
FASP Areas

Some security practices in the listing below may not reference an organization's affiliation. These practices are provided in a generic format. Document icons specify the type of file format (Ex. MS Word, pdf, Text file, etc.). The right column contains the document title. The left column contains the date when the file was posted to this page.


Audit Trails

Maintains a record of system activity by system or application processes and by user activity.

Document Posted

Authorize Processing (C&A)

Provides a form of assurance of the security of the system.

Document Posted
Information Security Certification & Accreditation (C&A) Program Procedures - (CMS) 07/01/09
Plan of Action & Milestones (POA&M) Guidelines - (CMS) 07/01/09
Bridge Accreditation Process - (Centers for Disease Control and Prevention (CDC)) 06/26/09
Plan of Action and Milestones (POA&M) Template - (CDC) 06/26/09
IA Cost Model Template - (US Coast Guard) 05/15/09
C&A Stakeholder Quarterly Training 04/16/08
C&A Document Tracker 04/16/08
C&A Comments Matrix 04/16/08
C&A Boundary/Scope Memorandum 04/16/08
Baseline System Information - (CDC) 10/18/06
Information Technology Security Test and Evaluation Guide - (Department of Health and Human Services) 05/04/06
NIST 800-37 Risk Management & Certification and Accreditation Tasks - (TSA) 09/14/04

Contingency Planning

How to keep an organization's critical functions operating in the event of disruption, large and small.

Document Posted
Contingency Plan Procedure - (CMS) 07/01/09
Contingency Plan Template - (CMS) 07/01/09
Contingency Plan Tabletop Test Template - (CMS) 07/01/09
Contingency Plan Template 04/16/08
System and Data Backups - (FCC) 12/29/04
Contingency Planning Template - (DOJ) 7/03/03

Continuous Monitoring

Activities include configuration management and control of information system components, security impact analysis of changes to the system, ongoing assessment of security controls, and status reporting.

Document Posted
Continuous Monitoring Training 04/16/08

Data Integrity

Controls used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets expectations about its quality and integrity.

Document Posted
Viruses 101 - (FCC) 07/03/03

Hardware and System Software Maintenance

Controls used to monitor the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record is maintained of changes.

Document Posted

Identification and Authentication

Technical measures that prevent unauthorized people (or unauthorized processes) from entering an IT system.

Document Posted
Password Protection - (FCC) 07/03/03
Creating Strong Passwords - (FCC) 07/03/03

Incident Response Capability

Capability to provide help to users when a security incident occurs in a system.

Document Posted
Incident Handling and Breach Notification Analysis/Notification Procedure - (CMS) 07/01/09
Incident Reporting Template - (CMS) 07/01/09
Business Continuity Plan Format Guide - (Centers for Disease Control and Prevention (CDC)) 06/26/09
Business Continuity Plan Functional Test After-Action Report - (CDC) 06/26/09
Business Continuity Plan Tabletop Test After-Action Report - (CDC) 06/26/09
Procedures and Techniques for Prevention of and Recovery From Fast Spreading Malware - (EEOC) 11/18/04
VA Central Incident Response Capability (VA-CIRC) - (Department of VA) 06/15/04

Life Cycle

IT system life cycles contain five basic phases: initiation, development and/or acquisition, implementation, operation, and disposal.

Document Posted
The Project Manager's View of Security Processes Over the System Development Life Cycle - (Dept. of VA) 11/18/04

Logical Access Controls

System-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted.

Document Posted

Network Security

Secure communication capability that allows one user or system to connect to another user or system.

Document Posted
Categorization and Firewall Worksheet - (Centers for Disease Control and Prevention (CDC)) 06/26/09
Social Networking Website Security Mitigation - (CDC) 06/17/09
Social Media Site Review Plan - (CDC) 06/17/09
Combined Hardware/Software Solutions to Malware and SPAM Control - (US Equal Employment Opportunity Commission) 11/15/05
Cyber Security Infrastructure Project (ECSIP) - (Department of VA) 6/15/04
Lessons Learned - Phishing Attacks - (Department of Treasury) 06/14/04
E-mail Etiquette 07/03/03
Cookies - (FCC) 07/03/03
E-Mail Hoaxes and Scams - (FCC) 07/03/03
E-Mail Spam - (FCC) 07/03/03

Personnel Security

Involves human users, designers, implementers and managers and how they interact with computers and the access and authorities they need to do their jobs.

Document Posted
National Security Clearance Requirement for CIOs and ITSOs - (Department of Commerce) 10/22/10
Information System Security Critical Elements for Performance Plans (PART 1 of 4 files, see below for part 2-4) - (Department of Commerce) 10/22/10
Information System Security Critical Elements for Performance Plans (PART 2 of 4 files) - (Department of Commerce) 10/22/10
Information System Security Critical Elements for Performance Plans (PART 3 of 4 files) - (Department of Commerce) 10/22/10
Information System Security Critical Elements for Performance Plans (Part 4 of 4 files, see above for part 1-3) - (Department of Commerce) 10/22/10
National Security Information Critical Element for Performance Plans - (Department of Commerce) 10/22/10
Rules of Behavior for Social Networking Usage - (Centers for Disease Control and Prevention (CDC)) 06/17/09
Security Clearance and User ID Request - (Department of Education) 6/15/04
Identity Theft - (FCC) 07/03/03
FCC Personal Use - (FCC) 07/03/03
Policy on Limited Personnel Use of Government Office Equipment - (EPA) 04/08/03

Physical and Environmental Protection

Measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment.

Document Posted
Site Survey of Data Center - (CFTC) 06/15/04
Securing Portable Electronic Media - (FCC) 07/03/03

Policy and Procedures

Formally documented security policies and procedures.

Document Posted
Policy for the Acceptable Use of Desktop/Laptop and Other IT Resources - (CMS) 07/01/09
Rules of Behavior for Connection to Networks - (CMS) 07/01/09
Information Security Terms, Definitions and Acronyms - (CMS) 06/30/09
CDC Wireless Security Policy - Centers for Disease Control and Prevention (CDC) TBA
Use of CDC Information Technology Resources - Centers for Disease Control and Prevention - (CDC) 06/26/09
Information Technology Security Policy Handbook Version 3.1 - (DOI) 09/25/08
Handbook for General Support Systems and Major Applications Inventory Procedures - (Department of Education) 04/07/06
U.S. Customs AIS Security Policy Manual CIS HB 1400-05 - (U.S. Customs) 11/13/03
Administrative Policies and Procedures Manual - (National Labor Relations Board) 07/03/03
Rules of Behavior - (FCC) 07/03/03

Production, Input/Output Controls

Covers topics ranging from a user help desk to procedures for storing, handling and destroying media.

Document Posted
USB Flash Drive Security - (Office of Government Ethics) 05/04/06
Media Sanitization Procedures - (NIST) 12/08/03

Program Management

Overall scope of the program (i.e., PD's, policies and security program plans and guidance).

Document Posted
Policy for Information Security - (CMS) 06/30/09
Policy for the Information Security Program - (CMS) 06/30/09
FISMA Security Assessment Report for FY 07 12/10/07
System Inventory Template 05/25/06
Information Security Program, Plan of Action and Milestones Guide - (Department of Health and Human Services) 05/04/06
Information Security Program - Health Insurance Portability and Accountability Act (HIPAA) Compliance Guide, September 14, 2005 01/17/06
Information Security & FISMA - (National Labor Relations Board) 09/10/04
FISMA Reporting Project - (Department of VA) 06/15/04

Review of Security Controls

Routine evaluations and response to identified vulnerabilities.

Document Posted
Security Assessment Summary Template 04/16/08
Security Test & Evaluation Template 04/16/08
PII Security Controls Assessment Plan Template - (Department of Commerce) 07/28/06
Spreadsheet of SP 800-53 Controls - (Commodity Futures Trading Commission) 06/21/06

Risk Management

The process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.

Document Posted
Risk Mitigation Worksheet - (Centers for Disease Control and Prevention (CDC)) 06/26/09
Risk Calculation Worksheet - (CDC) 06/26/09
Risk Assessment Report - (CDC) 06/26/09

Security Awareness, Training and Education

Improves awareness of the need to protect system resources and develops the skills and knowledge that computer users need to perform their jobs more securely and build in-depth knowledge.

Document Posted
Policy on Information System Security Training for Significant Roles - (Department of Commerce) 10/22/10
January Newsletter - (Minerals Management Service, DOI) 03/12/09
December Newsletter - (Minerals Management Service, DOI) 03/12/09
Stop - Think - Click: 7 Practices for Safer Computing - (FTC) 02/24/06
Cyber Security Practitioner Professionalization (CSPP) - (Department of VA) 06/15/04
Social Engineering - (FCC) 07/03/03
ISSO Course Slides (to be used with participant book and instructor guide) 04/01/03
ISSO Course Participant Book (to be used with ISSO course slides and instructor guide) 04/01/03
ISSO Course Instructor Guide (to be used with ISSO course slides and ISSO course participant book) 04/01/03
Information Security Briefing for Executives 03/24/03
Information Security Briefing for Managers 03/24/03
Risk Assessment and Security Plan Course Slides - (Centers for Medicare & Medicaid Services) 03/24/03

System Security Plan

Provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements.

Document Posted
SSP Workbook for High Impact Level Systems - (CMS) 06/30/09
SSP Workbook for Moderate Impact Level Systems - (CMS) 06/30/09
SSP Workbook for Low Impact Level Systems - (CMS) 06/30/09
SSP Workbook for e-Authentication Level 1 - (CMS) 06/30/09
SSP Workbook for e-Authentication Level 2 - (CMS) 06/30/09
SSP Workbook for e-Authentication Level 3 - (CMS) 06/30/09
SSP Workbook for e-Authentication Level 4 - (CMS) 06/30/09
SSP Workbook Instructions - (CMS) 06/30/09
System Security Plan Procedure - (CMS) 06/30/09
Interconnection Security Agreement (ISA) Template - (CMS) 06/30/09
Memorandum of Understanding (MOU) Template - (CMS) 06/30/09
System Security Plan Template - (CMS) 06/30/09
System Security Plan Template - (Centers for Disease Control and Prevention (CDC)) 06/26/09
Enterprise Master System Security Plan - (CDC) 06/26/09
Security Plan Template for Moderate Impact Systems 04/16/08

* These submissions were first collected by the Federal CIO Council for their Best Security Practices initiative. That material was later passed to NIST's Computer Security Division.