NIST and NSA scurry to draft new security guide for IT
The guidelines will be the first governmentwide standards for assessing the security levels of federal systems, NIAP's Ron Ross says.
Lawrence W. Jackson
The National Institute of Standards and Technology is working on governmentwide guidelines for security certification and accreditation of federal IT systems.
This is the top priority for NIST's Computer Laboratory in fiscal 2003, said Ron S. Ross, director of the National Information Assurance Partnership.
'We're working around the clock to get the documents done,' Ross said.
NIAP will release the guidelines, known as Special Publication 800-37, for public comment late next month.
The new NIAP publication, Federal Guidelines for the Security Certification and Accreditation of IT Systems, will detail the first governmentwide standards for assessing the security level of systems.
The goal is to create consistent, comparable and repeatable system-level evaluations that will let agencies understand one another's level of security when communicating, Ross said.
NIAP is a partnership between NIST, which sets standards for government IT systems carrying nonclassified data, and the National Security Agency, which oversees national security systems.
A number of guidelines have been developed for specific government sectors, such as the Defense Department's DOD IT Security Certification and Accreditation Process and the National Information Assurance Certification and Accreditation Process for national security systems.
As with its other guidelines, NIAP plans to accredit third parties to perform evaluations under the guidelines.
'This is guidance,' Ross said. 'This is not a mandate. However, we've seen in the past where the Office of Management and Budget can come behind and say, 'This is mandatory.' That's not up to us.'Three levels of concern
Ross, speaking at the E-Gov Information Assurance Conference in Washington last week, said programs such as the Common Criteria and the Federal Information Processing Standards certify the performance of individual IT products. The proposed guidelines will address entire IT systems.
The document will include a comprehensive set of security controls for confidentiality, data integrity and availability, each of which can be rated at a low, moderate or high level of concern for the system being evaluated. A separate section will specify practices deemed effective to satisfy each level of concern. There will be three levels of security:
- Level 1, for systems with low levels of concern and requiring a basic security review
- Level 2, for systems with moderate levels of concern about confidentiality, integrity or availability, requiring a more detailed analysis
- Level 3, for systems with high levels of concern, requiring a comprehensive review.
'It is not a perfect system,' but it's easy to understand, Ross said.
To kick off the program, draft documents will be published by late next month and be available for public comment for three months. NIAP will seek up to six agencies to undergo prototype certification under the guidelines. It has requested funds in its fiscal 2003 budget to help pay for the certifications.
'When we get a stable Phase 1 document,' NIAP will develop proficiency tests and accreditation criteria for organizations to provide evaluations under the guidelines, Ross said.
Unlike Common Criteria and FIPS evaluations, which are done only by commercial laboratories, government organizations also will be considered as evaluators for this program. Ross said NIAP hopes to have the first organizations accredited by the fall of 2004.