NIST prepping security guides

The National Institute of Standards and Technology's security team will be releasing more than 30 guides over the coming year to help agencies with many crucial technical and policy security concerns, officials said last week.

The NIST Computer Security Resource Center released four draft guides for comment during the past two months, addressing telecommuting security, information technology contingency plans, securely connecting IT systems, and using common definitions for security vulnerabilities. Under the Computer Security Act of 1987, NIST serves as the primary technical resource for civilian agencies.

But those four guides are only the beginning of what will be a very busy year for the center and its contractors. In fiscal 2002, they plan to release almost three times the usual number of guides, said Tim Grance, manager of the systems and network security group.

These guides, including those listed below, will be grouped into four areas:

* Broad guidance in high-impact areas, such as incident handling, security certification and accreditation, security metrics and determining security return on investment.

* Procurement strategy, including a user guide for understanding the Common Criteria international evaluation scheme and a guide to procuring managed security services.

* Point solutions for technical and policy areas, such as applying security patches, securing public Web servers, smart cards, public-key infrastructure directories, and e-mail security issues and solutions.

* Security of emerging technologies, particularly securing wireless networks.

All of the NIST guides will be released for comment so they can be fine-tuned to agency needs, and the center welcomes feedback on whether it is focusing on the areas where agencies most need help, Grance said.

In addition, the center plans to release in March an automated tool to help agencies perform security self-assessments. The tool is based on a self-assessment guide the center released last year, which was built on the federal CIO Council's Federal IT Security Assessment Framework. In January 2001, the Office of Management and Budget recommended that agencies use the framework and guide as the basis for the self-assessments required under the Government Information Security Reform Act.

The center's staff members also will review existing guides and standards to ensure consistency with current legislation and policy, identify any redundancy, and determine whether additional guidance is needed beyond what is already planned, said Joan Hash, director of the center's security, management and guidance group.
