NIST prepping security guides

Computer Security Resource Center

The National Institute of Standards and Technology's security team will be releasing more than 30 guides over the coming year to help agencies with many crucial technical and policy security concerns, officials said last week.

The NIST Computer Security Resource Center released four draft guides for comment during the past two months, addressing telecommuting security, information technology contingency plans, securely connecting IT systems, and using common definitions for security vulnerabilities. Under the Computer Security Act of 1987, NIST serves as the primary technical resource for civilian agencies.

But those four guides are only the beginning of what will be a very busy year for the center and its contractors. In fiscal 2002, they plan to release almost three times the usual number of guides, said Tim Grance, manager of the systems and network security group.

These guides, including those listed below, will be grouped into four areas:

* Broad guidance in high-impact areas, such as incident handling, security certification and accreditation, security metrics and determining security return on investment.

* Procurement strategy, including a user guide for understanding the Common Criteria international evaluation scheme and a guide to procuring managed security services.

* Point solutions for technical and policy areas, such as applying security patches, securing public Web servers, smart cards, public-key infrastructure directories, and e-mail security issues and solutions.

* Security of emerging technologies, particularly securing wireless networks.

All of the NIST guides will be released for comment to help fine-tune them for agency needs, and the center welcomes input on whether it is focusing on the areas most useful to agencies, Grance said.

In addition, the center plans to release in March an automated tool to help agencies perform security self-assessments. The tool is based on a guide released last year in partnership with the federal CIO Council and the council's Federal IT Security Assessment Framework. In January 2001, the Office of Management and Budget recommended that agencies use the framework and guide as the basis for the self-assessments required under the Government Information Security Reform Act.

The center's staff members also will review existing guides and standards to ensure consistency with current legislation and policy, identify any redundancy, and determine the need for additional guidance beyond what is already planned, said Joan Hash, director of the center's security, management and guidance group.
