NIST releases security guides

NIST Computer Security Resource Center

The National Institute of Standards and Technology last week released guidelines for federal agencies to address areas such as the basics of choosing security products and developing security training and awareness.

The five final special publications range from technical descriptions to high-level guidance aimed at agency executives. They have been circulating for several months in draft form and represent the latest in a series of guides meant to help agencies with issues in the Federal Information Security Management Act (FISMA) of 2002 and highlighted by the Office of Management and Budget.

Special Publication 800-42, "Guideline on Network Security Testing," is meant for information technology and security officials in an agency. It focuses on the details of setting up, maintaining and acting on standard enterprise network penetration testing programs. Constant testing is a major component of a security program, highlighted first by the Government Information Security Reform Act (GISRA) of 2000, and now FISMA.

The high-level view in Special Publication 800-64, "Security Considerations in the Information System Development Life Cycle," addresses many key concerns from OMB. For years, officials have pushed agencies to consider security from the very beginning of the development of any system or program in order to head off potential incidents and save money later. Including security in the business case for any new system is now a key evaluation factor for determining whether OMB will grant agency budget requests.

Specific training and general awareness are growing concerns within agencies, as officials realize that technology will not help if users and managers do not take security steps as well. Additional requirements are laid out in FISMA, and Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program," identifies four critical steps for training and awareness — from assessing agencywide needs to post-implementation feedback and adjustment.

Special Publication 800-36, "Guide to Selecting Information Security Products," looks at product evaluation — an area of security receiving increased attention from Congress. It reviews potential issues for many types of products, including identification and authorization, firewalls, vulnerability scanners and forensics. It highlights the Common Criteria Evaluation and Validation Scheme, an international standard for evaluating security products now required for defense and national security and being considered for civilian agencies. The National Information Assurance Partnership, a joint venture between NIST and the National Security Agency, oversees the Common Criteria for the United States.

More agencies are contracting out for security services that support their products and programs. Special Publication 800-35, "Guide to Information Technology Security Services," outlines a life cycle for buying these services — from determining whether a service can help in the first place all the way to ending it. The guide details the pros and cons of the possibilities instead of prescribing a specific way to go about dealing with issues.
