NIST guidebooks advise agencies to get on the same security page

Keep up. That's how the National Institute of Standards and Technology advises agencies to safeguard their systems.

A series of NIST special publications last month said agencies need to understand and follow the Common Vulnerabilities and Exposures naming scheme, develop security patch management procedures, and protect connections to remote users and other systems.

Special Publication 800-40 deals with security patches, 800-46 with telecommuting and broadband communications, 800-47 with interconnected systems and 800-51 with the CVE naming scheme. All are available at

The Computer Security Act of 1987 made NIST's IT Laboratory responsible for technical advice to agencies that handle sensitive but unclassified data. Failing to apply software patches 'is the most common mistake made by IT professionals,' NIST said, and keeping up is a daunting job given the number of vulnerabilities being discovered and patches being released.

The guidelines recommend forming patch and vulnerability teams to track software and hardware and monitor patch installation. Such teams would not, however, 'diminish the responsibility of all systems administrators to patch systems under their control,' NIST said.

Vulnerability reference book

Agencies also should consider acquiring only security products 'that are compatible with the CVE naming scheme,' NIST said.

The CVE dictionary of common names for vulnerabilities is available through NIST's ICAT search engine, which can search the CVE database by vendor, product name, version number and other parameters.

Agencies should periodically scan their systems for CVE-listed vulnerabilities and use the naming scheme in their own descriptions and security reporting. 'Without a consistent terminology, it is difficult to compare the coverage' of different products, NIST said.
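The consistent-terminology point above is easy to lose in practice when several scanners report the same issue under different spellings or under vendor-specific advisory names. The following is an added example, not code from NIST or from the article, showing how a reporting script can pull CVE names out of mixed scanner output, normalise them to the canonical form, and flag findings that carry no CVE name at all. The identifier syntax it checks (four-digit year, sequence number of four or more digits with no leading zero once it exceeds four digits, CVE-1999-0001 as the earliest identifier) is the published CVE format; the scanner lines are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# CVE identifier syntax: "CVE-" + four-digit year + "-" + sequence number.
# The sequence number has at least four digits; when it grows beyond four
# digits it must not start with a zero, so "0123" and "12345" are valid
# sequence parts but "01234" is not. The match is case-insensitive so that
# a scanner writing "cve-2002-0013" is folded into the canonical name.
CVE_PATTERN = re.compile(r"\bCVE-(\d{4})-(0\d{3}|[1-9]\d{3,})\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # CVE-1999-0001 is the earliest identifier


@dataclass(frozen=True, order=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Zero-padding to four digits reproduces the original spelling
        # exactly, because longer sequence numbers never have leading zeros.
        return f"CVE-{self.year}-{self.sequence:04d}"


def extract_cve_ids(text: str, max_year: int = 2100) -> list[CveId]:
    """Return the distinct CVE identifiers in free text, in canonical order.

    Different casing or duplicate mentions of one identifier collapse to a
    single entry, so two scanners reporting the same CVE count once.
    """
    found: set[CveId] = set()
    for year_str, seq_str in CVE_PATTERN.findall(text):
        year = int(year_str)
        if year < FIRST_CVE_YEAR or year > max_year:
            continue  # looks like a CVE name but cannot be one
        found.add(CveId(year, int(seq_str)))
    return sorted(found)


def lines_without_cve(lines: list[str]) -> list[str]:
    """Return report lines that mention no valid CVE identifier.

    These are the findings that cannot be compared across products and
    need to be mapped to a CVE name before they go into a report.
    """
    return [line for line in lines if not extract_cve_ids(line)]


# Constructed scanner output (hypothetical hosts and scanners, not real data).
SAMPLE_REPORT_LINES = [
    "scanner A: host 10.0.0.5 affected by CVE-2002-0013",
    "scanner B: host 10.0.0.5 affected by cve-2002-0013 (same issue, lower case)",
    "scanner B: host 10.0.0.7 affected by CVE-2014-10001 and CVE-1999-0001",
    "scanner C: host 10.0.0.9 affected by CVE-2014-01234 (malformed: leading zero)",
    "scanner C: host 10.0.0.9 affected by CVE-1998-0001 (malformed: before 1999)",
    "scanner D: host 10.0.0.11 affected by VENDOR-ADV-7 (no CVE name given)",
]

if __name__ == "__main__":
    names = extract_cve_ids("\n".join(SAMPLE_REPORT_LINES))
    print("CVE names found:", ", ".join(str(n) for n in names))
    print("findings lacking a CVE name:")
    for line in lines_without_cve(SAMPLE_REPORT_LINES):
        print("  ", line)
```

Running the script against the constructed lines yields three canonical names (CVE-1999-0001, CVE-2002-0013, CVE-2014-10001) and three findings that need attention before they can be compared with anything else: the two malformed identifiers and the vendor-only advisory.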

Users or telecommuters who connect to agency networks remotely should have their client software and firewalls vetted by agency experts. Their operating systems and Web browsers need regular security updates, too.

On a larger scale, NIST recommended lifecycle management of connections between enterprise networks, from initial plans through disconnection. It gave a sample memorandum defining the responsibilities of each organization that shares a network link.

About the Author

William Jackson is a Maryland-based freelance writer.
