NIST has busy season

Opinion
Sep 15, 20052 mins

* NIST cranks out draft publications over the summer

Studying information assurance through effective statistical research methods is difficult. People often don’t notice computer security breaches until long after they have occurred (or not at all) or they are reluctant to report these breaches – and anyway, there is no centralized agency to collate such incident reports.

In the absence of clear analytical information, we are often thrown back upon “best practices.” These compendia of common sense, industry standards, and opinions of security experts are as close as we get to strict standards in our field.

Anyone interested in helping to define best practices in information assurance can turn to the National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) of the Computer Security Division (CSD). That’s where the Draft Publications are posted for comment.

The months of July and August have been a busy season for the contributors to these drafts. The list of new titles is unusually long:

* Draft Special Publication 800-56, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography

* Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems

* Draft Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems

* Draft Special Publication 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems

* Draft NIST Special Publication 800-85, PIV Middleware and PIV Card Application Conformance Test Guidelines

* Draft NIST Special Publication 800-87, Codes for the Identification of Federal and Federally-Assisted Organizations

* Draft NIST Special Publication 800-40 Version 2, Creating a Patch and Vulnerability Management Program

* Draft NIST Special Publication 800-81, Secure Domain Name System (DNS) Deployment Guide

* Draft NIST Special Publication 800-83, Guide to Malware Incident Prevention and Handling

* Draft NIST Special Publication 800-84, Guide to Single-Organization IT Exercises

* Draft NIST Special Publication 800-86, Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response

* Draft NIST Special Publication 800-26 Revision 1, Guide for Information Security Program Assessments and System Reporting Form

Readers interested in being notified of new security publications from NIST should sign up for alerts.

I’ll be looking at some of these Draft Publications in more detail in upcoming columns.