NIST releases security guides

NIST Computer Security Resource Center

The National Institute of Standards and Technology last week released guidelines for federal agencies to address areas such as the basics of choosing security products and developing security training and awareness.

The five final special publications range from technical descriptions to high-level guidance aimed at agency executives. They have been circulating for several months in draft form and represent the latest in a series of guides meant to help agencies with issues in the Federal Information Security Management Act (FISMA) of 2002 and highlighted by the Office of Management and Budget.

Special Publication 800-42, "Guideline on Network Security Testing," is meant for information technology and security officials in an agency. It focuses on the details of setting up, maintaining and acting on standard enterprise network penetration testing programs. Constant testing is a major component of a security program, highlighted first by the Government Information Security Reform Act (GISRA) of 2000, and now FISMA.

The high-level view in Special Publication 800-64, "Security Considerations in the Information System Development Life Cycle," addresses many key concerns from OMB. For years, officials have pushed agencies to consider security from the very beginning of the development of any system or program in order to head off potential incidents and save money later. Including security in the business case for any new system is now a key evaluation factor for determining whether OMB will grant agency budget requests.

Specific training and general awareness are growing concerns within agencies, as officials realize that technology will not help if users and managers do not take security steps as well. Additional requirements are laid out in FISMA, and Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program," identifies four critical steps for training and awareness — from assessing agencywide needs to post-implementation feedback and adjustment.

Special Publication 800-36, "Guide to Selecting Information Security Products," looks at product evaluation — an area of security receiving increased attention from Congress. It reviews potential issues for many types of products, including identification and authorization, firewalls, vulnerability scanners and forensics. It highlights the Common Criteria Evaluation and Validation Scheme, an international standard for evaluating security products now required for defense and national security and being considered for civilian agencies. The National Information Assurance Partnership, a joint venture between NIST and the National Security Agency, oversees the Common Criteria for the United States.

More agencies are contracting out for security services that support their products and programs. Special Publication 800-35, "Guide to Information Technology Security Services," outlines a life cycle for these buying services — from determining whether a service can help in the first place all the way to ending it. The guide details the pros and cons of possibilities instead of prescribing a specific way to go about dealing with issues.


  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

    sensor network (agsandrew/

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.