NIST releases security guides

NIST Computer Security Resource Center

The National Institute of Standards and Technology last week released guidelines for federal agencies to address areas such as the basics of choosing security products and developing security training and awareness.

The five final special publications range from technical descriptions to high-level guidance aimed at agency executives. They have been circulating for several months in draft form and represent the latest in a series of guides meant to help agencies with issues in the Federal Information Security Management Act (FISMA) of 2002 and highlighted by the Office of Management and Budget.

Special Publication 800-42, "Guideline on Network Security Testing," is meant for information technology and security officials in an agency. It focuses on the details of setting up, maintaining and acting on standard enterprise network penetration testing programs. Constant testing is a major component of a security program, highlighted first by the Government Information Security Reform Act (GISRA) of 2000, and now FISMA.

The high-level view in Special Publication 800-64, "Security Considerations in the Information System Development Life Cycle," addresses many key concerns from OMB. For years, officials have pushed agencies to consider security from the very beginning of the development of any system or program in order to head off potential incidents and save money later. Including security in the business case for any new system is now a key evaluation factor for determining whether OMB will grant agency budget requests.

Specific training and general awareness are growing concerns within agencies, as officials realize that technology will not help if users and managers do not take security steps as well. Additional requirements are laid out in FISMA, and Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program," identifies four critical steps for training and awareness — from assessing agencywide needs to post-implementation feedback and adjustment.

Special Publication 800-36, "Guide to Selecting Information Security Products," looks at product evaluation — an area of security receiving increased attention from Congress. It reviews potential issues for many types of products, including identification and authorization, firewalls, vulnerability scanners and forensics. It highlights the Common Criteria Evaluation and Validation Scheme, an international standard for evaluating security products now required for defense and national security and being considered for civilian agencies. The National Information Assurance Partnership, a joint venture between NIST and the National Security Agency, oversees the Common Criteria for the United States.

More agencies are contracting out for security services that support their products and programs. Special Publication 800-35, "Guide to Information Technology Security Services," outlines a life cycle for these buying services — from determining whether a service can help in the first place all the way to ending it. The guide details the pros and cons of possibilities instead of prescribing a specific way to go about dealing with issues.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.