New Commerce Guidelines to Help Protect Against Cyberattacks

Federal agencies now have a systematic way to evaluate their computer security as a result of guidelines announced today by Commerce Under Secretary for Technology Phillip Bond. Bond said the guidelines would help federal agencies protect their computer systems from the threat of cyberattacks.

"Once final, these guidelines will serve as a critical computer security tool and will further the President's commitment to a safe and secure cyberspace," Bond said. "This is a very significant step toward making the federal government's computer systems more secure. It gives agencies a comprehensive, yet flexible way to ensure that their computers are as safe as they should be," he said.

Computer scientists at the National Institute of Standards and Technology (NIST), an agency of the Commerce Department's Technology Administration, developed the guidelines.

The new guidelines detail a new approach to assessing the security level of entire computer systems and utilize a hierarchy for confidentiality, integrity and availability. The federal government already has computer security standards for many individual components of information technology systems.

While NIST developed the guidelines for federal agencies, the private sector and the military can easily adapt them for use. NIST encourages private-sector organizations involved in critical infrastructure activities to consider using the guidelines.

In the spring of 2003, NIST plans to hold an exploratory workshop to study the needs of federal agencies for and the feasibility of developing a voluntary testing regime to assess the technical competence of third parties to conduct the detailed computer security reviews covered in the report.

Agencies can use the guidelines to comply with computer security requirements designed to ensure an adequate level of protection for each system, including those specified by the Office of Management and Budget (OMB) Circular A-130. Under OMB policy, responsible federal officials are required to make a security determination (called accreditation) to authorize placing IT systems into operation. In order for these officials to make sound, risk-based decisions, a security evaluation (known as certification) of the IT system is needed.

The guidelines create consistent, comparable evaluations of computer systems by detailing a standard process for agencies to use. They include a hierarchy to organize security controls for confidentiality, data integrity and availability.

This approach includes three levels of security:

• Level 1, an entry-level or basic level of security;

• Level 2, for computer systems with moderate levels of concern about issues such as confidentiality (this level requires a more detailed analysis); and

• Level 3, the top level, requiring the most rigorous evaluation.

Public comment will be accepted by NIST for three months before revising the guidelines for final issuance.

The draft NIST report, Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems, is available online through NIST's Computer Security Resource Center (CSRC) at http://csrc.nist.gov/publications/drafts.html. NIST's CSRC provides access to a wealth of information, tools, programs and services in the areas of 1) security policies, standards and guidelines; 2) security validated products; 3) training and education; and 4) collaborative work and services.

NIST's Information Technology Laboratory develops computer security standards and provides technical advice and guidelines as a result of its statutory responsibilities under the Computer Security Act of 1987 and the Information Technology Management Reform Act of 1996. NIST guides address the information needs of systems administrators and other computer professionals. The published guidance covers topics ranging from how to protect a public Web site from computer hackers to steps agencies can take to make electronic mail systems more secure.

As a non-regulatory agency of the U.S. Department of Commerce's Technology Administration, NIST develops and promotes measurements, standards and technology to enhance productivity, facilitate trade and improve the quality of life.