Archived for the World to See: SP 800-26

Posted May 19th, 2008 by

CAVEAT:  This document is dangerous!  See this post before you go any further.  You have been warned!


It stands to reason that one of my recurring search strings in my blog stats is people looking for a copy of NIST SP 800-26.  I even have commenters looking for it.  We like commenters enough to give them what they want, don’t we?

So I thought long and hard until my thinker was sore, asked some friends, and puzzled a bit more about why people would be so interested in a document that is, like Latin, dead.

My resident curmudgeon (yes, even a BSOFH needs a role model from time to time), Vlad the Impaler, offered up the suggestion:  That state and local governments need it because they’re usually 5-10 years behind the Federal Government.  Even then, I don’t get it, and with a shrug, I’ll leave it at that.

Anyway, I’ve uploaded the most recent version here (foo.pdf caveat applies).  I got the file in an email from Vlad, so he’s the one you should really thank.  In the spirit of complete irony, this file could become the #1 download for me. =)


CAVEAT:  This document is dangerous!  See this post before you go any further.  You have been warned!

Similar Posts:

Posted in FISMA, NIST | 4 Comments »

4 Responses

  1.  Chris Says:

    Ahh, 800-26 how I don’t miss you. The project lead made me use this up until a year and a half ago (when I became project lead).

  2.  rybolov Says:

    War Story Time:
    5 years ago, I went to training for a 800-26 tool that NIST was offering called ASSET. Short story is that it was a java app using the MS Database Engine and would give you an automated way to fill out your 800-26, package it, and send it to your C&A/Compliance team who could then do agencywide statistics.

    Now the strange thing to me at the time was the amount of people who wanted some kind of nonrepudiation built into the tool, so that you could see who answered each question.

    If you read between the lines of what people were looking for, it’s very interesting–CPAs gone crazy into InfoSec interesting, but still worth spending some brain cycles thinking about.

  3.  Vlad the Impaler Says:

    Well all of you can either blame or thank me. I would also caution everyone as rybolov has done — “successful” completion of this checklist should not leave you with any kind of warm feeling.

    This was a good alternative in the days before the final publication of the first 800-53.
    We should as a community be using the most up-to-date guidance.

    If you’d really like to see golden oldies, I can also share my “favorite version of 800-53” which was an incredible primer on security controls.

  4.  hawa Says:

    Thank you thank you thank you. Isn’t that amazing that a “dangerous” document would become your top download? LOL

    I hope you had a great holiday weekend.

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.

Visitor Geolocationing Widget: