NIST Special Publication 800-55 Revision 1: Performance Measurement Guide for Information Security (Japanese translation hosted at ipa.go.jp). Elizabeth Chew, Marianne Swanson, Kevin Stine, Nadya Bartol, Anthony Brown, and Will Robinson.


  • NIST Special Publication 800-55 Revision 1

    Elizabeth Chew, Marianne Swanson, Kevin Stine, Nadya Bartol, Anthony Brown, and Will Robinson

    Gaithersburg, MD 20899-8930

    July 2008

    Carlos M. Gutierrez, Secretary, U.S. Department of Commerce

    James M. Turner, Deputy Director, National Institute of Standards and Technology

  • ii COPYRIGHT 2009 NRI

    NIST: National Institute of Standards and Technology

    ITL: Information Technology Laboratory

    NIST Special Publication 800 series

    NIST: National Institute of Standards and Technology

    FISMA: Federal Information Security Management Act of 2002, Public Law 107-347

    NIST

    OMB Circular: Office of Management and Budget Circular

    OMB Circular A-130, Section 8b(3), Securing Agency Information Systems

    OMB Circular A-130, Appendix IV

    OMB Circular A-130, Appendix III

    SP 800-55

    NRI

    NIST

    Joan Hash (NIST), Arnold Johnson (NIST), Elizabeth Lennon (NIST), Karen Scarfone (NIST), Kelley Dempsey (NIST), and Karen Quigg (MITRE)

    ... viii

    1. ... 1
    1.1 ... 1
    1.2 ... 2
    1.3 ... 2
    1.4 ... 3
    1.5 NIST ... 4
    1.6 ... 5

    2. ... 6
    2.1 Agency Head ... 6
    2.2 CIO ... 6
    2.3 ... 7
    2.4 ... 7
    2.5 ... 8
    2.6 ... 8

    3. ... 9
    3.1 ... 9
    3.2 ... 10
    3.3 ... 11
    3.3.1 ... 13
    3.3.2 ... 13
    3.3.3 ... 14
    3.4 ... 15
    3.4.1 ... 15
    3.4.2 ... 15
    3.4.3 ... 15
    3.4.4 ... 16
    3.5 ... 16
    3.5.1 ... 17
    3.5.2 (SDLC) ... 17
    3.5.3 ... 19

    4. (DRIVER) ... 20
    4.1 ... 20
    4.1.1 GPRA (Government Performance and Results Act) ... 20
    4.1.2 FISMA ... 21

    4.2 ... 22
    4.3 ... 22

    5. ... 24
    5.1 ... 25
    5.2 ... 26
    5.3 ... 27
    5.4 ... 27
    5.5 ... 28
    5.5.1 ... 28
    5.5.2 ... 29
    5.5.3 ... 29
    5.6 ... 30
    5.7 ... 33

    6. ... 35
    6.1 ... 35
    6.2 ... 36
    6.3 ... 37
    6.4 ... 38
    6.5 ... 39

    Appendix A ... A-1
    Appendix B ... B-1
    Appendix C ... C-1
    Appendix D ... D-1

    Figure 1-1 ... 3
    Figure 3-1 ... 12
    Figure 5-1 ... 25
    Figure 5-2 ... 30
    Figure 6-1 ... 35

    Table 1 ... 17
    Table 2 ... 32

    measures

    Clinger-Cohen Act; GPRA (Government Performance and Results Act); GPEA (Government Paperwork Elimination Act); FISMA (Federal Information Security Management Act)

    information security measurement program

    3

    1.

    Clinger-Cohen Act; GPRA (Government Performance and Results Act); GPEA (Government Paperwork Elimination Act); FISMA (Federal Information Security Management Act, hereafter FISMA)

    information security measurement

    performance measures

    1.1

    OMB (Office of Management and Budget, hereafter OMB)

    NIST SP 800-55 Revision 1

    FISMA

    NIST SP 800-53 (Recommended Security Controls for Federal Information Systems)

    [1] NIST SP 800-53

    NIST SP 800-53

    FISMA; FEA (Federal Enterprise Architecture, hereafter FEA); PRM (Performance Reference Model)

    1.2

    NIST SP 800-53

    1.3

    NIST SP 800-55 (Security Metrics Guide for Information Technology Systems); NIST SP 800-80 (draft), Guide to Developing Performance Metrics for Information Security; NIST SP 800-53; NIST SP 800-55

    E-Government Act of 2002; OMB; FISMA

    1

    1.4

    4 (see Figure 1-1)

    Figure 1-1

    1.5 NIST

    NIST Special Publications

    NIST SP 800-53A (Guide for Assessing the Security Controls in Federal Information Systems)

    NIST SP 800-30 (Risk Management Guide for Information Technology Systems)

    NIST SP 800-53 (Recommended Security Controls for Federal Information Systems)

    NIST SP 800-55 Revision 1; NIST SP 800-53A

    NIST SP 800-53A

    NIST SP 800-53A

    NIST publications

    NIST SP 800-100 (Information Security Handbook: A Guide for Managers)

    NIST SP 800-65 IT (Integrating IT Security into the Capital Plann