Reference: Federal Guidance for Information Security and Protection


The following is a working list of laws, policies, standards and guidance directly relevant to the management of information systems, for government agencies and federal contractors alike. For this list we used the year 2000 as our cut-off. We also excluded documents that, while referenced in some of the literature, have since been withdrawn or updated by the federal government. An assessment of these information protection and cybersecurity policies, and of how small businesses and government contractors may employ them strategically, is currently in progress.

The following tables, with active links to each document, are also provided as a .pdf for your convenience.

LAWS

| ID | Type | Agent | Description | Date |
|---|---|---|---|---|
| 51 | Law | Congress | Public Law 115-91, FY 2018 NDAA, Title IX, Subtitle B, Data Management and Analytics | 2017 |
| 50 | Law | Congress | Public Law 115-91, FY 2018 NDAA, Title XVI, Subtitle C, Cyberspace-related Matters | 2017 |
| 49 | Law | Congress | Public Law 115-91, FY 2018 NDAA, Title X, Subtitle G, Modernizing Government Technology (MGT) Act | 2017 |
| 48 | Bill | Congress | IoT Cybersecurity Improvement Act | 2017 |
| 38 | Law | Congress | Public Law 114-113, Cybersecurity Act | 2015 |
| 32 | Law | Congress | Public Law 113-283, Federal Information Security Modernization Act (FISMA) | 2014 |
| 27 | Law | Congress | 5 US Code 552, Public Information | 2011 |
| 19 | Law | Congress | Public Law 111-352, GPRA Modernization Act | 2010 |
| 5 | Law | Congress | Public Law 107-347, Title III, Federal Information Security Management Act (Original) | 2002 |
| 4 | Law | Congress | Public Law 107-347, E-Government Act | 2002 |

POLICIES, STANDARDS, AND DIRECTIVES

| ID | Type | Agent | Description | Date |
|---|---|---|---|---|
| 56 | Policy | CNSS | CNSSP No. 28, Cybersecurity of Unmanned National Security Systems | 2018 |
| 47 | Executive Order | President | Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure | 2017 |
| 45 | Executive Order | President | Executive Order 13718, Commission on Enhancing National Cybersecurity | 2016 |
| 44 | Policy | OMB | M-17-25, Guidance on Federal Information Security and Privacy Management Requirements | 2016 |
| 42 | Regulation | NARA | 32 CFR Part 2002, Controlled Unclassified Information | 2016 |
| 40 | Executive Order | President | Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing | 2015 |
| 39 | Policy | OMB | M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government | 2015 |
| 37 | Policy | DHS | BOD-15-01, Critical Vulnerability Mitigation Requirement for Federal Civilian Executive Branch Departments and Agencies’ Internet-accessible Systems | 2015 |
| 36 | Executive Order | President | Executive Order 13681, Improving the Security of Consumer Financial Transactions | 2014 |
| 33 | Policy | OMB | M-15-01, Guidance on Improving Federal Information Security and Privacy Management Practices | 2014 |
| 31 | Policy | OMB | M-14-03, Enhancing the Security of Federal Information and Information Systems | 2013 |
| 30 | Policy | President | Presidential Policy Directive (PPD) 21 | 2013 |
| 29 | Executive Order | President | Executive Order 13636, Improving Critical Infrastructure Cybersecurity | 2013 |
| 28 | Policy | CNSS | CNSSP No. 22, Policy on Information Assurance Risk Management for National Security Systems | 2012 |
| 21 | Policy | OMB | M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS) | 2010 |
| 20 | Executive Order | President | Executive Order 13556, Controlled Unclassified Information | 2010 |
| 18 | Policy | CNSS | Instruction 1253, Security Categorization and Control Selection for National Security Systems | 2014 |
| 17 | Executive Order | President | Executive Order 13526, Classified National Security Information | 2009 |
| 13 | Policy | OMB | M-06-15, Safeguarding Personally Identifiable Information | 2006 |
| 12 | Policy | OMB | M-06-16, Protection of Sensitive Agency Information | 2006 |
| 11 | Policy | OMB | M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments | 2006 |
| 10 | Standard | NIST | FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems | 2006 |
| 9 | Standard | NIST | FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems | 2004 |
| 8 | Policy | CNSS | Instruction 4009, National Information Assurance Glossary | 2010 |
| 3 | Policy | OMB | Circular A-130, Appendix III, Responsibilities for Protecting Federal Information Resources | 2016 |
| 2 | Policy | OMB | Circular A-130, Section 8b (3), Securing Agency Information Systems | 2016 |
| 1 | Policy | OMB | M-00-07, Incorporating and Funding Security in Information Systems Investments | 2000 |

GUIDANCE

| ID | Type | Agent | Description | Date |
|---|---|---|---|---|
| 55 | Guidance | NIST | Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information | 2018 |
| 54 | Guidance | NIST | Framework for Improving Critical Infrastructure Cybersecurity | 2018 |
| 43 | Guidance | NIST | Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations | 2016 |
| 26 | Guidance | NIST | Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations | 2011 |
| 25 | Guidance | NIST | Special Publication 800-128, Guide for Security-focused Configuration Management of Information Systems | 2011 |
| 24 | Guidance | NIST | Special Publication 800-39, Managing Information Security Risk: Organization, Mission and Information System View | 2011 |
| 23 | Guidance | NIST | Special Publication 800-37, Guide for Applying Risk Management Framework to Federal Information Systems | 2018 |
| 22 | Guidance | NIST | Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations | 2013 |
| 16 | Guidance | NIST | Special Publication 800-60, Vol II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories | 2008 |
| 15 | Guidance | NIST | Special Publication 800-60, Vol I: Guide for Mapping Types of Information and Information Systems to Security Categories | 2008 |
| 14 | Guidance | NIST | Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems | 2006 |
| 7 | Guidance | NIST | Special Publication 800-50, Building an Information Technology Security Awareness and Training Program | 2003 |
| 6 | Guidance | NIST | Special Publication 800-59, Guideline for Identifying an Information System as a National Security System | 2003 |

REPORTS AND STRATEGIES

| ID | Type | Agent | Description | Date |
|---|---|---|---|---|
| 57 | Report | DHS; DoC | Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats | 2018 |
| 53 | Report | DHS | FY 18 Inspector General FISMA Act Reporting Metrics | 2018 |
| 52 | Report | ATC | Report to the President on Federal IT Modernization | 2017 |
| 46 | Report | NIST | CENC: Report on Securing and Growing the Digital Economy | 2016 |
| 41 | Strategy | President | Cybersecurity National Action Plan (CNAP) | 2016 |
| 35 | Report | OMB | FY 15 CIO Annual FISMA Metrics | 2014 |
| 34 | Report | OMB | FISMA: Fiscal Year 2013 Evaluation Report No. 522 | 2014 |