NIST updates information security guidelines

Revisions emphasize need to continuously watch for threats and to build in protections while developing computer systems.

The National Institute of Standards and Technology on Tuesday updated recommendations for how federal agencies should certify and accredit computer systems as secure, emphasizing the need to build protections into system development and management processes and to monitor networks continuously for potential vulnerabilities.

The first revision to Special Publication 800-37 -- "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life-Cycle Approach" -- will help agencies comply with the 2002 Federal Information Security Management Act, which requires them to identify and take inventories of their IT systems and determine the sensitivity of information stored on those systems. FISMA has long been criticized for focusing too heavily on compliance and not enough on monitoring and testing of computer systems for vulnerabilities.

"We're transforming the traditional certification and accreditation process to tie back to the enterprise architecture, so [agencies] can define security requirements early in the development process," said Ron Ross, senior computer scientist and information security researcher at NIST. The revision describes six steps agencies can follow to incorporate security best practices into development and routine system management so safeguards are maintained cradle to grave, he said.

One of the most significant changes is a stronger emphasis on continuous monitoring. Currently, agencies are required to certify the security of their information systems every three years or after a significant change.

"Cyberattacks are constantly getting more sophisticated [and] more frequent and targeted," Ross said. "This is a tool organizations will be able to use to not only build more secure systems, but to monitor the security of those systems on a near-real-time basis."

The public draft of SP 800-37 Rev. 1 will remain available for public comment through Dec. 31. NIST expects to finalize the document in early 2010.

This is the second in a series of five publications designed to "develop a unified framework for information security for the entire federal government," Ross said. The recommendations were put together by the Joint Task Force Transformation Initiative, which has representatives from the Defense Department, Office of the Director of National Intelligence and Committee on National Security Systems.

"[The latest] revision tries to get away from the checklist mentality of security, and more into the business of actually managing security factors," said Dale Meyerrose, vice president for cyber and information assurance at Harris Corp. Meyerrose was involved in early revisions of the NIST standards during his tenure as chief information officer for ODNI during the Bush administration.

"I see this as a continuum that [Defense CIO] John Grimes and I and some other CIOs from across government were working on to give [security standards] more punch and relevance across the broader part of the government," he said. "I can't take credit, but I can take pride in being a part of the movement."

The first in the series of publications contained updates for computer security controls. In the next six months, the task force will offer steps for assessing whether the security controls are effective and working properly, and provide a more holistic, top-down approach to recognizing potential threats to computer systems and reducing vulnerabilities.

The last of the five publications will guide agencies in assessing risk and determining how best to address existing vulnerabilities.

"We're committed to working together, and moving these standards and guidelines forward accelerates that by making sure we speak the same language," Ross said.