The National Institute of Standards and Technology (NIST) has released its draft cyber security guidelines to help federal agencies comply with computer security requirements recently mandated by the Office of Management and Budget (OMB). The NIST is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration.
Under OMB policy, federal officials must make a security determination (called accreditation) to authorize placing IT systems into operation. In order for these officials to make "sound, risk-based decisions," a security evaluation (known as certification) of the IT system is also needed.
The new NIST guidelines establish standard processes, depending upon the sensitivity and exposure of the system, to verify the correctness and effectiveness of security controls to ensure adequate security. They include a hierarchy to organize security controls for confidentiality, data integrity and availability.
According to the NIST, "a significant percentage of federal IT systems have not completed needed security certifications, thus placing sensitive government information and programs at risk and potentially impacting national and economic security."
While NIST developed the guidelines for federal agencies, the private sector and the military can easily adapt them for use, the Commerce Department said in a statement. NIST will accept public comment for three months before revising the guidelines for final issuance.
The NIST is seeking public comments on the draft until Jan. 31.