FASP Areas

Some security practices in the listing below may not reference an organization's affiliation. These practices are provided in a generic format. Document icons specify the type of file format (Ex. MS Word, pdf, Text file, etc.). The right column contains the document title. The left column contains the date when the file was posted to this page.

NOTE: After clicking link to document, the document will open in a blank browser window and this page will be in the background.

Audit Trails

Maintains a record of system activity by system or application processes and by user activity.

Document	Posted

Authorize Processing (C&A)

Provides a form of assurance of the security of the system.

Document	Posted
Information Security Certification & Accreditation (C&A) Program Procedures - (CMS)	07/01/09
Plan of Action & Milestones (POA&M) Guidelines - (CMS)	07/01/09
Bridge Accreditation Process - (Centers for Disease Control and Prevention (CDC))	06/26/09
Plan of Action and Milestones (POA&M) Template - (CDC)	06/26/09
IA Cost Model Template - (US Coast Guard)	05/15/09
C&A Stakeholder Quarterly Training	04/16/08
C&A Document Tracker	04/16/08
C&A Comments Matrix	04/16/08
C&A Boundary/Scope Memorandum	04/16/08
Baseline System Information - (CDC)	10/18/06
Information Technology Security Test and Evaluation Guide - (Department of Health and Human Services)	05/04/06
NIST 800-37 Risk Management & Certification and Accreditation Tasks - (TSA)	09/14/04

Contingency Planning

How to keep an organization's critical functions operating in the event of disruption, large and small.

Document	Posted
Contingency Plan Procedure - (CMS)	07/01/09
Contingency Plan Template - (CMS)	07/01/09
Contingency Plan Tabletop Test Template - (CMS)	07/01/09
Contingency Plan Template	04/16/08
System and Data Backups - (FCC)	12/29/04
Contingency Planning Template - (DOJ)	7/03/03

Continuous Monitoring

Activities include configuration management and control of information system components, security impact analysis of changes to the system, ongoing assessment of security controls, and status reporting.

Document	Posted
Continuous Monitoring Training	04/16/08

Data Integrity

Controls used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets expectations about its quality and integrity.

Document	Posted
Viruses 101 - (FCC)	07/03/03

Hardware and System Software Maintenance

Controls used to monitor the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record is maintained of changes.

Document	Posted

Identification and Authentication

Technical measures that prevent unauthorized people (or unauthorized processes) from entering an IT system.

Document	Posted
Password Protection - (FCC)	07/03/03
Creating Strong Passwords - (FCC)	07/03/03

Incident Response Capability

Capability to provide help to users when a security incident occurs in a system.

Document	Posted
Incident Handling and Breach Notification Analysis/Notification Procedure - (CMS)	07/01/09
Incident Reporting Template - (CMS)	07/01/09
Business Continuity Plan Format Guide - (Centers for Disease Control and Prevention (CDC))	06/26/09
Business Continuity Plan Functional Test After-Action Report - (CDC)	06/26/09
Business Continuity Plan Tabletop Test After-Action Report - (CDC)	06/26/09
Procedures and Techniques for Prevention of and Recovery From Fast Spreading Malware - (EEOC)	11/18/04
VA Central Incident Response Capability (VA-CIRC) - (Department of VA)	06/15/04

Life Cycle

IT system life cycles contain five basic phases: initiation, development and/or acquisition, implementation, operation, and disposal.

Document	Posted
The Project Manager's View of Security Processes Over the System Development Life Cycle - (Dept. of VA)	11/18/04

Logical Access Controls

System-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted.

Document	Posted

Network Security

Secure communication capability that allows one user or system to connect to another user or system.

Document	Posted
Categorization and Firewall Worksheet - (Centers for Disease Control and Prevention (CDC))	06/26/09
Social Networking Website Security Mitigation - (CDC)	06/17/09
Social Media Site Review Plan - (CDC)	06/17/09
Combined Hardware/Software Solutions to Malware and SPAM Control - (US Equal Employment Opportunity Commission)	11/15/05
Cyber Security Infrastructure Project (ECSIP) - (Department of VA)	6/15/04
Lessons Learned - Phishing Attacks - (Department of Treasury)	06/14/04
E-mail Etiquette	07/03/03
Cookies - (FCC)	07/03/03
E-Mail Hoaxes and Scams - (FCC)	07/03/03
E-Mail Spam - (FCC)	07/03/03

Personnel Security

Involves human users, designers, implementers and managers and how they interact with computers and the access and authorities they need to do their jobs.

Document	Posted
National Security Clearance Requirement for CIOs and ITSOs - (Department of Commerce)	10/22/10
Information System Security Critical Elements for Performance Plans (PART 1 of 4 files, see below for part 2-4) - (Department of Commerce)	10/22/10
Information System Security Critical Elements for Performance Plans (PART 2 of 4 files) - (Department of Commerce)	10/22/10
Information System Security Critical Elements for Performance Plans (PART 3 of 4 files) - (Department of Commerce)	10/22/10
Information System Security Critical Elements for Performance Plans (Part 4 of 4 files, see above for part 1-3) - (Department of Commerce)	10/22/10
National Security Information Critical Element for Performance Plans - (Department of Commerce)	10/22/10
Rules of Behavior for Social Networking Usage - (Centers for Disease Control and Prevention (CDC))	06/17/09
Security Clearance and User ID Request - (Department of Education)	6/15/04
Identity Theft - (FCC)	07/03/03
FCC Personal Use - (FCC)	07/03/03
Policy on Limited Personnel Use of Government Office Equipment - (EPA)	04/08/03

Physical and Environmental Protection

Measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment.

Document	Posted
Site Survey of Data Center - (CFTC)	06/15/04
Securing Portable Electronic Media - (FCC)	07/03/03

Policy and Procedures

Formally documented security policies and procedures.

Document	Posted
Policy for the Acceptable Use of Desktop/Laptop and Other IT Resources - (CMS)	07/01/09
Rules of Behavior for Connection to Networks - (CMS)	07/01/09
Information Security Terms, Definitions and Acronyms - (CMS)	06/30/09
CDC Wireless Security Policy - Centers for Disease Control and Prevention (CDC)	TBA
Use of CDC Information Technology Resources - Centers for Disease Control and Prevention - (CDC)	06/26/09
Information Technology Security Policy Handbook Version 3.1 - (DOI)	09/25/08
Handbook for General Support Systems and Major Applications Inventory Procedures - (Department of Education)	04/07/06
U.S. Customs AIS Security Policy Manual CIS HB 1400-05 - (U.S. Customs)	11/13/03
Administrative Policies and Procedures Manual - (National Labor Relations Board)	07/03/03
Rules of Behavior - (FCC)	07/03/03

Production, Input/Output Controls

Covers topics ranging from a user help desk to procedures for storing, handling and destroying media.

Document	Posted
USB Flash Drive Security - (Office of Government Ethics)	05/04/06
Media Sanitization Procedures - (NIST)	12/08/03

Program Management

Overall scope of the program (i.e., PD's, policies and security program plans and guidance).

Document	Posted
Policy for Information Security - (CMS)	06/30/09
Policy for the Information Security Program - (CMS)	06/30/09
FISMA Security Assessment Report for FY 07	12/10/07
System Inventory Template	05/25/06
Information Security Program, Plan of Action and Milestones Guide - (Department of Health and Human Services)	05/04/06
Information Security Program - Health Insurance Portability and Accountability Act (HIPAA) Compliance Guide, September 14, 2005	01/17/06
Information Security & FISMA - (National Labor Relations Board)	09/10/04
FISMA Reporting Project - (Department of VA)	06/15/04

Review of Security Controls

Routine evaluations and response to identified vulnerabilities.

Document	Posted
Security Assessment Summary Template	04/16/08
Security Test & Evaluation Template	04/16/08
PII Security Controls Assessment Plan Template - (Department of Commerce)	07/28/06
Spreadsheet of SP 800-53 Controls - (Commodity Futures Trading Commission)	06/21/06

Risk Management

The process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.

Document	Posted
Risk Mitigation Worksheet - (Centers for Disease Control and Prevention (CDC))	06/26/09
Risk Calculation Worksheet - (CDC)	06/26/09
Risk Assessment Report - (CDC)	06/26/09

Security Awareness, Training and Education

Improves awareness of the need to protection system resources as well as develops skills and knowledge so computer users can perform their jobs more securely and build in-depth knowledge.

Document	Posted
Policy on Information System Security Training for Significant Roles - (Department of Commerce)	10/22/10
January Newsletter - (Minerals Management Service, DOI)	03/12/09
December Newsletter - (Minerals Management Service, DOI)	03/12/09
Stop - Think - Click: 7 Practices for Safer Computing - (FTC)	02/24/06
Cyber Security Practitioner Professionalization (CSPP) - (Department of VA)	06/15/04
Social Engineering - (FCC)	07/03/03
ISSO Course Slides (to be used with participant book and instructor guide)	04/01/03
ISSO Course Participant Book (to be used with ISSO course slides and instructor guide)	04/01/03
ISSO Course Instructor Guide (to be used with ISSO course slides and ISSO course participant book)	04/01/03
Information Security Briefing for Executives	03/24/03
Information Security Briefing for Managers	03/24/03
Risk Assessment and Security Plan Course Slides - (Centers for Medicare & Medicaid Services)	03/24/03

System Security Plan

Provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements.

Document	Posted
SSP Workbook for High Impact Level Systems - (CMS)	06/30/09
SSP Workbook for Moderate Impact Level Systems - (CMS)	06/30/09
SSP Workbook for Low Impact Level Systems - (CMS)	06/30/09
SSP Workbook for e-Authentication Level 1 - (CMS)	06/30/09
SSP Workbook for e-Authentication Level 2 - (CMS)	06/30/09
SSP Workbook for e-Authentication Level 3 - (CMS)	06/30/09
SSP Workbook for e-Authentication Level 4 - (CMS)	06/30/09
SSP Workbook Instructions - (CMS)	06/30/09
System Security Plan Procedure - (CMS)	06/30/09
Interconnection Security Agreement (ISA) Template = (CMS)	06/30/09
Memorandum of Understand (MOU) Template = (CMS)	06/30/09
System Security Plan Template = (CMS)	06/30/09
System Security Plan Template - (Centers for Disease Control and Prevention (CDC))	06/26/09
Enterprise Master System Security Plan - (CDC)	06/26/09
Security Plan Template for Moderate Impact Systems	04/16/08

* These submissions were first collected by the Federal CIO Council for their Best Security Practices initiative. That material was later passed to NIST's Computer Security Division.

NIST, Computer Security Division, Computer Security Resource Center