NIST guidebooks advise agencies to get on the same security page

Keep up. That's how the National Institute of Standards and Technology advises agencies to safeguard their systems.

A series of NIST special publications last month said agencies need to understand and follow the Common Vulnerabilities and Exposures naming scheme, develop security patch management procedures, and protect connections to remote users and other systems.

Special Publication 800-40 deals with security patches, 800-46 with telecommuting and broadband communications, 800-47 with interconnected systems and 800-51 with the CVE naming scheme. All are available at

The Computer Security Act of 1987 made NIST's IT Laboratory responsible for technical advice to agencies that handle sensitive but unclassified data. Failure to update software patches 'is the most common mistake made by IT professionals,' NIST said, and it's a daunting job in view of the number of vulnerabilities being discovered and patches being released.

The guidelines recommend forming patch and vulnerability teams to track software and hardware and monitor patch installation. Such teams would not, however, 'diminish the responsibility of all systems administrators to patch systems under their control,' NIST said.

Vulnerability reference book

Agencies also should consider acquiring only security products 'that are compatible with the CVE naming scheme,' NIST said.

The CVE dictionary of common names for vulnerabilities appears at NIST's ICAT search engine, at , which can search the CVE database by vendor, product name, version number and other parameters.

Agencies should periodically scan their systems for CVE-listed vulnerabilities and use the naming scheme in their own descriptions and security reporting. 'Without a consistent terminology, it is difficult to compare the coverage' of different products, NIST said.
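As an added illustration of the point about comparing coverage (this is example code, not from NIST or the article): it pulls CVE names out of free-form scanner output, normalises them, and reports which names each product missed. The scanner names, host addresses and CVE numbers are constructed placeholders.

```python
import re
from typing import Dict, Set

# CVE name syntax: "CVE-" + four-digit year + "-" + sequence number.
# Sequences were four digits when the scheme was introduced; the pattern
# also accepts the longer sequences used later. Candidate entries of the
# era carried a "CAN-" prefix and are deliberately not matched here.
CVE_ID = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cve_ids(report_text: str) -> Set[str]:
    """Return the CVE names found in scanner output, normalised to upper case."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_ID.findall(report_text)}


def compare_coverage(reports: Dict[str, str]) -> Dict[str, Set[str]]:
    """For each product, the CVE names reported by some other product but not by it."""
    found = {name: extract_cve_ids(text) for name, text in reports.items()}
    union = set().union(*found.values())
    return {name: union - ids for name, ids in found.items()}


# Constructed sample output from two hypothetical scanners ("A" and "B");
# the CVE numbers below are placeholders, not real entries.
SCANNER_A = """\
host 10.0.0.5  HIGH  cve-2002-9001  network service input handling
host 10.0.0.5  MED   CVE-2002-9002  management daemon configuration
host 10.0.0.7  LOW   CVE-2002-9003  web server directory listing
"""
SCANNER_B = """\
[10.0.0.5] CVE-2002-9001 service input handling (vendor advisory)
[10.0.0.5] CAN-2002-9005 candidate entry, not yet a CVE name
[10.0.0.7] CVE-2002-9003 web server directory listing
[10.0.0.7] CVE-2002-9004 database resolver service
"""

if __name__ == "__main__":
    for product, missed in compare_coverage({"A": SCANNER_A, "B": SCANNER_B}).items():
        print(product, "missed:", sorted(missed))
```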

Users or telecommuters who connect to agency networks remotely should have their client software and firewalls vetted by agency experts. Their operating systems and Web browsers need regular security updates, too.

On a larger scale, NIST recommended lifecycle management of connections between enterprise networks, from initial plans through disconnection. It gave a sample memorandum defining the responsibilities of each organization that shares a network link.

About the Author

William Jackson is a Maryland-based freelance writer.
