[ISN] NIST makes lists
InfoSec News
isn at c4i.org
Fri Aug 20 04:26:38 EDT 2004
http://www.fcw.com/fcw/articles/2004/0816/web-nist-08-19-04.asp
By Florence Olsen
Aug. 19, 2004
A program that experts have said is the missing piece in federal
efforts to promote secure computing will be ready later this year.
Officials at the National Institute of Standards and Technology
announced that a security configuration checklists program for
information technology products, including a logo that vendors can put
on their wares, [1] is on track for completion before the end of 2004.
A security configuration checklist describes the software options and
settings that users can choose to minimize the security risks
associated with a particular type of hardware or software. More
commonly referred to as lockdown guides or security benchmarks,
security checklists are basically documents for securing IT hardware
or software in different settings. Security checklists for home
computer users, for example, would be different from those for federal
computer users handling sensitive data.
A checklist could include scripts, templates and pointers to Web sites
where users can download software updates or firmware upgrades to make
products more secure from attack by viruses and other malicious code
spread via the Web.
NIST officials said they plan to distribute the lists through a Web
portal, checklists.nist.gov. The role of NIST employees will be to
screen checklists to see that they meet the program's requirements,
publish the checklists for public review and, finally, to add
checklists to the repository and remove them when they become
outdated.
NIST officials have already published two security checklists, one for
Microsoft Corp.'s Windows 2000 and XP Professional. They can be
downloaded from a NIST Web site: csrc.nist.gov/itsec.
NIST officials will work with other organizations that produce
security checklists, including the Defense Information Systems Agency
and National Security Agency, and the nonprofit Center for Internet
Security. The checklist program, however, has no connection to the
federal government's National Information Assurance Partnership, a
security program for testing products in a laboratory setting.
The scope of the security checklist program is broad, officials said,
and will include operating systems, database software, Web servers,
e-mail servers, routers, intrusion-detection systems, virtual private
networks, biometric devices, smart cards, telecommunications switches
and Web browsers.
To locate a particular checklist, users will be able to search with at
least 14 different fields, including checklist point of contact,
product manufacturer name, product name, product version and platforms
on which the checklist was tested.
NIST officials envision the portal being used by everyone, including
product developers, government agencies, businesses and citizens.
NIST's authority for creating the security checklist program comes
from a 2002 law, the Cyber Security Research and Development Act. The
Homeland Security Department is listed on NIST's Web site as a program
sponsor.
[1] http://csrc.nist.gov/publications/drafts.html