The following is a working list of laws, policies, standards and guidance directly relevant to the management of information systems for government agencies and federal contractors alike. For this list, we used the year 2000 as our cut-off. Further, we excluded all documents that, while referenced in some of the literature, have since been withdrawn or superseded by the federal government. An assessment of these information protection and cybersecurity policies, and of how they may be strategically employed by both small businesses and government contractors, is currently in progress.
The following tables and their active links are included as a .pdf here for your convenience.
LAWS
ID | Type | Agent | Description | Date
51 | Law | Congress | Public Law 115-91, FY 2018 NDAA, Title IX, Subtitle B, Data Management and Analytics | 2017
50 | Law | Congress | Public Law 115-91, FY 2018 NDAA, Title XVI, Subtitle C, Cyberspace-related Matters | 2017
49 | Law | Congress | Public Law 115-91, FY 2018 NDAA, Title X, Subtitle G, Modernizing Government Technology (MGT) Act | 2017
48 | Bill | Congress | IoT Cybersecurity Improvement Act | 2017
38 | Law | Congress | Public Law 114-113, Cybersecurity Act | 2015
32 | Law | Congress | Public Law 113-283, Federal Information Security Modernization Act (FISMA) | 2014
27 | Law | Congress | 5 US Code 552, Public Information | 2011
19 | Law | Congress | Public Law 111-352, GPRA Modernization Act | 2010
5 | Law | Congress | Public Law 107-347, Title III, Federal Information Security Management Act (Original) | 2002
4 | Law | Congress | Public Law 107-347, E-Government Act | 2002
POLICIES, STANDARDS, AND DIRECTIVES
ID | Type | Agent | Description | Date
56 | Policy | CNSS | CNSSP No. 28, Cybersecurity of Unmanned National Security Systems | 2018
47 | Executive Order | President | Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure | 2017
45 | Executive Order | President | Executive Order 13718, Commission on Enhancing National Cybersecurity | 2016
44 | Policy | OMB | M-17-05, Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements | 2016
42 | Regulation | NARA | 32 CFR Part 2002, Controlled Unclassified Information | 2016
40 | Executive Order | President | Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing | 2015
39 | Policy | OMB | M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government | 2015
37 | Policy | DHS | BOD 15-01, Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies' Internet-Accessible Systems | 2015
36 | Executive Order | President | Executive Order 13681, Improving the Security of Consumer Financial Transactions | 2014
33 | Policy | OMB | M-15-01, Guidance on Improving Federal Information Security and Privacy Management Practices | 2014
31 | Policy | OMB | M-14-03, Enhancing the Security of Federal Information and Information Systems | 2013
30 | Policy | President | Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience | 2013
29 | Executive Order | President | Executive Order 13636, Improving Critical Infrastructure Cybersecurity | 2013
28 | Policy | CNSS | CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems | 2012
21 | Policy | OMB | M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS) | 2010
20 | Executive Order | President | Executive Order 13556, Controlled Unclassified Information | 2010
18 | Policy | CNSS | CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems | 2014
17 | Executive Order | President | Executive Order 13526, Classified National Security Information | 2009
13 | Policy | OMB | M-06-15, Safeguarding Personally Identifiable Information | 2006
12 | Policy | OMB | M-06-16, Protection of Sensitive Agency Information | 2006
11 | Policy | OMB | M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments | 2006
10 | Standard | NIST | FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems | 2006
9 | Standard | NIST | FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems | 2004
8 | Policy | CNSS | CNSSI No. 4009, National Information Assurance Glossary | 2010
3 | Policy | OMB | Circular A-130, Appendix III, Responsibilities for Protecting Federal Information Resources | 2016
2 | Policy | OMB | Circular A-130, Section 8b(3), Securing Agency Information Systems | 2016
1 | Policy | OMB | M-00-07, Incorporating and Funding Security in Information Systems Investments | 2000
GUIDANCE
ID | Type | Agent | Description | Date
55 | Guidance | NIST | Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information | 2018
54 | Guidance | NIST | Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), Version 1.1 | 2018
43 | Guidance | NIST | Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | 2016
26 | Guidance | NIST | Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations | 2011
25 | Guidance | NIST | Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems | 2011
24 | Guidance | NIST | Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View | 2011
23 | Guidance | NIST | Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems | 2018
22 | Guidance | NIST | Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations | 2013
16 | Guidance | NIST | Special Publication 800-60, Vol. II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories | 2008
15 | Guidance | NIST | Special Publication 800-60, Vol. I: Guide for Mapping Types of Information and Information Systems to Security Categories | 2008
14 | Guidance | NIST | Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems | 2006
7 | Guidance | NIST | Special Publication 800-50, Building an Information Technology Security Awareness and Training Program | 2003
6 | Guidance | NIST | Special Publication 800-59, Guideline for Identifying an Information System as a National Security System | 2003
REPORTS AND STRATEGIES