The Cyber Security Research and Development Act of 2002 tasks the National Institute of Standards and Technology (NIST) to "develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become widely used within the Federal Government." Such checklists, when combined with well-developed guidance, leveraged with high-quality security expertise, vendor product knowledge, and operational experience, and accompanied by tools, can markedly reduce the vulnerability exposure of an organization.
To meet this challenging requirement to produce checklists for the spectrum of IT products widely used in the government, NIST, with sponsorship from the Department of Homeland Security (DHS), has produced NIST Special Publication 800-70: Security Configuration Checklists Program for IT Products to facilitate the development and dissemination of security configuration checklists so that organizations and individual users can secure their IT products to improved baseline levels of security.
A security checklist in its most basic form may be a document containing various instructions for securing an IT product. Checklists are also commonly referred to as lockdown guides, hardening guides, security technical implementation guides (STIGs), or benchmarks. A checklist could also contain scripts, templates, and pointers to patches, updates, or firmware upgrades that can be applied to the product. Many IT products (operating systems and applications) contain vulnerabilities out of the box, and additional vulnerabilities for IT products are discovered on an almost daily basis. Checklists can help users to significantly reduce the vulnerabilities and potential attacks on otherwise unsecured products. Currently, NIST has produced checklists for Microsoft Windows™ 2000 and XP Professional.
NIST's program will work in conjunction with other agencies and private industry to develop and disseminate security configuration checklists for IT products. Examples of key IT product technology areas include: operating systems, database systems, web servers, e-mail servers, firewalls, routers, intrusion detection systems, virtual private networks, biometric devices, smart cards, telecommunication switching devices, and web browsers. NIST is currently working with other checklist-producing organizations including the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and the Center for Internet Security (CIS), as well as IT product vendors and vendors of configuration and management products.
The goals of the NIST program are to facilitate the development and sharing of security configuration checklists by:
- providing a framework for developers to submit checklists to NIST;
- assisting developers in making checklists that conform to common baseline levels of security;
- assisting developers and users by providing guidelines for making checklists better documented and more usable;
- providing a managed process for the review, update, and maintenance of checklists; and
- providing an easy-to-use repository of checklists.
NIST maintains a beta checklist repository containing checklists and descriptions. Users will be able to browse the descriptions to locate a particular checklist using a variety of different fields, including the product category, vendor name, and submitting organization.
NIST recognizes that checklists are significantly more useful when they follow common security baselines. The NIST program identifies several broad and specialized operational environments, any one of which should be common to most audiences. By identifying and describing these environments, developers can better target their checklists to the general security baselines associated with the environments. Users can better select the checklists that are most appropriate for their operating environments. The operational environments are:
- Standalone or Small Office/Home Office (SOHO) describes small, informal computer installations that are used for home or business purposes. Standalone encompasses a variety of small-scale environments and devices, ranging from laptops, mobile devices, or home computers, to telecommuting systems, to small businesses and small branch offices of a company.
- Managed or Enterprise environments are typically large organizational systems with defined, organized suites of hardware and software configurations, usually consisting of centrally-managed workstations and servers protected from the Internet by firewalls and other network security devices.
- Custom environments contain systems in which the functionality and degree of security do not fit the other environments. Two typical Custom environments are Specialized Security-Limited Functionality and Legacy:
  - Specialized Security-Limited Functionality. A Specialized Security-Limited Functionality environment contains systems and networks at high risk of attack or data exposure, with security taking precedence over functionality. It assumes systems have limited or specialized (not general purpose workstations or systems) functionality in a highly threatened environment, such as an outward facing firewall or public web server, or whose data content or mission purpose is of such value that aggressive trade-offs in favor of security outweigh the potential negative consequences to other useful system attributes such as legacy applications or interoperability with other systems. Checklists for this environment are not recommended for home users or for large scale general purpose systems. A Specialized Security-Limited Functionality environment could be a subset of another environment.
  - Legacy. A Legacy environment contains older systems or applications that may use older, less-secure communication mechanisms. Other machines operating in a Legacy environment may need less restrictive security settings so that they can communicate with legacy systems and applications. A Legacy environment could be a subset of a Standalone or Managed environment.
The NIST Checklist Program provides a process and guidance for developing and using checklists in a consistent fashion. For checklist users, steps include gathering local requirements, researching and retrieving checklists that match the user's operational environment and security requirements, modifying and documenting the checklist as necessary to take into account local policies and needs, testing the checklist, and providing any feedback to NIST and the checklist developers. The final step involves preparation for applying the checklist, such as making configuration or data backups, and then applying the checklist in production.
For checklist developers, steps include the initial development of the checklist, checklist testing, documenting the checklist according to the guidelines of the program, and submitting a checklist package to NIST. NIST will screen the checklist submission in accordance with the program requirements prior to a public review of the checklist. After the public review period and any subsequent issue resolution, the checklist will be listed on the NIST checklist repository with a detailed description. NIST will periodically ask checklist developers to review their checklists and provide updates as necessary. NIST will retire or archive checklists as they become outdated or incorrect.
The NIST program is in cooperation with checklist development activities at DISA, NSA, and CIS, and is constantly establishing participation agreements with vendors and other checklist-producing organizations. NIST gratefully acknowledges sponsorship for its checklist program from the Department of Homeland Security.