• Next Generation Risk Management for the Federal Government (Dr. Ron Ross, NIST, April 2010)
• National Institutes of Standards and Technology (NIST) Special Publications
• ASD-NII Information Assurance
(DOD)
• DoD Information Assurance Certification and Accreditation Process (DIACAP)
• Consensus Audit Guidelines (CAG) (The Gilligan Group and SANS)
• The Federal Enterprise Architecture Security and Privacy Profile, Version 2.0
• Information Technology Infrastructure Library (ITIL)
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®)
• Control Objectives for Information and related Technology (COBIT®)
• Common Sense Guide to Prevention and Detection of Insider Threats
(CERT)
• Sensitive Database Extracts Technical Frequently Asked Questions
(NIST / OMB)
• Security Content Automation Protocol (SCAP)
(NIST) and family of standards:
• Extensible Configuration Checklist Description Format (XCCDF) (NIST)
• Open Vulnerability and Assessment Language (OVAL) (NIST/Mitre)
• Common Weakness Enumeration (CWE) (NIST/Mitre)
• Common Vulnerabilities and Exposures (CVE) (NIST/Mitre)
• Common Configuration Enumeration (CCE) (NIST/Mitre)
• Common Attack Pattern Enumeration and Classification (CAPEC) (NIST/Mitre)
• Common Platform Enumeration (CPE) (NIST/Mitre)
• Common Event Expression (CEE) (NIST/Mitre)
• Common Result Format (CRF) (NIST/Mitre)
• Common Vulnerability Scoring System (CVSS) (FIRST)
• Open Security Testing Methodology Manual (OSTMM)
• Information Assurance Technology Analysis Center (IATAC)
• FIRST Best Practice Guide Library (BPGL)
• Microsoft Security Guidance and Microsoft TechNet Security Guidance
• Common Attack Pattern Enumeration and Classification (CAPEC)
• Mapping of Security Guidance across Applicable Laws, Regulations and Policies (SANS)
• Software Assurance: A Curriculum Guide to the Common Body of Knowledge to Produce, Acquire, and Sustain Secure Software (DHS)
• Process Reference Model For Assurance Mapping To CMMI-DEV (DHS)
• Professional Practices for Business Continuity Planning (BCP)
• Generally Accepted Practices for Business Continuity Planning (BCP)
• Payment Card Industry Data Security Standard (PCI-DSS)
• Guidance for Managing Third-Party Risk (FDIC)
• Trust Services of Systrust and WebTrust (AICPA)
• Building an Information Technology Security Awareness and Training Program (NIST SP 800-50)
• Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities (NIST SP 800-84)
• Information Assurance (IA) Education, Training, and Awareness (CNSSD-500)
• Information Assurance Workforce Improvement Program (DoD 8570.1-M)
• IT Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development
• Guidance on Protecting Personally Identifiable Information (PII) (DOD)

Hardening Guides and Security Configuration Baselines

• National Checklist Program (NIST security configuration checklists)
• Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG)
• DISA Security Readiness Reviews Checklists and Scripts
• National Security Agency (NSA) Security Configuration Guides
• Center for Internet Security
• CERT/CC Security Improvement Modules
• Pete Finnigan - Oracle and Oracle security information
• S.C.O.R.E. - Security Consensus Operational Readiness Evaluation
• Sun Security Blueprints Program and Sun Blueprints Online Magazine
• Microsoft Security Guides
• Improving Web Application Security (Microsoft)
• ISF Standard of Good Practice
• Global (ISC)2 Resource Guide