Standards, Policies, and Guidance
Public Law
Federal Information Security Modernization Act (FISMA) of 2014, Public Law No. 113-283.
Policies
OMB M-15-13, “Policy to Require Secure Connections Across Federal Websites and Web Services”, June 8, 2015
OMB Circular A-130, “Managing Information as a Strategic Resource”, July 2016
OMB M-05-24, “Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors”, August 5, 2005
OMB M-19-17, “Enabling Mission Delivery through Improved Identity, Credential, and Access Management”, May 21, 2019
E.O. 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”, May 11, 2017
E.O. 13636 and PPD-21 - “DHS Factsheet: Improving Critical Infrastructure Cybersecurity and Critical Infrastructure Security and Resilience”, March 2013
Regulations
Federal Acquisition Regulation (FAR)
Standards
FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, NIST, February 2004
FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, NIST, March 9, 2006
FIPS 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors, NIST, January 2022
NIST SP 800-53, Revision 5, Recommended Security Controls for Federal Information Systems and Organizations, September 2020
NIST SP 800-73-4, Interfaces for Personal Identity Verification, Parts 1 and 2, May 2015 (Updated February 8, 2016)
NIST SP 800-116, Revision 1, Guidelines for the Use of PIV Credentials in Facility Access, June 2018
NIST SP 800-171, Revision 2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, February 2020
Guidance and Best Practices
Compliance Guide: The HTTPS-Only Standard
Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide, Interagency Security Council (ISC), December 2015
Enabling Strong Authentication with PIV Cards: Public Key Infrastructure (PKI) in Enterprise Physical Access Control Systems (E-PACS) Recommended Procurement Language for RFPs, v1.1.0, GSA, February 24, 2015
Facility Access Control: An Interagency Security Committee Best Practice, 2020 Edition
PACS Customer Ordering Guide (v2.0), GSA Schedule 84 - Security, Fire, & Law Enforcement, June 2018
Personal Identity Verification (PIV) in Enterprise Physical Access Control Systems (E-PACS), Interagency Security Committee (ISC), Version 3.0, March 26, 2014
Personal Identity Verification Interoperability for Issuers, Version 2.0.1, July 27, 2017
The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard, ISC, 2nd Edition, November 2016
Security Control Overlay of Special Publication 800-53 Revision 5: Security Controls for electronic Physical Access Control Systems (ePACS), Version 1.0, December 2020
Federal Public Key Infrastructure (FPKI) Security Controls Overlay of Special Publication 800-53 Security Controls for PKI Systems, Version 3.0, February 26, 2021
Other Relevant Publications
“Federal Building Security: Actions Needed to Help Achieve Vision for Secure, Interoperable Physical Access Control”, Government Accountability Office (GAO), December 20, 2018