NIST to set security standard

The National Institute of Standards and Technology is creating a process to provide a standard way for agencies to certify the security level of their systems and networks.

The new process, which is expected to be released at the end of June as a NIST special publication, will measure a system's confidentiality, integrity and availability and determine whether it attains a high, medium or low rating.

The process also will provide an accurate way to compare the security of systems within an agency and with other systems across government, said Ron Ross, a supervisor within the security metrics and testing group at NIST's Computer Security Division. This is particularly important as data sharing and cross-agency systems become the norm.

For instance, the FBI and the Immigration and Naturalization Service are integrating systems and want to be sure that the appropriate security is in place on each side, Ross said. Connecting a system accredited at a high level for data integrity with a system that is accredited at a low level is not good because the data in the low-level system may be untrustworthy, he said.

Agency policies and the Office of Management and Budget's Circular A-130 require that every information system in government go through a security certification and accreditation process. However, only the defense and national security communities have a common method for performing those evaluations.

The new NIST process, which is designed for civilian agencies, will be modeled after the Defense Information Technology Security Certification and Accreditation Process. It will be based on the internationally accepted Common Criteria security standard for products, Ross said.

NIST and the National Security Agency, through the National Information Assurance Partnership, are encouraging the use of the Common Criteria standard within civilian agencies for procuring and developing secure products [see "New hopes for a security lockdown"].

Because using evaluated products does not guarantee a secure network, agencies must also perform certification and accreditation to ensure confidence in each system — and that's what the NIST process will attempt to address.

Common Criteria "does not prescribe an end-to-end solution for information security; it's merely standardizing some of the equipment," said Craig Janus, vice president of the Center for Information Systems at Mitretek Systems.

"There's a systems integration requirement between the Common Criteria and the holistic solution for an agency that needs to be met," he said, "and that is usually met by an overarching security plan."

New credentials

The National Institute of Standards and Technology will provide a standard methodology to accredit and certify agency systems and networks. The security of the systems will be rated on the level of confidentiality, integrity and availability provided.

The certification can be done in-house or by a third party familiar with the process. The result will help agencies involved in data sharing or cross-agency projects know the security level of the systems to which they are connecting.
