Federal Agency Security Practices (FASP)
DISCLAIMER

NIST has designed this web site primarily as an educational resource for Federal security professionals. NIST makes no claim that use of the security practices will assure a successful outcome. Each Federal security professional should apply his or her own professional judgment when using a security practice.

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.
FASP Areas | Date
There are some FASP in the listing below that do not reference an agency affiliation. These examples are provided in a generic format. The original BSP submissions are identified below by an asterisk (*) behind their title. The original BSP submissions marked by * are in .html format. The new FASP links are in MS Word format (without *). If any files are NOT in Word format, the file format will be specified next to the link.
AUDIT TRAILS - maintains a record of system activity by system or application processes and by user activity.

Sample Generic Policy and High Level Procedures for Audit Trails | 08/02/00

AUTHORIZE PROCESSING (C&A) - provides a form of assurance of the security of the system.

Certification and Accreditation Documentation Performance Work Summary | 07/30/02
Statement of Work: Certification and Accreditation Blanket Purchase Agreement - Dept. Education | 02/12/02
Sample Generic Policy and High Level Procedures for Certification/Accreditation | 10/29/01
Certification and Accreditation -- DLA * | 03/12/01
C&A of Core Financial System -- USAID * | 02/05/01
How to Accredit Information Systems for Operation -- DOD/NSWC * | 02/01/01

CONTINGENCY PLANNING - how to keep an organization's critical functions operating in the event of disruption, large and small.

System and Data Backups -- FCC (.pdf) | 07/03/03
Contingency Planning Template - DOJ | 12/01
Contingency Planning Template Instructions - DOJ | 08/21/01
Sample Generic Policy and High Level Procedures for Contingency Plans | 08/02/00
Continuity of Operations -- Treasury * | 05/19/00

DATA INTEGRITY - controls used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets expectations about its quality and integrity.

Viruses 101 -- FCC (.pdf) | 07/03/03
How to Protect Against Viruses Using Attachment Blocking - National Endowment for the Humanities | 02/05/02
Sample Generic Policy and High Level Procedures for Data Integrity/Validation | 08/02/00

DOCUMENTATION - descriptions of the hardware, software, policies, standards, procedures, and approvals related to the system; documentation records and formalizes the system's security controls.

Memorandum of Understanding for System Interconnections | 09/13/02
Sample Generic Policy and High Level Procedures for System Documentation | 08/26/00
Interconnection Security Agreements -- Customs * | 08/02/00

HARDWARE AND SYSTEM SOFTWARE MAINTENANCE - controls used to monitor the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record is maintained of changes.

Configuration Management Plan | 11/01
Interim Policy Document on Configuration Management | 11/01
Sample Generic Policy and High Level Procedures for Hardware and Application Software Security | 08/02/00

IDENTIFICATION AND AUTHENTICATION - technical measures that prevent unauthorized people (or unauthorized processes) from entering an IT system.

Password Protection -- FCC (.pdf) | 07/03/03
Creating Strong Passwords - FCC (.pdf format) | 07/25/02
Password Cracking Information - National Labor Relations Board | 08/20/01
Password Management Standard - National Labor Relations Board | 08/13/01
Sample Generic Policy and High Level Procedures for Passwords and Access Forms | 08/02/00

INCIDENT RESPONSE CAPABILITY - capability to provide help to users when a security incident occurs in a system.

Computer Incident Response Team Desk Reference - Federal Communications Commission (.pdf format) | 07/30/02
Identification & Authentication on FCC Systems (.pdf format) | 07/30/02
Computer Virus Incident Report Form | 01/10/02
FCC Computer Incident Response Guide (.pdf format) | 12/30/01
Sample Generic Policy and High Level Procedures for Incident Response | 03/02/01
Developing an Agency Incident Response Process -- SSA * | 02/20/01
Incident Handling -- BMDO * | 05/22/00

LIFE CYCLE - IT system life cycles contain five basic phases: initiation, development and/or acquisition, implementation, operation, and disposal.

Sample Generic Policy and High Level Procedures for Life Cycle Security | 01/02/01
Integrating Security into Systems Development Life Cycle -- SSA * | 12/20/00

LOGICAL ACCESS CONTROLS - system-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted.

Decision Paper on Use of Screen Warning Banner | 12/13/01
Sample Warning Banner - National Labor Relations Board | 12/12/01

NETWORK SECURITY - secure communication capability that allows one user or system to connect to another user or system.

E-mail Etiquette (.pdf) | 07/03/03
Cookies -- FCC (.pdf) | 07/03/03
E-Mail Hoaxes and Scams -- FCC (.pdf) | 07/03/03
E-Mail Spam - FCC (.pdf format) | 05/15/02
Network Perimeter Security Policy | 10/01/01
Securing POP Mail on Windows Clients -- NASA * | 06/13/01
How to Deploy Firewalls -- Carnegie Mellon * | 02/16/01
Configuration of Technical Safeguards -- USAID * | 01/23/01
Network Security Management Policy | 01/08/01
How To Secure a Domain Name Server (DNS) -- GSA * | 05/11/00

PERSONNEL SECURITY - involves human users, designers, implementers and managers and how they interact with computers and the access and authorities they need to do their jobs.

Identity Theft -- FCC (.pdf) | 07/03/03
FCC Personal Use -- FCC (.pdf) | 07/03/03
Policy on Limited Personnel Use of Government Office Equipment - EPA (.pdf) | 04/08/03
    Note: While approved by the Agency, the policy is subject to union negotiations prior to implementation.
Email Policy - FCC | 11/14/02
Internet Use Policy - FCC | 11/14/02
Limited Personnel Use of Government Equipment | 11/14/02
Non-disclosure Form - FCC | 09/13/02
Guidelines for Evaluating Information on Public Web Sites | 10/19/01
Receipt of Proprietary Information | 10/01/01
Sample Generic Policy and High Level Procedures for Personnel Security | 12/18/00
Personal Use Policy -- OPM * | 12/04/00
Limited Personal -- VA * | 10/03/00
Investigative Requirements for Contractor Employees | 10/29/97

PHYSICAL AND ENVIRONMENTAL PROTECTION - measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment.

Securing Portable Electronic Media - FCC (.pdf format) | 06/30/02
Sample Generic Policy and High Level Procedures for Facility Protection | 08/02/00

PRODUCTION, INPUT/OUTPUT CONTROLS - covers topics ranging from a user help desk to procedures for storing, handling and destroying media.

Media Sanitization Procedures - NIST | 12/08/03
Disk Sanitization Procedures -- NIH * | 06/01/01
Remove all Data From Workstations & Servers -- USAID * | 04/25/01
Sample Generic Policy and High Level Procedures for Marking, Handling, Processing, Storage and Disposal of Data | 08/02/00

POLICY and PROCEDURES - formally documented security policies and procedures.

Administrative Policies and Procedures Manual -- National Labor Relations Board | 07/03/03
Rules of Behavior -- FCC (.pdf) | 07/03/03
Internet Security Policy - CMS (.pdf) | 04/10/03
General Support System and Major Application Inventory Procedures - Dept. of Ed. | 11/28/02
Security Handbook - Glossary | 11/15/02
Security Handbook - Management Controls | 11/15/02
Security Handbook - Operational Controls | 11/14/02
Security Handbook - Technical Controls | 11/14/02
Telecommuting and Mobile Computer Security Policy | 01/08/02
Sample of XX Agency Large Service Application (LSA) Information Technology (IT) Security Program Policy | 08/02/00
Security Handbook and Standard Operating Procedures -- GSA/PBS | 08/02/00

PROGRAM MANAGEMENT - overall scope of the program (i.e., position descriptions (PDs), policies, and security program plans and guidance).

Legislative Resource - CMS (.pdf) | 04/10/03
IT Security Cost Estimation Guide - Dept. of Ed. | 11/28/02
A Summary Guide: Public Law, Executive Orders, and Policy Documents - Dept. of Treasury | 11/13/01
Position Description for Computer System Security Officer, GS-334-13 | 10/01/01
Position Description for Information Security Officer, GS-334-15 | 10/01/01
Position Description for Computer Specialist, GS-334-14 | 10/01/01
Sample of an Information Technology (IT) Security Staffing Plan for a Large Service Application (LSA) | 11/15/99

REVIEW OF SECURITY CONTROLS - routine evaluations and response to identified vulnerabilities.

Statement of Work for IT Security Review (Rich Text Format) | 06/12/02
Statement of Work - Information Technology (IT) Security Program Assessment Review (.pdf format) | 10/21/01
Mission Site Vulnerability Assessment -- USAID * | 06/13/01
Overseas Computer Security Review - Department of State | 02/20/01
Modem Scan Process -- USAID * | 01/23/01
Review of Information Technology (IT) Systems | 08/02/00

RISK MANAGEMENT - the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.

Risk Assessment Methodology - CMS (.pdf) | 04/10/03
Risk Assessment Template - CMS (zipped file - WinZip) | 04/10/03
Threat Identification Resource - CMS (.pdf) | 04/10/03
Threat ID Workbook - CMS (zipped file - WinZip) | 04/10/03
System Security Levels - CMS (.pdf) | 04/10/03
Acceptable Risk Safeguards - CMS (.pdf) | 04/10/03
General Support Systems and Major Applications Inventory Guide | 07/25/02
Sample Levels of Sensitivity | 03/11/02
Statement of Work: Risk Assessments - Dept. Education | 02/12/02
Sample Generic Policy and High Level Procedures for Risk Assessment | 08/02/00

SECURITY AWARENESS, TRAINING AND EDUCATION - improves awareness of the need to protect system resources, and develops the skills and knowledge that let computer users perform their jobs more securely and build in-depth knowledge.

Social Engineering -- FCC (.pdf) | 07/03/03
ISSO Course Slides (to be used with participant book and instructor guide) (Powerpoint) | 04/01/03
ISSO Course Participant Book (to be used with ISSO course slides and instructor guide) | 04/01/03
ISSO Course Instructor Guide (to be used with ISSO course slides and ISSO course participant book) | 04/01/03
Information Security Briefing for Executives (Powerpoint) | 03/24/03
Information Security Briefing for Managers (Powerpoint) | 03/24/03
Risk Assessment and Security Plan Course Slides - Centers for Medicare & Medicaid Services (Powerpoint) | 03/24/03
Short Security Awareness Briefing NIST (.pdf) | 12/10/01
Building an IT Security Awareness Program - NIST (Powerpoint) | 11/01/01
Certification of Information Security Awareness Training Form | 11/01/01
Security Training at Missions -- USAID * | 01/23/01
Sample Generic Policy and High Level Procedures for Security Awareness, and Training | 08/02/00
Statement of Work - Computer Security Awareness and Training | 04/14/00

SYSTEM SECURITY PLAN - provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements.

General Support Systems and Major Applications Inventory Guide | 07/25/02
Security Plan -- USAID * | 01/23/01
Sample Generic Policy and High Level Procedures for Security Plans | 08/02/00