The US National Institute of Standards and Technology (NIST) has published recommended security controls for federal information systems.
The new guidelines will be the basis for a proposal due later this year by NIST for a Federal Information Processing Standard (FIPS). The standard will become mandatory for federal agencies in December 2005.
"This document of security guidelines is going to play a key role in helping federal agencies effectively select and implement security controls and, by using a risk-based approach, do so in a cost-effective manner," said Shashi Phoha, director of NIST’s Information Technology Laboratory.
The standard, which is expected to be of interest to non-governmental organisation as well, recommends management, operational and technical controls needed to protect all federal information systems that are not national security systems.
The controls cover 17 key security focus areas, including risk assessment, contingency planning, incident response, access control, and identification and authentication.
The security guidelines also provide information on selecting the appropriate controls needed to achieve security for low-, moderate- and high-impact information systems.
All of NIST’s security standards and guidelines are available at http://csrc.nist.gov