Information Security News mailing list archives

Security guide aims to lock up agencies


From: InfoSec News <isn () c4i org>
Date: Thu, 31 Oct 2002 04:20:55 -0600 (CST)

http://news.com.com/2100-1001-963966.html?tag=fd_top

By Robert Lemos 
Staff Writer
October 30, 2002, 3:12 PM PT

The U.S. government unveiled a set of guidelines designed to help
protect civilian government agencies from Internet and insider
attacks.

The National Institute of Standards and Technology (NIST) published
this week the first draft of the guidelines, developed to help the
agencies standardize on how they measure the security of their
systems.

When finished, the guidelines will allow agencies to express the
degree of security that their systems can provide--a rating that
could prove important when data is shared among other federal
agencies.

The guidelines are all about how to measure the risk of online or
insider breaches to an application, software package or computer
network, said Ron Ross, director of the National Information
Assurance Partnership at NIST and co-author of the guidelines.

"The senior official in an agency has to authorize the system for
operation by taking into account the threats and vulnerabilities," he
said. "There is always a residual risk that is left over, and they
have to gauge whether that risk is tolerable."

The document tells information-system administrators how to rate their
networks and applications in terms of how well they protect
confidentiality, maintain integrity and remain running and available.

Started in March 2002, the project aims to develop standard guidelines
for certifying and accrediting federal information systems, according
to the report. It also seeks to define the minimum security that is
acceptable in federal systems and promotes the development of public
and private sector assessment labs and the certification of
individuals.

The guideline document is the first in a set of three that will spell
out how agencies should secure themselves against Internet and insider
threats to their computer systems. The second document, due out in
spring 2003, will outline the minimum security that every agency must
have in place. A third document, due out at the same time, will tell
auditors how to verify that systems have been secured properly.

The Office of Management and Budget has repeatedly found that the United
States' government agencies have not made the grade in security.
NIST's Ross and his co-author Marianne Swanson agreed with that
assessment in the guidelines.

"A significant percentage of federal (information) systems in critical
infrastructure areas have not completed needed security
certifications, thus placing sensitive government information and
programs at risk and potentially impacting national and economic
security," the authors stated in the report.

In September, the Bush administration released the first public draft
of its "National Strategy to Secure Cyberspace" plan. Among the
problems highlighted in the strategy document are the security
failings of government agencies. The NIST document, released on
Monday, found that many of these are caused by a lack of standards in
measuring risk.

"Currently, there are numerous competing security certification
procedures within the federal government that are excessively complex,
outdated and costly to implement--resulting in assessments that are
often inconsistent, flawed and not repeatable with any degree of
confidence," state the authors in the NIST guidelines.

NIST was one of several U.S. government agencies that teamed with the
Center for Internet Security in July to support a set of benchmarks
aimed at guaranteeing a minimum security standard for computers. Ross
called the tools, the first of which encompasses 500 tests for Windows
2000, a complementary initiative to the guidelines that NIST is
releasing.

The current draft of the guidelines, called the "Guidelines for
Security Certification and Accreditation of IT Systems," will be open
to public comment until January 31, 2003.



-
ISN is currently hosted by Attrition.org