NIST keeps publishing

NIST has to finish a report on recommended security controls by December 2005.

One way to quantify the growth in importance of computer security work is to count the pages of security guidelines published by the National Institute of Standards and Technology in the past year. The total is 1,200 pages, said Ed Roback, chief of the Computer Security Division.

Speaking June 4 in Washington, D.C., at the E-Gov Institute's Annual Government Solutions Forum, Roback said documents on topics as unremarkable-sounding as security categorization often generate strong responses. When NIST released "Federal Information Processing Standard Publication 199: Standards for Security Categorization of Federal Information and Information Systems," it was a 10-page document, but it provoked 200 pages of public comment, he said. "We have an awful lot of folks paying attention to each and every word in the standard."

Roback said NIST officials are drafting another security document that defines the minimum information security controls that agencies must use to protect their information systems under the Federal Information Security Management Act of 2002. By law, the document, "Special Publication 800-53, Recommended Security Controls for Federal Information Systems," must be completed by December 2005.

On that date, the guidelines in SP 800-53 will become mandatory as FIPS 200, a document that "is going to have an absolutely profound effect across the government," he said.

Roback used the E-Gov forum to show off many of the wares on NIST's csrc.nist.gov Web site. The site, www.csrc.nist.gov/fasp, has a showcase, for example, of more than 100 federal agency security practices and policies for things such as contingency planning and e-authentication. "See how your colleagues are addressing these issues," he said.

For a fee, NIST also offers help to agencies by providing a team of experts to review computer security programs. The NIST experts see their role as giving "sort of white-hat advice before some of the other folks — General Accounting Office, inspectors general and so forth — show up," he said.