NIST Site Search
Search NIST.GOV
Custom Search
[Official NIST.GOV TIME]
Product Research

Advertise on this site
NIST SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
on Saturday 21 January 2006 print the content item {PDF=create pdf file of the content item^plugin:content.41}
in NIST.gov Publications > Special Publications - SP 800 series

Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency. Security Certification and Accreditation is a big part of the FISMA process.

Download NIST Special Publication 800-37.

Please use the NIST.org Forum to ask questions or discuss this document. Members can use the comment link below for short comments about this publication.

(The below SP 800-37 description is from NIST.gov, edited)

Description of NIST Special Publication 800-37:

NIST Special Publication 800-37 provides guidelines for the security certification and accreditation of Information Technology (IT) systems supporting the executive branch agencies of the federal government. The guidelines have been developed to help achieve more secure information systems within the federal government by:

  • Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems;
  • Promoting a better understanding of agency-related mission risks resulting from the operation of information systems; and
  • Creating more complete, reliable, and trustworthy information for authorizing officials—to facilitate more informed security accreditation decisions.


Security certification and accreditation are important activities that support a risk management process and are an integral part of an agency’s information security program. Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation.

Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.

The SP 800-37 document was created by the National Institute of Standards and Technology and is public domain (not subject to copyright).




NIST Special Publication # 800-37


Translate to: {GOOGLETRANS}
Google Ads




Headlines

»CVE-2014-4677
The installPackage function in the installerHelper subcomponent in Libmacgpg in GPG Suite before 201 ...
»CVE-2014-9916
Multiple cross-site scripting (XSS) vulnerabilities in Bilboplanet 2.0 allow remote attackers to inj ...
»CVE-2015-4056 (intelligent_operations)
The System Library in VCE Vision Intelligent Operations before 2.6.5 does not properly implement cry ...
»CVE-2015-4057
The "Plug-in for VMware vCenter" in VCE Vision Intelligent Operations before 2.6.5 sends a cleartext ...
»CVE-2016-10109
Use-after-free vulnerability in pcsc-lite before 1.8.20 allows a remote attackers to cause denial of ...
»CVE-2016-10227 (nwa3560-n_firmware, usg50_firmware)
Zyxel USG50 Security Appliance and NWA3560-N Access Point allow remote attackers to cause a denial o ...
»CVE-2016-1245
It was discovered that the zebra daemon in Quagga before 1.0.20161017 suffered from a stack-based bu ...
»CVE-2016-2226
Integer overflow in the string_appends function in cplus-dem.c in libiberty allows remote attackers ...
»CVE-2016-3013 (websphere_mq)
IBM WebSphere MQ 8.0 could allow an authenticated user to crash the MQ channel due to improper data ...
»CVE-2016-3052 (websphere_mq)
IBM WebSphere MQ 8.0, under nonstandard configurations, sends password data in cleartext over the ne ...
»CVE-2016-4041
Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV req ...
»CVE-2016-4042
Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive cont ...
»CVE-2016-4043
Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restri ...
»CVE-2016-4487
Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segm ...
»CVE-2016-4488
Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segm ...


Date published: 2017-02-25T06:00:01Z
Details

»Apple Releases Security Update
Original release date: February 21, 2017 Apple has released a security update to address a vu ...
»OpenSSL Releases Security Update
Original release date: February 16, 2017 OpenSSL version 1.1.0e has been released to address ...
»Cisco Releases Security Update
Original release date: February 15, 2017 Cisco has released a security update to address a vu ...
»FBI Releases Article on Romance Scams
Original release date: February 14, 2017 The Federal Bureau of Investigation (FBI) has releas ...
»Adobe Releases Security Updates
Original release date: February 14, 2017 Adobe has released security updates to address vulne ...
»Apple Releases Security Update
Original release date: February 14, 2017 Apple has released a security updates to address a v ...
»Enhanced Analysis of GRIZZLY STEPPE
Original release date: February 10, 2017 The Department of Homeland Security (DHS) has releas ...
»ISC Releases Security Updates for BIND
Original release date: February 08, 2017 | Last revised: February 09, 2017 The Internet Syste ...
»Cisco Clock Signal Component Failure Advisory
Original release date: February 06, 2017 Cisco has released a hardware advisory for a clock s ...
»CERT/CC Reports a Microsoft SMB Vulnerability
Original release date: February 03, 2017 CERT Coordination Center (CERT/CC) has released info ...


Date published: not known
Details

»The SHA-1 hashing algorithm has been 'shattered'
Researchers from Google and CWI Amsterdam have created the first kn ...
»Throwback Thursday: Once a researcher...
VB was saddened to learn this week of the passing of one of the pio ...
»VB2017: What is happening in the threat landscape and what are we doing against it? Submit a proposal in the VB2017 CFP!
Have you analysed a new online threat? Do you know a new way to def ...
»VB2016 paper: APT reports and OPSEC evolution, or: these are not the APT reports you are looking for
APT reports are great for gaining an understanding of how advanced ...
»Security for your ears: recommended infosec podcasts
Industry veteran Mikko Hyppönen recently urged would-be security re ...
»VB2016 video: Getting duped: piggybacking on webcam streams for surreptitious recordings
In a presentation at VB2016, Patrick Wardle, Director of Research a ...
»We shouldn't forget those most vulnerable in our digital world
Virus Bulletin Editor Martijn Grooten calls for the security commun ...
»Throwback Thursday: A troubled world
In early 1991, the world was a troubled place and conflict and viol ...
»VB2016 video: Nymaim: the Untold Story
Until very recently, the Nymaim banking trojan was a serious proble ...


Date published: not known
Details
Main Menu
· Home
Current Security News
 
US-CERT Current Activity

» Apple Releases Security Update
[21 Feb 2017 01:35pm]

» OpenSSL Releases Security Update
[16 Feb 2017 07:23pm]

» Cisco Releases Security Update
[15 Feb 2017 12:20pm]

» FBI Releases Article on Romance Scams
[14 Feb 2017 09:01pm]

» Adobe Releases Security Updates
[14 Feb 2017 08:57am]

» Apple Releases Security Update
[14 Feb 2017 06:25am]

» Enhanced Analysis of GRIZZLY STEPPE
[10 Feb 2017 07:24pm]

» ISC Releases Security Updates for BIND
[08 Feb 2017 05:29pm]

» Cisco Clock Signal Component Failure Advisory
[06 Feb 2017 04:40pm]

» CERT/CC Reports a Microsoft SMB Vulnerability
[03 Feb 2017 01:48am]

***
US-CERT Alerts

» TA16-336A: Avalanche (crimeware-as-a-service infrastructure)
[30 Nov 2016 10:00pm]

» TA16-288A: Heightened DDoS Threat Posed by Mirai and Other Botnets
[14 Oct 2016 05:59pm]

» TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations
[06 Sep 2016 04:29pm]

» TA16-187A: Symantec and Norton Security Products Contain Critical Vulnerabilities
[05 Jul 2016 08:50am]

» TA16-144A: WPAD Name Collision Vulnerability
[23 May 2016 05:38am]

» TA16-132A: Exploitation of SAP Business Applications
[11 May 2016 05:31am]

» TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
[14 Apr 2016 01:48pm]

» TA16-091A: Ransomware and Recent Variants
[31 Mar 2016 04:00pm]

» TA15-337A: Dorkbot
[03 Dec 2015 04:40pm]

» TA15-314A: Compromised Web Servers and Web Shells - Threat Awareness and Guidance
[10 Nov 2015 06:12pm]

***
Computerworld Security

» Google discloses unpatched IE flaw after Patch Tuesday delay
[24 Feb 2017 11:44am]

» FCC puts the brakes on ISP privacy rules it passed in October
[24 Feb 2017 11:43am]

» Cloudflare bug exposed passwords, other sensitive website data
[24 Feb 2017 09:47am]

» The SHA1 hash function is now completely unsafe
[23 Feb 2017 03:35pm]

» Ransomware 'customer support' chat reveals criminals' ruthlessness
[23 Feb 2017 03:14pm]

» 8 steps to regaining control over shadow IT
[23 Feb 2017 01:17pm]

» Breaking and protecting devops tool chains
[23 Feb 2017 11:33am]

» Bruce Schneier and the call for "public service technologists"
[23 Feb 2017 11:32am]

» Police arrest man suspected of building million-router German botnet
[23 Feb 2017 10:06am]

» Eleven-year-old root Linux kernel flaw found and patched
[23 Feb 2017 08:49am]

» Amid cyberattacks, ISPs try to clean up the internet
[23 Feb 2017 07:26am]

» A hard drive's LED light can be used to covertly leak data
[23 Feb 2017 04:40am]

» What to expect from the Trump administration on cybersecurity
[22 Feb 2017 12:39pm]

» New macOS ransomware spotted in the wild
[22 Feb 2017 12:09pm]

» What’s up with Windows patching, Microsoft?
[22 Feb 2017 09:36am]

***
Microsoft Security Advisories

» 4010983 - Vulnerability in ASP.NET Core MVC 1.1.0 Could Allow Denial of Service - Version: 1.0
[27 Jan 2017 11:00am]

» 3214296 - Vulnerabilities in Identity Model Extensions Token Signing Verification Could Allow Elevation of Privilege - Version: 1.0
[10 Jan 2017 11:00am]

» 3181759 - Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of Privilege - Version: 1.0
[13 Sep 2016 11:00am]

» 3174644 - Updated Support for Diffie-Hellman Key Exchange - Version: 1.0
[13 Sep 2016 11:00am]

» 3179528 - Update for Kernel Mode Blacklist - Version: 1.0
[09 Aug 2016 11:00am]

» 2880823 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 2.0
[18 May 2016 11:00am]

» 3155527 - Update to Cipher Suites for FalseStart - Version: 1.0
[10 May 2016 11:00am]

» 3152550 - Update to Improve Wireless Mouse Input Filtering - Version: 1.1
[22 Apr 2016 11:00am]

» 3137909 - Vulnerabilities in ASP.NET Templates Could Allow Tampering - Version: 1.1
[10 Feb 2016 11:00am]

» 2871997 - Update to Improve Credentials Protection and Management - Version: 5.0
[09 Feb 2016 11:00am]

» 3123479 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program - Version: 1.0
[12 Jan 2016 11:00am]

» 3109853 - Update to Improve TLS Session Resumption Interoperability - Version: 1.0
[12 Jan 2016 11:00am]

» 3118753 - Updates for ActiveX Kill Bits 3118753 - Version: 1.0
[12 Jan 2016 11:00am]

» 2755801 - Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge - Version: 53.0
[05 Jan 2016 11:00am]

» 3057154 - Update to Harden Use of DES Encryption - Version: 1.1
[08 Dec 2015 11:00am]

***
WIRED

» Killing Kim Jong Nam With VX Nerve Agent Crossed a ‘Red Line’
[24 Feb 2017 05:39pm]

» Massive Bug May Have Leaked User Data From Millions of Sites. So … Change Your Passwords
[24 Feb 2017 10:53am]

» Famed Hacker Kevin Mitnick Shows You How to Go Invisible Online
[24 Feb 2017 10:00am]

» A Super-Common Crypto Tool Turns Out to Be Super-Insecure
[23 Feb 2017 06:00am]

» Now Anyone Can Deploy Google’s Troll-Fighting AI
[23 Feb 2017 05:00am]

» Malware Lets a Drone Steal Data by Watching a Computer’s Blinking LED
[22 Feb 2017 05:00am]

» An Arms Dealer Says Life Under Trump Is a ‘Win-Win’
[20 Feb 2017 05:00am]

» Smart City Tech Would Make Military Bases Safer
[19 Feb 2017 07:30am]

» The Former Secretary of Defense Outlines the Future of Warfare
[19 Feb 2017 05:00am]

» Security News This Week: Yahoo Got Hacked Again. No, Seriously
[18 Feb 2017 08:00am]

***
Network World Security

» I come to bury SHA1, not to praise it
[24 Feb 2017 12:58pm]

» Google discloses unpatched IE vulnerability after Patch Tuesday delay
[24 Feb 2017 11:44am]

» FCC puts the brakes on ISP privacy rules it just passed in October
[24 Feb 2017 11:43am]

» Cisco unveils Hierarchy of Needs for the digital enterprise
[24 Feb 2017 11:29am]

» 5 open source security tools too good to ignore
[21 Feb 2017 07:12am]

» Review: Samsung SmartCam PT network camera
[15 Feb 2017 07:00am]

» Review: Arlo Pro cameras offer true flexibility for home security
[09 Feb 2017 07:01am]

» Face-off: Oracle vs. CA for identity management
[26 Jan 2017 10:30am]

» 6 steps to secure a home security camera
[23 Jan 2017 04:00am]

» REVIEW: Home security cameras fall short on security
[23 Jan 2017 04:00am]

» Review: Microsoft Windows Defender comes up short
[03 Jan 2017 10:48am]

» Inside 3 top threat hunting tools
[19 Dec 2016 04:00am]

» Review: Threat hunting turns the tables on attackers
[19 Dec 2016 04:00am]

» Google discloses unpatched IE vulnerability after Patch Tuesday delay
[24 Feb 2017 11:44am]

» FCC puts the brakes on ISP privacy rules it just passed in October
[24 Feb 2017 11:43am]

***


More IT Security
News Feeds
More Sponsors

Advertise on this site
RSS Feeds
Our news can be syndicated by using these rss feeds.
rss1.0
rss2.0
rdf

NIST.org is in no way connected to the U.S. government site NIST.gov

This site is © John Herron, CISSP. All Rights Reserved.

Please visit daily to stay up to date on all your IT Security compliance issues.

http://www.nist.org -
Hosted by BlueHost. We've never had a better hosting company.
{THEMEDISCLAIMER}