NIST puts the word out on security safeguards

Agency joins with NSA on format for checklists, and recommends FIPS rule

The National Institute of Standards and Technology and the National Security Agency have released a specification to standardize IT security checklists.

In a separate move, NIST also released the final public draft of recommended security controls for federal systems, a fine-tuned version of a document that will become a mandatory Federal Information Processing Standard by the end of the year.

NIST and NSA developed the Extensible Configuration Checklist Description Format as a way to provide a uniform format for security checklists, benchmarks and other configuration guidance.

In their document, NIST and NSA noted that the use of such checklists 'can markedly reduce the vulnerability exposure of an organization.' The development of a single format for government use also will let agencies easily share checklist information, NIST and NSA said. To see the document, go to and enter 358 in the

On the FIPS recommendation, the agency's IT Laboratory said this third version of Special Publication 800-53 contains modest changes based on more than 400 responses to earlier releases. It is one of seven NIST publications being produced in accordance with the Federal Information Security Management Act.

The agency's Computer Security Division will accept comments on the draft until Feb. 11. It expects a final version to get Commerce Department approval by the end of February.

The controls include management, operational and technical safeguards, and countermeasures that ensure the confidentiality, integrity and availability of government systems. They create baseline configurations for low-, moderate- and high-risk systems. NIST said SP 800-53 is significant because its recommended security controls will become mandatory in December, when FIPS 200, Minimum Security Controls for Federal Information Systems, takes effect.

To see the draft, go to and enter 361 in the

About the Authors

William Jackson is a Maryland-based freelance writer.
