IWS - The Information Warfare Site
Federal Agency Security Practices (FASP)



DISCLAIMER

NIST has designed this web site primarily as an educational resource for Federal security professionals. NIST makes no claim that use of the security practices will assure a successful outcome. Each Federal security professional should apply his or her own professional judgment when using a security practice.

Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.


FASP Areas

Each entry below lists a document title followed by its posting date (mm/dd/yy). Some FASP in the listing do not reference an agency affiliation; these examples are provided in a generic format. The original BSP submissions are identified by an asterisk (*) after their title and are in .html format. The newer FASP links (without *) are in MS Word format; where a file is NOT in Word format, the file format is specified next to the link.

AUDIT TRAILS -
maintains a record of system activity by system or application processes and by user activity.
Sample Generic Policy and High Level Procedures for Audit Trails
08/02/00
AUTHORIZE PROCESSING (C&A) -
provides a form of assurance of the security of the system.
Certification and Accreditation Documentation Performance Work Summary
07/30/02
Statement of Work: Certification and Accreditation Blanket Purchase Agreement - Dept. Education
02/12/02
Sample Generic Policy and High Level Procedures for Certification/Accreditation
10/29/01
Certification and Accreditation -- DLA *
03/12/01
C&A of Core Financial System -- USAID *
02/05/01
How to Accredit Information Systems for Operation -- DOD/NSWC *
02/01/01
CONTINGENCY PLANNING -
how to keep an organization's critical functions operating in the event of disruption, large and small.
System and Data Backups -- FCC (.pdf)
07/03/03
Contingency Planning Template - DOJ
12/01
Contingency Planning Template Instructions - DOJ
08/21/01
Sample Generic Policy and High Level Procedures for Contingency Plans
08/02/00
Continuity of Operations -- Treasury *
05/19/00
DATA INTEGRITY -
controls used to protect data from accidental or malicious alteration or destruction and to provide assurance to the user that the information meets expectations about its quality and integrity.
Viruses 101 -- FCC (.pdf)
07/03/03
How to Protect Against Viruses Using Attachment Blocking - National Endowment for the Humanities
02/05/02
Sample Generic Policy and High Level Procedures for Data Integrity/Validation
08/02/00
DOCUMENTATION -
descriptions of the hardware, software, policies, standards, procedures, and approvals related to the system that document and formalize the system's security controls.
Memorandum of Understanding for System Interconnections
09/13/02
Sample Generic Policy and High Level Procedures for System Documentation
08/26/00
Interconnection Security Agreements -- Customs *
08/02/00
HARDWARE AND SYSTEM SOFTWARE MAINTENANCE -
controls used to monitor the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record is maintained of changes.
Configuration Management Plan
11/01
Interim Policy Document on Configuration Management
11/01
Sample Generic Policy and High Level Procedures for Hardware and Application Software Security
08/02/00
IDENTIFICATION AND AUTHENTICATION -
technical measures that prevent unauthorized people (or unauthorized processes) from entering an IT system.
Password Protection -- FCC (.pdf)
07/03/03
Creating Strong Passwords - FCC (.pdf format)
07/25/02
Password Cracking Information - National Labor Relations Board
08/20/01
Password Management Standard - National Labor Relations Board
08/13/01
Sample Generic Policy and High Level Procedures for Passwords and Access Forms
08/02/00
INCIDENT RESPONSE CAPABILITY -
capability to provide help to users when a security incident occurs in a system.
Computer Incident Response Team Desk Reference - Federal Communications Commission (.pdf format)
07/30/02
Identification & Authentication on FCC Systems (.pdf format)
07/30/02
Computer Virus Incident Report Form
01/10/02
FCC Computer Incident Response Guide (.pdf format)
12/30/01
Sample Generic Policy and High Level Procedures for Incident Response
03/02/01
Developing an Agency Incident Response Process -- SSA *
02/20/01
Incident Handling -- BMDO *
05/22/00
LIFE CYCLE -
IT system life cycles contain five basic phases:  initiation, development and/or acquisition, implementation, operation, and disposal.
Sample Generic Policy and High Level Procedures for Life Cycle Security
01/02/01
Integrating Security into Systems Development Life Cycle -- SSA *
12/20/00
LOGICAL ACCESS CONTROLS -
system-based mechanisms used to designate who or what is to have access to a specific system resource and the type of transactions and functions that are permitted.
Decision Paper on Use of Screen Warning Banner
12/13/01
Sample Warning Banner - National Labor Relations Board
12/12/01
NETWORK SECURITY -
secure communication capability that allows one user or system to connect to another user or system.
E-mail Etiquette (.pdf)
07/03/03
Cookies -- FCC (.pdf)
07/03/03
E-Mail Hoaxes and Scams -- FCC (.pdf)
07/03/03
E-Mail Spam - FCC (.pdf format)
05/15/02
Network Perimeter Security Policy
10/01/01
Securing POP Mail on Windows Clients -- NASA *
06/13/01
How to Deploy Firewalls -- Carnegie Mellon *
02/16/01
Configuration of Technical Safeguards -- USAID *
01/23/01
Network Security Management Policy
01/08/01
How To Secure a Domain Name Server (DNS) -- GSA *
05/11/00
PERSONNEL SECURITY -
involves human users, designers, implementers and managers and how they interact with computers and the access and authorities they need to do their jobs.
Identity Theft -- FCC (.pdf)
07/03/03
FCC Personal Use -- FCC (.pdf)
07/03/03
Policy on Limited Personnel Use of Government Office Equipment - EPA (.pdf)
      Note: While approved by the Agency, the policy is subject to union negotiations prior to implementation.
04/08/03
Email Policy - FCC
11/14/02
Internet Use Policy - FCC
11/14/02
Limited Personnel Use of Government Equipment
11/14/02
Non-disclosure Form - FCC
09/13/02
Guidelines for Evaluating Information on Public Web Sites
10/19/01
Receipt of Proprietary Information
10/01/01
Sample Generic Policy and High Level Procedures for Personnel Security
12/18/00
Personal Use Policy -- OPM *
12/04/00
Limited Personal -- VA *
10/03/00
Investigative Requirements for Contractor Employees
10/29/97
PHYSICAL AND ENVIRONMENTAL PROTECTION -
measures taken to protect systems, buildings, and related supporting infrastructures against threats associated with their physical environment.
Securing Portable Electronic Media - FCC (.pdf format)
06/30/02
Sample Generic Policy and High Level Procedures for Facility Protection
08/02/00
PRODUCTION, INPUT/OUTPUT CONTROLS -
covers topics ranging from a user help desk to procedures for storing, handling and destroying media.
Media Sanitization Procedures - NIST
12/08/03
Disk Sanitization Procedures -- NIH *
06/01/01
Remove all Data From Workstations & Servers -- USAID *
04/25/01
Sample Generic Policy and High Level Procedures for Marking, Handling, Processing, Storage and Disposal of Data
08/02/00
POLICY and PROCEDURES -
formally documented security policies and procedures.
Administrative Policies and Procedures Manual -- National Labor Relations Board
07/03/03
Rules of Behavior -- FCC (.pdf)
07/03/03
Internet Security Policy - CMS (.pdf)
04/10/03
General Support System and Major Application Inventory Procedures - Dept. of Ed.
11/28/02
Security Handbook - Glossary
11/15/02
Security Handbook - Management Controls
11/15/02
Security Handbook - Operational Controls
11/14/02
Security Handbook - Technical Controls
11/14/02
Telecommuting and Mobile Computer Security Policy
01/08/02
Sample of XX Agency Large Service Application (LSA) Information Technology (IT) Security Program Policy
08/02/00
Security Handbook and Standard Operating Procedures -- GSA/PBS
08/02/00
PROGRAM MANAGEMENT -
overall scope of the security program (i.e., position descriptions (PDs), policies, and security program plans and guidance).
Legislative Resource - CMS (.pdf)
04/10/03
IT Security Cost Estimation Guide - Dept. of Ed.
11/28/02
A Summary Guide: Public Law, Executive Orders, and Policy Documents - Dept. of Treasury
11/13/01
Position Description for Computer System Security Officer, GS-334-13
10/01/01
Position Description for Information Security Officer, GS-334-15
10/01/01
Position Description for Computer Specialist, GS-334-14
10/01/01
Sample of an Information Technology (IT) Security Staffing Plan for a Large Service Application (LSA)
11/15/99
REVIEW OF SECURITY CONTROLS -
routine evaluations and response to identified vulnerabilities.
Statement of Work for IT Security Review (Rich Text Format)
06/12/02
Statement of Work - Information Technology (IT) Security Program Assessment Review (.pdf format)
10/21/01
Mission Site Vulnerability Assessment -- USAID *
06/13/01
Overseas Computer Security Review - Department of State
02/20/01
Modem Scan Process -- USAID *
01/23/01
Review of Information Technology (IT) Systems
08/02/00
RISK MANAGEMENT -
the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.
Risk Assessment Methodology - CMS (.pdf)
04/10/03
Risk Assessment Template - CMS (zipped file - WinZip)
04/10/03
Threat Identification Resource - CMS (.pdf)
04/10/03
Threat ID Workbook- CMS (zipped file - WinZip)
04/10/03
System Security Levels - CMS (.pdf)
04/10/03
Acceptable Risk Safeguards - CMS (.pdf)
04/10/03
General Support Systems and Major Applications Inventory Guide
07/25/02
Sample Levels of Sensitivity
03/11/02
Statement of Work: Risk Assessments - Dept. Education
02/12/02
Sample Generic Policy and High Level Procedures for Risk Assessment
08/02/00
SECURITY AWARENESS, TRAINING AND EDUCATION -
raises awareness of the need to protect system resources, and develops the skills and knowledge computer users need to perform their jobs more securely and to build in-depth knowledge.
Social Engineering -- FCC (.pdf)
07/03/03
ISSO Course Slides (to be used with participant book and instructor guide) (Powerpoint)
04/01/03
ISSO Course Participant Book (to be used with ISSO course slides and instructor guide)
04/01/03
ISSO Course Instructor Guide (to be used with ISSO course slides and ISSO course participant book)
04/01/03
Information Security Briefing for Executives (Powerpoint)
03/24/03
Information Security Briefing for Managers (Powerpoint)
03/24/03
Risk Assessment and Security Plan Course Slides - Centers for Medicare & Medicaid Services (Powerpoint)
03/24/03
Short Security Awareness Briefing NIST (.pdf)
12/10/01
Building an IT Security Awareness Program - NIST (Powerpoint)
11/01/01
Certification of Information Security Awareness Training Form
11/01/01
Security Training at Missions -- USAID *
01/23/01
Sample Generic Policy and High Level Procedures for Security Awareness, and Training
08/02/00
Statement of Work - Computer Security Awareness and Training
04/14/00
SYSTEM SECURITY PLAN -
provides an overview of the security requirements of the system and describes the controls in place or planned for meeting those requirements.
General Support Systems and Major Applications Inventory Guide
07/25/02
Security Plan -- USAID *
01/23/01
Sample Generic Policy and High Level Procedures for Security Plans
08/02/00


Page Last Updated: July 08, 2003.
E-mail fasp@nist.gov for questions.


Source: NIST