NIST to set security standard

OMB Circular A-130

The National Institute of Standards and Technology is creating a process to provide a standard way for agencies to certify the security level of their systems and networks.

The new process, which is expected to be released at the end of June as a NIST special publication, will measure the confidentiality, integrity and availability of a system and whether it attained a high, medium or low rating.

The process also will provide an accurate way to compare the security of systems within an agency and with other systems across government, said Ron Ross, a supervisor within the security metrics and testing group at NIST's Computer Security Division. This is particularly important as data sharing and cross-agency systems become the norm.

For instance, the FBI and the Immigration and Naturalization Service are integrating systems and want to be sure that the appropriate security is in place on each side, Ross said. Connecting a system accredited at a high level for data integrity with a system that is accredited at a low level is not good because the data in the low-level system may be untrustworthy, he said.

Agency policies and the Office of Management and Budget's Circular A-130 require that every information system in government go through a security certification and accreditation process. However, only the defense and national security communities have a common method for performing those evaluations.

The new NIST process, which is designed for civilian agencies, will be modeled after the Defense Information Technology Security Certification and Accreditation Process. It will be based on the internationally accepted Common Criteria security standard for products, Ross said.

NIST and the National Security Agency, through the National Information Assurance Partnership, are encouraging the use of the Common Criteria standard within civilian agencies for procuring and developing secure products [see "New hopes for a security lockdown"].

Because using evaluated products does not guarantee a secure network, agencies must also perform certification and accreditation to ensure confidence in each system — and that's what the NIST process will attempt to address.

Common Criteria "does not prescribe an end-to-end solution for information security; it's merely standardizing some of the equipment," said Craig Janus, vice president of the Center for Information Systems at Mitretek Systems.

"There's a systems integration requirement between the Common Criteria and the holistic solution for an agency that needs to be met," he said, "and that is usually met by an overarching security plan."

***

New credentials

The National Institute of Standards and Technology will provide a standard methodology to accredit and certify agency systems and networks. The security of the systems will be rated on the level of confidentiality, integrity and availability provided.

The certification can be done in-house or by a third party familiar with the process. The result will help agencies involved in data sharing or cross-agency projects know the security level of the systems to which they are connecting.