NIST guide gets into security routine

"Guideline on Network Security Testing"

The National Institute of Standards and Technology released a draft guide Feb. 4 with recommendations for network administrators on when and how to test for security vulnerabilities within the life cycle of a system or network.

The NIST Computer Security Division's draft "Guideline on Network Security Testing" provides basic information about security testing that can enable administrators to prioritize requirements in accordance with the limited budgets agencies have available for this function.

This is particularly helpful as agencies continue to work toward the security management requirements in the Government Information Security Reform Act. Agencies turned in their first GISRA assessments in October 2001, and the Office of Management and Budget plans to release its review of the assessments this week.

The NIST draft guide includes links to and descriptions of common testing tools, a chart comparing the strengths and weaknesses of the different testing techniques outlined in the guide and a summary table.

It is intended for more technical officials because it focuses on security testing of firewalls, routers and switches, intrusion detection systems, Web and e-mail servers, and other servers. But many of the explanations of the testing techniques are aimed at program officials as well.

"The primary aim of the document is to help administrators and managers get started with a program for testing on a routine basis," according to the Computer Security Division's site. "The methodology recommends focusing first on those systems that are accessible externally, e.g., firewalls, Web servers, etc., and then moving on to other systems as resources permit."

Comments are due by March 6 to John Wack at john.wack@nist.gov, and the division is particularly interested in comments on whether the recommended testing schedules are realistic within agencies' network environments.

NIST also this week announced the final publication of two guides: Special Publication 800-33, "Underlying Technical Models for Information Technology Security"; and Special Publication 800-30, "Risk Management Guide for Information Technology Systems."

The first is intended to provide a description of lessons learned, good practices and technical considerations that should go into the design and development of security capabilities. The second provides an overview of the risk management process — including how it fits into the system development life cycle and the roles for personnel involved in the process — and describes a risk assessment methodology for agencies to follow.
