http://news.com.com/2100-1001-963966.html?tag=fd_top
By Robert Lemos
Staff Writer
October 30, 2002, 3:12 PM PT

The U.S. government unveiled a set of guidelines designed to help protect civilian government agencies from Internet and insider attacks.

The National Institute of Standards and Technology (NIST) published this week the first draft of the guidelines, developed to help the agencies standardize on how they measure the security of their systems. When finished, the guidelines will allow agencies to express the degree of security that their systems can provide--a rating that could prove important when data is shared among other federal agencies.

The guidelines are all about how to measure the risk of online or employee breaches to an application, software or computer network, said Ron Ross, director of the National Information Assurance Partnership at NIST and co-author of the guidelines.

"The senior official in an agency has to authorize the system for operation by taking into account the threats and vulnerabilities," he said. "There is always a residual risk that is left over, and they have to gauge whether that risk is tolerable."

The document tells information-system administrators how to rate their networks and applications in terms of how well they protect confidentiality, maintain integrity and remain running and available.

Started in March 2002, the project aims to develop standard guidelines for certifying and accrediting federal information systems, according to the report. It also seeks to define the minimum security that is acceptable in federal systems and promotes the development of public and private sector assessment labs and the certification of individuals.

The guideline document is the first in a set of three that will spell out how agencies should secure themselves against Internet and insider threats to their computer systems.
The second document, due out in spring 2003, will outline the minimum security that every agency must have in place. A third document, due out at the same time, will tell auditors how to verify that systems have been secured properly.

The Office of Management and Budget has repeatedly found that U.S. government agencies have not made the grade in security. NIST's Ross and his co-author Marianne Swanson agreed with that assessment in the guidelines.

"A significant percentage of federal (information) systems in critical infrastructure areas have not completed needed security certifications, thus placing sensitive government information and programs at risk and potentially impacting national and economic security," the authors stated in the report.

In September, the Bush administration released the first public draft of its "National Strategy to Secure Cyberspace" plan. Among the problems highlighted in the strategy document are the security failings of government agencies. The NIST document, released on Monday, found that many of these are caused by a lack of standards in measuring risk.

"Currently, there are numerous competing security certification procedures within the federal government that are excessively complex, outdated and costly to implement--resulting in assessments that are often inconsistent, flawed and not repeatable with any degree of confidence," state the authors in the NIST guidelines.

NIST was one of several U.S. government agencies that teamed with the Center for Internet Security in July to support a set of benchmarks aimed at guaranteeing a minimum security standard for computers. Ross called the tools, the first of which encompasses 500 tests for Windows 2000, a complementary initiative to the guidelines that NIST is releasing.

The current draft of the guidelines, called the "Guidelines for Security Certification and Accreditation of IT Systems," will be open to public comment until January 31, 2003.
- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Thu Oct 31 2002 - 08:43:10 PST