NIST issues security certification guidance

Publication creates governmentwide process for improving federal systems

Draft Special Publication 800-37

The National Institute of Standards and Technology last week released the first phase of a project aimed at enhancing the overall security of federal information technology systems.

The draft guide establishes a standard security certification and accreditation process for agencies, which many security experts consider a basic management step and an important initiative for the coming year.

"Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems" defines three assessment levels — low, medium and high — to help agencies evaluate their systems' levels of confidentiality, integrity and availability.

Under the Office of Management and Budget's Circular A-130 and the Computer Security Act of 1987, federal managers must ensure that all IT systems have an "adequate" level of security. Most experts agree that putting systems through a certification and accreditation process is the best way to accomplish that.

NIST has been working with many organizations to adapt and enhance the Defense Information Technology Security Certification and Accreditation Process into a standard that all agencies can use. By following a standard process and evaluating systems against the same criteria, agencies can have greater assurance that their systems provide an appropriate level of data and transaction security.

Establishing a certification and accreditation process is "a major agenda item for this year," said William Hadesty, associate chief information officer for cybersecurity at the Agriculture Department. Several other officials speaking Oct. 24 at a breakfast sponsored by AFCEA International Inc.'s Bethesda, Md., chapter agreed.

The Department of Veterans Affairs is starting a new program to certify its more than 900 IT systems, said Bruce Brody, the VA's associate deputy assistant secretary for cybersecurity.

The Transportation Department has already certified and accredited 25 percent of its mission-critical systems, but now the goal is to certify 50 percent by the end of the year, said Lisa Schlosser, DOT's associate CIO for IT security.

The department uses current guidelines from NIST, but with the new guide available, there will be an even greater emphasis on using the governmentwide standard, she said.

Such departmentwide programs are one way that CIOs are consolidating authority for information security within their departments.

At DOT, the CIO's security role is primarily in policy and oversight, but now the office is taking central control of issues such as incident reporting and analysis, vulnerability scanning and enterprise contracts, Schlosser said.

The VA is making a move to centralize control even further. Effective Nov. 1, all information security policy and activities at the VA will operate out of the CIO's office, Brody said.

NIST's draft guide is the first of three publications to be issued under the initial phase of its System Certification and Accreditation Project.

The other publications, expected to be released next spring, will outline standard minimum security controls at low, medium and high levels, and verification techniques and procedures to test those controls.

NIST is accepting comments on the draft until Jan. 31, 2003, at sec-cert@nist.gov. A tutorial is also available on the agency's Computer Security Resource Center Web site (csrc.nist.gov). And next spring, the Computer Security Division plans to hold a workshop on all three publications.

The second phase of the project will focus on developing capabilities within the public and private sectors to perform assessments based on the new standards. This will include accrediting organizations to conduct security certifications by fall 2004.

***

Guidelines for improving security

The National Institute of Standards and Technology's draft guide on securing federal information technology systems defines three certification and accreditation levels:

* Level 1 — For systems with only basic security concerns.

* Level 2 — For systems with moderate concerns about confidentiality and other security issues.

* Level 3 — For systems that require the top level of security and the most rigorous evaluation.

That structure allows agencies to tailor their evaluations more closely to the tasks individual systems must perform.

For example, if a system within an agency's security perimeter contains private information that is accessed by few people, it generally does not need to go through as stringent a certification and accreditation process as a system that holds personal records that will be accessed by numerous internal and external users.