[ISN] Security guide aims to lock up agencies

From: InfoSec News (isnat_private)
Date: Thu Oct 31 2002 - 02:20:55 PST


    By Robert Lemos 
    Staff Writer
    October 30, 2002, 3:12 PM PT
    The U.S. government unveiled a set of guidelines designed to help
    protect civilian government agencies from Internet and insider

    The National Institute of Standards and Technology (NIST) published
    this week the first draft of the guidelines, developed to help the
    agencies standardize on how they measure the security of their

    When finished, the guidelines will allow agencies to express the
    degree of security that their systems can provide--a rating that
    could prove important when data is shared amongst other federal

    The guidelines are all about how to measure the risk of online or
    employee breaches to an application, software or computer network,
    said Ron Ross, director of the National Information Assurance
    Partnership at NIST and co-author of the guidelines.

    "The senior official in an agency has to authorize the system for
    operation by taking into account the threats and vulnerabilities," he
    said. "There is always a residual risk that is left over, and they
    have to gauge whether that risk is tolerable."

    The document tells information-system administrators how to rate their
    networks and applications in terms of how well they protect
    confidentiality, maintain integrity and remain running and available

    Started in March 2002, the project aims to develop standard guidelines
    for certifying and accrediting federal information systems, according
    to the report. It also seeks to define the minimum security that is
    acceptable in federal systems and promotes the development of public
    and private sector assessment labs and the certification of

    The guideline document is the first in a set of three that will spell
    out how agencies should secure themselves against Internet and insider
    threats to their computer systems. The second document, due out in
    spring 2003, will outline the minimum security that every agency must
    have in place. A third document, due out at the same time, will tell
    auditors how to verify that systems have been secured properly.

    The Office of Management and Budget has repeatedly found that the
    United States' government agencies have not made the grade in security.
    NIST's Ross and his co-author Marianne Swanson agreed with that
    assessment in the guidelines.

    "A significant percentage of federal (information) systems in critical
    infrastructure areas have not completed needed security
    certifications, thus placing sensitive government information and
    programs at risk and potentially impacting national and economic
    security," the authors stated in the report.

    In September, the Bush administration released the first public draft
    of its "National Strategy to Secure Cyberspace" plan. Among the
    problems highlighted in the strategy document are the security
    failings of government agencies. The NIST document, released on
    Monday, found that many of these are caused by a lack of standards in
    measuring risk.

    "Currently, there are numerous competing security certification
    procedures within the federal government that are excessively complex,
    outdated and costly to implement--resulting in assessments that are
    often inconsistent, flawed and not repeatable with any degree of
    confidence," state the authors in the NIST guidelines.

    NIST was one of several U.S. government agencies that teamed with the
    Center for Internet Security in July to support a set of benchmarks
    aimed at guaranteeing a minimum security standard for computers. Ross
    called the tools, the first of which encompasses 500 tests for Windows
    2000, a complementary initiative to the guidelines that NIST is

    The current draft of the guidelines, called the "Guidelines for
    Security Certification and Accreditation of IT Systems," will be open
    to public comment until January 31, 2003.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Oct 31 2002 - 08:43:10 PST