Board Report: 2014-IT-B-021 December 18, 2014
| Year | Federal guidance | Purpose |
|---|---|---|
| 2010 | NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010 | To provide guidelines for applying the RMF to federal information systems, to include conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring. |
| 2011 | NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011 | To provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation resulting from the operation and use of federal information systems. |
| NIST Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, September 2011 | To assist organizations in the development of an ISCM strategy and the implementation of an ISCM program that provides awareness of threats and vulnerabilities as well as visibility into organizational assets and the effectiveness of deployed security controls. | |
| 2013 | NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 | To provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government to meet the requirements of Federal Information Processing Standards 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that processes, stores, or transmits federal information. |
| OMB Memorandum 14-03, Enhancing the Security of Federal Information Systems, November 2013 | To provide agencies with guidance for managing information security risk on a continuous basis and builds on efforts to achieve the cybersecurity cross-agency priority goal. | |
| OMB Memorandum 14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, November 2013 | To provide fiscal year 2013 FISMA metrics issued by the U.S. Department of Homeland Security, which establish minimum and target levels of performance for these priorities, as well as metrics for other key performance areas. | |
| 2014 | NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Supplemental Guidance on Ongoing Authorizations, June 2014 | To amplify current NIST guidance on security authorization and ongoing authorization contained in SP 800-37, SP 800-39, SP 800-53, SP 800-53A, and SP 800-137. This guidance does not change current OMB policies or NIST guidance with regard to risk management, information security, security categorization, security control selection, implementation, assessment, continuous monitoring, or security authorization. |
Source: Compiled by the OIG from the NIST and OMB websites.
