29 October 2002

NIST unveils cyberattack guidelines

Washington, D.C. – U.S. federal agencies Tuesday received guidelines on how to evaluate their computer security. Developed by scientists at the National Institute of Standards and Technology (NIST), an agency of the U.S. Commerce Department's Technology Administration, the guidelines can easily be adapted by the private sector, NIST said.

The department's under secretary for technology, Phillip Bond, said the guidelines will help federal agencies protect their computer systems from the threat of cyberattacks.

"Once final, these guidelines will serve as a critical computer security tool and will further the President’s commitment to a safe and secure cyberspace," Bond said. "This is a very significant step toward making the federal government’s computer systems more secure. It gives agencies a comprehensive, yet flexible way to ensure that their computers are as safe as they should be," he said.

Bond said the guidelines detail a new approach to assessing the security level of entire computer systems and use a hierarchy for confidentiality, integrity and availability. The federal government already has computer security standards for many individual components of information technology (IT) systems.

NIST said it encourages private-sector organizations involved in critical infrastructure activities to consider using the guidelines.

In the spring of 2003, NIST plans to hold an exploratory workshop to study federal agencies' need for, and the feasibility of, a voluntary testing regime to assess the technical competence of third parties to conduct the detailed computer security reviews covered in the report.

Agencies can use the guidelines to comply with computer security requirements designed to ensure an adequate level of protection for each system, including those specified by the Office of Management and Budget (OMB) Circular A-130. Under OMB policy, responsible federal officials are required to make a security determination, called "accreditation", to authorize placing IT systems into operation. In order for these officials to make sound, risk-based decisions, a security evaluation, known as "certification", of the IT system is needed.

The guidelines create consistent, comparable evaluations of computer systems by detailing a standard process for agencies to use. They include a hierarchy to organize security controls for confidentiality, data integrity and availability.

This approach includes three levels of security:

Level 1, an entry-level or basic level of security;

Level 2, for computer systems with moderate levels of concern about issues such as confidentiality (this level requires a more detailed analysis); and

Level 3, the top level, requiring the most rigorous evaluation.

NIST said it would accept public comment for three months before revising the guidelines for final issuance.

The draft NIST report, Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems, is available online at NIST’s Computer Security Resource Center (CSRC).

NIST’s CSRC provides access to information, tools, programs and services in the areas of 1) security policies, standards and guidelines; 2) security validated products; 3) training and education; and 4) collaborative work and services. NIST’s Information Technology Laboratory develops computer security standards and provides technical advice and guidelines as a result of its statutory responsibilities under the Computer Security Act of 1987 and the Information Technology Management Reform Act of 1996.
