Draft security guidelines released

The National Institute of Standards and Technology is building a repository for IT security baseline checklists, and has published guidelines for users of and contributors to the collection.

It also has published a guide for conducting forensic investigations on personal digital assistants.

NIST has been tasked with the formidable job of developing security configuration checklists for 'each computer hardware and software system that is, or is likely to become, widely used within the federal government.'

The checklists are intended to simplify what NIST calls the 'complicated, arduous and time-consuming task' of configuring IT products to meet a specific level of security.

More than 40 checklists now are available online at http://checklists.nist.gov. Most were developed by the Defense Information Systems Agency over the past three years.

NIST released a draft of Special Publication 800-70, Security Configuration Checklists Program for IT Products, to help build its collection of checklists. It provides standards for government, academia and industry for developing and submitting checklists, as well as advice to administrators on how they should be used.

The guidelines define four environments requiring different levels of security for which checklists should be targeted:

  • Small offices and home offices, often containing unmanaged and standalone computers

  • Enterprise, usually containing managed networks

  • High security, where security takes precedence over functionality because of the risk of attack

  • Custom, with specialized systems, such as legacy systems.

Comments on the guidelines can be submitted by Sept. 30 to [email protected]

Another draft, SP 800-72, Guidelines on PDA Forensics, offers help to investigators who need to obtain evidence from PDAs. It focuses on the PocketPC operating system from Microsoft Corp., Palm OS and Linux operating systems.

The publication gives guidance to organizations on developing appropriate policies and procedures, and to forensic specialists on dealing with the technology.

Comments on the guidelines can be submitted by Sept. 3 to [email protected]

About the Author

William Jackson is a Maryland-based freelance writer.

