
Drivers

The United States Congress and OMB have instituted laws, regulations, and directives that govern creation and implementation of federal information security practices. These laws and regulations place responsibility and accountability for information security at all levels within federal agencies, from the agency head to system users. Furthermore, these laws and regulations provide an infrastructure for overseeing implementation of required practices, and charge NIST with developing and issuing standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act (FISMA) of 2002 and in managing cost-effective programs to protect their information and information systems. These laws, regulations, standards, and guidance:

  • Establish agency-level responsibilities for information security;
  • Define key information security roles and responsibilities;
  • Establish a minimum set of controls in information security programs;
  • Specify compliance reporting rules and procedures; and
  • Provide other essential requirements and guidance.

In addressing these requirements, agencies should tailor their information security practices to their organization’s own missions, operations, and needs.

2007-2008 Drivers

Policy Date Title of Policy
March 2008 Sensitive Database Extracts Technical Frequently Asked Questions

2006-2007 Drivers

Policy Date Title of Policy
July 2007 FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

June 2007 (M-07-18) Ensuring New Acquisitions Include Common Security Configurations

May 2007 Memorandum for Heads of Executive Departments and Agencies, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information"

Dec. 2006 Recognition of Certification and Accreditation of Certified PKI Shared Service Providers Across Agency Boundaries
Memorandum for Federal Information System Security Managers from Mary Mitchell, Deputy Associate Administrator of Technology Strategy, GSA

June 2006 OMB Reinforces Strict Adherence to Safeguard Standards

June 2006 Protection of Sensitive Agency Information
Memorandum for the Heads of Departments and Agencies
From Clay Johnson, Deputy Director for Management

May 2006 (M-06-15) Safeguarding Personally Identifiable Information
Memorandum for the Heads of Departments and Agencies
From Clay Johnson, Deputy Director for Management

2004-2005 Drivers

Policy Date Title of Policy
 August 2005 OMB Memo: Implementation of HSPD 12 - Policy for a Common Identification Standard for Federal Employees and Contractors
 
 August 2005 (M-05-22) OMB Memo: Transition Planning for Internet Protocol Version 6 (IPv6)
 
 June 2005 OMB Memo: FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (.html page)
 
 December 2004 (M-05-05) Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services
 
 September 2004 Personal Use Policies and "File Sharing" Technology (.html page)
 
August 2004 Homeland Security Presidential Directive/Hspd-12
Subject: Policy for a Common Identification Standard for Federal Employees and Contractors (.html page)
 
July 2004 The FEA Security and Privacy Profile Phase I Final
June 2004 In June 2004, the Office of Personnel Management (OPM) released their updated regulations for information security awareness and training . . . part of public law. (.html page)
 
June 2004 1. Memorandum for the Heads of Executive Departments and Agencies. SUBJECT: Development of Homeland Security Presidential Directive (HSPD) -7 Critical Infrastructure Protection Plans to Protect Federal Critical Infrastructures and Key Resources
 
2. HSPD-7 Subject: Critical Infrastructure Identification, Prioritization and Protection
 
3. CIP Instructions - Attachment B: Format of Internal Department/Agency CIP Plan
 

2002-2003 Drivers

Policy Date Title of Policy
December 2003 OMB Memo: E-authentication Guidance for Federal Agencies
 
December 2003 Homeland Security Presidential Directive/Hspd-7
Subject: Critical Infrastructure Identification, Prioritization, and Protection (.html page)
 
September 2003  OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (.html page)
 
September 2003 OMB Guidance to Assist Agencies With Certification and Accreditation Efforts
 
December 2002 Electronic Government Act of 2002
 
December 2002 Cyber Security R&D Act
 
December 2002 Federal Information Security Management Act of 2002 (Title III of E-Gov)
 
October 2002 Guidance on Homeland Security Information Issued - DOJ - Action to Safeguard Information Regarding Weapons of Mass Destruction and Other Sensitive Documents Related to Homeland Security (.html page)
September 12, 2002 Handling and Reporting Computer Security Incidents (memorandum - .html page)
July 2002 (M-02-09) Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action and Milestones

2000-2001 Drivers

Policy Date Title of Policy
November 26, 2001 OMB Guidance to Federal Agencies on Data Availability and Encryption
 
October 16, 2001 Executive Order: Critical Infrastructure Protection in the Information Age (.html page)

August 15, 2001 MEMORANDUM to Chief Information Officers and Program Officials; FROM: Dan Chenok; SUBJECT: Guidance on the Release of Security Act Reports

January 2001 Department of The Treasury - Fiscal Service - Electronic Authentication Policy - Policies and practices for the use of electronic transactions and authentication techniques in Federal payments and collections.

January 2001 (M-01-08) Guidance on the Government Information Security Reform Act

November 2000 Federal Information Technology Security Assessment Framework

November 2000 (Appendix III to OMB Circular No. A-130) Security of Federal Automated Information Resources

September 2000 OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act: OMB memorandum (.html page); Global and National Commerce Act (.pdf file)

June 2000 This site contains a copy of a June 22, 2000 memorandum from OMB Director Jacob J. Lew on the subject of privacy policies and data collection on Federal websites. (.html page)

May 2000 OMB issues Federal Register Notice on Procedures and Guidance for the Implementation of the Government Paperwork Elimination Act (.pdf file) [Federal Register, Vol. 65, No. 85, Tuesday, May 2, 2000].

March 2000 The President sent a memo to the heads of Departments and Agencies on renewing their efforts to safeguard their computer systems against denial-of-service attacks on the Internet.

February 2000 (M-00-07) Incorporating and Funding Security in Information Systems Investments

February 2000 The President's Chief of Staff sent a memo to the heads of Federal Departments and Agencies on computer security. (.html page)
 

Pre-2000 Drivers

Policy Date Title of Policy
July 1999 Privacy Policies on Federal Web Sites

July 1999 Security of Federal Automated Information Resources (memorandum from Jacob J. Lew, Director)

May 1998 Critical Infrastructure Protection

November 2000 OMB Circular A-130, Revised (.pdf file, web page)

November 2000 Appendix III to OMB Circular No. A-130 (.pdf file, web page)

1987 Computer Security Act of 1987 (has been superseded by Federal Information Security Management Act of 2002 (Title III of E-Gov))