NIST puts the word out on security safeguards
Agency joins with NSA on format for checklists, and recommends FIPS rule
The National Institute of Standards and Technology and the National Security Agency have released a specification to standardize IT security checklists.
In a separate move, NIST also released the final public draft of recommended security controls for federal systems, a fine-tuned version of a document that will become a mandatory Federal Information Processing Standard by the end of the year.
NIST and NSA developed the Extensible Configuration Checklist Description Format as a way to provide a uniform format for security checklists, benchmarks and other configuration guidance.
In their document, NIST and NSA noted that the use of such checklists 'can markedly reduce the vulnerability exposure of an organization.' The development of a single format for government use also will let agencies easily share checklist information, NIST and NSA said. To see the document, go to www.gcn.com and enter 358 in the GCN.com/box.
On the FIPS recommendation, the agency's IT Laboratory said this third version of Special Publication 800-53 contains modest changes based on more than 400 responses to earlier releases. It is one of seven NIST publications being produced in accordance with the Federal Information Security Management Act.
The agency's Computer Security Division will accept comments on the draft until Feb. 11. It expects a final version to get Commerce Department approval by the end of February.
The controls include management, operational and technical safeguards, and countermeasures that ensure the confidentiality, integrity and availability of government systems. They create baseline configurations for low-, moderate- and high-risk systems. NIST said SP 800-53 is significant because its recommended security controls will become mandatory in December, when FIPS 200, Minimum Security Controls for Federal Information Systems, takes effect.
To see the draft, go to www.gcn.com and enter 361 in the GCN.com/box.