
Feds to require common IT security settings

By Jacob Goodwin, Editor-in-Chief

Published February 28th, 2008


A committee of federal acquisition officials has issued a final rule that requires government agencies to insist on "common security configurations" whenever they buy information technology products.

By adhering to an agreed-upon roster of security settings developed by the National Institute of Standards and Technology (NIST), government procurement officials expect to establish a baseline level of security, cut down on their own research time, leverage outside knowledge and prevent a public loss of confidence in their new IT systems.

The new rule, which becomes effective on March 31, was required by Memorandum M-07-18, which was issued by the Office of Management and Budget last June. Details of the new rule were announced by the Civilian Agency Acquisition Council in the Federal Register on February 28.

Suppliers of IT software and hardware will be required to incorporate a set of common security configurations into the products they supply to their government customers.

NIST maintains what it calls a "security configuration checklist" – sometimes referred to as a lockdown guide, hardening guide or benchmark configuration – for many individual IT products. Such a checklist might include configuration files that automatically apply various security settings, documentation that guides a user through configuring software manually, documents that explain how to securely install and configure a device, and policy documents that set guidelines for activities such as auditing, authentication and ensuring perimeter security.

"Because IT products are often intended for a wide variety of audiences, restrictive security controls are usually not enabled by default, so many IT products are immediately vulnerable out-of-the-box," explains NIST on its Web site. "It is a complicated, arduous, and time-consuming task for even experienced system administrators to identify a reasonable set of security settings for many IT products."

Further information is available from the Federal Acquisition Regulation Secretariat at 202-501-4755.
