Get security help in person or online

From tailor-made Web sites to advisory groups, federal systems administrators needn't look far for answers about computer and network security, Marianne Swanson said at a recent conference.

Swanson, senior adviser for information technology security management at the National Institute of Standards and Technology in Gaithersburg, Md., spoke at the National High-Performance Computing and Communications Council's annual conference in Newport, R.I.

Federal users can submit case studies for posting on the security best-practices site, NIST's Marianne Swanson says.

The Best Security Practices site, at, sponsored by a subcommittee of the Chief Information Officers Council, recounts 16 case studies of agencies' security efforts. Each case study estimates the resources involved and details procurement information and lessons learned.

Federal users can submit case studies to the CIO Council subcommittee, which will review them for appropriateness before posting, Swanson said. An automatically scrolling window on the home page shows the subject areas that the subcommittee is interested in learning about.

For users who prefer to learn about best practices in person, the Federal Computer Security Program Managers' Forum holds bimonthly meetings and has a 300-member e-mail list, Swanson said.

The CIO Council's security subcommittee has produced a risk management guide for managers, Swanson said. The subcommittee also has been developing an IT security assessment framework to help administrators diagnose their security problems, much as they assessed year 2000 vulnerabilities in the late 1990s.

Five levels

The self-assessment framework, which is undergoing final review for release later this year, specifies five levels of IT security program effectiveness, Swanson said. Each level comes with detailed questions and criteria for determining which level a program has reached.

NIST's Computer Security Resource Center, at, started as a bulletin board service about a dozen years ago, Swanson said.

It contains material about the Advanced Encryption Standard, computer virus alerts and intrusion detection. It also has a section on the international Common Criteria standards for IT security.

Recently the Web site added a section on proper implementation of public-key infrastructure systems. Over the next two months, NIST will add sections on risk assessment, incident handling and firewall policies.

Swanson said the ICAT metabase, at, now lists more than 2,300 known computer and network vulnerabilities with links to patches.

The searchable index is organized according to the Common Vulnerabilities and Exposures naming standards developed two years ago by Mitre Corp. of Bedford, Mass.
