NIST releases security level guidance

NIST draft publications

The National Institute of Standards and Technology recently released a draft of the last piece of guidance for agencies to determine the proper level of security on information systems.

Released late last week by NIST's Computer Security Division, "Special Publication 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories" provides the middle step for guidance and standards required under the Federal Information Security Management Act (FISMA) of 2002.

NIST's categories of security impact are based on draft Federal Information Processing Standard (FIPS) 199, which the division released in September. The goal of the guidance is to have agencies assign impact levels without considering potential security controls and countermeasures, but in October, NIST released another draft guide outlining minimum-security controls for each category.

Officials plan to hold a government-only workshop about the latest draft Feb. 26-27, 2004. For details, e-mail elaine.fry@nist.gov. Comments on the draft publication are due by Feb. 20, 2004, and can be sent to 800-60_comments@nist.gov.

NIST also released a draft interagency report on smart card technology development and adoption within agencies. The draft report is in response to a January General Accounting Office report that recommended that NIST play a greater role in smart card implementation governmentwide.

Also in response to that report, NIST hosted the Storage and Processor Card-Based Technology Workshop to identify requirements from agencies and industry. The draft outlines the results of that workshop, which identified gaps in many areas of the smart card arena, including biometric interoperability, co-existence of multiple technologies on a single card and the need for common standards for identity methods.

Comments on the smart card draft report should be submitted to card-comment@nist.gov by Jan. 30, 2004.