[ISN] NIST makes lists

InfoSec News isn at c4i.org
Fri Aug 20 04:26:38 EDT 2004


By Florence Olsen 
Aug. 19, 2004

A program that experts have said is the missing piece in federal 
efforts to promote secure computing will be ready later this year.

Officials at the National Institute of Standards and Technology 
announced that a security configuration checklists program for 
information technology products, including a logo that vendors can put 
on their wares, [1] is on track for completion before the end of 2004.

A security configuration checklist describes the software options and 
settings that users can choose to minimize the security risks 
associated with a particular type of hardware or software. More 
commonly referred to as lockdown guides or security benchmarks, 
security checklists are basically documents for securing IT hardware 
or software in different settings. Security checklists for home 
computer users, for example, would be different from those for federal 
computer users handling sensitive data.

A checklist could include scripts, templates and pointers to Web sites 
where users can download software updates or firmware upgrades to make 
products more secure from attack by viruses and other malicious code 
spread via the Web.

NIST officials said they plan to distribute the lists through a Web 
portal, checklists.nist.gov. The role of NIST employees will be to 
screen checklists to see that they meet the program's requirements, 
publish the checklists for public review and, finally, to add 
checklists to the repository and remove them when they become 

NIST officials have already published two security checklists, one for 
Microsoft Corp.'s Windows 2000 and one for XP Professional. They can be 
downloaded from a NIST Web site: csrc.nist.gov/itsec.

NIST officials will work with other organizations that produce 
security checklists, including the Defense Information Systems Agency 
and National Security Agency, and the nonprofit Center for Internet 
Security. The checklist program, however, has no connection to the 
federal government's National Information Assurance Partnership, a 
security program for testing products in a laboratory setting.

The scope of the security checklist program is broad, officials said, 
and will include operating systems, database software, Web servers, 
e-mail servers, routers, intrusion-detection systems, virtual private 
networks, biometric devices, smart cards, telecommunications switches 
and Web browsers.

To locate a particular checklist, users will be able to search with at 
least 14 different fields, including checklist point of contact, 
product manufacturer name, product name, product version and platforms 
on which the checklist was tested.

NIST officials envision the portal being used by everyone, including 
product developers, government agencies, businesses and citizens.

NIST's authority for creating the security checklist program comes 
from a 2002 law, the Cyber Security Research and Development Act. The 
Homeland Security Department is listed on NIST's Web site as a program 

[1] http://csrc.nist.gov/publications/drafts.html
