Table of Contents

  • 1 Introduction
    • 1.1 Purpose
    • 1.2 Intended Audience
    • 1.3 Organization
    • 1.4 Important Terminology
    • 1.5 Legal Foundation for Federal Information Security Programs
    • 1.6 Related NIST Publications
  • 2 Elements of Information Security
    • 2.1 Information security supports the mission of the organization
    • 2.2 Information security is an integral element of sound management
    • 2.3 Information security protections are implemented so as to be commensurate with risk
    • 2.4 Information security roles and responsibilities are made explicit
    • 2.5 Information security responsibilities for system owners go beyond their own organization
    • 2.6 Information security requires a comprehensive and integrated approach
      • 2.6.1 Interdependencies of security controls
      • 2.6.2 Other interdependencies
    • 2.7 Information security is assessed and monitored regularly
    • 2.8 Information security is constrained by societal and cultural factors
  • 3 Roles and Responsibilities
    • 3.1 Risk Executive Function (Senior Management)
    • 3.2 Chief Executive Officer (CEO)
    • 3.3 Chief Information Officer (CIO)
    • 3.4 Information Owner/Steward
    • 3.5 Senior Agency Information Security Officer (SAISO)
    • 3.6 Authorizing Official (AO)
    • 3.7 Authorizing Official Designated Representative
    • 3.8 Senior Agency Official for Privacy (SAOP)
    • 3.9 Common Control Provider
    • 3.10 System Owner
    • 3.11 System Security Officer (SSO)
    • 3.12 Information Security Architect
    • 3.13 System Security Engineer (SSE)
    • 3.14 Security Control Assessor
    • 3.15 System Administrator
    • 3.16 User
    • 3.17 Supporting Roles
  • 4 Threats and Vulnerabilities: A Brief Overview
    • 4.1 Examples of Adversarial Threat Sources and Events
      • 4.1.1 Fraud and Theft
      • 4.1.2 Insider Threat
      • 4.1.3 Malicious Hacker
      • 4.1.4 Malicious Code
    • 4.2 Examples of Non-Adversarial Threat Sources and Events
      • 4.2.1 Errors and Omissions
      • 4.2.2 Loss of Physical and Infrastructure Support
      • 4.2.3 Impacts to Personal Privacy of Information Sharing
  • 5 Information Security Policy
    • 5.1 Standards, Guidelines, and Procedures
    • 5.2 Program Policy
      • 5.2.1 Basic Components of Program Policy
    • 5.3 Issue-Specific Policy
      • 5.3.1 Example Topics for Issue-Specific Policy
      • 5.3.2 Basic Components of Issue-Specific Policy
    • 5.4 System-Specific Policy
      • 5.4.1 Security Objectives
      • 5.4.2 Operational Security Rules
      • 5.4.3 System-Specific Policy Implementation
    • 5.5 Interdependencies
    • 5.6 Cost Considerations
  • 6 Information Security Risk Management
    • 6.1 Categorize
    • 6.2 Select
    • 6.3 Implement
    • 6.4 Assess
    • 6.5 Authorize
    • 6.6 Monitor
  • 7 Assurance
    • 7.1 Authorization
      • 7.1.1 Authorization and Assurance
      • 7.1.2 Authorization of Products to Operate in Similar Situation
    • 7.2 Security Engineering
      • 7.2.1 Planning and Assurance
      • 7.2.2 Design and Implementation Assurance
    • 7.3 Operational Assurance
      • 7.3.1 Security and Privacy Control Assessments
      • 7.3.2 Audit Methods and Tools
      • 7.3.3 Monitoring Methods and Tools
    • 7.4 Interdependencies
    • 7.5 Cost Considerations
  • 8 Security Considerations in System Support and Operations
    • 8.1 User Support
    • 8.2 Software Support
    • 8.3 Configuration Management
    • 8.4 Backups
    • 8.5 Media Controls
    • 8.6 Documentation
    • 8.7 Maintenance
    • 8.8 Interdependencies
    • 8.9 Cost Considerations
  • 9 Cryptography
    • 9.1 Uses of Cryptography
      • 9.1.1 Data Encryption
      • 9.1.2 Integrity
      • 9.1.3 Electronic Signatures
      • 9.1.4 User Authentication
    • 9.2 Implementation Issues
      • 9.2.1 Selecting Design and Implementation Standards
      • 9.2.2 Deciding between Software, Hardware, or Firmware Implementations
      • 9.2.3 Managing Keys
      • 9.2.4 Security of Cryptographic Modules
      • 9.2.5 Applying Cryptography to Networks
      • 9.2.6 Complying with Export Rules
    • 9.3 Interdependencies
    • 9.4 Cost Considerations
      • 9.4.1 Direct Costs
      • 9.4.2 Indirect Costs
  • 10 Control Families
    • 10.1 Access Control (AC)
    • 10.2 Awareness and Training (AT)
    • 10.3 Audit and Accountability (AU)
    • 10.4 Assessment, Authorization, and Monitoring (CA)
    • 10.5 Configuration Management (CM)
    • 10.6 Contingency Planning (CP)
    • 10.7 Identification and Authentication (IA)
    • 10.8 Individual Participation (IP)
    • 10.9 Incident Response (IR)
    • 10.10 Maintenance (MA)
    • 10.11 Media Protection (MP)
    • 10.12 Privacy Authorization (PA)
    • 10.13 Physical and Environmental Protection (PE)
    • 10.14 Planning (PL)
    • 10.15 Program Management (PM)
    • 10.16 Personnel Security (PS)
    • 10.17 Risk Assessment (RA)
    • 10.18 System and Services Acquisition (SA)
    • 10.19 System and Communications Protection (SC)
    • 10.20 System and Information Integrity (SI)

List of Appendices

List of Figures

Figure 1 - Risk Management Framework (RMF) Overview