BioHuman: All Aspects of Risk Management Framework

Aris Nicholas
Department of Professional and Continuing Education, University of San Diego
CSOL 530: Cyber Security Risk Management
BioHuman-All Aspects of Risk Management Framework for Payroll Systems
Final Project
Prof. Nikolas Behar
August 15th, 2022
Table of Contents

Introduction
Preparation of Security Controls
Security Categorization: Security Controls
Selection of Security Controls
Implementation of Security Controls
Implement the Security Controls Security Plan
Implementation of Security Controls: Confidentiality, Integrity, and Availability
Assessment of Security Controls
Risk Assessments
Items in Plan of Action & Milestones (POA&M)
Assessment of Security Controls in Payroll
Authorization of Security Controls
Continuous Monitoring
Prepare for Continuous Monitoring
Change Management in the Security Program
References
Introduction:

As we discussed the various phases of the Risk Management Framework (RMF) referenced from NIST Special Publication (SP) 800-37, you as the stakeholders should now be aware that to be effective in avoiding risks you must utilize these phases and implement security controls within the payroll systems at BioHuman. In addition, the goals and objectives at BioHuman are to ensure that the information systems under BioHuman have the authority to operate securely. The steps in the RMF include organization-level and information system-level preparation; categorization of information and information systems; control selection, tailoring, and implementation; assessment of control effectiveness; information system and common control authorization; continuous monitoring of controls; and maintaining awareness of the security and privacy posture of information systems and the organization at BioHuman. The RMF process should help ensure that managing information system-related security risks is consistent with BioHuman’s mission/business objectives and overall risk strategy.

As we have established the groundwork of the specified phases within the Risk Management Framework, you as stakeholders in the business should also be aware that BioHuman’s information and information systems are subject to serious threats that can have adverse impacts on its organizational operations. With this, we will discuss how you will utilize the RMF process to effectively assess the risks in the systems, particularly the payroll systems, how you will authorize a system for operation, and how you will continuously monitor the system once it is in full operational mode. In addition, you will be able to ensure that the systems remain effectively secured in the environment despite changes to personnel, changes to hardware/software and/or changes to the environment at BioHuman.


In our risk management planning we will reference the elements of the Risk Management Framework (RMF), which also includes the activities to prepare BioHuman to execute a framework to manage appropriate risk levels. The RMF will provide you, our senior leaders and executives, with the necessary information to make efficient, cost-effective risk management decisions about the systems supporting the missions and business functions, and it incorporates security and privacy into the system development life cycle. The RMF emphasizes risk management by promoting development of security and privacy capabilities into information systems throughout the systems development life cycle (SDLC) (NIST SP 800-37 Rev. 2, 2018). In addition, the strategy is that the RMF emphasizes building into the SDLC and building security within the system. The RMF provides an implementation guide through the following six-step information system life cycle.

Figure 1. Risk Management Framework. csrc.nist.gov/rmf


1. Prepare the organization to execute the framework at appropriate risk management levels.
2. Categorize the information system.
3. Select security controls.
4. Implement those security controls.
5. Assess the selected security controls.
6. Authorize the system and common controls.
7. Institute continuous monitoring of controls.

Preparation of Security Controls

In this RMF phase, the “Prepare” step tasks are to be completed before the Categorize step and support all subsequent RMF steps and tasks. The intention of the Prepare step is to provide the information and resources necessary to successfully manage information security and privacy risk to the organization and its missions from the operation and use of systems. The preparation phase for the categorization, selection, implementation, assessment, authorization and continuous monitoring of security controls is vital to an effective RMF. The Prepare step should be completed before the remaining steps or tasks are undertaken, since its tasks support the subsequent tasks. Organizations such as BioHuman implementing the Risk Management Framework for the first time typically carry out the steps in sequential order, starting with the Prepare step (NIST SP 800-37 Rev. 2).
Security Categorization: Security Controls

As you recall, security categorization is the categorization of the system and of the information processed, stored, and transmitted by the system, based on an analysis of the impact of loss. Security categorization is also the “starting point,” the key first step in the Risk Management Framework, because of its effect on all other steps in the framework, from the selection of security controls to the level of effort in assessing security control effectiveness.

In addition, the value of information security categorization is to enable the stakeholders of BioHuman to proactively implement appropriate information security controls based on the assessed potential impact to information confidentiality, integrity, and availability, and in turn to support your mission in a cost-effective manner. With this, an incorrect information system impact analysis (i.e., an incorrect FIPS 199 security categorization) can result in the organization either over-protecting the information system that you have in place, thus wasting valuable security resources, or under-protecting the information system and placing important operations and assets at risk (Stine, Kissel, Barker, Fahlsing, and Gulick; 2008, August; NIST).

Security Categorization: Security Impact Levels

In addition, regarding security categorization, we have also discussed the importance of the potential security impact level as listed in Table 1 below. The security impact level for a system is determined by taking the maximum impact value of the system’s security category, that is, the highest level (“high watermark”) of the three security objectives for each information type and security category (NIST RMF Quick Guide, 2022).


We have discussed the potential impacts on BioHuman’s organizational operations that can occur when changes are made to personnel, to hardware/software/firmware and, at times, to the environment. The potential impact is:

1. Low, if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on BioHuman’s organizational operations.

2. Moderate, if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on BioHuman’s organizational operations.

3. High, if the loss of confidentiality, integrity, or availability could be expected to have a catastrophic adverse effect on BioHuman’s organizational operations.


To determine the security categorization for a data type, you would then view the highest impact level for each pillar of the CIA triad (Confidentiality, Integrity, Availability) and select that value. For example, if BioHuman’s payroll system or any other system had been part of a catastrophic disaster (natural disaster, fire, earthquake) and it was determined that there is no possible recovery, no backup and no business continuity plan in place, this would be a High categorization. With this, if an information type at BioHuman had a CIA assessment of {Moderate, Moderate, High}, the security categorization for that data type would be High. Therefore, you as stakeholders will need to set the categorization and impact levels in the organization to determine which parts of the information systems are survivable and which will require a recovery redundancy plan.
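The high-water-mark rule above, carried through in code as an added example (not part of the original paper): per-objective maxima across the information types a system processes, then the overall level, plus a report of which information type drives each objective. The payroll information types and their impact levels are constructed assumptions, not values from the paper or from NIST SP 800-60.

```python
"""FIPS 199 security categorization with the high-water mark rule.

Added example, not code from the original paper. The payroll information
types and their impact levels below are constructed for illustration; real
values come from BioHuman's own impact analysis and the provisional levels
in NIST SP 800-60 Volume II.
"""
from dataclasses import dataclass

OBJECTIVES = ("confidentiality", "integrity", "availability")
IMPACT_RANK = {"Low": 1, "Moderate": 2, "High": 3}


def _check_level(level: str) -> str:
    """Reject anything that is not one of the three FIPS 199 impact levels."""
    if level not in IMPACT_RANK:
        raise ValueError(f"impact level must be one of {list(IMPACT_RANK)}, got {level!r}")
    return level


@dataclass(frozen=True)
class SecurityCategory:
    """Impact level per security objective for one information type or system."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            _check_level(getattr(self, objective))

    def level(self, objective: str) -> str:
        return getattr(self, objective)

    def high_water_mark(self) -> str:
        """Overall impact level: the highest of the three objectives (FIPS 199)."""
        return max((self.level(o) for o in OBJECTIVES), key=IMPACT_RANK.__getitem__)

    def __str__(self) -> str:
        parts = ", ".join(f"({o}, {self.level(o)})" for o in OBJECTIVES)
        return "SC = {" + parts + "}"


def categorize_system(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """Aggregate the information types a system handles into its security category.

    FIPS 199 takes, for each objective, the maximum impact level over all
    information types on the system; the system's overall level is then the
    high-water mark of those three values.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    per_objective = {
        o: max((sc.level(o) for sc in info_types.values()), key=IMPACT_RANK.__getitem__)
        for o in OBJECTIVES
    }
    return SecurityCategory(**per_objective)


def driving_info_types(info_types: dict[str, SecurityCategory]) -> dict[str, list[str]]:
    """For each objective, the information types that set the system's level.

    This shows stakeholders what actually drives the categorization, which is
    the thing an over- or under-protecting categorization gets wrong.
    """
    system = categorize_system(info_types)
    return {
        o: sorted(name for name, sc in info_types.items() if sc.level(o) == system.level(o))
        for o in OBJECTIVES
    }


# Constructed sample: information types a payroll system might process.
PAYROLL_INFO_TYPES = {
    "employee personnel records (PII, SSN, bank details)": SecurityCategory("Moderate", "Moderate", "Low"),
    "time and attendance": SecurityCategory("Low", "Moderate", "Low"),
    "payment disbursement and tax filings": SecurityCategory("Moderate", "High", "Moderate"),
}

if __name__ == "__main__":
    # The paper's own example: {Moderate, Moderate, High} is categorized High.
    print(SecurityCategory("Moderate", "Moderate", "High").high_water_mark())
    system = categorize_system(PAYROLL_INFO_TYPES)
    print(system, "->", system.high_water_mark())
    for objective, names in driving_info_types(PAYROLL_INFO_TYPES).items():
        print(f"{objective}: driven by {', '.join(names)}")
```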

Selection of Security Controls:

As the stakeholders recognize the requirements in the organization to adequately mitigate risk arising from the use of information and systems in the execution of mission and business functions, the challenge for organizations such as BioHuman is to determine the appropriate set of security and privacy controls which, if implemented and determined to be effective, would most cost-effectively mitigate risk while complying with the security and privacy requirements defined by applicable federal laws, Executive Orders, directives, policies, standards, and regulations (e.g., FISMA, OMB Circular A-130 [OMB A130]). With this, the stakeholders at BioHuman should also now be aware of the importance of the selection of security controls phase within the RMF: in this phase you select an initial set of controls for the system and tailor the controls as needed to reduce risk to an acceptable level based on an assessment of risk. As a reminder, security controls are the safeguards or countermeasures employed within an organizational system such as BioHuman’s to protect the confidentiality, integrity, and availability of the system and its information. Privacy controls are administrative, technical, and physical safeguards employed within an organization to protect an individual, ensure compliance with applicable privacy requirements, and manage privacy risks (NIST RMF Quick Guide; 2021, March).

Also, when choosing security controls, you have become aware that the factors to choose will be determined in reference to the confidentiality, integrity and availability of the systems in a high-level view, with recommendations based on potential real-life scenarios. In this case, real-life security threats can occur when changes are made within personnel, to hardware/software/firmware and to the environment at BioHuman. In addition, you will then reference Table D2 in Appendix D and RMF Step 2, Select Security Controls, to reference security controls and impact levels from NIST and FIPS.

Table 2. Pacific Northwest National Labs. 2018, November


Implementation of Security Controls:

In the implementation phase of the Risk Management Framework (RMF), here at BioHuman, we are to implement the controls and describe how the controls are employed within the system and its environment of operation. In addition, having a trustworthy system such as BioHuman’s payroll system involves the implementation of security controls which work together to produce security, rather than acting as individual elements. The controls are implemented after they are selected in the Risk Management Framework “Select” step, which initially occurs during the development or acquisition phase of the system development life cycle. Some of the selected controls may already be in place, such as common controls implemented by the organization. After the controls are selected and tailored (as a product of the Select step of the Risk Management Framework), the next step is to implement the controls in accordance with the system security and privacy plans. It is important that the controls are implemented correctly and operate as expected to protect the system. The Implement step focuses on the implementation of the security and privacy controls (NIST RMF FAQ Guide, Implementation).

Also, as we discussed common controls, to implement this RMF you must be aware of the control structures. Security and privacy controls have a well-defined organization and structure. To support the control selection and specification process, the controls are organized into 20 families (see the table below).


Image 2. Table 1: From NIST SP 800-53, REV. 5

As we previously discussed, each family contains controls that are related to the specific topic of the family. For example, when implementing security in the payroll systems, “Access Control” is significant, as it is important to “lock up” employee files and payroll records at all times when they are not in use to prevent unauthorized access. The reason for this is that attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users.

Implement the Security Controls Security Plan

● Task 3.1: Implement the security controls specified in the security plan.
● Primary Responsibility: Information System Owner or Common Control Provider.
● Supporting Roles: Information Owner/Steward; Information System Security Officer; Information System Security Engineer.
● System Development Life Cycle Phase: Development/Acquisition; Implementation.

To continue the implementation of security controls in payroll systems, an effective security plan should be initiated. The System Security Plan (SSP) is a foundational document for organizations that adhere to the Risk Management Framework defined by the National Institute of Standards and Technology (NIST) and the Cybersecurity Framework (CSF). In addition, we discussed the importance of primary roles and responsibilities when creating a security plan: primary responsibility should lie with the Information System Owner or Common Control Provider, for example. Additional examples of the supporting roles are the Information Owner/Steward, the Information System Security Officer and the Information System Security Engineer.

Also, to have an effective security controls system plan, BioHuman will have to be aware of the various controls which are important in the implementation process, especially when referencing the CIA triad: confidentiality, integrity, and availability. There are technical controls, which use technology, either hardware or software, e.g., firewalls, security software or authentication. Administrative controls focus on processes and procedures; examples are policies, security awareness and business continuity. Another example of an administrative control is Separation of Duties, where two (or more) people are required to perform critical functions in payroll systems; this is useful for preventing fraud.

Also, in the system security plan (SSP), after a positive identification of scan findings or approval of a security assessment and/or audit report, all findings/weaknesses shall be documented in a POA&M, reported to the security team at BioHuman, and remediated/mitigated within the following remediation timelines, as an example: 1. Mission Critical within 15 days; 2. High within 30 days; 3. Moderate within 90 days; 4. Low within 365 days.

Implementation of Security Controls: Confidentiality, Integrity, and Availability

Here are a few security controls to consider implementing, especially when changes to personnel occur, or changes to hardware/software/firmware and changes to the environment are made.

Confidentiality-Implement Security Controls

● BioHuman’s organizational requirements for privacy should be enforced.
● Encryption and authentication of data should be implemented, utilizing Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA).
● Access control lists and other file permissions should be up to date.

Integrity-Implement Security Controls

● Proper security awareness training should be implemented for payroll systems at BioHuman, so that employees are knowledgeable about compliance and regulatory requirements, to minimize human error.
● Implement business continuity or disaster recovery planning, using backup and recovery software.
● To ensure integrity, use version control, access control, security control, data logs and checksums.
● Dual Control: two or more people perform sensitive tasks at the same time. Also known as two-person integrity, e.g., two people hold keys.

Availability-Implement Security Controls

● Use preventive measures such as redundancy and failover. In addition, ensure systems and applications are up to date.
● Use network or server monitoring systems.
● Ensure a data recovery and business continuity (BC) plan is in place in case of data loss. Also have a data loss prevention (DLP) plan in place.

Assessment of Security Controls:

As we have discussed previously the importance of the Assessment phase of the RMF for the stakeholders of BioHuman, here we are to assess the controls to determine if the controls are implemented correctly, operating as intended, and producing the desired outcomes with respect to satisfying the security and privacy requirements. In addition, in this phase, the assessment of the security controls is the most critical step of a risk management program, particularly as we concentrate on the company’s payroll systems. Testing the payroll system thoroughly and then performing ruthless configuration management to maintain the security are essential. If the payroll system is tested properly, it will be fundamentally secure. If the enterprise maintains a secure system configuration, the system basically stays at the same level of security. Often, companies and organizations such as BioHuman do not adequately test their systems, and the mechanisms to verify accurate auditing of security assessments and other controls are lacking. There is no substitute for assessing security controls, and doing so is effective in the risk management of any organization (Dubsky, Lance; 2016, ISACA).

Risk Assessments

We have also discussed Risk Assessments, as they are one of the fundamental components of an organizational risk management process as described in NIST Special Publication 800-39. If you recall, the purpose of risk assessments is to inform decision makers and support risk responses by identifying: (i) relevant threats to organizations or threats directed through organizations against other organizations; (ii) vulnerabilities both internal and external to organizations; (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and (iv) likelihood that harm will occur.


In addition, as part of assessing the security controls, we had also discussed the initial remediation actions that are conducted to correct compliant and non-compliant security controls in the security families/categories that we had previously mentioned. Also, we had discussed specific actions taken based on the findings and recommendations and the tasks laid out in the Plan of Actions & Milestones (POA&M) document specifically for BioHuman. See the POA&M below.

Items in POA&M

A recap from our assessment: the task in the POA&M is to prepare the plan of action and milestones based on the findings and recommendations of the security assessment report, excluding any remediation actions taken. The plan of action and milestones, prepared for the authorizing official by the information system owner or the common control provider, is one of three key documents in the security authorization package and describes the specific tasks that are planned: (i) to correct any weaknesses or deficiencies in the security controls noted during the assessment; and (ii) to address the residual vulnerabilities in the information system. The plan of action and milestones identifies: (i) the tasks to be accomplished with a recommendation for completion either before or after information system implementation; (ii) the resources

Assessment of Security Controls in Payroll

We had also previously discussed several security families and controls to choose when conducting a full-fledged assessment, particularly in payroll systems, on a compliant and non-compliant basis. To prepare for a full-fledged risk assessment, we will need to: 1. Identify the purpose of the assessment. 2. Identify the scope of the assessment. 3. Identify the assumptions and constraints to use. 4. Identify the sources of information (inputs). 5. Identify the risk model and analytic approach to use. Here we will discuss a few of the security controls in this assessment, particularly access controls (separation of duties), identification and authentication, and security awareness training.

Before we authorize a system for operation and monitor the system, you will need to assess the risk and ensure that the system will be secured when there are changes to personnel, changes to hardware/software/firmware and changes to the environment, especially if BioHuman’s payroll team is currently sharing an office with another organization or with contractors. With this, there are several security control families to consider in the assessment. One that we had discussed previously is the access control security family. This is very important, especially when changes to personnel occur.


Image from VMWare-Tanzu Docs, 2021

To avoid payroll fraud or errors such as duplicate expense transactions, access control is important, particularly Separation of Duties (SOD), where no employee or group should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are 1. Authorization or approval of related transactions affecting those assets; 2. Custody of assets; 3. Recording or reporting of related transactions.
To establish a proper assessment in payroll systems, confidentiality is of utmost importance and there are several questions to consider, particularly in access control. For example, are procedures established to physically secure and protect master file information? Changes should be restricted to properly authorized additions, deletions and changes which are supported by documentation in the employee’s personnel file. Also, are only authorized personnel allowed access to the payroll department and its records? We have assessed that BioHuman should limit access to the payroll office to authorized personnel only, as there can be several non-employees, such as contractors, in the environment.

Why is it significant? “Locking up employee files and payroll records at all times” when they are not in use is critical to preventing unauthorized access. This can also minimize the risk when employees are terminated or when they leave the company.

Reasons: Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users. Some of the attackers can be former employees as well.
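An added example (not from the original paper) of checking a payroll access export for the two conditions this section raises: accounts holding incompatible duties (authorization, custody, recording) and legitimate but inactive or terminated accounts that still hold privileges. The privilege-to-duty mapping, the account rows, the review date and the 90-day idle threshold are constructed assumptions.

```python
"""Separation-of-duties and dormant-account checks for payroll access.

Added example, not code from the original paper. The three duty classes
follow the incompatible duties named in the text (authorization, custody,
recording); the privilege-to-duty mapping and the access export below are
constructed for illustration and would be replaced by BioHuman's own role
definitions and an export from the payroll system.
"""
from datetime import date

# Constructed mapping: which segregated duty each payroll privilege confers.
# None marks read-only privileges that belong to no segregated duty.
PRIVILEGE_DUTY = {
    "approve_payroll_run": "authorization",
    "approve_expense_claim": "authorization",
    "release_bank_payment": "custody",
    "manage_bank_accounts": "custody",
    "enter_timesheet": "recording",
    "edit_employee_master": "recording",
    "post_payroll_journal": "recording",
    "view_payslips": None,
}

# Constructed access export: one row per account in the payroll system.
ACCESS_EXPORT = [
    {"user": "alice", "status": "active", "last_login": date(2022, 8, 10),
     "privileges": {"enter_timesheet", "approve_payroll_run"}},
    {"user": "bob", "status": "active", "last_login": date(2022, 8, 12),
     "privileges": {"release_bank_payment", "manage_bank_accounts"}},
    {"user": "carol", "status": "terminated", "last_login": date(2022, 5, 1),
     "privileges": {"edit_employee_master", "view_payslips"}},
    {"user": "dave", "status": "active", "last_login": date(2022, 2, 3),
     "privileges": {"approve_expense_claim"}},
    {"user": "contractor1", "status": "active", "last_login": date(2022, 8, 1),
     "privileges": {"view_payslips"}},
]

# Assumed date of the access review (the paper's own date).
REVIEW_DATE = date(2022, 8, 15)


def duties_of(privileges):
    """Return the set of segregated duty classes a set of privileges confers."""
    duties = set()
    for privilege in privileges:
        if privilege not in PRIVILEGE_DUTY:
            raise KeyError(f"unknown privilege {privilege!r}; add it to PRIVILEGE_DUTY")
        duty = PRIVILEGE_DUTY[privilege]
        if duty is not None:
            duties.add(duty)
    return duties


def sod_violations(export):
    """Accounts holding two or more incompatible duties.

    Such an account could both perpetrate and conceal an error or fraud
    (e.g. record a bogus timesheet and approve the payroll run that pays it).
    Returns {user: sorted list of duty classes held}.
    """
    violations = {}
    for row in export:
        duties = duties_of(row["privileges"])
        if len(duties) >= 2:
            violations[row["user"]] = sorted(duties)
    return violations


def accounts_to_disable(export, as_of, max_idle_days=90):
    """Accounts that should lose their privileges after personnel changes.

    Flags terminated users who still hold any privilege, and active accounts
    not used for more than max_idle_days: the 'legitimate but inactive'
    accounts the text warns about. Returns {user: reason}.
    """
    findings = {}
    for row in export:
        idle_days = (as_of - row["last_login"]).days
        if row["status"] != "active" and row["privileges"]:
            findings[row["user"]] = (
                f"status {row['status']} but still holds "
                f"{len(row['privileges'])} privilege(s)"
            )
        elif idle_days > max_idle_days:
            findings[row["user"]] = f"no login for {idle_days} days"
    return findings


if __name__ == "__main__":
    for user, duties in sod_violations(ACCESS_EXPORT).items():
        print(f"SoD violation: {user} holds {' + '.join(duties)}")
    for user, reason in accounts_to_disable(ACCESS_EXPORT, REVIEW_DATE).items():
        print(f"disable: {user}: {reason}")
```

Run against a real export, both results feed the POA&M: SoD violations are access-control findings, and the dormant accounts are the ones to disable before a former employee or an attacker reuses them.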

Identification and Authentication: In addition to this, identification and authentication, particularly password management, are important to both confidentiality and availability. Identification and authentication involve the company’s identification and authentication procedures. Here we assessed that BioHuman will be required to update employee passwords on a regular basis, for example every 60-90 days, or to implement at least 2FA.

Why is it significant? There are tools to determine common default passwords, and former employees may still have access to default passwords. Default passwords are also published on the Internet and can be accessible on the dark web or through other open sources.

Also, as changes in hardware/software/firmware and changes in environments take place frequently in every company, BioHuman must reference the NIST Cybersecurity Framework regarding the Payroll Profile. Here you can view the checklist of control information, which allows further transparency into what is happening not just on BioHuman’s network but also across the whole business. In the example listed below, you reference the control information and use it as a guideline for limiting unauthorized activity and detecting suspicious behavior.


Image by NIST, CSF 2021

Authorization:

Regarding the authorization phase of the RMF, the stakeholders of BioHuman are to authorize the system or common controls based on a determination that the risk to organizational operations and assets, individuals, and other organizations at BioHuman is acceptable. After the earlier aspects of categorization, selection, implementation and assessment of security controls in the RMF, testing the payroll system thoroughly and then performing configuration management to maintain the security controls of the payroll systems are essential to business at BioHuman. As we discussed, this authorization step within the RMF is also highly critical in determining whether an authorizing official (AO) is to authorize the system, deny its operation, or remediate the deficiencies of the payroll systems. In addition, the AO has the ability to issue authorization decisions through an Authorization to Operate (ATO), an Interim Authorization to Test (IATT), or a Denial of Authorization to Operate (DATO). Also, the AO is presented with an Authorization Package that contains, at a minimum, a System Security Plan (SSP), a Security Assessment Report (SAR) and a Plan of Action & Milestones (POA&M) regarding the security controls, in this case referencing the payroll systems at BioHuman (NIST SP 800-79-2, 2015).

In BioHuman’s payroll systems, the stakeholders would follow the RMF, and in the security authorization phase, if approved, this would allow proper protection of the payroll systems to be implemented, specifically against cyberthreats and cyberattacks such as malware, phishing, etc. In addition, you as the stakeholders should also be aware that if the AO feels the system risk is unacceptable for any reason, a Denial of Authorization to Operate is issued. A DATO decision is issued if the proposed operational risk is determined to be unacceptable to the business. A DATO will prevent a new system from going into operation; for an existing system, a DATO requires operation to be halted. In the case of payroll systems, if vulnerabilities expose the Personally Identifiable Information (PII) that operational management processes to produce useful, timely, and accurate management and financial data, such as birth date, DoD ID number, employment information, name(s), position/title, rank/grade, Social Security Number (SSN), work e-mail address, and Tax Identification Number (TIN), the Authorizing Official and those authorized should decide that the system will be halted.

In the case that a system requires certain testing to be done in an operational environment, an Interim Authorization to Test (IATT) can be sought. IATTs are typically given for a short period of time to permit functional testing in a “live” environment. An IATT decision can be reached if the system assessment requires live testing before an ATO (Berman, Lon; 2016). In BioHuman’s payroll systems, the aim is to test the systems with protective measures in place. When the IT team takes a proactive approach to testing system software or systems, this may include network hardening and system hardening, particularly of technical controls such as firewalls, encryption at rest, RBAC, public key certificates or user ID/passwords, to ensure that these payroll controls are properly operational and avoid potential cyber threats.

Continuous Monitoring

To have an effective continuous monitoring program, we have discussed the several steps of preparation; categorization of information and information systems; control selection, tailoring, and implementation; assessment of control effectiveness; and information system and common control authorization within the RMF process. In the continuous monitoring phase of the RMF, the stakeholders of BioHuman and all the roles involved in the system security plan must continuously monitor the system and all the associated controls on an ongoing basis, to include assessing control effectiveness, documenting changes to the system and environment of operation, conducting risk assessments and impact analyses, and reporting the security and privacy posture of the system. A continuous monitoring program allows an organization to maintain the authorization of a system over time in a highly dynamic operating environment where systems adapt to changing threats, vulnerabilities, technologies, and mission and business processes. While the use of automated support tools is not required, near real-time risk management can be achieved with automated tools (NIST RMF FAQ Guide).

Continuous monitoring is the sixth step in the Risk Management Framework (RMF) described in NIST SP 800-37, Rev 1, Applying the Risk Management Framework to Federal Information Systems (February 2010). See Figure 1 below. The objective of a continuous monitoring program is to determine if the complete set of planned, required, and deployed security controls within an information system, or inherited by the system, continue to be effective over time in light of the inevitable changes that occur. Continuous monitoring is an important activity in assessing the security impacts on an information system resulting from planned and unplanned changes to the hardware, software, firmware, or environment of operation (including the threat space). Authorizing Officials’ risk-based decisions (i.e., security authorization decisions) should consider how continuous monitoring will be implemented organization-wide as one of the components of the security life cycle represented by the RMF. The Federal Information Security Management Act (FISMA) of 2002, OMB policy, and the implementing standards and guidelines developed by NIST require a continuous monitoring approach.

Image from csrc.nist.gov, Continuous Monitoring, June 2010


Prepare for continuous monitoring

As many organizations such as BioHuman are aware, the world of IT always changes; it is not a one-time effort. This field is evolving, and the organization must keep up with new technologies that can affect its payroll systems. For example, there is new malware, the threats change constantly, and laws change. Continuous monitoring allows IT, Security and C-level staff in the organization to keep up with those changes and adjust to new compliance requirements, new laws, new protection and new encryption.

Change Management in the Security Program at BioHuman

As we implement these security controls at BioHuman, to ensure that the security controls within the payroll system are effective and secure in the environment, the security program and system security plans at BioHuman must be able to adapt to change. As we are all aware, IT technologies and rules are constantly evolving, especially when situations occur such as changes to personnel, changes to the hardware/software/firmware, and/or changes to the environment, as BioHuman is staffed with both employees and contractors. Change management is a systematic approach which deals with the transition or transformation of organizational objectives, processes, core values or technologies. The project development process and all the factors related to the project are not that stable and have to change every so often because of the shifting requirements of the market. This is effective within the continuous monitoring phase and the entire process within the Risk Management Framework.


References:

Berman, Lon (2016, September). Risk Management Framework: Understanding the Authorization Decision. RMF.org. Retrieved from https://rmf.org/wp-content/uploads/2017/10/RMF-Today-2016-09.pdf

CSRC, NIST (2022, June). Risk Management Framework (RMF) - Categorize Step. Computer Security Resource Center. Retrieved from https://csrc.nist.gov/Projects/risk-management/about-rmf/categorize-step

Dubsky, Lance (2016). Assessing Security Controls: Keystone of the Risk Management Framework. ISACA Journal, Volume 6. Retrieved from https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/assessing-security-controls-keystone-of-the-risk-management-framework

FIPS Publication 200; NIST Special Publications 800-30, 800-53, 800-53A; CNSS Instruction 1253; Web: SCAP.NIST.GOV.

Joint Task Force (2018, December). NIST Special Publication 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations. Retrieved from https://doi.org/10.6028/NIST.SP.800-37r2

NIST Special Publications 800-30 and 800-39.

NIST SP 800-60 r2. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-60/vol-2-rev-1/final

CSRC.NIST.GOV (2021, January). NIST SP 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

OMB Memorandum 02-01; NIST Special Publications 800-30, 800-53A.

Stine, K., Kissel, R., Barker, W., Fahlsing, J., and Gulick, J. (2008, August). NIST Special Publication 800-60 Volume I Revision 1: Guide for Mapping Types of Information and Information Systems to Security Categories.

Ferraiolo, H., Chandramouli, R., Ghadiali, N., Mohler, J., and Shorter, S. (2015, July). NIST Special Publication 800-79-2: Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). Retrieved from http://dx.doi.org/10.6028/NIST.SP.800-79-2
