NIST to set security standard

The National Institute of Standards and Technology is creating a process to provide a standard way for agencies to certify the security level of their systems and networks.

The new process, which is expected to be released at the end of June as a NIST special publication, will measure the confidentiality, integrity and availability of a system and rate the system as high, medium or low.

The process also will provide an accurate way to compare the security of systems within an agency and with other systems across government, said Ron Ross, a supervisor within the security metrics and testing group at NIST's Computer Security Division. This is particularly important as data sharing and cross-agency systems become the norm.

For instance, the FBI and the Immigration and Naturalization Service are integrating systems and want to be sure that the appropriate security is in place on each side, Ross said. Connecting a system accredited at a high level for data integrity with a system that is accredited at a low level is not good because the data in the low-level system may be untrustworthy, he said.

Agency policies and the Office of Management and Budget's Circular A-130 require that every information system in government go through a security certification and accreditation process. However, only the defense and national security communities have a common method for performing those evaluations.

The new NIST process, which is designed for civilian agencies, will be modeled after the Defense Information Technology Security Certification and Accreditation Process. It will be based on the internationally accepted Common Criteria security standard for products, Ross said.

NIST and the National Security Agency, through the National Information Assurance Partnership, are encouraging the use of the Common Criteria standard within civilian agencies for procuring and developing secure products [see "New hopes for a security lockdown"].

Because using evaluated products does not guarantee a secure network, agencies must also perform certification and accreditation to ensure confidence in each system — and that's what the NIST process will attempt to address.

Common Criteria "does not prescribe an end-to-end solution for information security; it's merely standardizing some of the equipment," said Craig Janus, vice president of the Center for Information Systems at Mitretek Systems.

"There's a systems integration requirement between the Common Criteria and the holistic solution for an agency that needs to be met," he said, "and that is usually met by an overarching security plan."


New credentials

The National Institute of Standards and Technology will provide a standard methodology to accredit and certify agency systems and networks. The security of the systems will be rated on the level of confidentiality, integrity and availability provided.

The certification can be done in-house or by a third party familiar with the process. The result will help agencies involved in data sharing or cross-agency projects know the security level of the systems to which they are connecting.
