NIST-NSA team readies systems security guidance

NIST-NSA team readies systems security guidance

The National Information Assurance Partnership in the next month will release two draft guides to create standards for systems security certification and accreditation and for minimum security controls for IT.

NIAP is a collaboration between the National Institute of Standards and Technology and the National Security Agency.

NIAP president Ron Ross said yesterday that the guides are the first attempt to help agencies use common definitions and measures when securing systems. He said there are about 12 certification and accreditation programs across government. NIAP will release the drafts for a 45-day public-comment period. The first draft is set for an Oct. 28 release, the second for Nov. 11. NIAP plans to issue final versions next year, Ross said.

'We want to bring a standard process and procedure to understanding how to secure systems,' he said. 'We will help agencies understand what they need to start securing systems by having them answer simple questions like, 'What do you want to secure?' and 'What value do you place on your information?' '

Ross said the accreditation guide will outline the process for agencies and companies to use when doing security reviews and certifications of systems.

'This is our first attempt to let agencies go out to an organization with a degree of confidence that they understand what needs to be done to secure systems,' Ross said. 'This will be similar to the six NIST-accredited organizations that review the security of commercial products.'

The second guide will detail the minimum security controls agencies need for systems. It will identify controls for three levels: low, medium and high. Ross said the guide also will focus on three security areas: confidentiality, integrity and data availability.

Although NIST cannot mandate that agencies adhere to the guides, Ross said he hopes agencies will view them as de facto standards because NIAP created them by working with interagency groups.

Ross spoke yesterday in Washington at an enterprise architecture conference sponsored by GCN, Washington Technology and the Digital Government Institute.


  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

  • Marines on patrol (US Marines)

    Using AVs to tell friend from foe

    The Defense Advanced Research Projects Agency is looking for ways autonomous vehicles can make it easier for commanders to detect and track threats among civilians in complex urban environments without escalating tensions.

Stay Connected