10. In June 2004, NIST issued Special Publication 800-60, “Guide for
Mapping Types of Information and Information Systems to Security
60/SP800-60V1-final.pdf. NIST Special Publication 800-60 provides
the criteria used to map information and information systems to the
impact levels established in FIPS Publication 199.
11. NIST Special Publication 800-53 is intended to provide interim
guidance to federal agencies until FIPS Publication 200, “Minimum
Security Requirements for Federal Information and Information
Systems,” is published in 2006.
12. U.S. Department of Commerce, National Institute of Standards and
Technology, Special Publication 800-53, “Recommended Security
Controls for Federal Information Systems”, February 2005. Available:
13. Personal communication with Steve Newburg-Rinn, Director, Civil
Government Information Assurance Solutions, SRA International,
Inc., July 21, 2005.
14. ASSERT is an automated version of NIST Special Publication 800-
26, “Security Self-Assessment Guide for Information Technology
Systems.” ASSERT incorporates the security categorizations and
minimum control requirements described in FIPS Publication 199
and NIST Special Publication 800-53, as set forth in NIST Special
Publication 800-26. See also endnote 15.
15. U.S. Department of Commerce, National Institute of Standards and
Technology Special Publication 800-26, “Security Self-Assessment
Guide for Information Technology Systems,” November 2001. Avail-
16. Steve Newburg-Rinn, “Promoting & Facilitating IT Security
Compliance,” January 8, 2005. Presentation received from Steve
Newburg-Rinn, Director, Civil Government Information Assurance
Solutions, SRA International, Inc., July 21, 2005.