Page 1: FDCC, 1 August 2007 Update
Matt Barrett, National Institute of Standards and Technology
Page 2: Agenda
• Current State of Compliance and Configuration Management
• Basis for SCAP
• SCAP Primer
• Use of SCAP during FDCC Testing
• Accomplishing FDCC with SCAP
• Relationship Between FDCC and SCAP Product Compliance
• Applicability for SCAP Beyond FDCC
• Conclusion
Page 3: Current Compliance and Configuration Management
(Diagram; the text recovered from it is listed below.)
Sources of requirements and guidance, a finite set of possible known IT risk controls and application configuration options:
• SOX: ???
• HIPAA: ???
• ISO 17799/27001: ???
• DoD: DoD IA Controls; DISA STIGs & Checklists; COMSEC ‘97
• NSA Req: NSA Guides
• Vendor Guide
• FISMA: SP 800-53; SP 800-68
• 3rd Party Guide
• DCID: DCID 6/3; Agency Guides
Dimensions along which those controls are applied to a system:
• OS or Application / Version/Role: Windows XP
• Major Patch Level: SP1, SP2
• Environment: Enterprise, Mobile, Stand Alone, SSLF
• Impact Rating or MAC/CONF: High, Moderate, Low
• Agency Tailoring: Mgmt, Operational, Technical Risk Controls
The product of all of these: millions of settings to manage.
Page 4: OMB Memo M-07-11, Implementation of Commonly Accepted Security Configurations for Windows Operating Systems
Corresponding OMB Memo to CIOs:
• Requires, “Implementing and automating enforcement of these configurations;”
• “NIST has established a program to develop and maintain common security configurations for many operating systems and applications, and the “Security Content Automation [Protocol]” can help your agency use common security configurations. Additionally, NIST’s revisions to Special Publication 800-70, “Security Configuration Checklist Program for IT Products,” will provide your agency additional guidance for implementing common security configurations. For additional information about NIST’s programs, please contact Stephen Quinn, at [email protected].”
Page 5: Security Content Automation Protocol: Standardizing How We Communicate
• CVE (Common Vulnerability Enumeration): standard nomenclature and dictionary of security related software flaws
• CCE (Common Configuration Enumeration): standard nomenclature and dictionary of software misconfigurations
• CPE (Common Platform Enumeration): standard nomenclature and dictionary for product naming
• XCCDF (eXtensible Checklist Configuration Description Format): standard XML for specifying checklists and for reporting results of checklist evaluation
• OVAL (Open Vulnerability Assessment Language): standard XML for test procedures
• CVSS (Common Vulnerability Scoring System): standard for measuring the impact of vulnerabilities (organizations credited on the slide: Cisco, Qualys, Symantec, Carnegie Mellon University)
Page 6: Integrating IT and IT Security Through SCAP
(Diagram; SCAP sits at the centre, with each component placed beside the management function it serves.)
• Asset Management: CPE
• Vulnerability Management: CVE, CVSS, OVAL
• Configuration Management: CCE (misconfiguration)
• Compliance Management: XCCDF
Page 7: Existing Federal Services: Standardizing What We Communicate
National Vulnerability Database:
• 50 million hits per year
• 20 new vulnerabilities per day
• Mis-configuration cross references to: NIST SP 800-53 Security Controls (all 17 families and 163 controls); DoD IA Controls; DISA VMS Vulnerability IDs; Gold Disk VIDs; DISA VMS PDI IDs; NSA References; DCID; ISO 17799
• Reconciles software flaws from: US CERT Technical Alerts; US CERT Vulnerability Alerts (CERTCC); MITRE OVAL Software Flaw Checks; MITRE CVE Dictionary
• Produces XML feed for NVD content
National Checklist Program:
• In response to NIST being named in the Cyber Security R&D Act of 2002
• Encourages vendor development and maintenance of security guidance
• Currently hosts 112 separate guidance documents for over 125 IT products
• Participating organizations: DISA, NSA, NIST, Hewlett-Packard, CIS, ITAA, Oracle, Sun, Apple, Microsoft, Citadel, LJK, Secure Elements, ThreatGuard, MITRE Corporation, G2, Verisign, Verizon Federal, Kyocera, ConfigureSoft, McAfee, etc.
• Translating this backlog of checklists into the Security Content Automation Protocol (SCAP)
Page 8: How SCAP Works
(Diagram.) A Checklist (XCCDF) identifies the Platform (CPE), Misconfigurations (CCE), Software Flaws (CVE), General Impact (CVSS), Test Procedures (OVAL) and Patches (OVAL). COTS/GOTS tools consume the checklist and emit a Report (XCCDF) that carries the Platform (CPE), Misconfigurations (CCE), Software Flaws (CVE), Specific Impact (CVSS) and the Results of the tests.
Page 9: FDCC Testing
1. Implement FDCC settings on virtual machine images
2. Use SCAP to verify FDCC settings were implemented correctly, for each platform:
• Windows XP
• Windows Vista
• Windows XP Firewall
• Windows Vista Firewall
• Internet Explorer 7.0
3. Reconcile any “failed” SCAP tests
4. Record any exceptions
Page 10: Accomplishing FDCC with SCAP
Functions, shared between Product Teams and Operations Teams:
• Generate FDCC compliance and deviation reports
• Monitor previous implementations for FDCC compliance
• Assess new implementations for FDCC compliance
• Test to ensure products do not change the FDCC settings
Quote from OMB Memo, Establishment of Windows XP and VISTA Virtual Machine and Procedures for Adopting the Federal Desktop Core Configurations: “Information technology providers must use S-CAP validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations.”
Page 11: OMB Memo M-07-18, Ensuring New Acquisitions Include Common Security Configurations
“The provider of information technology shall certify applications are fully functional and operate correctly as intended on systems using the Federal Desktop Core Configuration (FDCC). This includes Internet Explorer 7 configured to operate on Windows XP and Vista (in Protected Mode on Vista).”
“Applications designed for normal end users shall run in the standard user context without elevated system administration privileges.”
“The National Institute of Standards and Technology (NIST) and the Department of Homeland Security continue to work with Microsoft to establish a virtual machine to provide agencies and information technology providers’ access to Windows XP and VISTA images. The images will be pre-configured with the recommended security settings for test and evaluation purposes to help certify applications operate correctly.”
Page 12: OMB 31 July 2007 Memo to CIOs, Establishment of Windows XP and VISTA Virtual Machine and Procedures for Adopting the Federal Desktop Core Configurations
“As we noted in the June 1, 2007 follow-up policy memorandum M-07-18, “Ensuring New Acquisitions Include Common Security Configurations,” a virtual machine would be established “to provide agencies and information technology providers’ access to Windows XP and VISTA images.” The National Institute of Standards and Technology (NIST), Microsoft, the Department of Defense, and the Department of Homeland Security have now established a website hosting the virtual machine images, which can be found at: http://csrc.nist.gov/fdcc.”
“Your agency can now acquire information technology products that are self-asserted by information technology providers as compliant with the Windows XP & VISTA FDCC, and use NIST’s Security Content Automation Protocol (S-CAP) to help evaluate providers’ self-assertions. Information technology providers must use S-CAP validated tools, as they become available, to certify their products do not alter these configurations, and agencies must use these tools when monitoring use of these configurations.”
Page 13: The Relationship Between FDCC and SCAP Product Compliance
(Diagram.)
• Product Vendor: self-asserts FDCC compliance for its product; self-asserts SCAP compliance for an SCAP product
• NVLAP test effort: validates SCAP compliant products
• Federal Agency: SCAP compliant product + FDCC virtual machine image = compliant with M-07-18? Implement product?
• Stakeholders value
Page 14: Federal Risk Management Framework
(Cycle diagram; the steps are listed here in order from the Starting Point.)
1. Categorize Information System (FIPS 199 / SP 800-60): define criticality / sensitivity of information system according to potential impact of loss
2. Select Security Controls (FIPS 200 / SP 800-53): select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate
3. Supplement Security Controls (SP 800-53 / SP 800-30): use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence
4. Document Security Controls (SP 800-18): document in the security plan the security requirements for the information system and the security controls planned or in place
5. Implement Security Controls (SP 800-70): implement security controls; apply security configuration settings
6. Assess Security Controls (SP 800-53A): determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements)
7. Authorize Information System (SP 800-37): determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation
8. Monitor Security Controls (SP 800-37 / SP 800-53A): continuously track changes to the information system that may affect security controls and reassess control effectiveness
Page 15: Compliance Traceability within SCAP
XCCDF fragment from the slide, re-spaced so that it is well-formed (the OVAL pointer is a placeholder on the slide and is kept as a comment here):

```xml
<Group id="IA-5" hidden="true">
  <title>Authenticator Management</title>
  <reference>ISO/IEC 17799: 11.5.2, 11.5.3</reference>
  <reference>GAO FISCAM: AC-3.2</reference>
  <reference>DOD 8500.2: IAKM-1, IATS-1</reference>
  <reference>DCID 6/3: 4.B.2.a(7), 4.B.3.a(11)</reference>
</Group>
<Rule id="minimum-password-length" selected="false" weight="10.0">
  <reference>CCE-100</reference>
  <reference>DISA STIG Section 5.4.1.3</reference>
  <reference>DISA Gold Disk ID 7082</reference>
  <reference>PDI IAIA-12B</reference>
  <reference>800-68 Section 6.1 - Table A-1.4</reference>
  <reference>NSA Chapter 4 - Table 1 Row 4</reference>
  <requires idref="IA-5"/>
  <!-- [pointer to OVAL test procedure] -->
</Rule>
```

Callouts on the slide: Rationale for security configuration; Traceability to Mandates; Traceability to Guidelines.
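The traceability the slide calls out can be produced mechanically from the XCCDF content. The following is an added example written for this page, not code from the deck or from NIST: it re-types the slide's Group and Rule as well-formed XML (adding a hypothetical OVAL check reference, since the slide only shows a placeholder), follows the Rule's requires link to its Group, and separates Group-level references (assumed here to be the slide's "Traceability to Mandates") from Rule-level references (assumed to be its "Traceability to Guidelines").

```python
"""Added example (not from the slide deck): walk an XCCDF fragment and build a
traceability table for each Rule, following its <requires idref> link to the
Group that states the control and its mandate references.

Assumptions (not on the slide): Group-level <reference> elements are the
"Traceability to Mandates" items and Rule-level ones the "Traceability to
Guidelines" items; the OVAL check reference oval:example:def:1 is hypothetical."""
import xml.etree.ElementTree as ET

# Constructed input: the slide's IA-5 group and minimum-password-length rule,
# wrapped in a root element so it parses as one document.
XCCDF_FRAGMENT = """
<Benchmark>
  <Group id="IA-5" hidden="true">
    <title>Authenticator Management</title>
    <reference>ISO/IEC 17799: 11.5.2, 11.5.3</reference>
    <reference>GAO FISCAM: AC-3.2</reference>
    <reference>DOD 8500.2: IAKM-1, IATS-1</reference>
    <reference>DCID 6/3: 4.B.2.a(7), 4.B.3.a(11)</reference>
  </Group>
  <Rule id="minimum-password-length" selected="false" weight="10.0">
    <reference>CCE-100</reference>
    <reference>DISA STIG Section 5.4.1.3</reference>
    <reference>DISA Gold Disk ID 7082</reference>
    <reference>PDI IAIA-12B</reference>
    <reference>800-68 Section 6.1 - Table A-1.4</reference>
    <reference>NSA Chapter 4 - Table 1 Row 4</reference>
    <requires idref="IA-5"/>
    <check system="oval"><check-content-ref name="oval:example:def:1"/></check>
  </Rule>
</Benchmark>
"""


def _references(elem):
    """Direct <reference> children of an element, whitespace-trimmed."""
    return [r.text.strip() for r in elem.findall("reference") if r.text]


def build_traceability(xccdf_text):
    """Return {rule_id: {...}} mapping every Rule to its control group(s),
    mandate references (from the Group) and guideline references (from the Rule)."""
    root = ET.fromstring(xccdf_text)
    groups = {g.get("id"): g for g in root.iter("Group")}
    table = {}
    for rule in root.iter("Rule"):
        entry = {
            "selected": rule.get("selected") == "true",
            "weight": float(rule.get("weight", "1.0")),
            "guidelines": _references(rule),
            "controls": [],
            "mandates": [],
            "check_refs": [c.get("name") for c in rule.iter("check-content-ref")],
        }
        for req in rule.findall("requires"):
            # idref may hold a space-separated list of Group ids.
            for gid in req.get("idref", "").split():
                group = groups.get(gid)
                if group is None:
                    # Dangling link: surface it rather than silently dropping the mandate trail.
                    entry["controls"].append(gid + " (unresolved)")
                    continue
                title = group.findtext("title", default="")
                entry["controls"].append(f"{gid} {title}".strip())
                entry["mandates"].extend(_references(group))
        table[rule.get("id")] = entry
    return table


def cce_ids(table):
    """Collect the CCE identifiers cited by the rules, the key SCAP uses for misconfigurations."""
    return sorted(ref for e in table.values() for ref in e["guidelines"] if ref.startswith("CCE-"))


if __name__ == "__main__":
    for rule_id, e in build_traceability(XCCDF_FRAGMENT).items():
        print(rule_id, "->", e["controls"])
        print("  mandates:  ", e["mandates"])
        print("  guidelines:", e["guidelines"])
```

Running it prints one block per rule: the control it requires, the four mandate references inherited from the IA-5 group, and the six guideline references on the rule itself. A rule whose requires link points at a Group that is missing from the content is reported as unresolved, which is the case a content reviewer most needs to see, because such a rule would otherwise appear in a report with no mandate behind it.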
Page 16: SCAP Value
Feature and benefit pairs from the slide:
• Feature: Standardizes how computers communicate vulnerability information – the protocol. Benefit: Enables interoperability for products and services of various manufacture.
• Feature: Standardizes what vulnerability information computers communicate – the content. Benefit: Enables repeatability across products and services of various manufacture; reduces content-based variance in operational decisions and actions.
• Feature: Based on open standards. Benefit: Harnesses the collective brain power of the masses for creation and evolution; created and evolved with the broadest perspective.
• Feature: Utilizes configuration and asset management standards. Benefit: Mobilizes asset inventory and configuration information for use in vulnerability and compliance management.
• Feature: Applicable to Federal Risk Management Framework – Assess, Monitor, Implement. Benefit: Reduces time, effort, and expense of risk management process.
• Feature: Traceable to security mandates and guidelines. Benefit: Automates portions of compliance demonstration and reporting.
• Feature: Keyed on NIST SP 800-53 security controls. Benefit: Automates portions of FISMA compliance demonstration and reporting.
Page 17: Stakeholders and Contributors
• DHS: Providing funding; NVD partner, supplying threat and patch info
• NSA: Providing resources; applying the technology
• DISA: Providing resources; integrating into Host Based System Security (HBSS) and Enterprise Security Solutions
• OSD: Incorporating into Computer Network Defense (CND) Data Strategy
• DOJ: Incorporating into FISMA Cyber Security Assessment and Management (CSAM) tool
• Army: Integrating Asset & Vulnerability Tracking Resource (AVTR) with DoD and SCAP content; contributing patch dictionary
• DOS: Incorporating into security posture by mapping SCAP to certification and accreditation process
Page 18: Upcoming Events
3rd Annual Security Automation Conference and Expo, 19-20 September
Speakers:
• The Honorable Karen S. Evans (OMB)
• Robert F. Lentz, DAS DIIA (OSD)
• Cita Furlani, Director ITL (NIST)
• Tim Grance, Program Manager (NIST)
• Dennis Heretick, CISO (DoJ)
• Richard Hale, CIAO (DISA)
• Sherrill Nicely, Deputy Associate Director (DNI)
• Alan Paller, Director of Research (SANS)
• Tony Sager, Chief (NSA)
• Ron Ross, Program Manager (NIST)
Expo: Technology Demonstrations; Beta Testing and Use Case Presentation
Page 19: More Information
NIST FDCC Web Site: http://csrc.nist.gov/fdcc
• FDCC Settings
• Virtual Machine Images
• FDCC SCAP Checklists
• Group Policy Objects
• SCAP Checklists
• SCAP Capable Products
National Checklist Program: http://checklists.nist.gov
National Vulnerability Database: http://nvd.nist.gov
Page 20: Contact Information
100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
• ISAP NIST Project Lead: Steve Quinn, (301) 975-6967, [email protected]
• NVD Project Lead: Peter Mell, (301) 975-5572, [email protected]
• Senior Information Security Researchers and Technical Support: Karen Scarfone, (301) 975-8136, [email protected]; Murugiah Souppaya, (301) 975-4758, [email protected]
• Matt Barrett, (301) 975-3390, [email protected]
• Information and Feedback: Web: http://nvd.nist.gov/ ; Comments: [email protected]
Page 21: Questions
National Institute of Standards & Technology, Information Technology Laboratory, Computer Security Division
Page 22: Supplemental – Connecting Compliance with Platform Assessment
Page 23: Application to Automated Compliance: The Connected Path
(Diagram.) 800-53 Security Control → 800-68 Security Guidance → ISAP Produced Security Guidance in XML Format → COTS Tool Ingest → API Call → Result
Page 24: Application to Automated Compliance: The Connected Path (worked example)
800-53 Security Control / DoD IA Control: AC-7 Unsuccessful Login Attempts
800-68 Security Guidance / DISA STIG/Checklist / NSA Guide: AC-7: Account Lockout Duration; AC-7: Account Lockout Threshold
ISAP Produced Security Guidance in XML Format (the slide's OVAL registry test, re-spaced and closed so that it is well-formed):

```xml
<registry_test id="wrt-9999" comment="Account Lockout Duration Set to 5" check="at least 5">
  <object>
    <hive>HKEY_LOCAL_MACHINE</hive>
    <key>Software\Microsoft\Windows</key>
    <name>AccountLockoutDuration</name>
  </object>
  <data operation="AND">
    <value operator="greater than">5</value>
  </data>
</registry_test>
```

COTS Tool Ingest (the values the tool extracts from the content):

```
lpHKey = "HKEY_LOCAL_MACHINE"
Path   = "Software\Microsoft\Windows\"
Value  = "5"
sKey   = "AccountLockoutDuration"
Op     = ">"
```

API Call (illustrative pseudocode from the slide; the registry value is read into dwData and compared against Value using Op):

```c
/* Read the setting named by sKey under lpHKey\Path, then apply the operator. */
RegQueryValue(lpHKey, Path, sKey, &dwData);
if (Op == ">") {
    if (dwData > Value)
        return 1;   /* setting satisfies the check */
    else
        return 0;   /* setting does not satisfy the check */
}
```

Result: the check's return value, which the tool reports against the rule.
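To show the connected path end to end, here is an added example (not from the deck and not NIST's code) that evaluates OVAL-style registry_test elements against a constructed registry snapshot and buckets the outcomes the way the FDCC testing steps on Page 9 do (verify, reconcile failures, record exceptions). Assumptions: a Python dictionary stands in for the RegQueryValue call; the second test (wrt-10000, for the lockout threshold) and the operator strings other than "greater than" are constructed for the example; an "error" outcome marks a setting the tool could not read, which is what an analyst reconciles before recording an exception.

```python
"""Added example (not from the slide deck): evaluate OVAL-style registry tests
against a registry snapshot, the way a COTS tool turns the slide's
<registry_test> into an API call and a pass/fail result.

Assumptions (not on the slide): the registry is a constructed dictionary rather
than the Win32 registry API; test wrt-10000 and the operators beyond
"greater than" are constructed; outcomes are bucketed as pass/fail/error."""
import xml.etree.ElementTree as ET

# Constructed OVAL-style content: the slide's lockout-duration test plus a
# second (constructed) test for the lockout threshold named under AC-7.
OVAL_TESTS = r"""
<tests>
  <registry_test id="wrt-9999" comment="Account Lockout Duration Set to 5" check="at least 5">
    <object>
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>Software\Microsoft\Windows</key>
      <name>AccountLockoutDuration</name>
    </object>
    <data operation="AND">
      <value operator="greater than">5</value>
    </data>
  </registry_test>
  <registry_test id="wrt-10000" comment="Account Lockout Threshold (constructed)" check="all">
    <object>
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>Software\Microsoft\Windows</key>
      <name>AccountLockoutThreshold</name>
    </object>
    <data operation="AND">
      <value operator="less than or equal">10</value>
      <value operator="greater than">0</value>
    </data>
  </registry_test>
</tests>
"""

# Operator vocabulary: the slide's "greater than" plus common companions.
OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not equal": lambda actual, expected: actual != expected,
    "greater than": lambda actual, expected: actual > expected,
    "greater than or equal": lambda actual, expected: actual >= expected,
    "less than": lambda actual, expected: actual < expected,
    "less than or equal": lambda actual, expected: actual <= expected,
}

# Constructed registry snapshot standing in for RegQueryValue(); keys are
# "HIVE\key\name".  A missing entry models a policy that was never set.
REGISTRY = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\AccountLockoutDuration": 15,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\AccountLockoutThreshold": 0,
}


def _coerce(text):
    """Turn the content's value text into an int where it is numeric."""
    text = text.strip()
    try:
        return int(text)
    except ValueError:
        return text


def read_registry(registry, hive, key, name):
    """Stand-in for RegQueryValue: return the stored value, or None when absent."""
    return registry.get("\\".join((hive, key.strip("\\"), name)))


def evaluate_test(test, registry):
    """Return (test_id, outcome, detail); outcome is 'pass', 'fail' or 'error'."""
    obj = test.find("object")
    hive, key, name = (obj.findtext(t, default="") for t in ("hive", "key", "name"))
    actual = read_registry(registry, hive, key, name)
    if actual is None:
        return test.get("id"), "error", f"{name} not present"
    data = test.find("data")
    results = []
    for value in data.findall("value"):
        op = OPERATORS.get(value.get("operator", "equals"))
        if op is None:
            return test.get("id"), "error", f"unknown operator {value.get('operator')!r}"
        results.append(op(actual, _coerce(value.text)))
    # <data operation="AND"> requires every <value> to hold; OR accepts any.
    combine = all if data.get("operation", "AND") == "AND" else any
    return test.get("id"), "pass" if combine(results) else "fail", f"{name}={actual}"


def run_checks(oval_xml, registry):
    """Evaluate every registry_test and bucket results for the FDCC test report."""
    root = ET.fromstring(oval_xml)
    report = {"pass": [], "fail": [], "error": []}
    for test in root.iter("registry_test"):
        test_id, outcome, detail = evaluate_test(test, registry)
        report[outcome].append((test_id, test.get("comment"), detail))
    return report


if __name__ == "__main__":
    for bucket, items in run_checks(OVAL_TESTS, REGISTRY).items():
        for item in items:
            print(bucket.upper(), *item)
```

With the snapshot above, wrt-9999 passes (15 is greater than 5) and the constructed wrt-10000 fails (a threshold of 0 disables lockout). Note that the slide's test says "at least 5" in its comment but "greater than" in its operator: a tool evaluates the operator, so a machine set to exactly 5 fails this test, which is precisely the kind of result step 3 on Page 9 ("reconcile any failed SCAP tests") exists to resolve before an exception is recorded.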
Page 25: Supplemental – SCAP Platform Assessment Tutorial
Page 26: XML Made Simple
XCCDF - eXtensible Car Care Description Format (the slide's car-maintenance analogy for a checklist):

```xml
<Car>
  <Description>
    <Year>1997</Year>
    <Make>Ford</Make>
    <Model>Contour</Model>
    <Maintenance>
      <Check1>Gas Cap = On</Check1>
      <Check2>Oil Level = Full</Check2>
    </Maintenance>
  </Description>
</Car>
```

OVAL – Open Vehicle Assessment Language (the analogy for the test procedures behind each check):

```xml
<Checks>
  <Check1>
    <Location>Side of Car</Location>
    <Procedure>Turn</Procedure>
  </Check1>
  <Check2>
    <Location>Hood</Location>
    <Procedure>…</Procedure>
  </Check2>
</Checks>
```

Error Report:
• Problem: Air Pressure Loss
• Diagnosis Accuracy: All Sensors Reporting
• Expected Cost: $25.00
• Diagnosis: Replace Gas Cap
Page 27: XML Made Simple
XCCDF - eXtensible Checklist Configuration Description Format (the same shape, now describing a real checklist; the slide's fragment is closed properly here):

```xml
<Checklist>
  <DocumentID>NIST SP 800-68</DocumentID>
  <Date>04/22/06</Date>
  <Version>1</Version>
  <Revision>2</Revision>
  <Platform>Windows XP</Platform>
  <Check1>Password &gt;= 8</Check1>
  <Check2>Win XP Vuln</Check2>
</Checklist>
```

OVAL – Open Vulnerability Assessment Language:

```xml
<Checks>
  <Check1>
    <RegistryCheck>…</RegistryCheck>
    <Value>8</Value>
  </Check1>
  <Check2>
    <FileVersion>…</FileVersion>
    <Value>1.0.12.4</Value>
  </Check2>
</Checks>
```

Enumerations referenced from the content: CVE, CCE, CPE.
Page 28: Supplemental – FAQ for NIST FISMA Documents
Page 29: Fundamental FISMA Questions
• What are the NIST Technical Security Controls?
• What are the specific NIST recommended settings for individual technical controls?
• Am I compliant with NIST recommendations, and can I use my COTS product?
• How do I implement the recommended setting for technical controls? Can I use my COTS product?
• Will I be audited against the same criteria I used to secure my systems?
Page 30: Fundamental FISMA Documents
(Cycle diagram; the questions from Page 29 are shown beside the document cycle below.)
1. Security Control Selection: FIPS 200 / SP 800-53
2. Security Control Refinement: SP 800-53 / FIPS 200 / SP 800-30
3. Security Control Documentation: SP 800-18
4. Security Control Implementation: SP 800-70
5. Security Control Assessment: SP 800-53A / SP 800-26 / SP 800-37
6. System Authorization: SP 800-37
7. Security Control Monitoring: SP 800-37