
APPENDIX A

REFERENCES

LAWS, POLICIES, DIRECTIVES, REGULATIONS, STANDARDS, AND GUIDELINES

  1. LAWS AND EXECUTIVE ORDERS
  2. POLICIES, REGULATIONS, DIRECTIVES, AND INSTRUCTIONS
  3. STANDARDS, GUIDELINES, AND REPORTS
  4. MISCELLANEOUS PUBLICATIONS AND WEBSITES

LAWS AND EXECUTIVE ORDERS

[32 CFR 2002.4] Title 32 Code of Federal Regulations, Sec. 2002.4, Definitions. 2018 ed.
https://www.govinfo.gov/app/details/CFR-2018-title32-vol6/CFR-2018-title32-vol6-sec2002-4

[40 USC 11331] Title 40 U.S. Code, Sec. 11331, Responsibilities for Federal information systems standards. 2017 ed. https://www.govinfo.gov/app/details/USCODE-2017-title40/USCODE-2017-title40-subtitleIII-chap113-subchapIII-sec11331

[44 USC 3301] Title 44 U.S. Code, Sec. 3301, Definition of records. 2017 ed. https://www.govinfo.gov/app/details/USCODE-2017-title44/USCODE-2017-title44-chap33-sec3301

[44 USC 3502] Title 44 U.S. Code, Sec. 3502, Definitions. 2017 ed. https://www.govinfo.gov/app/details/USCODE-2017-title44/USCODE-2017-title44-chap35-subchapI-sec3502

[44 USC 3552] Title 44 U.S. Code, Sec. 3552, Definitions. 2017 ed. https://www.govinfo.gov/app/details/USCODE-2017-title44/USCODE-2017-title44-chap35-subchapII-sec3552

[44 USC 3554] Title 44 U.S. Code, Sec. 3554, Federal agency responsibilities. 2017 ed. https://www.govinfo.gov/app/details/USCODE-2017-title44/USCODE-2017-title44-chap35-subchapII-sec3554

[44 USC 3601] Title 44 U.S. Code, Sec. 3601, Definitions. 2017 ed. https://www.govinfo.gov/app/details/USCODE-2017-title44/USCODE-2017-title44-chap36-sec3601

[PRIVACT] Privacy Act (P.L. 93-579), December 1974. https://www.govinfo.gov/app/details/STATUTE-88/STATUTE-88-Pg1896

[FOIA96] Freedom of Information Act (FOIA), 5 U.S.C. § 552, As Amended By Public Law No. 104-231, 110 Stat. 3048, Electronic Freedom of Information Act Amendments of 1996. https://www.govinfo.gov/app/details/PLAW-104publ231

[FISMA] Federal Information Security Modernization Act (P.L. 113-283), December 2014. https://www.govinfo.gov/app/details/PLAW-113publ283

[EO 13800] Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 2017. https://www.govinfo.gov/app/details/FR-2017-05-16/2017-10004

POLICIES, REGULATIONS, DIRECTIVES, AND INSTRUCTIONS

[OMB A-123] Office of Management and Budget Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control, July 2016. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf

[OMB A-130] Office of Management and Budget Circular A-130, Managing Information as a Strategic Resource, July 2016. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf

[OMB M-13-13] Office of Management and Budget Memorandum M-13-13, Open Data Policy-Managing Information as an Asset, May 2013. https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2013/m-13-13.pdf

[OMB M-17-25] Office of Management and Budget Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, May 2017. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/M-17-25.pdf

[OMB M-19-03] Office of Management and Budget Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program, December 2018. https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf

[CNSSI 1253] Committee on National Security Systems Instruction 1253, Security Categorization and Control Selection for National Security Systems, March 2014. https://www.cnss.gov/CNSS/issuances/Instructions.cfm

[CNSSI 4009] Committee on National Security Systems Instruction 4009, Committee on National Security Systems (CNSS) Glossary, April 2015. https://www.cnss.gov/CNSS/issuances/Instructions.cfm

[CNSSD 505] Committee on National Security Systems Directive 505, Supply Chain Risk Management, August 2017. https://www.cnss.gov/CNSS/issuances/Directives.cfm

[OCIO HVA] Office of the Federal Chief Information Officer, The Agency HVA Process. https://policy.cio.gov/hva/process

[DODI 5200.44] Department of Defense Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), July 2017. http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/520044p.pdf

STANDARDS, GUIDELINES, AND REPORTS

[IEEE 610.12] Institute of Electrical and Electronics Engineers (IEEE) Std. 610.12-1990, IEEE Standard Glossary of Software Engineering Terminology, December 1990. https://ieeexplore.ieee.org/iel1/2238/4148/00159342.pdf

[ISO 15026-1] International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 15026-1:2013, Systems and software engineering—Systems and software assurance—Part 1: Concepts and vocabulary, May 2015. https://www.iso.org/standard/62526.html

[ISO 15288] International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 15288:2015, Systems and software engineering—Systems life cycle processes, May 2015. https://www.iso.org/standard/63711.html

[ISO 15408-1] International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 15408-1:2009, Information technology—Security techniques—Evaluation criteria for IT security—Part 1: Introduction and general model. https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf

[ISO 15408-2] International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 15408-2:2008, Information technology—Security techniques—Evaluation criteria for IT security—Part 2: Security functional requirements. https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R5.pdf

[ISO 15408-3] International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 15408-3:2008, Information technology—Security techniques—Evaluation criteria for IT security—Part 3: Security assurance requirements. https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R5.pdf

[ISO 27001] International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013, Information technology—Security techniques—Information security management systems—Requirements. https://www.iso.org/standard/54534.html

[ISO 29148] International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2011, Systems and software engineering—Life cycle processes—Requirements engineering, December 2011. https://www.iso.org/standard/45171.html

[FIPS 199] National Institute of Standards and Technology Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004. https://doi.org/10.6028/NIST.FIPS.199

[FIPS 200] National Institute of Standards and Technology Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006. https://doi.org/10.6028/NIST.FIPS.200

[SP 800-18] National Institute of Standards and Technology Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006. https://doi.org/10.6028/NIST.SP.800-18r1

[SP 800-30] National Institute of Standards and Technology Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, September 2012. https://doi.org/10.6028/NIST.SP.800-30r1

[SP 800-39] National Institute of Standards and Technology Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011. https://doi.org/10.6028/NIST.SP.800-39

[SP 800-47] National Institute of Standards and Technology Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002. https://doi.org/10.6028/NIST.SP.800-47

[SP 800-53] National Institute of Standards and Technology Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013. https://doi.org/10.6028/NIST.SP.800-53r4

[SP 800-53A] National Institute of Standards and Technology Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, December 2014. https://doi.org/10.6028/NIST.SP.800-53Ar4

[SP 800-55] National Institute of Standards and Technology Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security, July 2008. https://doi.org/10.6028/NIST.SP.800-55r1

[SP 800-59] National Institute of Standards and Technology Special Publication 800-59, Guideline for Identifying an Information System as a National Security System, August 2003. https://doi.org/10.6028/NIST.SP.800-59

[SP 800-60 v1] National Institute of Standards and Technology Special Publication 800-60, Volume 1, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008. https://doi.org/10.6028/NIST.SP.800-60v1r1

[SP 800-60 v2] National Institute of Standards and Technology Special Publication 800-60, Volume 2, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices, August 2008. https://doi.org/10.6028/NIST.SP.800-60v2r1

[SP 800-61] National Institute of Standards and Technology Special Publication 800-61, Revision 2, Computer Security Incident Handling Guide, August 2012. https://doi.org/10.6028/NIST.SP.800-61r2

[SP 800-64] National Institute of Standards and Technology Special Publication 800-64, Revision 2, Security Considerations in the System Development Life Cycle, October 2008. https://doi.org/10.6028/NIST.SP.800-64r2

[SP 800-82] National Institute of Standards and Technology Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security, May 2015. https://doi.org/10.6028/NIST.SP.800-82r2

[SP 800-88] National Institute of Standards and Technology Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, December 2014. https://doi.org/10.6028/NIST.SP.800-88r1

[SP 800-128] National Institute of Standards and Technology Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems, August 2011. https://doi.org/10.6028/NIST.SP.800-128

[SP 800-137] National Institute of Standards and Technology Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, September 2011. https://doi.org/10.6028/NIST.SP.800-137

[SP 800-160 v1] National Institute of Standards and Technology Special Publication 800-160, Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, November 2016. https://doi.org/10.6028/NIST.SP.800-160v1

[SP 800-161] National Institute of Standards and Technology Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, April 2015. https://doi.org/10.6028/NIST.SP.800-161

[SP 800-181] National Institute of Standards and Technology Special Publication 800-181, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, August 2017. https://doi.org/10.6028/NIST.SP.800-181

[IR 8011 v1] National Institute of Standards and Technology Interagency or Internal Report (NISTIR) 8011, Volume 1, Automation Support for Security Control Assessments: Overview, June 2017. https://doi.org/10.6028/NIST.IR.8011-1

[IR 8062] National Institute of Standards and Technology Interagency or Internal Report (NISTIR) 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems, January 2017. https://doi.org/10.6028/NIST.IR.8062

[IR 8179] National Institute of Standards and Technology Interagency or Internal Report (NISTIR) 8179, Criticality Analysis Process Model: Prioritizing Systems and Components, April 2018. https://doi.org/10.6028/NIST.IR.8179

MISCELLANEOUS PUBLICATIONS AND WEBSITES

[DSB 2013] Department of Defense, Defense Science Board, Task Force Report: Resilient Military Systems and the Advanced Cyber Threat, January 2013. https://www.acq.osd.mil/dsb/reports/2010s/ResilientMilitarySystemsCyberThreat.pdf

[NARA CUI] National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. https://www.archives.gov/cui

[NARA RECM] National Archives and Records Administration, NARA Records Management Guidance and Regulations. https://www.archives.gov/records-mgmt/policy/guidance-regulations.html

[NIST CSF] National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), Version 1.1, April 2018. https://www.nist.gov/cyberframework

[OMB FEA] Office of Management and Budget, Federal Enterprise Architecture (FEA). https://obamawhitehouse.archives.gov/omb/e-gov/fea