NIST issues security drafts

NIST Computer Security Resource Center

The National Institute of Standards and Technology last week released drafts of two security publications to help agencies define the levels of security necessary for different types of information systems and establish or fine-tune processes for handling security incidents.

The final draft of Federal Information Processing Standard (FIPS) 199, "Standards for Security Categorization of Federal Information and Information Systems," is the first step in a series of standards, guidelines and requirements mandated under the Federal Information Security Management Act (FISMA) of 2002. The standard, released Sept. 17, outlines ways to link different types of federal information and systems, and the risks each faces. NIST will later tie this to guidance for the appropriate level of security, depending on the assigned level of risk.

The standard focuses on three security areas for information and systems: confidentiality, integrity and availability. It then defines three levels of potential impact on organizations or individuals if any of those security areas are compromised.

Assigning a level of risk is not a clear-cut process, because it must be considered in the context of each agency, states the draft, which includes several examples of how to apply the three security areas and three impact levels. The document, for instance, discusses the difference between a system that needs high availability but holds information that needs only low confidentiality measures, and a system that can be offline for a period of time, but needs both high confidentiality and integrity for its information.

The institute on Sept. 15 released a draft of the Computer Security Incident Handling Guide (Special Publication 800-61), intended to help agencies meet a FISMA requirement to establish some level of incident handling capability and report to the Office of Management and Budget and the Federal Computer Incident Response Center (FedCIRC).

Incident Response Centers are receiving a lot of attention now because of the number and severity of recent attacks, such as the Blaster worm and SoBig.F virus that surfaced last month. Many agencies already have such capabilities, but the latest guide is designed to help existing and new organizations.

It outlines best practices within a response center, common policies to work with outside partners, and examples of how a response center fits within an agency's larger technology and policy structure.

The guidance is designed for the chief information officers and their security staffs, and details sharing information, addressing morale issues, the benefits and pitfalls of having an employee-staffed response center or one that is partially outsourced, and other issues.

Comments on the draft guidance may be sent to NIST by Oct. 15 at IncidentHandlingPub800-61@nist.gov.