Authorizing Official Program Guidance Documents

Unless otherwise noted, the most recent version of each document available 180 days prior to submission should be utilized.
  • Determine if the system is or will be a National Security System (NSS)
    • National Institute of Standards & Technology (NIST) Special Publication (SP) 800-59, “Guideline for Identifying an Information System as a National Security System”
      • “National Security System Identification Checklist” Appendix A
  • Risk Assessment
    • NIST SP 800-30, “Guide for Conducting Risk Assessments”
  • Security Categorization
    • NIST Federal Information Processing Standards (FIPS) Publication (PUB) 199, “Standards for Security Categorization of Federal Information and Information Systems”
    • NIST FIPS PUB 200, “Minimum Security Requirements for Federal Information and Information Systems”
  • Information System Security Plan
    • NIST SP 800-18, “Guide for Developing Security Plans for Federal Information Systems”
    • NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”
    • NIST SP 800-39, “Managing Information Security Risk”
    • NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations”
    • NIST SP 800-53B, “Control Baselines for Information Systems and Organizations”
    • Committee on National Security Systems (CNSS) Policy (CNSSP) No. 18, “National Policy for Classified Information Spillage”
    • CNSS Instruction (CNSSI) No. 1253, “Security Categorization and Control Selection for National Security Systems”
    • CNSSI No. 1253E Attachment 5, “Classified Systems Overlay”

Page Last Reviewed/Updated Monday, August 4, 2025