New computer security guides available

The National Institute of Standards and Technology has updated its security guidelines for dealing with active content, providing an overview for active content and mobile code in use today and laying out a framework for making security decisions about its use within an organization.

A draft of Special Publication 800-28 Revision 2, titled 'Guidelines on Active Content and Mobile Code,' has been released for public comment.

NIST also has released its Common Vulnerability Scoring System (CVSS), a scheme for developing common descriptors of information technology vulnerabilities. CVSS scores are used in the National Vulnerability Database.

In SP 800-28, NIST defines active content as, 'broadly speaking,' electronic documents that can carry out or trigger actions automatically without an individual directly or knowingly invoking the actions.

Incorporating active content such as Java applets, JavaScript and other scripts, and macros can add to the functionality of documents, e-mails, Web pages and files in a wide variety of formats, but NIST calls their security vulnerabilities 'insidious.' The expanding use of these technologies is becoming common in a range of products and services, on desktop computers, servers and gateway devices.

NIST offers four broad guidelines for organizations in dealing with active content:
  • Understand the concept of active content and how it affects the security of their systems
  • Develop policies for active content, including both its creation within the organization and its reception from outside
  • Be aware of the specific benefits from using active content and balance them against the associated risks and
  • Maintain consistent systemwide security when configuring and integrating products involving active content in their environments.

Comments on SP 800-28 Version 2 should be e-mailed by Oct. 12 to [email protected] with 'Comments on SP 800-28' typed into the subject line.

The Common Vulnerability Scoring System is being released in its final form. The scheme produces a score from 0 to 10 in each of three groups: a base score that represents the intrinsic threat posed by the vulnerability; a temporal group that reflects characteristics of a vulnerability that change over time; and an environmental group that reflects the characteristics of a vulnerability unique to a user's environment.

CVSS scores can be used with security categories defined in Federal Information Processing Standard 199 to obtain impact scores tailored to an agency's environment.
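The three score groups described above can be computed from a vulnerability's metric vectors. The following Python script is an added example, not part of the article, NIST's publications or the NVD; it assumes the CVSS version 2 equations and metric tables (the article does not name a version) and uses decimal arithmetic with half-up rounding so that the intermediate rounding steps the specification prescribes are reproduced exactly. The vectors used at the bottom are constructed for illustration: a remotely reachable, unauthenticated flaw that only affects availability, with a functional exploit and an official fix, deployed in an environment that rates availability as a high security requirement.

```python
"""Added example: CVSS v2 base, temporal and environmental scoring.

Constants and equations are taken from the CVSS v2 specification
(assumption: the article does not state which CVSS version it means).
"""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Base group metric tables (CVSS v2).
ACCESS_VECTOR = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}
ACCESS_COMPLEXITY = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}
AUTHENTICATION = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}
CIA_IMPACT = {"N": D("0.0"), "P": D("0.275"), "C": D("0.660")}

# Temporal group: exploit maturity, remediation level, report confidence.
EXPLOITABILITY = {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")}
REMEDIATION_LEVEL = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")}
REPORT_CONFIDENCE = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")}

# Environmental group: collateral damage, target distribution, C/I/A requirements.
COLLATERAL_DAMAGE = {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")}
TARGET_DISTRIBUTION = {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")}
SECURITY_REQUIREMENT = {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")}


def round1(x):
    """The specification's round_to_1_decimal, done half-up on exact decimals."""
    return float(D(x).quantize(D("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:N/I:N/A:C' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def _impact(c, i, a):
    # Impact sub-equation: combined loss of confidentiality, integrity, availability.
    return D("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))


def _exploitability(m):
    # Exploitability sub-equation: how easily the flaw can be reached and triggered.
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def _base_from_impact(impact, exploitability):
    # f(Impact) is 0 when there is no impact at all, so a harmless flaw scores 0.0.
    f = D("0") if impact == 0 else D("1.176")
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f)


def base_score(vector):
    """Intrinsic severity of the vulnerability itself, 0.0 to 10.0."""
    m = parse_vector(vector)
    impact = _impact(CIA_IMPACT[m["C"]], CIA_IMPACT[m["I"]], CIA_IMPACT[m["A"]])
    return _base_from_impact(impact, _exploitability(m))


def temporal_score(base, temporal_vector):
    """Base score scaled by the time-varying factors (exploit code, fix, confidence)."""
    m = parse_vector(temporal_vector)
    return round1(D(str(base)) * EXPLOITABILITY[m["E"]] * REMEDIATION_LEVEL[m["RL"]] * REPORT_CONFIDENCE[m["RC"]])


def environmental_score(base_vector, temporal_vector, env_vector):
    """Score tailored to one environment: C/I/A requirements re-weight the impact,
    then collateral damage potential and target distribution scale the result."""
    b, e = parse_vector(base_vector), parse_vector(env_vector)
    adjusted_impact = min(D("10"), _impact(
        CIA_IMPACT[b["C"]] * SECURITY_REQUIREMENT[e["CR"]],
        CIA_IMPACT[b["I"]] * SECURITY_REQUIREMENT[e["IR"]],
        CIA_IMPACT[b["A"]] * SECURITY_REQUIREMENT[e["AR"]]))
    adjusted_base = _base_from_impact(adjusted_impact, _exploitability(b))
    adjusted_temporal = D(str(temporal_score(adjusted_base, temporal_vector)))
    return round1((adjusted_temporal + (10 - adjusted_temporal) * COLLATERAL_DAMAGE[e["CDP"]])
                  * TARGET_DISTRIBUTION[e["TD"]])


if __name__ == "__main__":
    # Constructed sample vectors (not taken from the article or the NVD).
    base_v = "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    temp_v = "E:F/RL:OF/RC:C"
    env_v = "CDP:H/TD:H/CR:M/IR:M/AR:H"
    b = base_score(base_v)
    t = temporal_score(b, temp_v)
    env = environmental_score(base_v, temp_v, env_v)
    print(f"base={b} temporal={t} environmental={env}")
```

The run shows the point the article makes about the three groups: the same flaw drops from a base 7.8 to a temporal 6.4 once a functional exploit and an official fix both exist, but rises to an environmental 9.2 for an organization that rates availability as a high requirement and has the affected product widely deployed. The environmental score is the one that should drive patch priority locally, since it is the only group that reflects the deployment.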

About the Author

William Jackson is a Maryland-based freelance writer.
