NIST releases final security guidelines

Standards group document provides road map for federal agencies to bolster computer system security.

Dawn Kawamoto Former Staff writer, CNET News

Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.

Dawn Kawamoto

Feb. 28, 2005 4:02 p.m. PT

A final version of security guidelines designed to protect federal computer systems and the information they hold was released Monday by the National Institute of Standards and Technology.

The guidelines will serve as a road map for federal agencies in meeting mandates set by the Federal Information Security Management Act (FISA). Government agencies will be required to have certain security controls, policies and procedures in place.

"This document of security guidelines is going to play a key role in helping federal agencies effectively select and implement security controls," Shashi Phoha, NIST Information Technology Laboratory director, said in a statement.

At the heart of the initiative is an effort to protect the confidentiality, integrity and availability of all federal information systems that are not part of the national security system.

Earlier this month, an annual FISA-mandated survey gave systems at federal agencies a "D+" for computer security. Key agencies in charge of critical components of the U.S. infrastructure got grades of "D" and lower, with the Department of Homeland Security, the Department of Commerce and the Department of Energy all receiving an "F."

The security controls in the new NIST guidelines span 17 key areas, ranging from user identification to authentication to risk assessment.

Federal agencies and Web sites that have experienced security breaches. These have ranged from denial-of-service attacks on the White House Web site to other such attacks on NASA and the Navy. Hackers have also engaged in such acts as stealing personal information from government agencies and contractors.