Federal security systems get help

Securing Federal information systems is obviously a large and challenging enterprise. Just last week a study said that, despite improved efforts, data on Federal PCs and laptops is still vulnerable to theft or loss a year after officials, in the face of the Veteran's Administration laptop loss scandal, promised improvements. But more help is on the way. The National Institute of Standards and Technology (NIST) today issued a new version of a draft guide for assessing the effectiveness of security controls in federal information systems. The content of the new guide is expected to be incorporated into automated tools that support the information security programs of federal agencies. The 387-page guide is designed to help information system owners and security managers ensure that appropriate computer security controls work as intended to protect information systems from being improperly accessed or compromised. The guide is a companion document to NIST Special Publication 800-53, Minimum Security Controls for Federal Information Systems, which spells out the types of security controls, such as user authentication, spam protection, cryptography and transmission confidentiality, that must be used to protect federal information systems.
For example, NIST says there are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:

· What security controls are needed to adequately protect the information systems that support the operations and assets of the organization in order to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals?
· Have the selected security controls been implemented, or is there a realistic plan for their implementation?
· What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?

Key changes in the draft document include:

· Assessment procedures that focus on meeting stated objectives;
· Tailoring assessments to whether a security breach would produce low, moderate or high impacts;
· New guidelines for establishing policies and procedures, identifying roles and responsibilities of security managers and assessors, conducting penetration testing, and several other areas.

The report includes a comprehensive catalog of assessment procedures matched to specific types of security controls. NIST will accept comments on the draft document through July 31, 2007. Comments should be emailed to sec-cert@nist.gov. NIST is involved in setting all manner of information standards; there are over 250 security documents alone. Recently NIST and others were part of a quantum cryptography security breakthrough that sent particles of light serving as “quantum keys” over a record-setting 200-kilometer fiber-optic link.
The experiment, using mostly standard components and transmitting at telecommunications frequencies, offers an approach for making practical inter-city terrestrial quantum communications networks as well as long-range wireless systems using communication satellites.  The organization has also announced a public competition to pick a new cryptographic hash algorithm that would become the new federal information processing standard. This evaluation process is expected to run a minimum of three years.  In its essence, a cryptographic hash algorithm is a highly complex math formula that can be used to create digital signatures and authenticate data to ensure it hasn’t been tampered with. The current NIST federal hash standards include variations of the Secure Hash Algorithm, SHA-1, SHA-2, SHA-256, SHA-384 and SHA-512. But because cryptographic researchers have reported serious attacks against these algorithms, NIST has decided to start what’s expected to be a long process to find a new hash standard by eliciting public comment and submissions.    
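The paragraph above describes a cryptographic hash as a way to authenticate data and detect tampering. The following is an added example, not code from the article or from NIST, showing the two ways that idea is put to work in practice: a bare SHA-256 digest, which only detects changes when the digest itself is delivered over a trusted channel, and an HMAC-SHA256 tag, which additionally ties the data to a secret key so that a party without the key cannot forge a matching tag. The sample document and the keys are constructed for the demonstration; the function names are the example's own. HMAC is a keyed authentication tag, not a digital signature, so the signature use the article mentions is not covered here.

```python
import hashlib
import hmac
import secrets

# Constructed sample message standing in for a document whose integrity matters.
SAMPLE_DOCUMENT = b"Assessment report: all controls in scope were tested."


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """Check data against a digest obtained through a trusted channel.

    A plain hash detects accidental corruption or unkeyed tampering; it does
    not stop an attacker who can replace both the data and the published digest.
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def make_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 authentication tag; only holders of key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag_hex: str) -> bool:
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(make_tag(key, data), tag_hex)


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Return a copy of data with a single bit inverted (simulated tampering)."""
    modified = bytearray(data)
    modified[index] ^= 0x01
    return bytes(modified)


def demo() -> dict:
    """Run the integrity and authentication checks on good and tampered data."""
    # Constructed key; in a real system it would come from a key store, not be generated here.
    key = secrets.token_bytes(32)
    digest = sha256_hex(SAMPLE_DOCUMENT)
    tag = make_tag(key, SAMPLE_DOCUMENT)
    tampered = flip_one_bit(SAMPLE_DOCUMENT)
    return {
        "original_ok": verify_integrity(SAMPLE_DOCUMENT, digest),
        "tampered_ok": verify_integrity(tampered, digest),
        "tag_ok": verify_tag(key, SAMPLE_DOCUMENT, tag),
        "tampered_tag_ok": verify_tag(key, tampered, tag),
        # A different key must not validate the tag even for unmodified data.
        "wrong_key_ok": verify_tag(secrets.token_bytes(32), SAMPLE_DOCUMENT, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Flipping a single bit of the input changes the whole digest, which is why both checks fail on the tampered copy; the wrong-key case shows what the plain hash cannot do on its own. SHA-256 is used throughout because the article notes that published attacks are the reason NIST is seeking a successor to its current standards, and SHA-1 in particular should not be relied on for new designs.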

Copyright © 2007 IDG Communications, Inc.