NIST Special Publication 800-26 Security Self-Assessment Guide
NIST Special Publication 800-26, "Security Self-Assessment Guide for IT Systems" and Other NIST Resources
Marianne Swanson, Computer Security Division, Information Technology Laboratory, NIST
Topics
– Self-Assessment Framework & Guidance Document
– Other NIST documents & resources
History
– CIO Council IT Security Assessment Framework
– Government Information Security Reform Act
– Federal Information Security Management Act
Description of Guide
– Framework: groundwork for standardizing and measuring IT security
  – Five levels of effectiveness
  – Criteria for implementing each level
– Assessment Guide: builds on the Framework; questions are directed at the system
Description (continued)
– Specific control objectives and techniques that a system can be measured against
– Blends requirements and guidance from GAO's FISCAM and NIST guidance documents
NIST Guidance – IT Security Management
– Introduction to Computer Security: The NIST Handbook (NIST SP 800-12)
– Guide for Developing Security Plans for IT Systems (NIST SP 800-18)
– Risk Management Guide (NIST SP 800-30)
– Contingency Planning Guide (NIST SP 800-34)
NIST Guidance – IT Security Management (cont.)
– Certification and Accreditation Guide (coming soon)
– Minimum Security Controls (coming soon)
– Security Metrics (coming soon)
– http://csrc.nist.gov
ICAT Vulnerability Index
– Over 5000 vulnerabilities
– Fine-grained search engine
– Links to vulnerability and patch information
– http://icat.nist.gov
Federal Agency Security Practices
– Three areas on the web site
  – Agency practices
  – FAQ
  – Original BSP pilot submission
– Hosted by the Federal Computer Security Program Managers' Forum
– http://csrc.nist.gov/fasp
Agency Practices
– No special submission format is required
– Send documents as an e-mail attachment
– We require the title of the file and the name of the submitting agency
– Contact information is optional
– Files can be generic with no agency identifiers; NIST will do that for the agency if wanted
– Need agencies to send what they have: the more the better
FAQ
– Questions generated by the Forum over the past three years
– Categorized by topic area
– Questions answered primarily through the Forum e-mail, with additional information provided by NIST
– FAQ will be added to as questions occur
Contact Information
Marianne Swanson
301-975-3293
marianne.swanson@nist.gov
- Slides: 12