NIST details certification process

Draft Special Publication 800-37

The National Institute of Standards and Technology's Computer Security Division this week released the first piece of a governmentwide project aimed at enhancing the overall security of federal information technology systems.

NIST released a draft publication that establishes a detailed standard security certification and accreditation (C&A) process for agencies.

"Special Publication 800-37: Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems" provides agencies with three levels they can use to evaluate any federal system for high, medium and low levels of confidentiality, integrity, and availability.

Under the Office of Management and Budget's Circular A-130 and the Computer Security Act of 1987, federal managers must make sure all IT systems have an "adequate" level of security. Most experts agree that putting systems through a C&A process is the best way to do that.

NIST has been working with multiple organizations to adapt and enhance the Defense Information Technology Security Certification and Accreditation Process for all agencies. By using a standard C&A process and evaluating their systems against the same criteria, agencies can have greater assurance that their systems provide the same level of data and transaction security.

Many agencies are looking at C&A as one of the most important security initiatives for this fiscal year, officials said Oct. 24 at a breakfast sponsored by the Bethesda, Md., chapter of AFCEA International.

The Energy and Agriculture departments plan to speed up the implementation of their C&A programs, according to their head security officials, and the Department of Veterans Affairs is starting a new program to certify its more than 900 IT systems, said Bruce Brody, VA's associate deputy assistant secretary for cybersecurity.

This draft is the first of three publications to be issued under the first phase of the larger System Certification and Accreditation Project.

The other publications, expected to be released in the spring of 2003, will provide a standard set of minimum security controls at low, medium and high levels for systems and standard verification techniques and procedures to test those controls.

NIST is accepting comment on the draft until Jan. 31, 2003, at [email protected]. A tutorial is also available on the agency's Computer Security Resource Center Web site. And in the spring of 2003, the Computer Security Division plans to hold a workshop to examine all three publications.

The second phase of the project will focus on developing the capability within the public and private sectors to provide the assessments that will be based on those new standards. This will include accrediting organizations to conduct security certifications by the fall of 2004.

While NIST developed the publication for federal managers, officials are also encouraging state, local and tribal government agencies, as well as private sector organizations, to use the guide.
