NIST sets guides on infosec buys

NIST Special Publication 800-23

The National Institute of Standards and Technology has released its final
guidelines on how civilian agencies should procure information security
products.

Under the new guidelines, NIST Special Publication 800-23, released
Sept. 8, NIST recommends that agencies acquire security products that have
undergone independent testing and evaluation.

"Federal agencies should give substantial consideration in IT procurement
and deployment for IT products that have been evaluated and tested by independent
accredited laboratories against appropriate security specifications and
requirements," the guide states.

The main type of testing recommended by the publication is the international
Common Criteria Evaluation and Validation Program, overseen in the United
States by the National Information Assurance Partnership under NIST and
the National Security Agency.

Using the Common Criteria Evaluation, agencies can be assured that the
security products will perform the way a vendor promises. The products are
tested by private-sector laboratories accredited by the National Information
Assurance Partnership.

NIST cautions, however, that agencies still need to ensure that a security
product fits into their overall architectures and meets their needs because
a Common Criteria-tested product may not be the best security product.

"It is important to note that purchasing an evaluated product just because
it is evaluated, and without due consideration of applicable functional
and assurance requirements, may be neither useful nor cost-effective," the
guide states.
