating the status of security for a system.
The results of such thorough reviews provide a much more reliable measure of security
effectiveness and may be used to 1) fulfill reporting requirements; 2) prepare for audits; and
3) identify resource needs.
4.1 Questionnaire Analysis
Because this is a self-assessment, ideally the individuals assessing the system are the owners
of the system or responsible for operating or administering the system. The same individuals
who completed the assessment can conduct the analysis of the completed questionnaire. Bybeing familiar with the system, the supporting documentation, and the results of the
assessment, the next step that the assessor takes is an analysis, which summarizes the
findings. A centralized group, such as an agency's Information System Security Program
Office, can also conduct the analysis as long as the supporting documentation is sufficient.
The results of the analysis should be placed in an action plan, and the system security plan
should be created or updated to reflect each control objective and technique decision.
4.2 Action Plans
How the critical element is to be implemented, i.e., specific procedures written, equipment
installed and tested, and personnel trained, should be documented in an action plan. The
action plan must contain projected dates, an allocation of resources, and follow-up reviews to
ensure that remedial actions have been effective. Routine reports should be submitted to
senior management on weaknesses identified, the status of the action plans, and the resources
needed.
4.3 Agency IT Security Program Reports
Over the years, agencies have been asked to report on the status of their IT security program.
The reporting requests vary in how much detail is required and in the type of information that
should be reported. The completed self-assessment questionnaires are a useful resource for
compiling agency reports. Below are sample topics that should be considered in an agency-
wide security program report:
• Security Program Management
• Management Controls
• Operational Controls
• Technical Controls
13
Security Self-Assessment
Guide For IT Systems
• Planned Activities
4.3.1 Security Program Management
An agency's IT security program report needs to address programmatic issues such as:
• an established agency-wide security management structure,
• a documented up-to-date IT security program plan or policy (The assessment resultsfor
level 1 provides input.)
> an agency-developed risk management and mitigation plan,
> an agency-wide incident response capability,
y an established certification and accreditation policy,
y an agency-wide anti-virus infrastructure in place and operational at all agency
facilities,
> information security training and awareness programs established and available to
all agency employees,
> roles and relationships clearly defined and established between the agency and
bureau levels of information security program management,
• an understanding of the importance of protecting mission critical information assets,
• the integration of security into the capital planning process,
• methods used to ensure that security is an integral part of the enterprise architecture (The
assessment resultsfor the Life Cycle topic area provides input),
• the total security cost from this year's budget request and a breakdown of security costs
by each major operating division, and
• descriptions of agency-wide guidance issued in the past year.
14
Security Self-Assessment
Guide For IT Systems
4.3.2 Management Controls, Operational Controls, and Technical Controls
The results of the completed questionnaires' 17 control topic areas can be used to summarize
an agency's implementation of the management, operational, and technical controls. For the
report to project an accurate picture, the results must be summarized by system type, not
totaled into an overall agency grade level. For example, ten systems were assessed using the
questionnaire. Five of the ten systems assessed were major applications; the other five were
general support systems. The summary would separate the systems into general support
systems and major applications.
By further separating them into groups according to criticality, the report stresses which
systems and which control objectives require more attention based on sensitivity and
criticality. Not all systems require the same level of protection; the report should reflect that
diversity. The use of percentages for describing compliance (i.e., 50 percent of the major
applications and 25 percent of general support systems that are high in criticality have
complete and current system security plans within the past three years) can be used as long as
there is a distinct division provided between the types of systems being reported.
Additionally all or a sampling of the completed questionnaires can be analyzed to determine
which controls if implemented would impact the most systems. For example, if viruses
frequently plague systems, a stricter firewall policy that prevents attached files in E-mail maybe a solution. Also, systemic problems should be culled out. If an agency sees an influx of
poor password management controls in the questionnaire results, then possibly password
checkers should be used, awareness material issued, and password- aging software installed.
The report should conclude with a summary ofplanned IT security initiatives. The summary
should include goals, actions needed to meet the goals, projected resources, and anticipated
dates of completion.
15
J
I
I
I
.8«
_ c< ej oX «s
Pi
< uf-»
%&0
XI
t3Sat
aeu
'«
cao
•(•<
a>3asa>•*»»
CO
A-1
B<u**aoU•s
»-«
pQes
H
in o\ ^ oo
00WD
wH
00
IT)
< < < <
00I—
1
OHOUH
wa<5
on
ois
Hzw
wa<<
< < <
ZOP<
swetf
uu<
zop<usPPiWua
ononOJUOeAa,
uCO
* s-
u
^ > wffl u fc« « J
N2o
p<
00
OH§U
<oH
M m inwo
i i i i i i i i i i<<<<<<<<< <
zopuwHOKlPh
<
§
O
B wW QPW
z<
oon2wPh
\o r- oo
onPO
zouHPP OOu
f—p <A-. P
Ph
I*
z" Uo zCTl
wo
PQO §os;
Oh u00
sawPzi—
i
<<Q
P<z
P<upQWQZ<
I t1 a
on OZ tnW. Z
OPh<
< sp £
x w 7Q w 6O —i <N
00
O&
OU
<
uWH
m ot ti i i
< < <
HP<Q
onPOp"
§z u< on
onwUU<i-)
<u5o
zop<yEPzwa j <iri \D h
onJ—<
H
A-2
J
ft,Oft c^ 4)
C/2
s
1/2
uoaas09
"31*vc
3
o
a>
5+*aa>
"O*ma>
92"'3
TSCAS
ES3
z£
s
cs
a.a<uO
©V9
©
s
z
a#©05
"3
W©
Q
V3
s
(A>>(Z)
T3
<w
aaoU<*«
o*»<*)
4»
>•43
©a
a_©"•*-»
oC3
-a
aaJS
••c
"Su«-<
OOo
s-«
a3oJSK
£-**I/)>CZ!
o
£03
A-3
cuD. C/°- c< w
.22
(/I
«5a
o
o-J
o
E3
o
a
CO
s
ISSoU
OH
Xi
tpfl
><
>•au
oT3ccs
Voo.uS3
A-4
-o
ou4—
»
u
H
I/)
•c
u£4)
«5
£CD
-4—
»
T3C
£*">
>>
•c3o<uCO
a
S<vOA
c93
2
4) 4>
o 3
do -5 os
111ill<» .g <U
= £8s i^ _r w<5 u io
4> 4>tt3
*2oo 5 o^ sr 4>1/3 o
c
IS
a
EE©
"8 aw o «a 3 •s
3i s
J If
1a
J «a5
VI4>
3el"S
1q>HOB53
«oat
>
w<v
IooJsB9uvIS
^
<3><•<">
t
.3su
0
I
B
sM«B
J*
2
ta(A0)
•• i
I «
©?!
'
c"5 A
Bo
IeouEutS>«CO
CUbo
E <=>
tS °°
i~urSoo
00
.5
.3
-a"w*»Bu
Iuo
CD
•»3
o
C60u
a
•3%») I)
S3i/i "O
s s
a
A-5
-
sa*
EEoU
3 .2 £« .ffl «
2
a
1-1 4i
8
a.
ft.
aw4>
HT3a
v
«u1i
'So"3
coU
T3
crSo
t/Tuuu3O
s
0>
5s
8eg
a •
CO ,
T3USgu
c(Ua)-o
ca
6cca
E Z£ ogo
cfl St
M &<"< E«
Q G Q»,M <U Co
Si 3 S35 T3 Sfe
«J CB
^ c
CG —
•
xu
— *g ca
-2
f>u
cwaj
43
i©
C
5 4>
BJ ^>< 55
G U
1^U JO
a g
Ir—<
*-*
— T3
ca00
E
ca
cruTJC3
<UCJca
T3,
c
o
.a *** mmu 15
« s
Baa3 *i= C u3 O «h« « o*3 .is "3
•a « ?SJS 4)
B t« S!- 32* <*>
£ Se. «° 5,O 5?
u a.
T33C8
T31)*—
'
CwE3oo-oCO
ca q
6 goo «
nj 'ca
E E
35
ca
§oca
9?
i©
S3
5o
o
J3 a.rS p3
17 w <^2 iff
oJ= cO_ wao .SP
•a G
si
ootNca
§>
•a
C8T3
"uas
'3
aG(U
E00ca
AS
omioo
oo
GOCSO
3P,
Op,to
CO
ca
A-6
99
oU*<aoU>>-*»
TSS)wa»
C0
o
<u ."2
"si
s5
B
ES©U
1"J 2-J
I
j i
3
-3gsft.
ft.
TSa
wa* w
o .si
1|S HUuC
60
5
3
v. <=>
0 $
5S
a0y
i
05
S
>»«i
V Sjg <u
<m XIO Ifl
J8 S
ao
tf3 e
a>*-
>.
-= V C3
1- -a2 5
o 5
I o1'Sc aa Q
a o_ <aS
3
X")
Si
s *°
S3 wJ2 'C33 3 g—1 C 1
- §">
cuI
>cO
"9
c
9o
t— o< Im -a
a• ©
0O
A-7
.2
"5
B
EE©
•a
sl
«
«1Pi
V5 gJ
J?
J 8
1e
">|
cE
3
w2
—
a-
o
-a
O
o HUuC'3wo.
co
" X
i-iC «
- 1-1
e a
.5 ^
00 sE £
S 3^
ofc)
coo
8925cuP,
00c
CO
c^ 2•C Z3 Wo _CO • —
C3 E« Si
cu
3B
>>-oC N
CO c
< cm -a e
u
.£ 3
es >** u
3 Oi
C £« c5
E ^.
a « c« .s »s s
£ 8 J
COGOw
>>1 on?
*uE ac
cBT3 'aU 3
oE
> s <u
CO uffe
ing_>
u oro ffe
P« uu SJ001* 1-4V c
-5
CO
suri
CO cce
tN s nd(N
E
A- 8
9i
13>>US3
en
I * S
o 1/1
"43.{£
2 c<S3 «
13o
• i-«*->
c
4)H3&
H. ri
0) O
S3 S u
§ I s>> °r_ O
I!5 B
a
t-C
,o
13>
II*
3 «o
3 H
"a
s
13
-a
§ £ a 8
5 o 2 £
IS
2a
ca>
EEoU
s
*1
1c
E
2
-aa«
V
•au"ST* *
Oo 5Js
*
§HUwsw<wa
I
3
89
u
w
c oa* —s g
S E
w «
fi SB
a
ommt
4»
a"©
©
E
Eu»-»
ca
>>
O
>
i
"5
s
9
«N =0
=8
5;
C50
•5
m T3
U3
-a
c
aV.
ad
II>c
u
llS s
g s
i g3 3
a u
O tJ
S I
w O<u -a
<— o
I
3
o£Bc'5
E
A-9
V)
a«Ssou
a
2|1
a.
J 1£
m 0-
13a«Hi
1u-—> V
O .g1
£ J§2 u
o HUuC'w9a
u
*3
.S
requ ired
3u cr<u
<L>
u U
oenu <u
0Qin u
o to<u >•
rn c/1 C/3
Q
c
.5?
Su
3R
s
1
oo
„ o- toCUk'«
fc!
Elw
^ C
« s
C o3 CQ £>
m to
Cu."2 Hg «o is
5 &
C CD
o c« c
J? ^
<* ,« jS
c-i £ 53
s°o
-2
c ooo en
•5 ^o
g2uu
T3a
c .9
-c
w >i »
p ta
p, yp. o* S
< ?
O "p
u
TDOPho
Cu o
•auuo
-I
cs
S3
So
• om cj
S ft
co6
oocp,
60
3oc/5
caj
E3
-a 73c co -™
.a s
M
o <S
^ COr— OJ
• cr
ro Pi
IDU
-2
s
>OT3Ca
"S r"
u (U
S 5S -a.3 u3 <->
a- p>^ p.
oo
OO
S3
I
A-10
.23
3(3
aso
I"5 E
1a
a,
^ ft.
*0a
V
IV 09
O Ili5 HUoJK'3
8.CO
00
CB
is
trt
CO
•acCO
T3U£
T3
.5 c
U o
°o
i
"O Q_£ S3
5 ^eg
3 M.3 jb
8 2
o JB
S3
— to
IT- "o 8 jg
2'ob_o
Jou—
'
us
<9
s«ob S° iS
a o</> **« DC
"S .5a> -CS3 v)
© fis **
JSOA9©
ao
ai
en +;
2 <«
J3 £rj uexo
•c3oo>09
*m0DOc
aS3O
iu
OJu09
S3 ^
§oo-o•aeC8
uo3-acoo
to is
H §
-a E« |<U JO
h£ u
O trt
is «s *
c 65 tx
w utrt >
in a
-83U.3
o
tg•3oe
i
C.2
sg
I Eo13 rg
S o
T3U•a E E
3 uCB U
^>trts
«B9
whe
ols ve
t-. icont
itrt
secui
velopbeen
u"0
to u isu.s
on
cn "En u
oo
I
A-ll
c
EEoU
< i
1 1
< «
00
"5§ p8 .8 £pa 4S 1* a S2°
'.1
3
i E—J v
cE
I2
-3 oa.
X!cre
09
u.—, m5 BO _o
o HUwIS"u<uQ.c/3
a« -2
9 tSSPJ§
C S3
^ 01
C CO u
°0
I©©a,to
03
€ 2
0i «*
JC
2 1,4) 01
ID _C
S ^n. §>ex -
3 S3
2 -g
1 oE ex
Ca -i °o
c
£>a
ex
'C t>-
U <U4> >01 o6 exo ex
©»<
i
§5
s
Q
10i
01 q
T3
ex
>73
73©01 <i2
I oS a,0i K
a
o
i
0O
b 2
u S> .3w 5
« %§ ^03 T3
01 (0
01
E
01>^01
T3U•—
'
0)
Ccoo1-
exi>
c
ex
?^
•c3uu03
E
03>%01
u
Mo a
urr
u
i
3U
G
1
~i 0o
4j03
A-12
a
E£oU
IsS
i
a.
aco
uo
O co
& 8\
t-
Oco
00(
I
CO
En
u
cu6o5,
S
u
U Nis ;s
> CO
A-13
OS
X!
aVSS©
71 .2CO .8
i
1*> 2
J r8
S3
rj |J 5aE
"2
sa.
*7 Rsi
i/i
'3
W
H
v£••coV
o©
aoUw«=•sa>
Q.
4c©*«»
IB
tU—
-
soa
cu
1 =
'-S
2 «
s "32 ©
© u
3gG
1Vuh.
1
cu
© s
5 3
VX3
rr X
guuea
<nOfu©
cD
5*
T34)
*oa5u
1o
a,CO
So
T3
a, oE tu
00
Xi
oucuu
c S0 Oa c1 c-i .5?
-awu-a
cj ^3
"-I
C L S5 5 <
uc °i> CU
6 £P
uj 2<U JBco uc§
M ™•q w2 I2 MW £8
c: a>
-> J3
cU
00
00
ft,
CO
UiU3>
©
° &CO -f-i
0) CO
a>
EC Hr—< -»-»
cn1)
-auCuO13>u
cuu^3
00—1
I
cs
O0
S3
aoa<0
60.5
coO
2 Shp --»H-l CO
u
2>
X3U '
.
^
'
©'C
1 *
CO R>
00"-^
00
CO
CO
ca
EC
T3
o1
>
00C
o
o1couuaes
"EL
< ua• 4)
OO~>
oo
ft,
co
A-14
re
3c
EEag
1 ae
n 2
I*
i
3 1
§
31
3.1
3ST
'a
ua>
HT3Bre
to
Ia>'So"os-
eo
Cwwt/i
-a
CO
60
c x>
2 *9 113 53
00
I
§
re
2 c10
f^- 'to
—; c• o
3
00
g
_g
"a cu v-,N «
•n- co
- i hi si
C S3o re
E oo *»
60 oore g9 o
53 g33 o
* g3 5
-a .2S re
£ NU- . i—<U qa £0 op*a oc
1 re3
o „
to SE gto Oto CI.
|1i sare
aeDO
~ S<u re
B a>« aW ©
"re S
J £•** 5*^h-
U ». -G
<S **• to
"2 ro &
re»
.S 1to ©tO b.4U Q.
© M** «l
•p "2
a•
re »
coore
B,E8a-o«>
.9
P53
E
IES3
33
e-CO
.2"3cV
u
ZBou
A- 15
C5
9wCD
E0)
C3
0>
CO r—
I
t3 o
4J
Cfl to
—
'a
a0)
SEog
"8 aa o &i
«:pii
*1
a
J §a
In
9
u£a.
"""ft.
2a
'5
.=
oH•cB
_>•wuCJ
so
!coU
wCD
a
B
3ua*so
s
so
K
3cjis
0
1
Oo "n
En
£ E
so
Ecu t2i
i<B u« Sj
°" E
B .5
hi
£2 *
u "OV Bso «a e
CO XV) I—1 *- *-
>
I
Ia,
EuEu00
%E
Ecs
SO4)
to
Qj Fx
S5 <3
p,"0
.— IA
. a)in
OO00Ea
£, "5
O u
1oo
00*N
ei
ft,
»3
En50
o<L>aC/5
T3u
'Co
S oo
Eouhi
a
.a =S a
. -EfS -,
• to
A-16
"at
"3
c
EEog
T3
§1
IT. gJ i
B
*1
1S
Ja
0.
J<2
«5
a,
'S45W<u
H"3C«
U
es
"«u"5o
I(0
3 .23>
T3
COcO
T3Co+—
•
cuc3ou
53
IN
00
I
3
5; ^
u
9
W3si, j<
cs C
A-
0«
©b©U
c•303j-
aO
2 o*a "ao ,300 o
P, <U
3orcu
oo
"3, f?o01 C+3
_D D
cu~
-*-»
O oo
S £
a
<u
00
CM
"3 O
aCO
& .
5 ooO '—i
03
R, O o
00
C «3
WOW1112 CtJ oo1*5 c+h ™S O oo
a £>-3
g '£ ">O 3
oo <U c3 r3 CU
00
> o
ft 3
*§ s
& 8 §•
3 ILj^<u c &J
« 1 Iaj P, <tn
-5 ?»°
00 CO
8 -3 .2e S "£S O u° O oO Hi
4> X"3 oo tu3 aj __S Ja 73° C w^ r1 Nccj
1 i—\ COU oo
§ S 8DP,
H oo O
•c3ot/3
Baouo
Ph
00D 003 oo inoo c cu
.2 o £+3 00oo ccu Scr D
O w,£3
D DO +-«> g c
D © -g60 3? So
3 c2 <S
si oo
5b « <*H•r-< 00 O00 00D (5 r3T3 o ooo Cj O«3
3S e°s 5rj CO
3 2-3 DD^>'S
3
3P,
soo
cu>
CU
H
aD
'5 *3O oD 3oo £j
»- DS C3 --1
p,^2
§ 5d ."2
D .Soo D.22 S3^
33
13o
+- 00
2 S00
.5
o
00CU
3crcu
"a3
^ 00
a «5
abo 0/5
b dO j=3
cu ^3
SI
B
sEou
S sSou"I
«
aE
IS
1-1 &J »
a*
u
•O
O
g*-ao
£'Z
&
u3(Jaten"3
aa©
0,
§ 37* a£ s
a «£ «O C3** acu -r
« 3!
a a
a; a.2 «3 wc
? f<u £>- u< a
O
Si
5; ^
CD
>CU
a2 ^&«CO UT3 3JO ^O T3•—i a)73 B,
c «« S3
S*
a oo u
CD
Si £L -
5 S
Q% ^.2 ^a ^« S2a Cl
uHOX)u«13
c^i* C
Oo,
CU
ODaoea•a
T3
»1
-2sG
G
1
5 &
>'£ -a
Cu,
^ (Ut.
A-18
J9
42a
E
I
1
J If
"1
IES
3 iaE
8a
a.
eg
>
0)
os»
aoUw
ao
c«g
oCuCus
ea |»
T3
Ecu
>%>/>
B
c
c1-
55
wa
•5
uH
DOc
43
^ cu o
a, «0 .=
CO 43
1 -50 O3 «£8 <L>
<u rSa> S3
S cc OOh09CU
Is
I
u
*2 e—. 53. CO
>0 3
5;
cu
to T3c u§ -sJ3 .50
s «
r- Ov-<
00 u.
CO
y oo
8 so 13
1/3 si/i eguy oo
>- .3O, 358 3£ "15 oo
•3 -S ,
ft,
to
5
00»-<
I
CO
33Oy
uj uCU c3
00 40
tm
aDOeacu9w»
e3©
5 xi
a
S95in
s *•
w -S s 1CS c« w
•C £U aw ar4 w c« 2VO « « Of 43
o ~C3
co
S6 "2
aID cn
C8 CJO
OwO
fT3UC4>
S3
2 ft,
3 55
c
1
^ en
- S3
CCS
o'•5
5•ccua,
acu
CCJ
COUC
uw .« a,
Eu
i &2 *oc 2cu -55T3 3« ST
o
cu 3
* I
00C3
3cuCO
o
A-19
cs
^ c
-acu
asU3
< E
22
1C
a
E
I
a
* «—
a
1 I
Q.
S
3lJ ©r Pa
,6O5u*iaQuu5u
ucs
oB
eS3"O
-ac
Cs
Q
,1C 91 ^
wuuea
.2-—
»
at
.s .g
(J C
2 S
00C"5 ^£ o° c13 .2
c 65 °
s °G -o o
U Ct,
0 h
1)
u DOC S3
e
A-20
so33
©
a
Eaoim•ml>aw
«"3u
J*
0 S3
1 ais >—
<
.£) "e3
do -j2
.a -c
O 4J
II ao
B 60 ta
*—' (—i
wT3 O <U
5. 3 2„ * -
fl N 2fl 3
3 £? u
CO CD Q
to C <L>
05-ft %CO c
o 3
a a a
GOcaIs
iS ^ „.
oo ^ *a
5a a
8 ?
-a 13
CO
.8 a «CO>~> 'ea
1- BSouilli
•a
2c
sseU
"> 2J 2?
H
3
aS
31
a.
a*
9.21'5
X
HB«
>•auo»mmXO
1CO
a©aw**o
Cm
s
esola'>
Sw"Oa99
xa-
B
I
.8
5
09</>
4»9u
eVU
2 ua 3a 9
3 W
<* a
*aa
E
cuEu5 a"_ CS
SSu
•e "a
C9
5cr « -r" a u
E ,
2 ~ JS
c- "?
S3 o
«i E
-a xx 5C enO T3
'fl §s ta
5! a
uu(0
-a «xo3
Bo
o4J
uu">u-a
^ B
I s_ in>\ wi
M 8
It
cs?
EmCen O
5;
oa u «
o, ux(N O X^ 2 1r- x >x
y"2
a T3UEIsa3
u (0
u. O
1 &
° g-ca a
ou u
u x< u*t a b
A-21
ISB'5
«EEey
1
"O
o.
1
nft,
onO)
9CJ1'5
au
H"Baes
41
«2Oo
ce
uu*>w
J3
cj
T3Ucn
333
uSgy.-
T3
s
P N3 'CV oCJ — U
3 1
es jC" ej
H ° 2
C3
o
X3CJ
-2IS<u
3 mu c00 3
S 3
CJ :n
© SQ 3
^ 8 .
CJ o3 "5
3 „O i/J
r-- ftcj "Cft -a
-acj
300
58cj
13
w>
G
O
g "a
-5 8CO
Ts ^iic<u CO
a>oo3COXIocj
T3Ou
•~ ,o £q
c/s
Uuucs
C3
no,oi-.
ft8-
ft i3 -aus Hi
S3 "5M00
2 «. CJ
!-« >K .S
JS003O
•a"O CJ33
3eS
esO
<ys-
o J
tn 5ii OO cn
ipw tL>
.23 ft> CJ
5 3
r- C3
r-^ E
0
3
oftftes
s ijS 4>
ft «8 3
° o
3 3CJ cj
r3 "0it.
003 3
•2 5ui oa *&§s §
a 3CJ -S
2 cc?3
a cj
o. >CS
CJ _
^1
S5
CO CO
Co £2
3cj
>CJ
ft
A-22
.aes
!5
c41
EEoU
1 =
V5 g
^1J 8
1a
aS
1
to<U
3siBJ5u
H13a
•Iu
o1•IB3
3:1
4> OoU CO3 Uo 2CO >O
Oa,u
CO .2-a
•c 0i -c
a,
4>u
5 E4) gop £2 .2P >
w5, 5O co
S. S3
.3 O
1
I
60
EEo
<i
00
a,S3
m55
V Bs .E
2 C« '1
oo E•S >>
8 |U 00
| B
> CO>»
00eooo
T35•aa
e5
•/-> E
t~- CO
oo_c
u
5 S2 —
£ 4)
co J3-5 oui -a4) e
rr oo
'£ *y 4)35 co
"3
u
IP
CO
c
a
4>
u
2 ^3 11
4)"
co" *0
illr- a, a,
1 CO
e "94) O
M -a
a 34) CO4> „JD co
CO 4)"3 *
b§yuSXas
CO
atCO
U
f
24)
CO4)
3 8-
Is
s.12
uu0>
« Ea o
W t>— <U
.2 £a
A-23
CO
5
1
•5'
cw /-va,C/°< c< K
•-»
c4*
££
g
"2
« 1
1
.2 Q
J »E
-•1
—J uaE
-J 8ohi
ft*
oa.
t/j
v>s>
a.51"E-=
vH73=
£
p
sc
£ceyuC"3
a cn
00
o °c
-a Co
'Co"3
c3P>^
X>DOc
">
4)
c
uu
.a T>C/3 . r
C.2 o
u
00
5
I
-5
.. 3«• «c "C
a 0
fcd 5cs
15c£
C3
.—
u
!>"3V
ofa.
a
£
M
co
U
00
3«•a
.> t>.
£uto
< «
<*! 5
o Co
5 a,
3 J°
JOCS
oexw
A-24
03
01 C3if. •!-!
Q0
i
42(3
EEo
1 cO V
* 8
Si
aE
23gl'5
uVH"OsOS
«
w
£>
OofecOuuC
ou«»aoU3a.-**
s
$s
e.2
w3T3OUa.
sU
00
03•C
os00
V)<o-oaT3
00 «J
C500
S3
s
E
2 "g
Eau.is
u -s
rs S00 <
a*. ort oJ3 -~ -ou cat-, u3 u
C O« a
2 §« <->
* "3en 2U 3O TJo ri-i >a, ;g
2 c
2 I5 5
I
oo
C<1
CO
T3Vc•Sa
£ o1-, RSO a
oo 3 «s .5
3 4)
c S
8 eO W
oo
a, 3
« S
oo o
3&3OT3
3
« to
"3 E
°0
Io
a,ST)
Es,
I
-a
1 *
4)
< .£
^ g00 U5
o60a
oaen
«3
t
C3
00
a,to
ti <k. 3•a f
"a, Bc .Sc
&,"3 ba °a 23 ^2 E< op
00 E
A-25
I«
-8 a
3
J a1
J i—J w
D.
B
jfi
J 8o
6-
Itl
3cx
au3H•eeC3
to<V>
ua*
0ogco
u£'3u
oo
CO
X
C8
00
I
00
En
u(U
p,CO
00
.5
C3
00"-I
l
©oo
En
IIU O
I- to
to 00c
oo .O
ocu>c
Pu
oo*n
i
55cs00
55
En
EG
« §
(N CO
oo 6
> oo
^ OO
UN
T34>
00
T3
§"9
-ato
ET3W00«S
E-a
oo
i
555500
§3
En5T>
a
CO4)
00 "O
O
« fc
"° -nl- <u
45 Wco C
"O 00
E §^ oo 2
£J= >to "Oi—h CD
o &
OO"N
I
55©00
§3
En
CO0)
OO T3
A-26
on
.saaC3
s^>UaOAa•5aoU
*
ON
« boCU B
o .5
•9 a00
1-3
w SW ™ «8
« 3 g0 «5 <U
a 2 wu al—I
V3 CO
'18
CO £3 C8
-I h .a
Sis1 S »3 a *o
u,CC5
CO
CO CO
CD
a -a
00 —• </)
.£ S aa .55 to
S C 6co cj mPi en "3
^ a *3y o -
Cfl
ao
a -a .g
oo S 'Ca -3 3 .g
S 11 aO *3 EX
.3
sa
42s
sEo
1 =o v
*S J
1«Q 2-J £
I
3 i
aS
"8
—3 °
cn
ss
o'3
VHaa05
50V
u•«£>
oI*sao
uISwaCO
a*3<JIk
0
1MQeaa«
e
a•aa©
U9aco
"Oa
u•ai.u
a
E
©X
la3*»aa.
aowwoa
a ^3a •CO «Wt. a•a 13
-a "S*• .«
"2 °a *>
8 1SB ~a v>
© *».5 W« a
a. «
52 &S 32a ycs as6" -Q
°3
o
ucu3O"
CO
0CO
co
ci
oo
3
^ c
a
auo
J3w
cu
a'fio
&m £>•
p ia
° &
if
o\ o
fo
a ^o
oo U
T3
au4>-QCOu
co"COh00 >.9 281 s
(3oS "°
• CO
8CUat
a03
>>waooaaa©
•s s aa >a 2a aat at
s -g— ua a•a S
• 2 S©s S "O
"5Su<S
U
•au>s
§
u
C. co
Ox
COU
1a
u>o
COCOaCO
s
^ CCN Op
CNON Bj
CO
JO
A-27
&
3=4)
ssoCJ
3 s_ opa 1
1
So
e
aE
.2"'3
4=4*sHt)aea
co<u>"Ccj
o
tooOustCfl
o
2u
cfl
eo
f!cu
IDOc•co
uto
•S 5*GO r»
SS §
o 2u
00
a-»—
'
CO
E(L>—
i
"3 wCJCCS
c
Os cn
CuE
cfl <D— CU
6bcs
cfl
fOS3X>T3CU
Go-*-*
CSo_o
ua ftcfl D
in
"1 I<N UcK IS
°0
I
CsOSoo
f<3
O —
2 5
oo.£'5
cu
«CUCOCU
3
E |CO ,0
<U cfc
^ CD
00 OCN to
ON' 2
E gcu G« -cct3 p.T3 a>
S -SUS *E
CO
3
00 T3
° 1co C
5 >»cj 55
93 IE
cu
<as
ca
&>Ocu
00cuCN «-»
TJCU•*>»
oCU-*-»
£
S3OCO>,XIa,
aea
CU
6 ?3CJ "S
X> O Co
s £ £a «>> £cj «s
S'
c
s°sc n.O S3CJ _cu 13
£ o
O rQ
(N co
os "5
01
oCJ
s-
Ix
aCO
.. ^~ CJ
a sa> <u
E g>
3 c_ oes «.2 T»
•C"
SI ">
U «_ cu
o\ •<
T3cu
JS&,cu
CuOu
S3
•a
^cuCJ
cu
Su
_ cu<3\ co
A-28
Initials
Comments
Risk
Based
Decision Made
3"2 2J 5?
5
L.4
Tested
L.3
Implemented
i
3.1mi U£
Specific
Control
Objectives
and
Techniques
9.3.2
Are
employees
trained
in
their
roles
and
responsibilities?
FISCAMSC-2.3
NISTSP
800-18
9.3.3
Is
the
plan
periodically
tested
and
readjusted
as
appropriate?
FISCAMSC-3.
1
NISTSP
800-18
XI
o
<U .S co
» ^ s« o -°
do "io « c
o3as(U
CO
CO
43
HS3
o
p 45, >^ to
u & J3
43
o .S
C3
Oto
>o
oX to
c
HC3
at
c3
C3
43 C3OooCO
£^X e+—i
a o3
CO
"2 6<L> Si
«*4o
o
ao
CO '
60 <
ga 43
.
33 °
tS oS3 Xu c<"1 • 1—*
+3 C3
eo
.503
sCO
1
1
O 'tS+> CO
bo §.a 3-
6 -53 g 1o *S
X oCO l-i
42 So -c-fcS O§ .22
O 43CD 03l-i
* 03
<D 43co +-*
03 XX o
S3 co
C3 CD
^43
COG5
CO
ao
93
co
gco CO
2 <u
S,43CT +3
s
E£
St =
1"2 £
a!
a
s 5i-" ii
a.
haI£0-
4 —ft.
4>
BO"
S3
J3u«H•ac«at
«u
|O
coguE'3<u
£M
u«
o
c3
M^>f/3
•as <Uea w" 2S3 C
a s
35 S
•aa
at
s4(
gS e
*-«
« 8.•B
'C « hUK CS
JUT)° « 2Fl H A
S ^_n """i w_
o -r 4- ^^ o ac co ~»o
.s. 3u fl k
•S 1 §uocesCV
a,X to
0 F-i
(9
E
5^O S
<NusU"5
8 » ^
£8 O
2^W5 O
o Cca KS
1—1 u
o g
O C3
l-, o
t+3•
c3Sca
on *3
CO Q£P c.5 o
65 wa, >o Ea> 3- gca
1
3
ca
'o
aouc
asu
ca q
A-30
53
a
£So
J §a
Sa.
e«
ucs
"2 a»
g >E V
S «
:| 5
o i
>ouc,o,
•as
co
T5<u
.2uoJ3
3C?
4*k.PS
I©
3oto
c •$
J °o" .5
<L> 38 1S -
o is
- 50 o
^ 5-+»» o
g 8
1 §?
4> "55
5 >?T3 1)
c«6w"a
i
so
a,CO
•au•owuc00p'5'5
T3 C--
a hsr s4) O
*-»to>>
•a sow a
a>
1
1
P o
E Poo aE
% §»P 8
C^ u<N E
3cjO
POoEouo,oI-ocp.
~. 00 <N oo
co
u.3 (>•
ex aa ois vs
Si
s 3a-
Of) ea
" 5^
i B
t+5
O
-a
T353
E «o 5
& ^« T3T3 CU r3
13 g.<upu
8
35;
T3U3w
¥ 1»J E
o °
d00
p-
p. ft:
O S3 ST3 3 D,
cn 2 >
2 3 &
< ts
PuE00
o cL
•c3US !>•
<+i TJO O
°*B «'S £
T3 OOJ P< W
3
KUS
cyto
o -33—< to
A-31
S3
5 JU3
T3Ceta
GO
aCU
£E©y
<3 .2 £a .s 13
s
a
1s
—< «aE
a.
a*sa1
aw
HTSS«
s
Oi-*-coUej
E•8
-a
>u
.2, * »
o
Cfl1
00
s
J2
— «co
« xi•p s3fe oO oB ZO S
co
5 o
5 *0
s I
.5 ex
<N
oo
S3
JS
00
CN©
"O o-iCJ I
•C U
§ §.S U
•s
ES3l-i
oo0cxCJ
d
-a4)
u
o
eg
c
w
<3
H cx
2 I
T3CJ
CJ
'?uIx
-a
T3a>-+-»
cu6a5T3
u
*o Eeg egu ooO CO
fc C£X s5
CJ Poo u
JSa
>oucx
cj
CJ FT"
S3
CJ00
CJ*-»
Ccj
E3ooT3
cj
ujs
occx
CJ
JS
*5 CJ
00
cx>>CJ S3^ c
o
CJ
g3uoT3
=0
00
CO
o g -a
CJ
cS3
CuEg,3crCJ
oj^-<
COO J3 Oin
w
T3a>oocs
cca
S
CJ m+S cj
>> s^ X5
•<. «»
S 5
00
d00
§5CJ
R) H mi K|F
ible,
tc-,
00alls)?
CAcaO
u CJ
In
a u oCO
hen rvic ervi
uCO up
sary
CO
Eu CO
if"CJ—J
ccj unne
ain—E
A-32
a0)
EEey
i
H2 %S
1
*1
1 1
21
a.
BJBu
•aa53
«>
>
so"©k.**BO
i«5
> aS u* S3
00
I
<=>
S3
So c >;— J2 a.
B
A-33
i-
00
i-i
o 53-»-»
23COI/)
o3
cuo
T> O ^g to^ do <u
S C 3
g 8 §
N X>
00 ^
O o-a g -2
03 CO
<-> 00
.2 -23 **
<U 3 <U
CO
cc3
03
03
BO -£ o£ -ao 0)
DO
75
52 .tj
C0>
E£©
<9
§.2
J 8f
•o
H
-J «aE
1U8
"a.
sJST
'SJ=
Haa«Eii
o>>u
so"o
Isc9gUIt-
's*
a
<"0
•5
Q
1
SJDO!
a
1-
I
so•C«e
2%a a>
3 -g
5 «© uXI os
1*8
«;3 B
i-5 -2
— —
acu
Ea>
w .2"3
'u
U
.5
3Ohf
<D
5(0
c.SP'35
t/5
=0
I
S3
— .woJ
— ex— 3
oo
<i
oo
S3
Eo3ni
i>
ou
4<
3© a
K OS
© *^ 0)
« 2 41
° - i'3 « 3
- a>
"O os ga = "°
3 3
c- Su at
BJD -3O) >3 O— hi
3«3 i^ -a S
3 3
-a 3
§ I
.si3 c/f
© 3hi 33 J«
2 -2V3 o3 U
a °3Oou
00
doo
S3
CM
0)
3OU"Ohj
o
3O
TO
.> o-*-»
U 33 "C
O.
s
CO
5;
5 §
3c
-ao3150
3 .S
o tu
00
ioc0O
S3
8 ^ ^o 2 ^
2 ^
3 hi.3 o
3 mT3
s -1
u w
5s
— O
3
A-34
03
a
EsoU
a
o
1e
iOh
acr
'Sxtw
HT3a
o1co
c2cau
•cu
00
cO En
£o
0 -
1 §2 «
wC"5CM
Cfl
3 g
8*1* I
cn CO
3 T3
oo
Iou««»
go
J Eu «
< >">en
—• c
CO~^
I
90
ft,
E-,
I
s 1O «gft
c c
li* 8.
C ^O'5 S3
0Q
00
E-,
S3
8 "O "3_ -o•S >
Si B
• 3
00S3
Oucd
T5—
S3O"Oo
ft
S3
S3O
1uS3uftus*** i>-
oo E
• 1*1
oo•">,
t
00
-a«on
9CoCOo
su
3ca
UE
OnfN
oo
I
00
ft,
5
A-35
Ba
u rvO, c^ 4)
.2
«a0)
E
oQ
5 2£? 3O w
8 -S
ii(/J
'3 a>
S3
G3
^3 «
<D o
as
CO
CD
C3
0)
co
«3
CO
a
CO
3cr
j2
at
£SoU
oS .2 '£
5
i-3 If
B
rr"2
1
n.
S
i
J 8©
-3 2
ena>
a
"3
JSatat
H"OcC3
at
«uwa0o
co
»a>
CM
f*1
59
"-1I
Ik
as«Sk
c
1
co
s
3ato
at
JB"5 ©
S »J3 cu
2 *fl Vs I2 g5 «
~Sat o
<3
as*g
atJ3
i-i »—i at
Q. at- i«
3
oo
S ^
I i9 s.
C CKU Cm> O
uE3uO
c.o
icuE3uoT3
3OCQ r^.U «^3 CDh oCO IB
- JSa &-S a.
oo
i
o00
mS2
tN
uon3OJS
T3 -a
J3 «g
5 o,
OO
I
°0
p-
m£3
< c
E -<9ft CJ
3 .|
T3 cn
0>
•a
JS
i
00
00
P-
E<5
5 T3« SO 03
JS ^3
K 2
^ cf
A-36
42aVE
1
1 a3 .2 ±«5 «
IP
•* ej
If
3 i
a5
ml wo
a.
'5
J5
Haacs
(A
>
o
eoU
s
auuuSP o
IS w2 «S3 SS- S3
° a
1.3S w•2 6
°0
CS
oo
a,to
pi fvi72
3
£po
00»N
l
cs00
ft,
"c3
33ca
e
o
OO•"•I
8 ft,
3 ^cj Co
£ *>>usw00
u
uv.
<OO
cs
OO
©©=0
isIsouoa.
,5soC3
JS
w•A
tN
«ao«a>aoas
£ SC 3
B S<u —
S I
llb< L.
i-i <
-a
G
E3Uo
<Ba>k.3"O0)
cS
—II
i Oo
^O oo
3 O
22
fS
OO
i©©OO
ka £2« >:
>,ucu00
.3
eoo
OO
i
C5
% =°
a?K on
E09
•c
au
6«
O "O
"3 S
•c s
c o
* 3o> o
oo
oo
S5
O. Co
us
o
< 3 N
ca
4>
003NCo
3 I
A-37
u1-'3
„ c< §
•5 1/1
« s
>^GO
cO
S3us
wa«WDa
.2«5-
HV)
B0*ha03
I
3u
u is
1:1
xi«S hii +-•
0)CD
CO Xl
<U CO
<D
0)
a<v
E
|©
1ir> ft
H
IB
<"1 gmi Sta
«Sfcl*3
w
a«
«3
O"ouc©U«=-—
«
u
oaOS
OAa
H
i
-23Si
0
1
09VaVmeg
•r es2 w3 su -3-« "O
DJD
IS
el
3cr
T503
T3eV
rs totrf CD— <u
OSU O
jo
co«J
»-
•c3u4>V)
s g<$>
u § S
u43
O
5"oC3
T3U_>'53
o
COu
O <
Cc
EuHi>cq
PC
00-I
I
CS
00
§3
E-i
£3
>es
ucq
2c§
uXI
CS
3CcCS
O»-»
CST3CCS
E
4)Xi
00
sSi
c
1
CO|Hu Oj
makpost
o*»»
u>>o
"C5,
em sec
CO Cf-c
oOareeth
E ?u CO
yelets
oA<o1 o
u X
OO
I
cso00
5
o
C3
C3oCOCO
>%oC cS;
U CO
S).g
2 |coCO
" SCS
£/)
s Iw oS; °CO Mi43 e,
oo
oo
A-38
en I
t/3 r
?5
S
I
A-39
01
sso
T3CUft c< w
;>>
N ~D
0>
«aaUa>
aoa<S
c-o•»"<
a a
a>
1/3
3 S
og
"11
"2
J s
afO
I
aS
SB01
3cr
c.B
o»
Ht»ccc
t/1
>u»
o"oEj
BOUwS3
o>
CM
I
3
ct QU
eoaSO0>
a0)
!5*3
c
oo
60U
13 a-b
£ u
U£ o
O CvJ
** a1*1
-
£
h. 95 a41 c S- X! «<«>;»•>3 £
&ouCOCoft,
c4)
oB
C3
—, cei
5:
oo
I
00
§3
?o
tO Oo
ooS'5
oft,w
u
3
2.1
13UUea
T3S
-a
Bu
"o &>•
E "O— a>
Si &% g
t S
oo
CI00
ft,
E«<
Eo
N5OJO
oo
"St- oo
^ -r
to oo
tO
U K&3 ^2
B
1T3Bg
B Bft u
T3i-. u< .9
<* JS
B^ S3
c
u'5uu
00—
i
<i
OO
to
ao">T3-5
en o
< «
in B• O— ft~
1)
A-40
sa
e
EEoU
I
J la5
sift.
soiaX!
"Oa«
s
u
Ioo
§
U
CM
3
So
issoy•a <>
§ |
g°
•g s
kgc s
c w•E CO
E<L)
-2 E~o 8t; «g
e
g.3
5^
91
o
.S §
§ y
09
CJ ug iCJT3U
Bu
S3Ew
os
IBo
cuuO+*on
E'3
§p1/5
B RJ
0 °
1 §
'C >-
g <£
U S
a3ft <L>
cO "W
00™
.E
tje£9
.Eu
eoUS00f-»cnW>S
•E'5 obft- E
£is
8U
4)
u
>oOin
W3 ,B
y b
3b ce a
a «<u oPi OEii
^2'3
wU*-»
Bft,
Eoyi~.
<uT3Od>
y
y-a
en
Du•S
yPi
ul-l
3o
.2
A-41
•3"
H
a,
00
S
I
A-42
CO
©
aoU«—«
at
su
H
1/1
SO
asy
a
3<
ao••cS5uCa
1/5
1/1 > cco £ as
H 3 T?
g ^
—I
<u 03
o .o
N
1'43
s
a
EEoo
"2
5
-r
J
a5
1
to
3a'aJS<y<u
HISs85
U4>
2©"a
ba0Uu
o
CO
ao'43
Mw•mm
C41J3
3<a«a©'43
S5uC•4=
av
3
Q
1
5 8
55
•?
XJ4)
«"43
a«
"S.. OS** ^c s11
« 1.a .5« «>
M 4>
. S
i-x -< O. —
09CO
uuues
§ §
is•S £ %*1
T3<BNcO
3
C01
t3u
_ >. a
-a
i•au
i
oo
a,to
?o
3
a:•7 SOto 00
CO00 CL
•— i-*"3 Uh
1 o
E^ Jm o
T3O•ao
I
00
i
s
ExCO
to C
J3Omm
to(h to
roO
to
sa.
A-43
aCU
S£oO
73
- O 41
cS 3
1
» i S•1°
V5 2J If
Q
1
aB
"8
uoi5-
1-5 9m £
'=
pSuVHtsees
>u.Si2O1coOuIS
uvP.
uoocs
o
Iu
§
iE?1)
E cw T3CO CUi— nVg
- +-»
I—i CO
<N
0
3
3»
-a ou -o43 a)
03 He Ico F
S Z— CS<U 43a 13
o bso 3i-i so1> Cp, cu
cu o<£ co
s
CO
c3 S3
in Cou
in cj
ocoT3to
3
E
.£
Ufc c-
co
03 -C
<N °o
cu
CU CUap -ac ocs cu
to —-O u.i- cuO US5
'
so
0 h
034>
* bP, Oo co^
<? 03
&
ca
3uF
S «
g|S 5-3. W
5 "3
3so O
CS O
Ua>a,CO
-a
«COC3UCD
OsucmD, s>
3-
CO
t) U UCO W B)
E'
. CUm 3r-i OJO
3 JSc o
CO U
o .5
^ OO
>J Coo £2
O•cua.
u, T3W «S 5S
5 sd
.5 p,*-» CO
C3 =3
.S
< -a
si— T3
c4=
•ao>,
"S,SO
-*0cca-a
Ososocfl
p.UAt
s>-asU£
C
<N oo
0§-s- oo
5 5
COT3t-i
o
so
ss1
p,
d>CO
ao
^ OO
U ^
p. I
2 c
W to
00o c
—;"3
• cir> ca— 4=
u3CU
oo
o- OS
g Co
.s §cu
3
to i- 2TJ p 'y
% T3so "so 3CS) F
I'
wco
—. CU
• 3
r— CO
co
O
COCS5
p.
A-44
J303
ae
aat
ESou
1 s
IJ J1 1 S
os
J ff
J 8
IB
«J IaE
•J 2
839ajs -
H .
o .
s .
es
>at« .
O3**BO
o
1sBV
o
wC'5at
a ,
cs
u.2fc.
3ouo
eis
ft,
1s1/1
celau U
as in
3a
> >B
"5b
oso•c«Ifuox0tVi
aatu
sat
Bat
£at
3uXI ">
uu
cJ3ceu
at
at X!i 3
BO
'-*->
u<a
at
_«"at
fcouE
e/s
>>tn
4}JS
41oQ
• Bl
in «*-« 3
Cs
1
i
Q.a -b> w2 -B
3 41«t St> 'SX) gO u'S
"
41 caB C£ .2
11a oo 6
m o
41
?Sc§•u.
&B
'S3
at
A-45
B
<
00
o
CoU
<"5u'Soo
SO
"5 *o
5b «o a >J3 £ J2
s
ESoU
pa .a"8
3a
1«« e«j if
H
2 I
a
5
(«at
sS""8
«a>
Ha«tO
>
ISo"3-aoUuC"Z«CM
c
aoUvwu<
"Sjd
©—
1
i
v.
-2"3
0
1
CS
so
k JV.
8 *»
£ e3 o
E c
B«OA
Ou
Cit <fi
e ">s <u01 u— uW 05
8 SflU « «'5 w>£S © fe
Sc! ©
uCD+*Ux>CO
is to
o ^u E
'C »3 tou to
to CJ
IIs 8u §— •£
. caVO B—
' 3
<N op
0343
« C
o -=
§1
S8 .2 ^ 00to V, D
» £ x 55
« o 0 h53
I 2? s 3E o
s .s
* s1—1 L/l
es OE 5a *
c 2O B
? 3
to^
u ou S
1^
13
o
3S3
3 gU COto £3O to
—• "C^ 3V
. to
1*3
w O
2 &i ^B 425o uU PL,to E?"O ca
to
BO
5 ^
^ gto r;
b to
S ^
Q o
^ 2 •
=
^ is §
A-46
2a*>
sEoU
3
s
IBj
2a2"'3
JSev4>
HT3B«
V•«u4>
Oia
C"3
8 13to -a
oCO <i>
53c
> a
o *3
•a ~a
^ E</-> «
C« r-H
touo*0
<uto
3to
a
£ S3
a •§
—
i
i
o
a i>
£ 'E
53 c*o\Sw ISCO fo
3§co C~ u
a c*
.2 >>
a<u to
°° "g
SO 8
00
00 0,a &3
> h£ So
COUT3
Uto3<u00
i3 £lS
2•au
0
5
213
u'>
"3o'5bo
43
c£? 3rS to
a w
o aW CO
T3 to«> a
2 .2 cv.
E > "Oco >> *jco *; co
y & «sCO C\> o
o a -S
*- 8 ca >
J3!
O
ehCU>eco
.. "S+» utu aS g
3 S
.a 5tSJJ
©
SXI ce<-» c«
£ 8
S3« O
A-47
as
c«u
S£
a
1 ao v
« | "S
PS
J f
Tf 18
I
S
8
SB
CO<U
ac-
Bw<u
H-aa«CO
"•Cu
Obp©UuCua >
t/3
3.2CDXX-
TEL,a3COI
oxicu>
ft*
oE2xwN
E'Ci-<
(3uuX)CO
uCD O'ECO2 .S
40
c S3 3o oCO CDCO CO
CO4>.R
-Si
33513*»R
S«0SO
ea
cs
Co
I
43
8
J3
Oo
So
6wCO?>CO
CD
43
»©"
X(D
gas
ECO
u
3 ^3CD
So
e oO X
"43 cU CD
a »
§5cj ca
OccoCJ
«N
0
C
.3 Xco
© 2 3S .2
<N O co• *-» CO
^£3 3 u
T342 §S .2ja £5P 8s ^
§ B
1 B.
1 25 ft•2 &CQrS CO4> CD
>~ VB
3 aH CD
CD CCJ
1
1
. CD
co
« co 5
CO
5
T3 Co
8 §+*»
'5
oECOCOCDOCJCO
00
ts
co
* 3• i-i CCJ
2 CD
E •£
8 tM 8CD CO
CD
O*-»
co -fSCO CJ1> jCOCJ ^CJ >~ ^« ° %CO CD CD
' i-_ CO QON ^ .43
fN XI 'EI" d
S3
5
C3
as00
CDU
u
o
°0
I
00
Co
—CD
<n 4S
2 S
io
x S,
-3 1
O •
X*xCD
43 >L
S.2o
«a
"3 ^? 8CD «
c*h -r
" "a.cn a
o
x
COCD
S)CD
coCU
•5•-CI
S
Rcu
SCO
SP
COO- coX "T
3 »oE co
n ^s ^
< •g
o
NO 3— C8
A-48
2
a
se©
1 aa .2 a
1w 1
1
aS
e
£a.
•iSo
S3
"S b« %
"5 ft,u o"9
3 S*"
55to 4)
IN
3S35:
I. OCO V}
" C u
uvpfl**a>™ s
a z& It« o?> h.
£ e
8 1an B
8 «u a.
SIg.J2
|"|*-» B(m OM U
X!
aB
a
C w
.a xi
B) a°> aTw |•S
"S *J
* gOA !S
* SB 9
•8
&u6(3OT30)
en
Oa>>w
IuCO
caCO
I
I
*0
A-49
OSuH-<>
•3
as
"2 c
OS
c
ESoU
"i 2J If
a
a
a1
ft.
3glasucu
H•asee
COn>•au'£
o"Ski
cog«is
"Z*>
CM
to —< °o
^ ^ ~T
^ ^ &5
a 0 h
Q£9
C3
H
s<
CD
!S
O w
to wu >u .-«
s
»s.5 *>^ CO
f 1
« ©£ B
coCOOa
OST5 M g
a a
ECOeo .2
M .2M O
p
oo
§a,
Eo
u-c
COOJ
OQ
60Goo
— 3
a- Sa, §co r
OO*-«.
i
S3
a -a
5,™ to
(N C
W3uaCOao
60
3 I
to60O
T3
.£
o
COcoU(J
& jro Om -b
cr- o
I
C3
OO
S3
m
co .aojo „
O O
T33 -OCO C
Ct_, ca
° »BO fe
2'•=
•3 O^ T3
-S 'C~ D
O CO
§ c2
^ I
Oo
I
C5
oo
c-. p,
oo
CO
COooo
T3
CO
j A-50
s'3
-3au5EoW
1IT'
jj
5
£a.
s&|'3
J3a<a
H•os«en
>39
o"3s-
B5
u
o
uX!
2 A «uX5
.a «
oO
IT)
£
IS
1
o5
n
I
00
5
COl~U
o S4> Oen cj
S
x>oc °o
VS3
eq En
*u
8cn
"8
to
-63cu
8<
00
Bp** K S3
en 4>3 Cen wO °O <U
1
1
as <a
a 82 c3 •-c3 en
8 "B
3 S
• "dP- 3—• CO
C«J
"D4>+-»
esM"-**»
enu>c
I
Is% 3o a'3 .2
-Co,ooo
•8en300Cso'3oEuO T3h Wtn ISSt" V38 Q
£ g
oo
00
A-51
Appendix BSource of Control Criteria
Appendix B - Source of Control Criteria
Office of Management and Budget Circular A- 130.
"Management of Federal Information Resources",
Section 8B3 and Appendix III, "Security of Federal
Automated Information Resources."
Establishes a minimum set of controls to be included in Federal IT
security programs.
Computer Security Act of 1987.
This statute set the stage for protecting systems by codifying the
requirement for Government-wide IT security planning and training.
Paperwork Reduction Act of 1995. The PRA established a comprehensive information resources
management framework including security and subsumed the
security responsibilities of the Computer Security Act of 1987.
Clinaer-Cohen Act of 1996. This Act linked security to agency capital planning and budget
processes, established agency Chief Information Officers, and re-
codified the Computer Security Act of 1987.
Presidential Decision Directive 63, "Protecting
America's Critical Infrastructures."
This directive specifies agency responsibilities for protecting the
nation's infrastructure, assessing vulnerabilities of public and private
sectors, and eliminating vulnerabilities.
OMB Memorandum 99-18, "Privacy Policies on
Federal Web Sites."
This memorandum directs Departments and Agencies to post clear
privacy policies on World Wide Web sites, and provides guidance
for doing so.
General Accounting Office "Federal Information
System Control Audit Manual" (TISCAM).
The FISCAM methodology provides guidance to auditors in
evaluating internal controls over the confidentiality, integrity, and
availability of data maintained in computer-based information
systems.
NIST Special Publication 800-14, "Generally Accepted
Principles and Practices for Security Information
Technology Systems."
This publication guides organizations on the types of controls,
objectives, and procedures that comprise an effective security
program.
NIST Special Publication 800-18, "Guide for
Developing Security Plans for Information Technology
Systems."
This publication details the specific controls that should be
documented in a system security plan.
Defense Authorization Act (T.L. 106-398) including
Title X, Subtitle G, "Government Information Security
Reform" (GISRA)
The act primarily addresses the program management and evaluation
aspects of security.
Office of the Manager, National Communications
Systems, "Public Switched Network Security
Assessment Guidelines."
The guide describes a risk assessment procedure, descriptions of a
comprehensive security program, and a summary checklist.
Federal Information Processing Standards. These documents contain mandates and/or guidance for improving
the utilization and management of computers and IT systems in the
Federal Government.
B- 1
Appendix CFederal IT Security Assessment Framework
Federal
Information Technology
Security Assessment Framework
November 28, 2000
Prepared for
Security, Privacy, and Critical Infrastructure Committee
by
National Institute of Standards and Technology (NIST)
Computer Security Division
C-l
Appendix CFederal IT Security Assessment Framework
Overview
Information and the systems that process it are among the most valuable assets of any
organization. Adequate security of these assets is a fundamental management responsibility.
Consistent with Office of Management and Budget (OMB) policy, each agency must
implement and maintain a program to adequately secure its information and system assets.
Agency programs must: 1) assure that systems and applications operate effectively and
provide appropriate confidentiality, integrity, and availability; and 2) protect information
commensurate with the level of risk and magnitude of harm resulting from loss, misuse,
unauthorized access, or modification.
Agencies must plan for security, and ensure that the appropriate officials are assigned
security responsibility and authorize system processing prior to operations and periodically
thereafter. These management responsibilities presume that responsible agency officials
understand the risks and other factors that could negatively impact their mission goals.
Moreover, these officials must understand the current status of security programs and
controls in order to make informed judgments and investments that appropriately mitigate
risks to an acceptable level.
The Federal Information Technology (IT) Security Assessment Framework (or Framework)
provides a method for agency officials to 1 ) determine the current status of their security
programs relative to existing policy and 2) where necessary, establish a target for
improvement. It does not establish new security requirements. The Framework may be used
to assess the status of security controls for a given asset or collection of assets. These assets
include information, individual systems (e.g., major applications, general support systems,
mission critical systems), or a logically related grouping of systems that support operational
programs, or operational programs (e.g., Air Traffic Control, Medicare, Student Aid).
Assessing all asset security controls and all interconnected systems that the asset depends on
produces a picture of both the security condition of an agency component and of the entire
agency.
The Framework comprises five levels to guide agency assessment of their security programs
and assist in prioritizing efforts for improvement. Coupled with the NIST-prepared self-
assessment questionnaire5
, the Framework provides a vehicle for consistent and effective
measurement of the security status for a given asset. The security status is measured by
determining if specific security controls are documented, implemented, tested and reviewed,
and incorporated into a cyclical review/improvement program, as well as whether
unacceptable risks are identified and mitigated. The NIST questionnaire provides specific
questions that identify the control criteria against which agency policies, procedures, and
security controls can be compared. Appendix A contains a sample of the upcoming NISTSpecial Publication.
The Framework is divided into five levels: Level 1 of the Framework reflects that an asset
has documented security policy. At level 2, the asset also has documented procedures and
controls to implement the policy. Level 3 indicates that procedures and controls have been
implemented. Level 4 shows that the procedures and controls are tested and reviewed. At
level 5, the asset has procedures and controls fully integrated into a comprehensive program.
5The NIST Self-assessment Questionnaire will be issued in 2001 as a NIST Special Publication.
C-2
Appendix CFederal IT Security Assessment Framework
Each level represents a more complete and effective security program. OMB and the Council
recognize that the security needs for the tens of thousands of Federal information systems
differ. Agencies should note that testing the effectiveness of the asset and all interconnected
systems that the asset depends on is essential to understanding whether risk has been properly
mitigated. When an individual system does not achieve level 4, agencies should determine
whether that system meets the criteria found in OMB Memorandum M00-07 (February 28,
2000) "Incorporating and Funding Security in Information Systems Investments." Agencies
should seek to bring all assets to level 4 and ultimately level 5.
Integral to all security programs whether for an asset or an entire agency is a risk assessment
process that includes determining the level of sensitivity of information and systems. Manyagencies have developed their own methods of making these determinations. For example,
the Department of Health and Human Services uses a four—track scale for confidentiality,
integrity, and availability. The Department of Energy uses five groupings or "clusters" to
address sensitivity. Regardless of the method used, the asset owner is responsible for
determining how sensitive the asset is, what level of risk is acceptable, and which specific
controls are necessary to provide adequate security to that asset. Again, each implemented
security control must be periodically tested for effectiveness. The decision to implement and
the results of the testing should be documented.
C-3
Appendix CFederal IT Security Assessment Framework
1. Framework Description
The Federal Information Technology Security Assessment Framework (Framework)
identifies five levels of IT security program effectiveness (see Figure 1). The five levels
measure specific management, operational, and technical control objectives. Each of the five
levels contains criteria to determine if the level is adequately implemented. For example, in
Level 1, all written policy should contain the purpose and scope of the policy, the
individual(s) responsible for implementing the policy, and the consequences and penalties for
not following the policy. The policy for an individual control must be reviewed to ascertain
that the criteria for level 1 are met. Assessing the effectiveness of the individual controls, not
simply their existence, is key to achieving and maintaining adequate security.
The asset owner, in partnership with those responsible for administering the information
assets (which include IT systems), must determine whether the measurement criteria are
being met at each level. Before making such a determination, the degree of sensitivity of
information and systems must be determined by considering the requirements for
confidentiality, integrity, and availability of both the information and systems — the value of
information and systems is one of the major factors in risk management.
A security program may be assessed at various levels within an organization. For example, a
program could be defined as an agency asset, a major application, general support system,
high impact program, physical plant, mission critical system, or logically related group of
systems. The Framework refers to this grouping as an asset.
The Framework describes an asset self-assessment and provides levels to guide and prioritize
agency efforts as well as a basis to measure progress. In addition, the National Institute of
Standards and Technology (NIST) will develop a questionnaire that gives the implementation
tools for the Framework. The questionnaire will contain specific control objectives that
should be applied to secure a system.
Figure 1 - Federal IT Security Assessment Framework
Level 1 Documented Policy
Level 2 Documented Procedures
Level 3 Implemented Procedures and Controls
Level 4 Tested and Reviewed Procedures and Controls
Level 5 Fully Integrated Procedures and Controls
C-4
Appendix CFederal IT Security Assessment Framework
The Framework approach begins with the premise that all agency assets must meet the
minimum security requirements of the Office of Management and Budget Circular
A- 130, "Management of Federal Resources", Appendix III, "Security of Federal Automated
Information Resources" (A- 130). The criteria that are outlined in the Framework and
provided in detail in the questionnaire are abstracted directly from long-standing
requirements found in statute, policy, and guidance on security and privacy. It should be
noted that an agency might have additional laws, regulations, or policies that establish
specific requirements for confidentiality, integrity, or availability. Each agency should decide
if additional security controls should be added to the questionnaire and, if so, customize the
questionnaire appropriately. A list of the documents that the Framework and the
questionnaire draw upon is provided in Figure 2.
C-5
Appendix CFederal IT Security Assessment Framework
Figure 2 - Source of Control Criteria
Office of Management and Budget Circular A- 130,
"Management of Federal Information Resources",
Appenuix in, occuniy 01 reucrai Auiuuidieu
Information Resources."
Establishes a minimum set of controls to be included in Federal IT
security programs.
Computer Security Act of 1 987.
This statute set the stage for protecting systems by codifying the
requirement for Government-wide IT security planning and training.
Paperwork Reduction Act of 1995. The PRA established a comprehensive information resources
management framework including security and subsumed the
security responsibilities of the Computer Security Act of 1987.
Clinger-Cohen Act of 1996. This Act linked security to agency capital planning and budget
processes, established agency Chief Information Officers, and re-
codified the Computer Security Act of 1987.
Presidential Decision Directive 63, "Protecting
Amf*rif*fi'^ CVitipal TirfraQtritPtnrpQ "/A.IHV1 iva j V 1 u!Lai Hill floll UWLUl W^n
This directive specifies agency responsibilities for protecting the
nation's infrastructure, assessing vulnerabilities of public and private
sectors, and eliminating vulnerabilities.
Presidential Decision Directive 67, "Enduring
(""nnQtitntinnftl nnvprnmfnt firtH f^fYntiriiiifrv nfV. tU UUlkll VJUVtl IlillLlll O.UU J 11 1 1 U I ly \J 1
Government."
Relates to ensuring constitutional government, continuity of
operations (COOP) planning, and continuity of government (COG)operations
OMB Memorandum 99-05, Instructions on Complying
with President's Memorandum of Mav 14, 1998,
"Privacy and Personal Information in Federal Records."
This memorandum provides instructions to agencies on how to
comply with the President's Memorandum of May 14, 1998 on
"Privacy and Personal Information in Federal Records."
OMB Memorandum 99-18, "Privacy Policies on
Federal Web Sites."
This memorandum directs Departments and Agencies to post clear
privacy policies on World Wide Web sites, and provides guidance
for doing so.
OMB Memorandum 00-13, "Privacy Policies and Data
Collection on Federal Web Sites."
The purpose of this memorandum is a reminder that each agency is
required by law and policy to establish clear privacy policies for its
web activities and to comply with those policies.
General Accounting Office "Federal Information The FISCAM methodology provides guidance to auditors in
evaluating internal controls over the confidentiality, integrity, and
availability of data maintained in computer-based information
systems.
System Control Audit Manual" (FISCAM).
NIST Special Publication 800-14, "Generally Accepted This publication guides organizations on the types of controls,
objectives, and procedures that comprise an effective security
program.Principles and Practices for Security Information
Technology Systems."
NIST Special Publication 800-18, "Guide for
Developing Security Plans for Information Technology
Systems."
This publication details the specific controls that should be
documented in a system security plan.
Federal Information Processing Standards. This document contains legislative and executive mandates for
improving the utilization and management of computers and IT
systems in the Federal Government.
C-6
Appendix CFederal IT Security Assessment Framework
2. Documented Policy - Level 1
2.1 Description
Level 1 of the Framework includes:
• Formally documented and disseminated security policy covering agency headquarters
and major components (e.g., bureaus and operating divisions). The policy may be asset
specific.
• Policy that references most of the basic requirements and guidance issued from the
documents listed in Figure 2 - Source of Control Criteria.
An asset is at level 1 if there is a formally, up-to-date documented policy that establishes a
continuing cycle of assessing risk, implements effective security policies including training,
and uses monitoring for program effectiveness. Such a policy may include major agency
components, (e.g., bureaus and operating divisions) or specific assets.
A documented security policy is necessary to ensure adequate and cost effective
organizational and system security controls. A sound policy delineates the security
management structure and clearly assigns security responsibilities, and lays the foundation
necessary to reliably measure progress and compliance. The criteria listed below should be
applied when assessing the policy developed for the controls that are listed in the NISTquestionnaire.
2.2 Criteria
Level 1 criteria describe the components of a security policy.
Criteria for Level 1
a. Purpose and scope. An up-to-date security policy is written that covers all major facilities and
operations agency-wide or for the asset. The policy is approved by key affected parties and covers
security planning, risk management, review of security controls, rules of behavior, life-cycle
management, processing authorization, personnel, physical and environmental aspects, computer support
and operations, contingency planning, documentation, training, incident response, access controls, and
audit trails. The policy clearly identifies the purpose of the program and its scope within the organization.
b. Responsibilities. The security program comprises a security management structure with adequate
authority, and expertise. IT security manager(s) are appointed at an overall level and at appropriate
subordinate levels. Security responsibilities and expected behaviors are clearly defined for asset owners
and users, information resources management and data processing personnel, senior management, and
security administrators.
c. Compliance. General compliance and specified penalties and disciplinary actions are also identified in
the policy.
C-7
Appendix CFederal IT Security Assessment Framework
3. Documented Procedures - Level 2
3.1 Description
Level 2 of the Framework includes:
• Formal, complete, well-documented procedures for implementing policies established at
level one.
• The basic requirements and guidance issued from the documents listed in Figure 2 -
Source of Control Criteria.
An asset is at level 2 when formally documented procedures are developed that focus on
implementing specific security controls. Formal procedures promote the continuity of the
security program. Formal procedures also provide the foundation for a clear, accurate, and
complete understanding of the program implementation. An understanding of the risks and
related results should guide the strength of the control and the corresponding procedures. The
procedures document the implementation of and the rigor in which the control is applied.
Level 2 requires procedures for a continuing cycle of assessing risk and vulnerabilities,
implementing effective security policies, and monitoring effectiveness of the security
controls. Approved system security plans are in place for all assets.
Well-documented and current security procedures are necessary to ensure that adequate and
cost effective security controls are implemented. The criteria listed below should be applied
when assessing the quality of the procedures for controls outlined in the NIST questionnaire.
3.2 Criteria
Level 2 criteria describe the components of security procedures.
Criteria for Level 2
a. Control areas listed and organization's position stated. Up-to-date procedures are written that
covers all major facilities and operations within the asset. The procedures are approved by key
responsible parties and cover security policies, security plans, risk management, review of security
controls, rules of behavior, life-cycle management, processing authorization, personnel, physical and
environmental aspects, computer support and operations, contingency planning, documentation, training,
incident response, access controls, and audit trails. The procedures clearly identify management's
position and whether there are further guidelines or exceptions.
b. Applicability of procedures documented. Procedures clarify where, how, when, to, whom, and about
what a particular procedure applies.
c. Assignment of IT security responsibilities and expected behavior. Procedures clearly define
security responsibilities and expected behaviors for (1) asset owners and users, (2) information resources
management and data processing personnel, (3) management, and (4) security administrators.
d. Points of contact and supplementary information provided. Procedures contain appropriate
individuals to be contacted for further information, guidance, and compliance.
C- 8
Appendix CFederal IT Security Assessment Framework
4. Implemented Procedures and Controls - Level 3
4.1 Description
Level 3 of the Framework includes:
• Security procedures and controls that are implemented.
• Procedures that are communicated and individuals who are required to follow them.
At level 3, the IT security procedures and controls are implemented in a consistent manner
and reinforced through training. Ad hoc approaches that tend to be applied on an individual
or case-by-case basis are discouraged. Security controls for an asset could be implemented
and not have procedures documented, but the addition of formal documented procedures at
level 2 represents a significant step in the effectiveness of implementing procedures and
controls at level 3. While testing the on-going effectiveness is not emphasized in level 3,
some testing is needed when initially implementing controls to ensure they are operating as
intended. The criteria listed below should be used to determine if the specific controls listed
in the NIST questionnaire are being implemented.
4.2 Criteria
Level 3 criteria describe how an organization can ensure implementation of their security
procedures.
Criteria for Level 3
a. Owners and users are made aware of security policies and procedures. Security policies and
procedures are distributed to all affected personnel, including system/application rules and expected
behaviors. Requires users to periodically acknowledge their awareness and acceptance of responsibility
for security.
b. Policies and procedures are formally adopted and technical controls installed. Automated and
other tools routinely monitor security. Established policy governs review of system logs, penetration
testing, and internal/external audits.
c. Security is managed throughout the life cycle of the system. Security is considered in each of the
life-cycle phases: initiation, development/acquisition, implementation, operation, and disposal.
d. Procedures established for authorizing processing (certification and accreditation). Management
officials must formally authorize system operations and manage risk.
e. Documented security position descriptions. Skill needs and security responsibilities in job
descriptions are accurately identified.
f. Employees trained on security procedures. An effective training and awareness program tailored for
varying job functions is planned, implemented, maintained, and evaluated.
C-9
Appendix CFederal IT Security Assessment Framework
5. Tested and Evaluated Procedures and Controls - Level 4
5.7 Description
Level 4 of the Framework includes:
• Routinely evaluating the adequacy and effectiveness of security policies, procedures, and
controls.
• Ensuring that effective corrective actions are taken to address identified weaknesses,
including those identified as a result of potential or actual security incidents or through
security alerts issued by FedCIRC, vendors, and other trusted sources.
Routine evaluations and response to identified vulnerabilities are important elements of risk
management, which includes identifying, acknowledging, and responding, as appropriate, to
changes in risk factors (e.g., computing environment, data sensitivity) and ensuring that
security policies and procedures are appropriate and are operating as intended on an ongoing
basis.
Routine self-assessments are an important means of identifying inappropriate or ineffective
security procedures and controls, reminding employees of their security-related
responsibilities, and demonstrating management's commitment to security. Self-assessments
can be performed by agency staff or by contractors or others engaged by agency
management. Independent audits such as those arranged by the General Accounting Office
(GAO) or an agency Inspector General (IG), are an important check on agency performance,
but should not be viewed as a substitute for evaluations initiated-by agency management.
To be effective, routine evaluations must include tests and examinations of key controls.
Reviews of documentation, walk-throughs of agency facilities, and interviews with agency
personnel, while providing useful information, are not sufficient to ensure that controls,
especially computer-based controls, are operating effectively. Examples of tests that should
be conducted are network scans to identify known vulnerabilities, analyses of router and
switch settings and firewall rules, reviews of other system software settings, and tests to see
if unauthorized system access is possible (penetration testing). Tests performed should
consider the risks of authorized users exceeding authorization as well as unauthorized users
(e.g., external parties, hackers) gaining access. Similar to levels 1 through 3, to be
meaningful, evaluations must include security controls of interconnected assets, e.g., network
supporting applications being tested.
When assets are first implemented or are modified, they should be tested and certified to
ensure that controls are initially operating as intended. (This would occur at Level 3.)
Requirements for subsequent testing and recertification should be integrated into an agency's
ongoing test and evaluation program.
In addition to test results, agency evaluations should consider information gleaned from
records of potential and actual security incidents and from security alerts, such as those
issued by software vendors. Such information can identify specific vulnerabilities and
provide insights into the latest threats and resulting risks.
C- 10
Appendix CFederal IT Security Assessment Framework
The criteria listed below should be applied to each control area listed in the NISTquestionnaire to determine if the asset is being effectively evaluated.
5.2 Criteria
Level 4 criteria are listed below.
Criteria for Level 4
a. Effective program for evaluating adequacy and effectiveness of security policies, procedures, and
controls. Evaluation requirements, including requirements regarding the type and frequency of testing,
should be documented, approved, and effectively implemented. The frequency and rigor with which
individual controls are tested should depend on the risks that will be posed if the controls are not
operating effectively. At a minimum, controls should be evaluated whenever significant system changes
are made or when other risk factors, such as the sensitivity of data processed, change. Even controls for
inherently low-risk operations should be tested at a minimum of every 3 years.
b. Mechanisms for identifying vulnerabilities revealed by security incidents or security alerts.
Agencies should routinely analyze security incident records, including any records of anomalous or
suspicious activity that may reveal security vulnerabilities. In addition, they should review security alerts
issued by FedCIRC, vendors, and others.
c. Processfor reporting significant security weaknesses and ensuring effective remedial
action. Such a process should providefor routine reports to senior management on weaknesses
identified through testing or other means, development ofaction plans, allocation ofneeded
resources, andfollow-up reviews to ensure that remedial actions have been effective. Expedited
processes should be implementedfor especially significant weaknesses that may present undue
risk ifnot addressed immediately.
C- 11
Appendix CFederal IT Security Assessment Framework
6. Fully Integrated Procedures and Controls - Level 5
6.1 Description
Level 5 of the Framework includes:
• A comprehensive security program that is an integral part of an agency's organizational
culture.
• Decision-making based on cost, risk, and mission impact.
The consideration of IT security is pervasive in the culture of a level 5 asset. A proven life-
cycle methodology is implemented and enforced and an ongoing program to identify and
institutionalize best practices has been implemented. There is active support from senior
management. Decisions and actions that are part of the IT life cycle include:
Improving security program
Improving security program procedures
Improving or refining security controls
Adding security controls
Integrating security within existing and evolving IT architecture
Improving mission processes and risk management activities
Each of these decisions result from a continuous improvement and refinement program
instilled within the organization. At level 5, the understanding of mission-related risks and
the associated costs of reducing these risks are considered with a full range of
implementation options to achieve maximum mission cost-effectiveness of security
measures. Entities should apply the principle of selecting controls that offer the lowest cost
implementation while offering adequate risk mitigation, versus high cost implementation and
low risk mitigation. The criteria listed below should be used to assess whether a specific
control contained in the NIST questionnaire has been fully implemented.
6.2 Criteria
Level 5 criteria describe components of a fully integrated security
program. „_____________„^
Criteria for Level 5
a. There is an active enterprise-wide security program that achieves cost-effective security.
b. IT security is an integrated practice within the asset.
c. Security vulnerabilities are understood and managed.
d. Threats are continually re-evaluated, and controls adapted to changing security environment.
e. Additional or more cost-effective security alternatives are identified as the need arises.
f. Costs and benefits of security are measured as precisely as practicable.
g. Status metrics for the security program are established and met.
C- 12
Appendix CFederal IT Security Assessment Framework
7. Future of the Framework
This version of the Framework primarily addresses security management issues. It describes
a process for agencies to assess their compliance with long-standing basic requirements and
guidance. With the Framework in place, agencies will have an approach to begin the
assessment process. The NIST questionnaire provides the tool to determine whether agencies
are meeting these requirements and following the guidance.
The Framework is not static; it is a living document. Revisions will focus on expanding,
refining, and providing more granularity for existing criteria. In addition, the establishment of
a similar companion framework devoted to the evolution of agency electronic privacy polices
may be considered in time.
The Framework can be viewed as both an auditing tool and a management tool.
A balance between operational needs and cost effective security for acceptable risk will need
to be made to achieve an adequate level of security.
Currently, the NIST self-assessment tool is under development and will be available in 200 1
.
Appendix A provides a sample questionnaire to assist agencies until NIST officially releases
the questionnaire.
C- 13
Appendix CFederal IT Security Assessment Framework
Appendix AConceptual Sample of NIST Self-Assessment Questionnaire
Below is a conceptual sample of the Hypothetical Government Agency's (HGA) completion
of the NIST questionnaire for their Training Database. Before the questionnaire was
completed, the sensitivity of the information stored within, processed by and transmitted by
this asset was assessed. The premise behind determining the level of sensitivity is that each
asset owner is responsible for determining what level of risk is acceptable, and which specific
security controls are necessary to provide adequate security.
The sensitivity of this asset was determined to be high for confidentiality and low for
integrity and availability. The confidentiality of the system is high due to the system
containing personnel information. Employee social security numbers, course lists, and grades
are contained in the system. The integrity of the database is considered low because if the
information were modified by unauthorized, unanticipated or unintentional means,
employees, who can read their own training file, would detect the modifications. The
availability of the system is considered low because hard copies of the training forms are
available as a backup.
The questionnaire was completed for the database with the understanding that security
controls that protect the integrity or availability of the data did not have to be rigidly applied.
The questionnaire contains a field that can be checked when a risk-based decision has been
made to either reduce or enhance a security control. There may be certain situations where
management will grant a waiver either because compensating controls exist or because the
benefits of operating without the control (at least temporarily) outweigh the risk of waiting
for full control implementation. Alternatively, there may be times where management
implements more stringent controls than generally applied elsewhere. In the example
provided the specific control objectives for personnel security and for authentication were
assessed. The questionnaire is an excerpt and by no means contains all the questions that
would be asked in the area of personnel security and authentication. For brevity, only a few
questions were provided in this sample.
An analysis of the levels checked determined that the agency should target improving their
background screening implementation and testing. System administrators, programmers, and
managers should all have background checks completed prior to accessing the system. The
decision to allow access prior to screening was made and checked in the Risk Based Decision
Made box. Because this box was checked, there should be specific controls implemented to
ensure access is not abused, i.e., access is reviewed daily through audit trails, and users have
minimal system authority.
Additionally, HGA should improve implementing and testing their password procedures
because of the strong need for confidentiality. Without good password management,
passwords can be easily guessed and access to the system obtained. The questionnaire's list
of objectives is incomplete for both personnel security controls and for authentication
controls. Even though the sample is lacking many controls, the completed questionnaire
clearly depicts that HGA has policies and procedures in place but there is a strong need for
implementing, testing, and reviewing the procedures and controls. The sample indicates that
the Training Database would be at level 2.
C- 14
Appendix CFederal IT Security Assessment Framework
Category of Sensitivity Confidentiality Integrity Availability
High XMediumLow X X
Specific Control Objectives
i tL. 1
Policy
Yj.L
Procedures
Yj.5
Implemented
T A
Tested Integrated
Rick Rnsprl
Decision
Made
Personnel Security
Are all positions reviewed for sensitivity
level?
A A A
Is appropriate background screening for
assigned positions completed prior to granting
access?
A A YA
Are there conditions for allowing system
access prior 10 completion 01 screening:
X X
/\re sensitive runctions oiviaeu among
different individuals?
YA YA YA
Are mecnamsms in piace ior noiuing users
responsible for their actions?
YA YA
Are termination proceuures esiaoiisneu; YA YA
Authentication
Are passwords, tokens, or biometrics used? VA -vrA A
Do passwords contain alpha numeric,
upper/lower case, and special characters?
X X
Are passwords changed at least every ninety
days or earlier if needed?
X X
Is there guidance for handling lost and
compromised passwords?
X X
Are passwords transmitted and stored with
one-way encryption?
X X
Is there a limit to the number of invalid access
attempts that may occur for a given user?
X X
C- 15
Appendix CFederal IT Security Assessment Framework
References
Automated Information Systems Security Program Handbook (Release 2.0, May 1994),
Department of Health and Human Services, May 1994.
Ginger-Cohen Act of 1996 (formerly known as the Information Management Reform Act),
February 10, 1996.
Computer Security Act of 1987, 40 U.S. Code 759, (Public Law 100-235), January 8, 1988.
Control Objectives for Information and Related Technology (COBIT) 3rd
Edition,
Information Systems Audit and Control Foundation, July 2000.
General Accounting Office, Federal Information System Control Audit Manual (FISCAM),
GOA/AIMD-12.19.6, January 1999.
General Accounting Office, Information Security Risk Assessment Practices of Leading
Organizations, GAO/AIMD-99-139, August 1999.
Office of Management and Budget, Security of Federal Automated Information Resources,
Appendix III to OMB Circular A- 130, Management of Federal Information Resources,
February 8, 1996.
Office of Management and Budget, Memorandum 99-05, Instructions on Complying with
President's Memorandum ofMay 14, 1998, Privacy and Personal Information in Federal
Records, July 1, 1999.
Office of Management and Budget, Memorandum 99-18, Privacy Policies on Federal WebSites, June 2, 1999.
Office of Management and Budget, Memorandum 00-13, Policies and Data Collection on
Federal Web Sites, June 22, 2000.
Paperwork Reduction Act of 1995, 35 U.S. Code 44, January 4, 1995.
Presidential Decision Directive 63, Protecting America's Critical Infrastructures, May 22,
1998.
Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of
Government, October 21, 1998.
Swanson, Marianne and Barbara Guttman, NIST Special Publication 800-14, Generally
Accepted Principles and Practices for Security Information Technology Systems (GSSP),
Gaithersburg, MD, National Institute of Standards and Technology, September 20, 1995.
Swanson, Marianne and Federal Computer Security Program Managers' Forum Working
Group, NIST Special Publication 800-18, Guide for Developing Security Plans for
Information Technology Systems, Gaithersburg, MD, National Institute of Standards and
Technology, December 1998.
C- 16
Appendix CFederal IT Security Assessment Framework
Terminology
Acceptable Risk is a concern that is acceptable to responsible management, due to the cost
and magnitude of implementing controls.
Accreditation is synonymous with the term authorize processing. Accreditation is the
authorization and approval granted to a major application or general support system to
process in an operational environment. It is made on the basis of a certification by
designated technical personnel that the system meets pre-specified technical requirements for
achieving adequate system security. See also Authorize Processing, Certification, and
Designated Approving Authority.
Asset is a major application, general support system, high impact program, physical plant,
mission critical system, or a logically related group of systems.
Authorize Processing occurs when management authorizes in writing a system based on an
assessment of management, operational, and technical controls. By authorizing processing in
a system the management official accepts the risks associated with it. See also Accreditation,
Certification, and Designated Approving Authority.
Availability Protection requires backup of system and information, contingency plans,
disaster recovery plans, and redundancy. Examples of systems and information requiring
availability protection are time-share systems, mission-critical applications, time and
attendance, financial, procurement, or life-critical.
Awareness, Training, and Education includes (1) awareness programs set the stage for
training by changing organizational attitudes towards realization of the importance of
security and the adverse consequences of its failure; (2) the purpose of training is to teach
people the skills that will enable them to perform their jobs more effectively; and (3)
education is more in-depth than training and is targeted for security professionals and those
whose jobs require expertise in IT security.
Certification is synonymous with the term authorize processing. Certification is a major
consideration prior to authorizing processing, but not the only consideration. Certification is
the technical evaluation that establishes the extent to which a computer system, application,
or network design and implementation meets a pre-specified set of security requirements.
See also Accreditation and Authorize Processing.
General Support System is an interconnected information resource under the same direct
management control that shares common functionality. It normally includes hardware,
software, information, data, applications, communications, facilities, and people and provides
support for a variety of users and/or applications. Individual applications support different
mission-related functions. Users may be from the same or different organizations.
Individual Accountability requires individual users to be held accountable for their actions
after being notified of the rules of behavior in the use of the system and the penalties
associated with the violation of those rules.
C- 17
Appendix CFederal IT Security Assessment Framework
Information Owner is responsible for establishing the rules for appropriate use and
protection of the data/information. The information owner retains that responsibility even
when the data/information are shared with other organizations.
Major Application is an application that requires special attention to security due to the risk
and magnitude of the harm resulting from the loss, misuse, or unauthorized access to, or
modification of, the information in the application. A breach in a major application might
comprise many individual application programs and hardware, software, and
telecommunications components. Major applications can be either a major software
application or a combination of hardware/software where the only purpose of the system is to
support a specific mission-related function.
Material Weakness or significant weakness is used to identify control weaknesses that pose
a significant risk or a threat to the operations and/or assets of an audited entity. "Material
weakness" is a very specific term that is defined one way for financial audits and another wayfor weaknesses reported under the Federal Managers Financial Integrity Act of 1982. Such
weaknesses may be identified by auditors or by management.
Networks include communication capability that allows one user or system to connect to
another user or system and can be part of a system or a separate system. Examples of
networks include local area network or wide area networks, including public networks such
as the Internet.
Operational Controls address security methods that focus on mechanisms that primarily are
implemented and executed by people (as opposed to systems).
Policy a document that delineates the security management structure and clearly assigns
security responsibilities and lays the foundation necessary to reliably measure progress and
compliance.
Procedures are contained in a document that focuses on the security control areas and
management's position.
Risk is the possibility of harm or loss to any software, information, hardware, administrative,
physical, communications, or personnel resource within an automated information system or
activity.
Risk Management is the ongoing process of assessing the risk to automated information
resources and information, as part of a risk-based approach used to determine adequate
security for a system by analyzing the threats and vulnerabilities and selecting appropriate
cost-effective controls to achieve and maintain an acceptable level of risk.
Rules ofBehavior are the rules that have been established and implemented concerning use
of, security in, and acceptable level of risk for the system. Rules will clearly delineate
responsibilities and expected behavior of all individuals with access to the system. Rules
should cover such matters as work at home, dial-in access, connection to the Internet, use of
C- 18
Appendix CFederal IT Security Assessment Framework
copyrighted works, unofficial use of Federal government equipment, assignment and
limitation of system privileges, and individual accountability.
Sensitive Information refers to information whose loss, misuse, or unauthorized access to or
modification of could adversely affect the national interest or the conduct of Federal
programs or the privacy to which individuals are entitled.
Sensitivity an information technology environment consists of the system, data, and
applications that must be examined individually and in total. All systems and applications
require some level of protection for confidentiality, integrity, and/or availability that is
determined by an evaluation of the sensitivity of the information processed, the relationship
of the system to the organizations mission, and the economic value of the system
components.
System is a generic term used for briefness to mean either a major application or a general
support system.
System Operational Status is either (1) Operational - system is currently in operation, (2)
Under Development - system is currently under design, development, or implementation, or
(3) Undergoing a Major Modification - system is currently undergoing a major conversion or
transition.
Technical Controls consist of hardware and software controls used to provide automated
protection to the system or applications. Technical controls operate within the technical
system and applications.
Threat is an event or activity, deliberate or unintentional, with the potential for causing harm
to an IT system or activity.
Vulnerability is a flaw or weakness that may allow harm to occur to an IT system or activity.
C- 19
Appendix DReferences
Appendix D - References
Clinger-Cohen Act of 1996 (formerly known as the Information Management Reform Act),
February 10, 1996.
Computer Security Act of 1987, 40 U.S. Code 759, (Public Law 100-235), January 8, 1988.
Control Objectives for Information and Related Technology (COBIT) 3rd
Edition,
Information Systems Audit and Control Foundation, July 2000.
Defense Authorization Act (P.L. 106-398) including Title X, Subtitle G, "Government
Information Security Reform," October 28, 2000.
Department of State, Draft Best Security Practices Checklist Appendix A, January 22, 2001
.
General Accounting Office, Federal Information System Control Audit Manual (FISCAM),
GOA/AIMD-12.19.6, January 1999.
General Accounting Office, Information Security Risk Assessment Practices of Leading
Organizations, GAO/AIMD-99-139, August 1999.
ISSO 17799, A Code of Practice for Information Security Management (British Standard
7799),
National Communications System, Public Switched Network Security Assessment
Guidelines, September 2000.
Office of Management and Budget, Security of Federal Automated Information Resources,
Appendix III to OMB Circular A- 130, Management of Federal Information Resources,
February 8, 1996.
Office of Management and Budget, Memorandum 99-05, Instructions on Complying with
President's Memorandum ofMay 14, 1998, Privacy and Personal Information in Federal
Records, July 1, 1999.
Office of Management and Budget, Memorandum 99-18, Privacy Policies on Federal WebSites, June 2, 1999.
Office of Management and Budget, Memorandum 00-13, Policies and Data Collection on
Federal Web Sites, June 22, 2000.
Paperwork Reduction Act of 1995, 35 U.S. Code 44, January 4, 1995.
Presidential Decision Directive 63, Protecting America's Critical Infrastructures, May 22,
1998.
Presidential Decision Directive 67, Enduring Constitutional Government and Continuity of
Government, October 21, 1998.
D- 1
it U.S. GOVERNMENT PRINTING OFFICE: 2002 485-536
Technical Publications
Periodical
Journal of Research of the National Institute of Standards and Technology—Reports NIST research
and development in metrology and related fields of physical science, engineering, applied mathematics,
statistics, biotechnology, and information technology. Papers cover a broad range of subjects, with major
emphasis on measurement methodology and the basic technology underlying standardization. Also included
from time to time are survey articles on topics closely related to the Institute's technical and scientific
programs. Issued six times a year.
Nonperiodicals
Monographs—Major contributions to the technical literature on various subjects related to the
Institute's scientific and technical activities.
Handbooks—Recommended codes of engineering and industrial practice (including safety codes) devel-
oped in cooperation with interested industries, professional organizations, and regulatory bodies.
Special Publications—Include proceedings of conferences sponsored by NIST, NIST annual reports, and
other special publications appropriate to this grouping such as wall charts, pocket cards, and bibliographies.
National Standard Reference Data Series—Provides quantitative data on the physical and chemical
properties of materials, compiled from the world's literature and critically evaluated. Developed under a
worldwide program coordinated by NIST under the authority of the National Standard Data Act (Public
Law 90-396). NOTE: The Journal of Physical and Chemical Reference Data (JPCRD) is published
bimonthly for NIST by the American Institute of Physics (AIP). Subscription orders and renewals are
available from AIP, P.O. Box 503284, St. Louis, MO 63150-3284.
Building Science Series—Disseminates technical information developed at the Institute on building
materials, components, systems, and whole structures. The series presents research results, test methods, and
performance criteria related to the structural and environmental functions and the durability and safety
characteristics of building elements and systems.
Technical Notes—Studies or reports which are complete in themselves but restrictive in their treatment of
a subject. Analogous to monographs but not so comprehensive in scope or definitive in treatment of the
subject area. Often serve as a vehicle for final reports of work performed at NIST under the sponsorship of
other government agencies.
Voluntary Product Standards—Developed under procedures published by the Department of Commercein Part 10, Title 15, of the Code of Federal Regulations. The standards establish nationally recognized
requirements for products, and provide all concerned interests with a basis for common understanding of
the characteristics of the products. NIST administers this program in support of the efforts of private-sector
standardizing organizations.
Order the following NIST publications—FIPS and NISTIRs—from the National Technical Information
Service, Springfield, VA 22161.
Federal Information Processing Standards Publications (FIPS PUB)—Publications in this series
collectively constitute the Federal Information Processing Standards Register. The Register serves as the
official source of information in the Federal Government regarding standards issued by NIST pursuant to
the Federal Property and Administrative Services Act of 1949 as amended, Public Law 89-306 (79 Stat.
1127), and as implemented by Executive Order 11717 (38 FR 12315, dated May 11, 1973) and Part 6 of
Title 15 CFR (Code of Federal Regulations).
NIST Interagency or Internal Reports (NIST1K)—The series includes interim or final reports on work
performed by NIST for outside sponsors (both government and nongovernment). In general, initial
distribution is handled by the sponsor; public distribution is handled by sales through the National Technical
Information Service, Springfield, VA 22161, in hard copy, electronic media, or microfiche form. NISTIR's
may also report results of NIST projects of transitory or limited interest, including those that will be
published subsequently in more comprehensive form.
£ O OB ZGa »-h p S bs •
c
< 3
8
2. E2.
too00
8
3* — re
O 3 05K" w —O &. "1
< c g° 5.
ijo ©
w3n3