Board Report: 2014-IT-B-021 December 18, 2014

Opportunities Exist to Improve the Operational Efficiency and Effectiveness of the Board's Information Security Life Cycle

Appendix B: Federal Guidance Applicable to the Security Life Cycle Issued Since 2010

Year: 2010
Federal guidance: NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010
Purpose: To provide guidelines for applying the RMF to federal information systems, including conducting the activities of security categorization, security control selection and implementation, security control assessment, information system authorization, and security control monitoring.

Year: 2011
Federal guidance: NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011
Purpose: To provide guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the nation resulting from the operation and use of federal information systems.

Year: 2011
Federal guidance: NIST Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, September 2011
Purpose: To assist organizations in the development of an ISCM strategy and the implementation of an ISCM program that provides awareness of threats and vulnerabilities as well as visibility into organizational assets and the effectiveness of deployed security controls.

Year: 2013
Federal guidance: NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013
Purpose: To provide guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government, in order to meet the requirements of Federal Information Processing Standards 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that processes, stores, or transmits federal information.

Year: 2013
Federal guidance: OMB Memorandum 14-03, Enhancing the Security of Federal Information Systems, November 2013
Purpose: To provide agencies with guidance for managing information security risk on a continuous basis and to build on efforts to achieve the cybersecurity cross-agency priority goal.

Year: 2013
Federal guidance: OMB Memorandum 14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, November 2013
Purpose: To provide the fiscal year 2013 FISMA metrics issued by the U.S. Department of Homeland Security, which establish minimum and target levels of performance for these priorities, as well as metrics for other key performance areas.

Year: 2014
Federal guidance: NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Supplemental Guidance on Ongoing Authorizations, June 2014
Purpose: To amplify current NIST guidance on security authorization and ongoing authorization contained in SP 800-37, SP 800-39, SP 800-53, SP 800-53A, and SP 800-137. This guidance does not change current OMB policies or NIST guidance with regard to risk management, information security, security categorization, security control selection, implementation, assessment, continuous monitoring, or security authorization.

Source: Compiled by the OIG from the NIST and OMB websites.