NIST revises guidance for assigning FISMA security categories

The National Institute of Standards and Technology has updated its guidelines for mapping information in government information systems to categories that specify the types of security controls the data requires.

The Federal Information Security Management Act requires that agencies assign levels of risk to information and information systems based on the likelihood and impact of exposure, modification or loss, and link the level of risk to appropriate security controls. The two-volume Special Publication 800-60 Revision 1, 'Guide for Mapping Types of Information and Information Systems to Security Categories,' is a revision of guidelines published in 2004.

NIST also released for public comment a draft interagency report with test requirements for validating products for the Security Content Automation Protocol.

Volume 1 of SP 800-60 Rev. 1 is a reference resource with basic guidance for mapping security categories. Not all of the material will be relevant to all agencies, NIST said. Volume 2 is a set of appendices that include security categorization recommendations and the rationale for categorizing various information types.

The security categories are outlined in Federal Information Processing Standard 199, 'Standards for Security Categorization of Federal Information and Information Systems.' SP 800-60 reviews those categorizations; recommends a process for assigning them; describes a methodology for identifying different types of information and systems; suggests provisional security impact levels and attributes that might require a variance from the provisional assignment; and describes the impact of a system's use, connectivity and content on its categorization. The initial provisional impact levels must be fully reviewed and analyzed before final categorization is done.

'Users should review the guidelines provided in Volume I then refer to only that specific material from the appendices that applies to their own systems and applications,' the publication states.

Draft NIST Interagency Report (IR) 7511, 'Security Content Automation Protocol Validation Program Test Requirements,' describes the requirements that products must meet to achieve SCAP validation. Independent laboratories accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program conduct the validations.

SCAP is a NIST specification for expressing and manipulating security data in standardized ways. It can enumerate product names and vulnerabilities, including software flaws and configuration issues; identify the presence of vulnerabilities; and assign severity scores to software flaws.

'Adoption of SCAP makes it easier for organizations to automate ongoing security monitoring, vulnerability management and security policy compliance evaluation reporting,' the NIST document states. For example, SCAP can quickly find known vulnerabilities so that they can be fixed before they are exploited.

SCAP specifications are:
  • Common Vulnerabilities and Exposures, a dictionary of names for publicly known security-related software flaws.
  • Common Configuration Enumeration, a dictionary of names for software security configuration issues, such as access control settings and password policy settings.
  • Common Platform Enumeration, a naming convention for hardware, operating systems and software.
  • Extensible Configuration Checklist Description Format, an Extensible Markup Language specification for structured collections of security configuration rules used by operating systems and applications.
  • Open Vulnerability and Assessment Language, an XML specification for exchanging technical details on how to check systems for security-related software flaws, configuration issues and patches.
  • Common Vulnerability Scoring System, a method for classifying characteristics of software flaws and assigning severity scores.

Several organizations created and maintain the SCAP components, including Mitre Corp., the National Security Agency, and the Forum for Incident Response and Security Teams. NIST provides SCAP content such as vulnerability and product enumeration identifiers via the National Vulnerability Database. All database content and the high-level SCAP specification are freely available from NIST. Nongovernment organizations also create and make SCAP content available.

SCAP can be used to automate activities such as ongoing security monitoring, vulnerability management and security policy compliance evaluation reporting.

The NIST report was written primarily for accredited laboratories and vendors interested in receiving SCAP validation.

Comments on IR-7511 should be sent by Sept. 15 to IR7511comments@nist.gov with 'Comments IR 7511' in the subject line.

About the Author

William Jackson is a Maryland-based freelance writer.

inside gcn

  • IoT security

    A 'seal of approval' for IoT security?

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group