NIST starts security certification program

NIST starts security certification program

Ron Ross, former head of the National Information Assurance Partnership, has started a new office that will develop standards for certifying that new agency systems are secure.

The Certification and Accreditation Program of the National Institute of Standards and Technology will roll out in two phases, Ross said. In Phase 1, now under way, a team will develop standards for evaluating whether a new system is secure. In the second phase, which Ross said will occur 'over the next few years,' the office will establish a network of accredited organizations to provide security certification services based on these guidelines.

Ross said these standards could be used to evaluate systems as small as an office network or as large and complex as an agencywide financial system.

The Office of Management and Budget Circular A-130 requires agencies employ an accreditation officer to certify that a new system is secure and that its misuse will not compromise the agency's mission. Factors ranging from the security of IT equipment to the reliability of the 'guards, guns and gates' that surround it must be evaluated. Until a system is designated as safe, it cannot go live, Ross said.

What NIST is developing a specific set of standards for accrediting systems. The agency itself will not accredit systems, but will initiate a qualification process that will certify companies and agencies for doing so.

Ross said he started the initiative about a year ago while overseeing NIAP. Systems security has grown tremendously in importance for agencies since Sept. 11, 2001. Eventually, the project 'took on a life of its own,' and he found himself devoting most of his time to the project, he said.

NIAP oversees the Common Criteria evaluation process, which sets government standards for evaluating whether or not a piece of equipment is secure. The Defense Department, for instance, uses Common Criteria as a qualification for equipment handling information related to national security.

The new program will be different from Common Criteria in that it will evaluate systems rather than individual products, Ross said.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected