Specifications include, but are not limited to:

Background: The State of North Carolina is adopting the National Institute of Standards & Technology (NIST) Risk Management Framework (RMF), which includes the application of NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, as the basic framework for its information security policies and underlying standards. NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, provides an organizational structure for the manual(s). The State has existing policies and standards based on ISO 27002 and a statewide IT strategy that need to be rewritten in alignment with the NIST Special Publication 800-53 Revision 4 structure as well.

ITS-009527-MW Page 13 of 34 Rev. 11/01/2015

The current Statewide Information Security Policy Manual is accessible via the Internet: https://www.scio.nc.gov/library/pdf/SISM-1-2015.pdf

The NIST Special Publication 800-37 Revision 1 is available on the Internet: http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

The NIST Special Publication 800-53 Revision 4 is available on the Internet: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

The NIST Framework for Improving Critical Infrastructure Cybersecurity is available on the Internet: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

Other guidance documents are:

- FIPS 140-2, Security Requirements for Cryptographic Modules
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems
- NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, September 2012
- NIST Special Publication 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002
- NIST Special Publication 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, current edition
- NIST Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, September 2011
- NIST Special Publication 800-160, Systems Security Engineering Guideline, 12 May 2014

b. Objectives:

- Support of the State of North Carolina's migration from current ISO standards to NIST Risk Management Framework.
- Updated and/or drafted series of information security/policies, standards and procedures that will replace the current manual used by State agencies.
- Implementation of leading practices to provide a baseline for statewide cybersecurity policies and procedures