NIST prepping security guides

Security team will be releasing more than 30 guides over the coming year to help agencies

Computer Security Resource Center

The National Institute of Standards and Technology's security team will be releasing more than 30 guides over the coming year to help agencies with many crucial technical and policy security concerns, officials said last week.

The NIST Computer Security Resource Center released four draft guides for comment during the past two months, addressing telecommuting security, information technology contingency plans, securely connecting IT systems, and using common definitions for security vulnerabilities. Under the Computer Security Act of 1987, NIST serves as the primary technical resource for civilian agencies.

But those four guides are only the beginning of what will be a very busy year for the center and its contractors. In fiscal 2002, they plan to release almost three times the usual number of guides, said Tim Grance, manager of the systems and network security group.

These guides, including those listed below, will be grouped into four areas:

* Broad guidance in high-impact areas, such as incident handling, security certification and accreditation, security metrics and determining security return on investment.

* Procurement strategy, including a user guide for understanding the Common Criteria international evaluation scheme and a guide to procuring managed security services.

* Point solutions for technical and policy areas, such as applying security patches, securing public Web servers, smart cards, public-key infrastructure directories, and e-mail security issues and solutions.

* Security of emerging technologies, particularly securing wireless networks.

All of the NIST guides will be released for comment to help fine-tune them for agency needs, and the center always welcomes help in determining whether it is focusing on the areas that will be most useful to agencies, Grance said.

In addition, the center plans to release in March an automated tool to help agencies perform security self-assessments, based on a guide released last year in partnership with the federal CIO Council's Federal IT Security Assessment Framework. In January 2001, the Office of Management and Budget recommended agencies use the framework and guide as the basis for the self-assessments required under the Government Information Security Reform Act.

The center's staff members also will be reviewing existing guides and standards to ensure consistency with current legislation and policy, identify any redundancy, and determine the need for additional guidance beyond what is already planned, said Joan Hash, director of the center's security, management and guidance group.