NIST Families with Georgia PSGs Referenced

NIST Families with Georgia PSGs Referenced

To see the NIST control statements:

DOC-20-Domain Names and SSL Certificates: FAQs: Domain Names and SSL Certificates

Domain Name and SSL Certificate supplemental document for SA-03-007 Georgia.Gov Domain Name.

GM-08-101: Technology Project Management Guideline

Guidelines for technology project management when there is greater than $1M investment

GM-09-001: Project Financial Management Guidelines

Guidelines for project financial management

GM-09-002: Information Technology Portfolio Management Guidelines

Guidelines for IT portfolio management

GM-11-001: Performance Lifecycle Management Guideline

A guide to executive branch agencies in Georgia state government for Enterprise Performance Life Cycle (EPLC) management.

GM-11-002: Social Media Guidelines

Guidelines to Use Social Media

GM-13-001: Retention of Data Backup Media and Records Management Media - Guideline

Guidelines for handling media used for data backup and for records archiving

GM-14-005: Website Guidelines

Guidelines for website use and construction in GaGov

GM-14-007: Project Integrator Statement of Responsibilities

Guidelines for Statement of Responsibilities for a Project Integrator

GM-14-011: Guideline for Obtaining GTA's Endorsement of Proposed Technology Procurement

Guidelines for seeking GTA's Endorsement of Technology

GM-15-004: Mobile Device Management Guidelines

Guidelines for mobile device management

GM-15-008: Data Sharing Guidelines

Provides guidance for using the enterprise service bus

GM-17-001: Accountability, Change Management and Process Improvement Act of 2016 (HB676)

In an effort to increase the success rate of large Information Technology initiatives, Georgia has established best practices for the planning and implementation of these investments.

GM-17-002: Project Scheduling Guidelines

The guideline necessary for State of Georgia projects to comply with Project Assurance schedule review criteria.

GM-22-001: Project Re-Baselining Guidelines

Guidance on the appropriate application of re-baselining techniques on complex IT projects within the State of Georgia.

GS-20-001: Cybersecurity Professional Certification Guideline GS-20-001

Provides a set of certifications for statewide cybersecurity positions.

GS-21-001: Technology Guideline for the Remote Worker

To provide state agencies and employees with detailed processes and procedures that will assist in working from a remote (virtual) environment.

GS-23-001: Artificial Intelligence Responsible Use Guidelines

Guidelines for the use of AI tools within agency operations

PM-03-003: Enterprise Architecture

GTA with agency collaboration will establish and maintain Enterprise Architecture

PM-04-001: Information Technology Policies and Standards

GTA’s statutory authority and approach for setting technology policies, standards and guidelines

PM-04-002: Acquisition and Use of Telecommunications Services and Equipment

Rules, Regulations and Procedures Governing the Acquisition and Use of Telecommunications Services and Equipment

PM-06-001: Information Technology Review Policy

To ensure that proposed agency information technology initiatives are consistent with the State's strategies and goals, and with enterprise IT policies and standards.

PM-07-003: Statewide Data Sharing

Provides for sharing of data among agencies

PM-13-002: Enterprise Application

Provides for Enterprise Applications

PM-14-009: Data Lifecycle Management

Management of business data through its lifecycle

PM-17-001: Large IT Project Executive Decision-Making Board

Establish the decision-making authority for large IT initiatives/projects (hereafter referred to as “IT Projects”) within the state enterprise.

PO-09-002: Management of IT Operations

ITIL is the basis for IT infrastructure management, service delivery and support

PS-08-002: Accountability of Assets

Establishes accountability for all hardware and software acquired using public funds

PS-08-003.2: Appropriate Use of Information Technology Resources

Defines appropriate use IT resources

PS-08-004: Computer Security Incident Management

Establishes the process for detecting and responding to security incidents

PS-08-005.3: Enterprise Information Security Charter

Commits the State of Georgia to protecting information systems and data from unauthorized disclosure, modification, use, or destruction

PS-08-006: Password Authentication

Establishes use of passwords as primary authentication mechanism

PS-08-007.02: Reliance on Electronic Records

Establishes the State’s intent to rely on electronic data as a form of official record and adherence to proscribed records retention requirements

PS-08-009: Access Control

Each agency is responsible for establishing access control measures that limits access (logical and/or physical) to only those individuals that are authorized to obtain it.

PS-08-010: Security Awareness Program

Establishes a need to increase user security awareness through an awareness and training program

PS-08-011: Third-Party Access

Provisions for third-party access to state facilities and information systems

PS-08-012: Data and Asset Categorization

Provides for inventory and classification of state data and information processing systems

PS-08-013: Physical and Environmental Security

Physical security is an essential element to the overall security of IT resources

PS-08-014: Personnel Security

Provides for identity verification of IT employees and contractors

PS-08-015: Change Management

Requirements for a formal change management process

PS-08-018.02: Systems and Development Lifecycle

Requirements for a formal IT lifecycle management program

PS-08-019: Outsourced Facilities Management

Establishes requirements over outsourcing data processing facilities

PS-08-020: Separation of Production and Development Environments

Requires separation of production from development and test environments

PS-08-021: Protection from Malicious Software

Requires protections against malicious software

PS-08-022: Security Log Management

Requires log management practices

PS-08-023: Remote Access

Requires protection from risks associated with remote access

PS-08-024: Use of Cryptography

Requires the use of cryptographic controls

PS-08-025: Business Continuity and Disaster Recovery

Requires plans to maintain continuity of essential state government operations and services

PS-08-026: Media Controls

Requirements protection of system media from unauthorized disclosure, modification, destruction or loss

PS-08-027: Network Security Controls

Requires network security controls

PS-08-028: Public Access Systems

Requires security controls on public facing systems

PS-08-029.02: Security Controls Review and Assessment

Agencies shall periodically review and continuously monitor the management, operational and technical security controls for all information systems to assess their effectiveness to determine the extent to which they are operating as intended and comply with federal, state, enterprise and agency s

PS-08-030: Network Security - Information Flow

Requires protection of information traversing networks

PS-08-031: Information Security - Risk Management

Requires a risk-based approach to information security management

PS-17-001: Information Security Controls Policy

Improves how security controls are managed within the State’s shared-service environment. The Security Control Policy addresses this business challenge by establishing clearer lines of delineation between security controls, ownership and the overall responsibility of execution.

PS-20-002: IT Supply Chain Security Controls Policy

To provide guidance to State agencies on identifying, assessing, selecting and implementing risk management processes and controls throughout the enterprise to manage IT supply chain risk.

PS-21-002: Multi-Factor Authentication Policy

The purpose of an Enterprise Multi‐Factor Authentication (MFA) Policy is to enable a means of strong authentication for all users with access to information systems resources while ensuring ease of use and adoption for the user(s).

PS-22-001: Cloud Provisioning Policy

Governance of cloud-based provisioning according to risk.

PS-23-001: Enterprise Artificial Intelligence Responsible Use

Establishes requirements for the use of AI tools within the enterprise

SA-03-004: XML - Extensible Markup Language

XML standards based upon W3C Consortium XML Open Standards

SA-03-005: Georgia.Gov Intellectual Property Display

Third party intellectual property displays on Georgia.Gov

SA-03-007: Georgia.Gov Domain Name

Naming and approval of web sites

SA-03-008: Georgia.Gov Linking (Revised 2020)

Use, placement and removal of links on Georgia.Gov

SA-03-009: Active Directory

Specifies Active Directory requirements, topology and design

SA-06-006: Design Criteria for Electronic Records Management Applications

Records management application criteria

SA-07-004: Email Calendaring

Standard calendaring format for email systems

SA-07-005: Email Naming

Standard email address for email systems

SA-07-010: Email Administration - Distribution Lists

Standards for large inter-agency and all multi-agency distribution lists

SA-07-020: Integration Middleware

Standard middleware platform for enterprise integration

SA-10-001: Placing Applications into Production

Procedural requirements for placing applications into Production

SA-10-002: Design Criteria for Data Network Protocols

Standard IP based protocols

SA-10-004: Applications with Standard Desktop Client

Standard desktop clients

SA-10-009: Deployment Certification

Requires a Deployment Certification

SA-10-010: Deployed Software Currency

Requires and defines software currency

SA-14-002: Website Branding

Design techniques to support branding of State of Georgia websites

SM-05-001: Telecommunications Technology Review

Administering Enterprise and Agency open contracts for telecommunications systems and long distance services

SM-06-001: Independent Verification and Validation

Requires to use GTA contracts for assurance services for projects with budgets of $1 million or greater

SM-08-006: Technology Project Management

Project management methodology for technology projects valued at $100,000 or more

SM-08-103: Information Technology Review Standard SM-08-103

Specifies GTA and agency responsibilities concerning State oversight of information technology (IT) investments with respect to State and agency strategic goals, and with enterprise policies and standards.

SM-09-001: Project Financial Management Standard

Requires project expenditures shall be planned and tracked

SM-09-003: Information Technology Strategic Plan

Agencies must develop and maintain an IT strategic plan

SM-10-005: System Development Lifecycle

Agencies select and authorize SDLC’s for their use

SM-10-006: Performance Lifecycle Framework

The Performance Lifecycle Framework for investments in information technology

SM-10-007: Performance Lifecycle Management

Minimum processes to manage IT investments using the Enterprise Performance Lifecycle

SM-10-008: Performance Lifecycle Stage Gate

Formal investment reviews at predetermined points in IT investment lifecycle

SM-11-007: Exemption from State Policies and Standards

Requires a Request for Exemption from a PSG

SM-13-003: Enterprise Application Creation and Management

Requirements to create and operate Enterprise Applications

SM-14-006: Project Integrator

Requires a project integrator on complex projects

SM-14-008: GTA Endorsement of Proposed Technology Procurement

Establishes requirements for GTA's authorization of technology procurement

SM-14-010: Terms and Conditions for Cloud Services

This standard offers a list of important components for an agency to consider inserting in a service agreement for cloud services. By no means does this list cover all situations that may be included in a service agreement; but those listed here are often overlooked by State agencies.

SM-15-001: Data Steward

Data Stewardship Requirement for Constituent Data

SM-15-009: Enterprise Managed Services (EMS)

the keystone enterprise standard to guide governance of managing IT provisioning (SaaS, Paas, IaaS, etc.) according to risk.

SM-19-001: Software Management Standard

Provides direction regarding the acquisition, use, distribution and redistribution of commercial, public domain, and State-authored software and Software Licenses.

SM-19-002: Digital Accessibility Standard

All digital properties managed by state entities shall be accessible according to WCAG 2.0 (Level AA) Compliance standards.

SO-03-010: Workstation Operating System

Establishes a standard desktop and laptop/notebook operating system

SO-04-001: IBM Mainframe Batch Job Processing

Batch run times, automated scheduler, and tools to modify batch job data

SO-04-003: IBM Mainframe Production Acceptance - Batch Jobs

Batch job production acceptance requirements

SO-06-004: Bluetooth

Deployment of wireless technology

SO-11-005: Instant Messaging Services

Instant Messaging Controls

SS-08-001: Appropriate Use and Monitoring

Standards for appropriate use and monitoring of IT resources

SS-08-002: Classification of Personal Information

Standards for categorizing personal information

SS-08-003: Data Security - Electronic Records

Electronic records are 1)relied upon as official records and 2) must adhere to records retention requirements and 3) must be protected from unauthorized destruction, modification or disclosure.

SS-08-004: Incident Response and Reporting

Requirements for information security incident response and reporting

SS-08-005: Information Security Infrastructure

Requirements for creating an information security program and infrastructure

SS-08-006: Information Security Management Organization

Minimum standards for an information security management organization

SS-08-007: Password Security

Establishes standards for protecting passwords

SS-08-008: Strong Password Use

Establishes standards for creating and using strong passwords

SS-08-009: Electronic Communications Accountability

Fixes accountability for content and transfer of information through electronic communications

SS-08-010: Authorization and Access Management

Requires managed access to state facilities and information resources

SS-08-011: Email Use and Protection

Standards for appropriate use and security of email

SS-08-012: Security Education and Awareness

Requires all employees and contractors to attend annual security awareness training

SS-08-013: Third-Party Security Requirements

Establishes security requirements for conducting business with contractors, outsourcing vendors and/or other third-parties

SS-08-014: Data Categorization - Impact Level

Impact Level definitions and standards of information assets

SS-08-015: Facilities Security

Incorporates facilities security into overall protection of IT assets

SS-08-016: Computer Operations Center Security

Minimum security requirements for computer operations centers

SS-08-017: Personnel Identity Verification and Screening

Standards for verifying identities of state personnel and contractors

SS-08-025: System Lifecycle Management

Requires a formal lifecycle management program for systems in development or operations

SS-08-026: Operational Change Control

Requires that changes to operational systems be controlled and monitored

SS-08-027: Systems Operations Documentation

Requires agencies to document system operational procedures

SS-08-028: System Security Plans

Requires data and system owners to create and maintain system security plans

SS-08-031: Separate Production and Development Environments

Establishes requirements for separating operational environments from test/development environments

SS-08-032: System Implementation and Acceptance

Requires agencies to establish criteria for accepting a system from development to operations

SS-08-033: Malicious Code Incident Prevention

Establishes controls to protect systems against malicious software

SS-08-034: Surplus Electronic Media Disposal

Establishes statewide standard on disposition of surplus electronic media

SS-08-035: Media Sanitization - Vendor Return

Establishes standards for sanitization and disposal of all electronic media subject to vendor return

SS-08-036: Log Management Infrastructure

Requires monitoring and analyzing systems logs to record events and detect anomalies

SS-08-037: Teleworking and Remote Access

Security requirements for telework and remote access to state information systems

SS-08-038: Secure Remote Access

Requires protection of systems from risks associated with remote access

SS-08-039: Wireless and Mobile Computing

Minimum security requirements for wireless network implementation

SS-08-040: Cryptographic Controls

Minimum requirements for the use of cryptographic controls

SS-08-041: Risk Management Framework

Adopts the NIST risk management framework

SS-08-042: Independent Security Assessments

Requires IT systems to be assessed by an independent third-party

SS-08-043: Media Protection and Handling

Establishes physical, logical, and environmental protection requirements for system media.

SS-08-044: Outsourced IT Services and Third-Party Interconnections

Requires third-party adherence to established State security requirements

SS-08-045: Contingency Planning

Requires plans to sustain or recover/restore critical operations in the event of a system disruption or disaster

SS-08-046: Disaster Recovery - System Backup

Requires backup and recovery procedures for critical software and data

SS-08-047: Network Security - Boundary Protection

Requires network boundary protection

SS-08-048: Network Access and Session Controls

Requires control and monitoring of network sessions

SS-08-049: Web and E-Commerce Security

Requires control and management of web services

SS-08-053: Information Technology Reporting

Annual reporting requirements

SS-12-001: Privacy in the Workplace

No expectation of privacy shall be assumed when accessing non-public State information resources and assets

SS-12-002: Non-State Technology and Computing Devices

Rules of appropriate use and all other governance regarding information and data security apply to non-State issued technology devices used to access non-public State information and technology resources

SS-15-002: Data Location and Access

Requires all data to be processed, stored, transmitted and disposed in the geographical United States

SS-17-001: Information Security Controls Standard

In accordance with the Information Security Control Policy, each agency operating within a shared-service environment is responsible for ensuring that applicable NIST 800-53 (rev. 4) security controls are implemented and operated effectively.

SS-17-002: IP Blocking Standard

Establishes criteria for blocking network traffic from IP addresses and IP address ranges at the boundary of the state network.

SS-19-001: Personal Identification Verification (PIV) Cards

Specifies a reliable PIV system within which a common identity credential can be used to verify a claimed identity and to gain physical and logical access to state controlled facilities and information systems.

SS-19-002: Digital Security Standard

Establish a common set of security protocols across all State digital properties (i.e. agency web pages)  to ensure the protection of sensitive information.

SS-20-001: Cybersecurity Capability Maturity Model

Establishes an enterprise Cybersecurity Cabability Maturity Model to provide a structure for State agencies to baseline current capabilities in cybersecurity while establishing a foundation for consistent evaluation.

SS-22-001: International Teleworking and Remote Access

This standard establishes minimum security requirements for teleworking and remotely accessing state information systems while traveling internationally.

SS-22-002: Prohibited Software & Services

Establishes restrictions on third-party vendors, software and services.

SS-23-002: Artificial Intelligence Responsible Use

Establishes requirements for the use of AI tools within agency operations

VDP: Vulnerability Disclosure Program (PS-21-001)

The primary focus of the Vulnerability Disclosure Program (VDP) is to securely accept, triage and rapidly remediate vulnerabilities submitted by our security research community.