NIST Special Publication 800-55 Revision 1
Elizabeth Chew, Marianne Swanson, Kevin Stine, Nadya Bartol, Anthony Brown, and Will Robinson
Gaithersburg, MD 20899-8930
July 2008
Carlos M. Gutierrez, Secretary
James M. Turner, Deputy Director
ii COPYRIGHT 2009 NRI
NIST: National Institute of Standards and Technology
ITL: Information Technology Laboratory
NIST Special Publication 800
NIST: National Institute of Standards and Technology
FISMA: Federal Information Security Management Act of 2002 (Public Law 107-347)
NIST
OMB Circular: Office of Management and Budget Circular
OMB Circular A-130, Section 8b(3), "Securing Agency Information Systems"
OMB Circular A-130, Appendix IV
OMB Circular A-130, Appendix III
SP 800-55
NRI
NIST
Joan Hash (NIST), Arnold Johnson (NIST), Elizabeth Lennon (NIST), Karen Scarfone (NIST), Kelley Dempsey (NIST), Karen Quigg (MITRE)
... viii
1. ... 1
1.1 ... 1
1.2 ... 2
1.3 ... 2
1.4 ... 3
1.5 NIST ... 4
1.6 ... 5
2. ... 6
2.1 Agency Head ... 6
2.2 CIO ... 6
2.3 ... 7
2.4 ... 7
2.5 ... 8
2.6 ... 8
3. ... 9
3.1 ... 9
3.2 ... 10
3.3 ... 11
3.3.1 ... 13
3.3.2 ... 13
3.3.3 ... 14
3.4 ... 15
3.4.1 ... 15
3.4.2 ... 15
3.4.3 ... 15
3.4.4 ... 16
3.5 ... 16
3.5.1 ... 17
3.5.2 (SDLC) ... 17
3.5.3 ... 19
4. (DRIVER) ... 20
4.1 ... 20
4.1.1 GPRA (Government Performance and Results Act) ... 20
4.1.2 FISMA ... 21
4.2 ... 22
4.3 ... 22
5. ... 24
5.1 ... 25
5.2 ... 26
5.3 ... 27
5.4 ... 27
5.5 ... 28
5.5.1 ... 28
5.5.2 ... 29
5.5.3 ... 29
5.6 ... 30
5.7 ... 33
6. ... 35
6.1 ... 35
6.2 ... 36
6.3 ... 37
6.4 ... 38
6.5 ... 39
Appendix A: ... A-1
Appendix B: ... B-1
Appendix C: ... C-1
Appendix D: ... D-1

Figures
Figure 1-1 ... 3
Figure 3-1 ... 12
Figure 5-1 ... 25
Figure 5-2 ... 30
Figure 6-1 ... 35

Tables
Table 1 ... 17
Table 2 ... 32
measures
Clinger-Cohen Act; GPRA (Government Performance and Results Act); GPEA (Government Paperwork Elimination Act); FISMA (Federal Information Security Management Act)
information security measurement program
1.
Clinger-Cohen Act; GPRA (Government Performance and Results Act); GPEA (Government Paperwork Elimination Act); FISMA (Federal Information Security Management Act)
information security measurement
performance measures
1.1
OMB: Office of Management and Budget
NIST SP 800-55 Revision 1; NIST
FISMA
NIST SP 800-53 (Recommended Security Controls for Federal Information Systems)
1 NIST SP 800-53
NIST SP 800-53
FISMA; FEA (Federal Enterprise Architecture); PRM
1.2
NIST SP 800-53
1.3
NIST SP 800-55 (Security Metrics Guide for Information Technology Systems); NIST SP 800-80 (Guide to Developing Performance Metrics for Information Security); NIST SP 800-53; NIST SP 800-55
Electronic Government Act of 2002; OMB; FISMA
1.4
4 (see Figure 1-1)
Figure 1-1
1.5 NIST
NIST Special Publications
NIST SP 800-53A (Guide for Assessing the Security Controls in Federal Information Systems)
NIST SP 800-30 (Risk Management Guide for Information Technology Systems)
NIST SP 800-53 (Recommended Security Controls for Federal Information Systems)
NIST SP 800-55 Revision 1; NIST SP 800-53A
NIST SP 800-53A
NIST SP 800-53A
NIST publication; NIST publication
NIST SP 800-100 (Information Security Handbook: A Guide for Managers)
NIST SP 800-65 IT (Integrating IT Security into the Capital Plann