The National Institute of Standards and Technology (NIST) published this week a draft of the first guidelines, developed to help the agencies standardize how they measure the security of their systems.
When finished, the guidelines will allow agencies to express the degree of security that their systems can provide--a rating that could prove important when data is shared among other federal agencies.
The guidelines address how to measure the risk of online or employee breaches to an application, software or computer network, said Ron Ross, director of the National Information Assurance Partnership at NIST and co-author of the guidelines.
"The senior official in an agency has to authorize the system for operation by taking into account the threats and vulnerabilities," he said. "There is always a residual risk that is left over, and they have to gauge whether that risk is tolerable."
The document tells information-system administrators how to rate their networks and applications in terms of how well they protect confidentiality, maintain integrity and remain running and available.
Started in March 2002, the project aims to develop standard guidelines for certifying and accrediting federal information systems, according to the report. It also seeks to define the minimum security that is acceptable in federal systems and promotes the development of public and private sector assessment labs and the certification of individuals.
The guideline document is the first in a set of three that will spell out how agencies should secure themselves against Internet and insider threats to their computer systems. The second document, due in spring 2003, will outline the minimum security that every agency must have in place. A third document, due at the same time, will tell auditors how to verify that systems have been secured properly.
The Office of Management and Budget has repeatedly found that U.S. government agencies have not in security. NIST's Ross and his co-author Marianne Swanson agreed with that assessment in the guidelines.
"A significant percentage of federal (information) systems in critical infrastructure areas have not completed needed security certifications, thus placing sensitive government information and programs at risk and potentially impacting national and economic security," the authors stated in the report.
In September, the Bush administration released the first public draft of its "" plan. Among the problems highlighted in the strategy document are the security failings of government agencies. The NIST document, released Monday, found that many of these are caused by a lack of standards in measuring risk.
"Currently, there are numerous competing security certification procedures within the federal government that are excessively complex, outdated and costly to implement--resulting in assessments that are often inconsistent, flawed and not repeatable with a degree of confidence," said the authors in the NIST guidelines.
NIST was one of several U.S. government agencies that with the Center for Internet Security in July to support a set of benchmarks aimed at guaranteeing a minimum security standard for computers. Ross called the tools, the first of which encompasses 500 tests for Windows 2000, a complementary initiative to the guidelines that NIST is releasing.
The current draft of the guidelines, called the "Guidelines for Security Certification and Accreditation of IT Systems," will be open to public comment until Jan. 31, 2003.