Contents
Executive Summary ..... 1
1) Introduction ..... 1
  1.1 Purpose ..... 2
  1.2 Historical Background ..... 3
    1.2.1 The General Need for Best Practices ..... 3
    1.2.2 Three Collections of Best Security Practices ..... 4
    1.2.3 Three Recent BSP Initiatives: Critical Infrastructure Protection, CIO Council, Model ISS Program ..... 4
    1.2.4 Convergence of Federal BSP Initiatives ..... 6
  1.3 Organization of Document ..... 6
2) Business Case ..... 9
  2.1 The Need for BSPs in Federal Agencies/Departments ..... 9
    2.1.1 The Current Situation: E-Gov, Security, and CIP ..... 9
    2.1.2 Best Security Practices and the Security Process Framework ..... 11
    2.1.3 How the FBSPP Will Improve the Current Federal Security Situation ..... 13
  2.2 The Status Quo vs. BSP Sharing ..... 16
3) Program Description ..... 19
  3.1 Products ..... 19
    3.1.1 Best Security Practices ..... 20
    3.1.2 BSP Development Guide ..... 23
    3.1.3 The Security Process Framework ..... 23
    3.1.4 BSP Collection Plan ..... 24
    3.1.5 BSP Evaluation Guide ..... 26
    3.1.6 BSP Web Site ..... 29
    3.1.7 Configuration Management Plan and Procedures ..... 31
  3.2 The BSP Life Cycle and Program Tasks ..... 31
    3.2.1 Identifying Candidate BSPs ..... 33
    3.2.2 Packaging BSPs ..... 34
    3.2.3 Evaluating BSPs ..... 35
    3.2.4 Approving BSPs ..... 36
    3.2.5 Delivering BSPs ..... 36
    3.2.6 Improving BSPs ..... 37
    3.2.7 Other Functions ..... 38
  3.3 Proposed BSP Management Organization ..... 38
    3.3.1 The Organizational Structure of the FBSPP Office ..... 38
    3.3.2 Recommended Host Agency for the FBSPP Office ..... 41
  3.4 Concept of Operations ..... 42
4) Schedule, Resources, & Costs ..... 45
  4.1 Schedule and Staffing Profile ..... 45
    4.1.1 Phase Descriptions ..... 46
      4.1.1.2 Validation Phase ..... 47
      4.1.1.3 Operational Phase ..... 48
    4.1.2 Level-of-Effort (LOE) Estimates ..... 49
      4.1.2.1 Product Schedule and Effort ..... 49
    4.1.3 Staffing Profiles ..... 52
  4.2 Technology ..... 53
  4.3 Costs ..... 54
    4.3.1 Costing Assumptions ..... 54
    4.3.2 Pilot and Validation Phase Costs ..... 55
    4.3.3 Operational Phase Costs ..... 55
    4.3.4 Estimated Cost Summary ..... 56
5) Risk and Mitigations ..... 57
6) Next Steps ..... 59
Appendices ..... 61
Keywords
BSPs, Federal Best Security Practices, FBSPP,