NIST, NSA create security language


Related Links

One of the best ways to strengthen IT security is to make sure all of the systems in an infrastructure conform to a set of security specifications. But that is often difficult and time-consuming.

To simplify the process, officials at the National Institute of Standards and Technology and the National Security Agency have developed a common specification language, dubbed Extensible Configuration Checklist Description Format, that can be used to write security checklists and related documents.

People in different environments might configure systems differently, said John Wack, a computer scientist in NIST's Computer Security Division, and the tools that help with security conformance are usually specific to a particular manufacturer's products.

"One area in which [the new language] could be particularly useful is in those situations where large configuration packages are needed, where you have a large network of disparate systems such as Windows PCs, Unix products and so on," Wack said.

Most security guidance documents are written as text in word processing documents or Web pages, said Neal Ziring, technical director of NSA's System and Network Attack Center.

The new language "is designed to be machine-readable and to serve for document generation, tailoring of checklists to local conditions and automated scoring of checklist compliance," he said.

In addition to fostering more uniform use of security guidelines, the language should also promote faster sharing of information among security professionals, vendors and system auditors, Ziring said. It should also improve automation of security testing and monitoring.

Now, developers need to configure their products to work with the format in a high-level manner so users can take advantage of the common approach promoted by the new language, Wack said.

About the Author

Brian Robinson is a freelance writer based in Portland, Ore.


  • People
    Federal CIO Suzette Kent

    Federal CIO Kent to exit in July

    During her tenure, Suzette Kent pushed on policies including Trusted Internet Connection, identity management and the creation of the Chief Data Officers Council

  • Defense
    Essye Miller, Director at Defense Information Management, speaks during the Breaking the Gender Barrier panel at the Air Space, Cyber Conference in National Harbor, Md., Sept. 19, 2017. (U.S. Air Force photo/Staff Sgt. Chad Trujillo)

    Essye Miller: The exit interview

    Essye Miller, DOD's outgoing principal deputy CIO, talks about COVID, the state of the tech workforce and the hard conversations DOD has to have to prepare personnel for the future.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.