NIST details certification process

Draft Special Publication 800-37

The National Institute of Standards and Technology's Computer Security Division this week released the first piece of a governmentwide project aimed at enhancing the overall security of federal information technology systems.

NIST released a draft publication that establishes a detailed standard security certification and accreditation (C&A) process for agencies.

"Special Publication 800-37: Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems" gives agencies three certification levels, selected according to whether a system requires high, medium or low protection for the confidentiality, integrity and availability of its information, that can be applied to any federal system.

Under the Office of Management and Budget's Circular A-130 and the Computer Security Act of 1987, federal managers must make sure all IT systems have an "adequate" level of security. Most experts agree that putting systems through a C&A process is the best way to do that.

NIST has been working with multiple organizations to adapt and enhance the Defense Information Technology Security Certification and Accreditation Process (DITSCAP) for use by all agencies. By following a standard C&A process and evaluating their systems against the same criteria, agencies gain greater assurance that their systems provide a comparable level of data and transaction security.

Many agencies are looking at C&A as one of the most important security initiatives for this fiscal year, officials said Oct. 24 at a breakfast sponsored by the Bethesda, Md., chapter of AFCEA International.

The Energy and Agriculture departments plan to speed up the implementation of their C&A programs, according to their head security officials, and the Department of Veterans Affairs is starting a new program to certify its more than 900 IT systems, said Bruce Brody, VA's associate deputy assistant secretary for cybersecurity.

This draft is the first of three publications to be issued under the first phase of the larger System Certification and Accreditation Project.

The other publications, expected to be released in the spring of 2003, will provide a standard set of minimum security controls at low, medium and high levels for systems and standard verification techniques and procedures to test those controls.

NIST is accepting comment on the draft until Jan. 31, 2003, at A tutorial is also available on the agency's Computer Security Resource Center Web site. And in the spring of 2003, the Computer Security Division plans to hold a workshop to examine all three publications.

The second phase of the project will focus on developing the capability within the public and private sectors to provide the assessments that will be based on those new standards. This will include accrediting organizations to conduct security certifications by the fall of 2004.

While NIST developed the publication for federal managers, officials are also encouraging state, local and tribal government agencies, as well as private sector organizations, to use the guide.
