Federal agencies now have a systematic way to evaluate their computer security as a result of guidelines announced today by Commerce Under Secretary for Technology Phillip Bond. Bond said the guidelines would help federal agencies protect their computer systems from the threat of cyberattacks.
"Once final, these guidelines will serve as a critical computer security tool and will further the President's commitment to a safe and secure cyberspace," Bond said. "This is a very significant step toward making the federal government's computer systems more secure. It gives agencies a comprehensive, yet flexible way to ensure that their computers are as safe as they should be," he said.
Computer scientists at the National Institute of Standards and Technology (NIST), an agency of the Commerce Department's Technology Administration, developed the guidelines.
The new guidelines detail a new approach to assessing the security level of entire computer systems and utilize a hierarchy for confidentiality, integrity and availability. The federal government already has computer security standards for many individual components of information technology systems.
While NIST developed the guidelines for federal agencies, the private sector and the military can easily adapt them for use. NIST encourages private-sector organizations involved in critical infrastructure activities to consider using the guidelines.
In the spring of 2003, NIST plans to hold an exploratory workshop to study the needs of federal agencies for, and the feasibility of developing, a voluntary testing regime to assess the technical competence of third parties to conduct the detailed computer security reviews covered in the report.
Agencies can use the guidelines to comply with computer security requirements designed to ensure an adequate level of protection for each system, including those specified by the Office of Management and Budget (OMB) Circular A-130. Under OMB policy, responsible federal officials are required to make a security determination (called accreditation) to authorize placing IT systems into operation. In order for these officials to make sound, risk-based decisions, a security evaluation (known as certification) of the IT system is needed.
The guidelines create consistent, comparable evaluations of computer systems by detailing a standard process for agencies to use. They include a hierarchy to organize security controls for confidentiality, data integrity and availability.
This approach includes three levels of security:
- Level 1, an entry-level or basic level of security;
- Level 2, for computer systems with moderate levels of concern about issues such as confidentiality (this level requires a more detailed analysis); and
- Level 3, the top level, requiring the most rigorous evaluation.
Public comment will be accepted by NIST for three months before revising the guidelines for final issuance.
The draft NIST report, Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems, is available online through NIST's Computer Security Resource Center (CSRC) at http://csrc.nist.gov/publications/drafts.html. NIST's CSRC provides access to a wealth of information, tools, programs and services in the areas of 1) security policies, standards and guidelines; 2) security validated products; 3) training and education; and 4) collaborative work and services.
NIST's Information Technology Laboratory develops computer security standards and provides technical advice and guidelines as a result of its statutory responsibilities under the Computer Security Act of 1987 and the Information Technology Management Reform Act of 1996. NIST guides address the information needs of systems administrators and other computer professionals. The published guidance covers topics ranging from how to protect a public Web site from computer hackers to steps agencies can take to make electronic mail systems more secure.
As a non-regulatory agency of the U.S. Department of Commerce's Technology Administration, NIST develops and promotes measurements, standards and technology to enhance productivity, facilitate trade and improve the quality of life.