Subject: [ISN] NIST sets FISMA standards for federal IT systems
Date: Thu, 16 Mar 2006 04:03:04 -0600 (CST)
http://www.gcn.com/online/vol1_no1/40127-1.html

By William Jackson
GCN Staff
03/15/06 

The National Institute of Standards and Technology has released the
final standard for securing agency computer systems under the Federal
Information Security Management Act.

Federal Information Processing Standard 200 [1] sets minimum security
requirements for federal systems in 17 security areas. It is the third
of three publications required from NIST under FISMA, which requires
executive branch agencies to establish consistent, manageable IT
security programs for non-national security systems. The intent of
FISMA is to implement risk-based processes for selecting and
implementing security controls.

FIPS 199 [2], released two years ago, establishes standards for
categorizing IT systems as low, moderate or high-impact, depending on
the effect of a breach of confidentiality, integrity or availability
of the system. Special Publication 800-53 [3], "Recommended Security
Controls for Federal Information Systems", lays out the security
controls to be applied under FIPS 200 to protect those systems.

Agencies must be in compliance with FIPS 200 by March 2007.

Requirements are spelled out for: 

* Access control 
* Awareness and training 
* Audit and accountability 
* Certification, accreditation and security assessments 
* Configuration management 
* Contingency planning 
* Identification and authentication 
* Incident response 
* Maintenance 
* Media protection 
* Physical and environmental protection planning 
* Personnel security 
* Risk assessment 
* System and services acquisition 
* System and communications protection 
* System and information integrity.

Agencies must employ on each system the proper security controls in
each of these areas depending on whether it is a low, moderate or
high-impact system.
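The categorization step the article describes can be worked through in code. The following is an added example, not part of the GCN article or any NIST publication: it applies the FIPS 199 rule that a system's rating for each security objective is the highest rating among the information types it processes, and the FIPS 200 "high-water mark" rule that the overall system impact level (which selects the SP 800-53 baseline) is the highest of the three objective ratings. The "n/a" rating for confidentiality of public information is also taken from FIPS 199; the sample system and its information types are constructed.

```python
# FIPS 199 categorization with the FIPS 200 high-water mark (added example;
# the rules are FIPS 199/200's, the code and sample data are constructed here).
# Each information type a system processes is rated low/moderate/high for
# confidentiality, integrity and availability. FIPS 199 takes the maximum per
# objective across information types; FIPS 200 takes the highest of the three
# as the system impact level, which selects the SP 800-53 control baseline.
# FIPS 199 permits "n/a" for confidentiality only (e.g. public information).

LEVELS = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

def _rank(objective: str, value: str) -> int:
    """Validate one rating and return its numeric rank."""
    value = value.lower()
    if value not in LEVELS:
        raise ValueError(f"unknown impact level {value!r} for {objective}")
    if value == "n/a" and objective != "confidentiality":
        raise ValueError(f"'n/a' is only allowed for confidentiality, not {objective}")
    return LEVELS[value]

def categorize(info_types: dict[str, dict[str, str]]) -> dict[str, str]:
    """Return per-objective ratings plus the overall system impact level."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    rank = {obj: 0 for obj in OBJECTIVES}
    for name, ratings in info_types.items():
        for obj in OBJECTIVES:
            if obj not in ratings:
                raise ValueError(f"{name}: missing rating for {obj}")
            rank[obj] = max(rank[obj], _rank(obj, ratings[obj]))
    result = {obj: NAMES[rank[obj]] for obj in OBJECTIVES}
    # High-water mark: integrity and availability are always at least 'low',
    # so the system level is never 'n/a' even when confidentiality is.
    result["system"] = NAMES[max(rank.values())]
    return result

def sc_notation(cat: dict[str, str]) -> str:
    """Render the FIPS 199 'SC = {(objective, IMPACT), ...}' form."""
    parts = ", ".join(f"({obj}, {cat[obj].upper()})" for obj in OBJECTIVES)
    return f"SC = {{{parts}}}"

if __name__ == "__main__":
    # Constructed sample: a public web site that also holds payroll records.
    cat = categorize({
        "public web content": {"confidentiality": "n/a", "integrity": "moderate", "availability": "moderate"},
        "payroll records": {"confidentiality": "moderate", "integrity": "high", "availability": "low"},
    })
    print(sc_notation(cat), "->", cat["system"], "impact baseline")
```

Because a single high-impact information type raises the whole system to the high baseline, splitting such data into its own system is the usual way to keep the rest of an environment at a lower (and cheaper) baseline.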

NIST also is updating its standards for digital signatures. A draft of
FIPS 186-3 [4], which would replace the current FIPS 186-2, has been
released for comment.

The original digital signature standard was released in 1994 and has
been updated twice, in 1998 and 1999. The current version authorizes
the use of key sizes of 512 and 1024 bits with approved algorithms.
A key size of 1024 bits is now considered the minimum acceptable level
for the security of digital signatures.

"With advances in technology, it is prudent to consider larger key
sizes," NIST said. "Draft FIPS 186-3 allows the use of 1024, 2048 and
3072-bit keys."

Comments on the proposed standard should be made by June 12 to
elaine.barker@nist.gov, or mailed to the Chief, Computer Security
Division, Information Technology Laboratory, Attention: Comments on
Draft FIPS 186-3, 100 Bureau Drive, Stop 8930, National Institute of
Standards and Technology, Gaithersburg, MD 20899-8930.

[1] http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
[2] http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
[3] http://csrc.nist.gov/publications/nistpubs/800-53/SP800-53.pdf
[4] http://csrc.nist.gov/publications/drafts/fips_186-3/Draft-FIPS-186-3%20_March2006.pdf



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 
