NIST releases security guides
- By Diane Frank
- Oct 14, 2003
NIST Computer Security Resource Center
The National Institute of Standards and Technology last week released guidelines for federal agencies to address areas such as the basics of choosing security products and developing security training and awareness.
The five final special publications range from technical descriptions to high-level guidance aimed at agency executives. They have been circulating for several months in draft form and represent the latest in a series of guides meant to help agencies with issues in the Federal Information Security Management Act (FISMA) of 2002 and highlighted by the Office of Management and Budget.
Special Publication 800-42, "Guideline on Network Security Testing," is meant for information technology and security officials in an agency. It focuses on the details of setting up, maintaining and acting on standard enterprise network penetration testing programs. Constant testing is a major component of a security program, highlighted first by the Government Information Security Reform Act (GISRA) of 2000, and now FISMA.
The high-level view in Special Publication 800-64, "Security Considerations in the Information System Development Life Cycle," addresses many key concerns from OMB. For years, officials have pushed agencies to consider security from the very beginning of the development of any system or program in order to head off potential incidents and save money later. Including security in the business case for any new system is now a key evaluation factor for determining whether OMB will grant agency budget requests.
Specific training and general awareness are growing concerns within agencies, as officials realize that technology will not help if users and managers do not take security steps as well. Additional requirements are laid out in FISMA, and Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program," identifies four critical steps for training and awareness from assessing agencywide needs to post-implementation feedback and adjustment.
Special Publication 800-36, "Guide to Selecting Information Security Products," looks at product evaluation an area of security receiving increased attention from Congress. It reviews potential issues for many types of products, including identification and authorization, firewalls, vulnerability scanners and forensics. It highlights the Common Criteria Evaluation and Validation Scheme, an international standard for evaluating security products now required for defense and national security and being considered for civilian agencies. The National Information Assurance Partnership, a joint venture between NIST and the National Security Agency, oversees the Common Criteria for the United States.
More agencies are contracting out for security services that support their products and programs. Special Publication 800-35, "Guide to Information Technology Security Services," outlines a life cycle for these buying services from determining whether a service can help in the first place all the way to ending it. The guide details the pros and cons of possibilities instead of prescribing a specific way to go about dealing with issues.