NIST seeks comments on scheme to score IT security configurations

The National Institute of Standards and Technology is developing a system of standardized measurements to evaluate the impact of security configurations on operating systems and applications.

'Each security configuration decision can have positive and negative effects of varying degrees to the security of a host,' NIST's draft document states. 'Without a standardized way to quantify these effects, organizations cannot easily make sound decisions as to how each security issue should be addressed, nor can they quantitatively determine the overall security strength or weakness for a host.'

The draft of 'Interagency Report 7502: The Common Configuration Scoring System' has been released for public comment.

The report proposes a set of measures for security configuration issues and a formula to combine those measures into scores for each issue, collectively called the Common Configuration Scoring System (CCSS). It is derived from the Common Vulnerability Scoring System (CVSS) for measuring the relative severity of vulnerabilities caused by software flaws. CCSS adjusts the basic components of CVSS to focus on security configuration issues rather than software flaws.

Initially, CCSS addresses only configuration issues that are constant over time and environments. It deals with how readily a weakness could be exploited and how exploitation could affect hosts. Those characteristics are base metrics, and they are the inputs into the equation that calculates a base score.

NIST plans to expand CCSS to include environmental metrics, which represent characteristics unique to a particular environment.

Comments on the draft of CCSS should be e-mailed by July 3 to [email protected] with "Comments IR 7502" in the subject line.

About the Author

William Jackson is a Maryland-based freelance writer.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected