NIST details certification process

Draft Special Publication 800-37

The National Institute of Standards and Technology's Computer Security Division this week released the first piece of a governmentwide project aimed at enhancing the overall security of federal information technology systems.

NIST released a draft publication that establishes a detailed standard security certification and accreditation (C&A) process for agencies.

"Special Publication 800-37: Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems" provides agencies with three levels they can use to evaluate any federal system for high, medium and low levels of confidentiality, integrity, and availability.

Under the Office of Management and Budget's Circular A-130 and the Computer Security Act of 1987, federal managers must make sure all IT systems have an "adequate" level of security. Most experts agree that putting systems through a C&A process is the best way to do that.

NIST has been working with multiple organizations to adapt and enhance the Defense Information Technology Security Certification and Accreditation Process for all agencies. By using a standard C&A process and evaluating their systems against the same criteria, agencies can have greater assurance that their systems provide the same level of data and transaction security.

Many agencies are looking at C&A as one of the most important security initiatives for this fiscal year, officials said Oct. 24 at a breakfast sponsored by the Bethesda, Md., chapter of AFCEA International.

The Energy and Agriculture departments plan to speed up the implementation of their C&A programs, according to their head security officials, and the Department of Veterans Affairs is starting a new program to certify its more than 900 IT systems, said Bruce Brody, VA's associate deputy assistant secretary for cybersecurity.

This draft is the first of three publications to be issued under the first phase of the larger System Certification and Accreditation Project.

The other publications, expected to be released in the spring of 2003, will provide a standard set of minimum security controls at low, medium and high levels for systems and standard verification techniques and procedures to test those controls.

NIST is accepting comment on the draft until Jan. 31, 2003, at sec-cert@nist.gov. A tutorial is also available on the agency's Computer Security Resource Center Web site. And in the spring of 2003, the Computer Security Division plans to hold a workshop to examine all three publications.

The second phase of the project will focus on developing the capability within the public and private sectors to provide the assessments that will be based on those new standards. This will include accrediting organizations to conduct security certifications by the fall of 2004.

While NIST developed the publication for federal managers, officials are also encouraging state, local and tribal government agencies, as well as private sector organizations, to use the guide.