You are viewing a Web site, archived on 00:30:27 Oct 15, 2004. It is now a Federal record managed by the National Archives and Records Administration.
External links, forms, and search boxes may not function within this collection.
Product / System Configuration Guidance


Product and system implementation guidance documents recommend security settings for products and systems. They are not meant to replace a well-structured security policy or sound judgment. Furthermore, most of the documents do not address site-specific configuration issues, so care must be taken to address local operational and policy concerns.

  • Government Security Recommendation Guides
    Security Recommendation Guides are documents that contain recommended security settings for products. The guides are not meant to replace a well-structured security policy or sound judgment. Furthermore, the guides do not address site-specific configuration issues; care must be taken when implementing the guides to address local operational and policy concerns. The security changes described in the guides apply only to the specifically identified operating systems or architecture components and should not be applied to any other operating systems or architecture components.

    Guides exist for: Windows 2000 Guides, Windows NT Guides, Cisco Router Guides, E-mail, Executable Content Guides and Secure Linux. Check the web site for updates and new offerings.

  • Implementation Guidance
    The NIST Special Publication 800 and 500 series contain implementation guidance.

    Examples include:

    Guidelines on Firewalls and Firewall Policy; Recommendation for Block Cipher Modes of Operation - Methods and Techniques; Underlying Technical Models for Information Technology Security, December 2001; Introduction to Public Key Technology and the Federal PKI Infrastructure; Intrusion Detection Systems (IDS); Risk Management Guide for Information Technology Systems; A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2; Guidelines on Active Content and Mobile Code; Engineering Principles for Information Technology Security (A Baseline for Achieving Security); Security Self-Assessment Guide for Information Technology Systems; Federal Agency Use of Public Key Technology for Digital Signatures and Authentication; Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products; Guideline for Implementing Cryptography in the Federal Government; Mobile Agent Security; Guide for Developing Security Plans for Information Technology Systems; Minimum Interoperability Specification for PKI Components (MISPC); Generally Accepted Principles and Practices for Securing Information Technology Systems; An Introduction to Computer Security: The NIST Handbook; and a host of others.

  • Implementation Guidance in Development
    Special Publication 800-45, Guidelines on Electronic Mail Security; Special Publication 800-40, Procedures for Handling Security Patches; Special Publication 800-44, Guidelines on Securing Public Web Servers; Draft Special Publication 800-42, Guideline on Network Security Testing; Special Publication 800-43, System Administration Guidance for Windows 2000 Professional; Use of the CVE Vulnerability Naming Scheme Within its Acquired Products and Information Technology Security Procedures; NIST Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems"; Special Publication 800-46, Security for Telecommuting and Broadband Communications; Special Publication 800-47, Security Guide for Interconnecting Information Technology.

  • Security Technical Implementation Guidelines
    The Department of Defense has the Information Assurance Support Environment (IASE) server at DISA. This site contains the latest copies of Security Technical Implementation Guidance (STIG), as well as checklists, scripts, and other related security information. The site is available to organizations having a .mil or .gov extension.

  • IT Security Metrics
    Federal IT security personnel are developing system-level metrics that can be used to assist with GISRA and other IT reporting requirements. Those metrics are derived from IT security performance goals and objectives reflected in high-level policies, requirements, laws, regulations and guidance. Examples include: the Clinger-Cohen Act, Presidential Decision Directive 63, the Government Information Security Reform Act (GISRA), OMB Circular A-130, Appendix III, the Critical Elements within NIST Special Publication 800-26, the Federal Information System Controls Audit Manual (FISCAM), and the new Draft Special Publication 800-37 on Federal Certification and Accreditation.

    Metrics yield quantitative rather than qualitative information, which increases the objectivity and validity of the data. Metrics should be readily available or easily collected, through interviews or by accessing data repositories. IT metrics should be repeatable in a standard way, at predetermined intervals, to identify trends or to determine whether changes have resulted in positive corrective action. Metrics must support stakeholders and yield information that supports IA cost-benefit trade-off analysis.

NIST Disclaimer Notice

Please read the NIST Privacy Statement / Security Notice.
Please send comments or suggestions to niap-info@nist.gov.
NIAP is in the Information Technology Laboratory at the National Institute of Standards and Technology.
NIST is an agency of the U.S. Commerce Department's Technology Administration.
NSA is an agency of the U.S. Department of Defense.

Page last updated: June 16, 2004 10:18 AM