NIST Issues Security Configuration Guidance

Guidance Identifies Major Phases of Security Configuration

The National Institute of Standards and Technology on Thursday issued two draft publications aimed at securing digital assets: Guide for Security Configuration Management of Information Systems and Maintaining and Using Key History on Personal Identity Verification (PIV) Cards.

NIST Draft Special Publication 800-128, Guide for Security Configuration Management of Information Systems, furnishes guidelines for managing the configuration of information system architectures and associated components for secure processing, storing and transmitting of information. "Security configuration management is an important function for establishing and maintaining secure information system configurations, and provides important support for managing organizational risks in information systems," a NIST statement accompanying the draft said.

NIST SP 800-128 identifies the major phases of security configuration management and describes the process of applying security configuration management practices for information systems including:

Planning security configuration management activities for the organization;
Planning security configuration management activities for the information system;
Configuring the IT system to a secure state;
Maintaining the configuration of the information system in a secure state; and
Monitoring the configuration of the information system to ensure that the configuration is not inadvertently altered from its approved state.

The security configuration management concepts and principles described in this publication provide supporting information for NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, which includes the configuration management family of security controls and other security controls that draw upon configuration management activities in implementing those controls. This publication also provides important supporting information for the Monitor Step (Step 6) of the Risk Management Framework that is discussed in NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.

NIST requests comments on the initial public draft of SP 800-128 by June 14. Submit comments to sec-cert@nist.gov.

Draft NIST Interagency Report 7676, Maintaining and Using Key History on Personal Identity Verification (PIV) Cards, also has been released for public comment. The report complements SP 800-73-3, Interfaces for Personal Identity Verification, which introduced the ability to store retired key management keys within the PIV card application on a PIV card. It provides some of the rationale for the design of the mechanism for storing retired key management keys on PIV cards and offers suggestions to smart card vendors, PIV card issuers and middleware developers on the use of the key history mechanism.

NIST requests that comments on Draft NIST IR 7676 be sent by April 2 to PIV_comments@nist.gov with "Comments on Public Draft NISTIR 7676" in the subject line.




