NIST drafts security buying guides
- By Diane Frank
- Oct 11, 2002
NIST Computer Security Resource Center
The National Institute of Standards and Technology's Computer Security Division
has released three new draft guides for agencies on buying security technologies
and services.
The three draft guides, released Oct. 9, approach security acquisition
from different directions. All of them are necessary to ensure security
when implementing an information technology network or solution. The guides
are available on NIST's Computer Security Resource Center site (http://csrc.nist.gov). Comments are due back by Nov. 11.
The first, "Special Publication 800-36: Guide to Selecting IT Security
Products," looks at hardware and software specifically for security needs,
such as identification and authentication, intrusion detection, virus and
malicious code protection, and forensics.
The draft doesn't focus only on product specifications; it also recommends
that managers take into account the user community, the agency's mission,
ease of use, and the ability to obtain upgrades in the future as part of
the acquisition decision.
The guide also outlines the responsibilities of officials throughout
an organization in choosing a security product for a network. That includes
not just the security manager and chief information officer, but also the
program manager, the contracting officer and the agency's IT investment
review board.
Comments can be sent to [email protected].
The second draft, "Special Publication 800-35: Guide to IT Security
Services," focuses on evaluating and procuring the many security services
now available. These range from helping to develop a security policy to
outsourcing the management of an agency's firewall or intrusion detection
system.
This guide outlines all of the security services now available, as well
as the different management tools and methods for overseeing contracted
services. And it takes agencies through the management process, from the
initial selection and evaluation to exit from or transition away from a service provider.
Comments can be sent to [email protected].
The third draft, "Special Publication 800-4A: Security Considerations
in Federal Information Technology Procurements," is a broader guide,
looking at all IT procurements and how to ensure that security is considered
as a factor in every product, service, system and network.
The guide takes agencies through the security considerations at every
point in the acquisition process, from mission planning and acquisition
planning to managing and closing the contract.
Comments can be sent to [email protected].