NIST sets guides on infosec buys
The National Institute of Standards and Technology has released its final guidelines on how civilian agencies should procure information security products.
NIST Special Publication 800-23
The National Institute of Standards and Technology has released its final
guidelines on how civilian agencies should procure information security
products.
Under the new guidelines, NIST Special Publication 800-23, released
Sept. 8, NIST recommends that agencies acquire security products that have
undergone independent testing and evaluation.
"Federal agencies should give substantial consideration in IT procurement
and deployment for IT products that have been evaluated and tested by independent
accredited laboratories against appropriate security specifications and
requirements," the guide states.
The main type of testing recommended by the publication is the international
Common Criteria Evaluation and Validation Program, overseen in the United
States by the National Information Assurance Partnership under NIST and
the National Security Agency.
Using the Common Criteria Evaluation, agencies can be assured that the
security products will perform the way a vendor promises. The products are
tested by private-sector laboratories accredited by the National Information
Assurance Partnership.
NIST cautions, however, that agencies still need to ensure that a security
product fits into their overall architectures and meets their needs because
a Common Criteria-tested product may not be the best security product.
"It is important to note that purchasing an evaluated product just because
it is evaluated, and without due consideration of applicable functional
and assurance requirements, may be neither useful nor cost-effective," the
guide states.
NEXT STORY: Boston to integrate health data