The federal government on Tuesday released for comment a new set of guidelines for securing computer systems and networks. Although the guidelines are intended for use by government agencies, officials at the National Institute of Standards and Technology are hoping that enterprises will adopt them as well.
The guidelines spell out in detail the method that security specialists should use in assessing the overall security, integrity and availability of a system. It also lays out steps for selecting and deploying security controls.
Titled “Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems,” the document enumerates three separate certification levels for federal systems: Security Certification Level 1 (SCL-1), SCL-2 and SCL-3. The levels are based on the amount of concern for security, confidentiality and availability that network operators have for a particular system.
Each level has its own verification techniques, ranging from a checklist-based independent security review and personnel interview for SCL-1 to a system design analysis, regression analysis and penetration testing for SCL-3.
NIST is also planning to hold a meeting in early 2003 to consider developing a way to test the technical competence of third parties to conduct the security reviews spelled out in the new guidelines.
“This is a very significant step toward making the federal governments computer systems more secure,” said Phillip Bond, undersecretary for technology at the Department of Commerce in Washington, which oversees NIST. “It gives agencies a comprehensive, yet flexible way to ensure that their computers are as safe as they should be.”
The guidelines are open for public comment through Jan. 31, and are available on the NIST Web site.
- Security Fueling Open-Source Adoption
- Clarke Solicits Cyber-Security Input at MIT