Cybersecurity and Information Assurance: Guidance & Requirements Sources

Committee on National Security Systems (CNSS)

CNSS is the successor to the National Security Telecommunications and Information Systems Security Committee (NSTISSC). CNSS operates under authorities set forth in National Security Directive 42: National Policy for the Security of National Security Telecommunications and Information Systems as amended by Executive Orders (E.O.) 13284 and 13231. Key policy and guidance documents published by CNSS include:

CNSSP-6: National Policy on Certification and Accreditation of National Security Telecommunications & Information Systems

NSTISSI-1000: National Information Assurance Certification & Accreditation Process (NIACAP)

CNSSD-500: Information Assurance Education, Training, and Awareness

CNSSI-4009: National Information Assurance Glossary

Control Objectives for Information and Related Technology (COBIT)

The COBIT framework is maintained and published by ISACA, a nonprofit organization. COBIT is primarily a governance framework that lists the best practices and business processes organizations should follow:

Defense Information Assurance Program

The DIAP was established by the Secretary of Defense in compliance with the specific requirements set forth in federal law (10 U.S.C. 2224). The objectives of this program are: "to provide continuously for the availability, integrity, authentication, confidentiality, nonrepudiation, and rapid restitution of information and information systems that are essential elements of the Defense Information Infrastructure" (10 U.S.C. 2224(b)). Policy documents governing the operation of the DIAP are found in the Department of Defense Directives System 8500 series documents. Key documents in this series include:

National Information Assurance Partnership (NIAP)

The NIAP is jointly managed by NIST and the National Security Agency (NSA). Each of these organizations also publishes its own family of information assurance policy and guidance documents. Jointly, the NIAP provides management oversight and guidance for product certification activities under the Common Criteria Evaluation and Validation Scheme (CC-EVS) umbrella program. Key documents for the Common Criteria are:

Information Standards Organization (ISO) Information Security Management Standards

The ISO is a non-governmental organization that serves as an international standards-setting body. ISO publishes two important information security standards:

Public Company Accounting Oversight Board (PCAOB)

The PCAOB publishes audit standards and internal control systems standards that specify security requirements for financial information systems:

Payment Card Industry (PCI) Security Standards Council

The PCI Security Standards Council sets the security requirements for merchants and others who accept or process payments made via credit or debit cards: