Federal Security

Category: Cyber Security Standards

Public laws and security guidelines for government agencies define the minimum requirements for federal information systems and information management processes. They also provide a framework of tasks that, when completed, strengthen the cyber-security posture of a federal agency.


Standards Overview


Public Sector Security and Privacy Controls

Federal information security standards, guidelines and regulations identify and describe the controls and processes required to protect federal agency and service provider operations (including mission, functions, public image and reputation), digital assets, and the private information of government officials and citizens.

The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, executive orders, policies, directives, standards and business needs. They are customizable and implemented as part of an organization-wide security and risk management process.

The following laws, standards and guidelines establish, or support the implementation of, the minimum level of security required for federal information systems. The editions are listed as published at the time of writing; several have since been superseded by newer revisions (for example FIPS 140-2 by FIPS 140-3, FIPS 186-4 by FIPS 186-5, FIPS 201-2 by FIPS 201-3 and SP 800-53 by Revision 5), so check the current version on csrc.nist.gov before relying on one:

  • US FISMA — Federal Information Security Management Act of 2002
  • US FISMA — Federal Information Security Modernization Act of 2014
  • US CEA — Cybersecurity Enhancement Act of 2014
  • US CISA — Cybersecurity Information Sharing Act of 2015
  • FIPS 140-2 — Security Requirements for Cryptographic Modules
  • FIPS 198-1 — The Keyed-Hash Message Authentication Code (HMAC)
  • FIPS 199 — Standards for Security Categorization of Federal Information and Information Systems
  • FIPS 200 — Minimum Security Requirements for Federal Information and Information Systems
  • FIPS 201-2 — Personal Identity Verification (PIV) of Federal Employees and Contractors
  • FIPS 202 — SHA-3 Standard: Permutation-based Hash and Extendable-output Functions
  • FIPS 180-4 — Secure Hash Standard (SHS)
  • FIPS 186-4 — Digital Signature Standard (DSS)
  • FIPS 197 — Advanced Encryption Standard (AES)
  • NIST SP800-53 — Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST SP800-128 — Guide for Security-focused Configuration Management of Information Systems
  • NIST SP800-152 — A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)
  • NIST SP800-157 — Guidelines for Derived Personal Identity Verification (PIV) Credentials
  • NIST SP800-163 — Vetting the Security of Mobile Applications
  • NIST SP800-166 — Derived PIV Application and Data Model Test Guidelines
  • NIST SP800-168 — Approximate Matching: Definition and Terminology
  • NIST SP800-171 — Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • NIST SP800-175A — Using Cryptographic Standards in the Federal Government: Directives
  • NIST SP800-175B — Using Cryptographic Standards in the Federal Government: Mechanisms
  • NIST SP800-183 — Networks of Things
  • NIST SP800-184 — Guide for Cybersecurity Event Recovery
  • NIST SP800-185 — SHA-3 Derived Functions
  • NIST SP800-187 — Guide to Long-term Evolution (LTE) Security
  • NIST SP800-192 — Verification and Test Methods for Access Control Policies/Models
  • NIST SP800-193 — Platform Firmware Resiliency Guidelines
  • NIST SP800-202 — Quick Start Guide for Populating Mobile Test Devices


A catalogue of security controls addresses security from both a functionality perspective (the strength of the security functions provided) and an assurance perspective (the measure of confidence that those functions are implemented correctly and operate as intended).

Addressing both security functionality and assurance helps ensure that information technology systems, and the solutions built on them, follow cyber-security engineering principles and are sufficiently trustworthy for the data they process.