
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance


APPENDIX A: REFERENCES


LAWS, POLICIES, DIRECTIVES, INSTRUCTIONS, STANDARDS, AND GUIDELINES

Legislation

1. E-Government Act [includes FISMA] (P.L. 107-347), December 2002.

http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf (accessed 12/4/14).

2. Federal Information Security Management Act (P.L. 107-347, Title III), December 2002.

http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf (accessed 12/4/14).

3. Privacy Act of 1974 (P.L. 93-579), December 1974.

http://www.justice.gov/opcl/privacy-act-1974 (accessed 12/4/14).

Policies, Directives, and Instructions

1. Committee on National Security Systems (CNSS) Instruction 4009, National Information Assurance Glossary, April 2010.

https://www.cnss.gov/CNSS/issuances/Instructions.cfm (accessed 12/4/14).

2. Committee on National Security Systems (CNSS) Instruction 1253, Security Categorization and Control Selection for National Security Systems, March 2014.

https://www.cnss.gov/CNSS/issuances/Instructions.cfm (accessed 12/4/14).

3. Office of Management and Budget, Circular A-130, Appendix I, Transmittal Memorandum #4, Federal Agency Responsibilities for Maintaining Records About Individuals, November 2000.

http://www.whitehouse.gov/omb/circulars_a130_a130appendix_i (accessed 12/4/14).

4. Office of Management and Budget, Circular A-130, Appendix III, Transmittal Memorandum #4, Management of Federal Information Resources, November 2000.

http://www.whitehouse.gov/omb/circulars_a130_a130appendix_iii (accessed 12/4/14).

5. Office of Management and Budget Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, October 2001.

http://www.whitehouse.gov/omb/memoranda_m02-01 (accessed 12/4/14).

Standards

1. National Institute of Standards and Technology Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004.

http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf (accessed 12/4/14).

2. National Institute of Standards and Technology Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006.

http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf (accessed 12/4/14).

3. ISO/IEC 15408, Common Criteria for Information Technology Security Evaluation (as amended).

Guidelines

1. National Institute of Standards and Technology Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006.

http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf (accessed 12/4/14).

2. National Institute of Standards and Technology Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, September 2012.

http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf (accessed 12/4/14).

3. National Institute of Standards and Technology Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, February 2010.

http://dx.doi.org/10.6028/NIST.SP.800-37r1

4. National Institute of Standards and Technology Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011.

http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf (accessed 12/4/14).

5. National Institute of Standards and Technology Special Publication 800-40, Revision 3, Guide to Enterprise Patch Management Technologies, July 2013.

http://dx.doi.org/10.6028/NIST.SP.800-40r3

6. National Institute of Standards and Technology Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.

http://dx.doi.org/10.6028/NIST.SP.800-53r4

7. National Institute of Standards and Technology Special Publication 800-59, Guideline for Identifying an Information System as a National Security System, August 2003.

http://csrc.nist.gov/publications/nistpubs/800-59/SP800-59.pdf (accessed 12/4/14).

8. National Institute of Standards and Technology Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008.

http://csrc.nist.gov/publications/PubsSPs.html#800-60 (accessed 12/4/14).

9. National Institute of Standards and Technology Special Publication 800-64, Revision 2, Security Considerations in the System Development Life Cycle, October 2008.

http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf (accessed 12/4/14).

10. National Institute of Standards and Technology Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, September 2008.

http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf (accessed 12/4/14).

11. National Institute of Standards and Technology Special Publication 800-126, Revision 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2, September 2011.

http://csrc.nist.gov/publications/nistpubs/800-126-rev2/SP800-126r2.pdf

12. National Institute of Standards and Technology Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, September 2011.

http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf (accessed 12/4/14).


Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056