NIST drafts security buying guides

NIST Computer Security Resource Center

The National Institute of Standards and Technology's Computer Security Division has released three new draft guides for agencies on buying security technologies and services.

The three draft guides, released Oct. 9, approach security acquisition from different directions. All of them are necessary to ensure security when implementing an information technology network or solution. The guides are available on NIST's Computer Security Resource Center site. Comments are due back by Nov. 11.

The first, "Special Publication 800-36: Guide to Selecting IT Security Products," looks at hardware and software specifically for security needs, such as identification and authentication, intrusion detection, virus and malicious code protection, and forensics.

The draft doesn't focus only on product specifications; it also recommends that managers take into account the user community, the agency's mission, ease of use and the ability to obtain future upgrades as part of the acquisition decision.

The guide also outlines the responsibilities of officials throughout an organization in choosing a security product for a network. That includes not just the security manager and chief information officer, but also the program manager, the contracting officer and the agency's IT investment review board.

Comments can be sent to

The second draft, "Special Publication 800-35: Guide to IT Security Services," focuses on evaluating and procuring the many security services now available. These range from helping to develop a security policy to outsourcing the management of an agency's firewall or intrusion detection system.

This guide outlines the security services now available, along with the management tools and methods for overseeing contracted services. It also takes agencies through the management process, from initial selection and evaluation to exit from or transition away from a service provider.

Comments can be sent to

The third draft, "Special Publication 800-4A: Security Considerations in Federal Information Technology Procurements," is a broader guide that looks at all IT procurements and how to ensure that security is considered as a factor in every product, service, system and network.

The guide takes agencies through the security considerations at every point in the acquisition process, from mission planning and acquisition planning to managing and closing the contract.

Comments can be sent to
