[Federal Register Volume 68, Number 133 (Friday, July 11, 2003)]
[Notices]
[Pages 41313-41314]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-17635]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology


Announcing a Workshop on Building Secure Configurations/Security 
Settings/Security Checklists for Information Technology Products Widely 
Used in the Federal Government

AGENCY: National Institute of Standards and Technology (NIST).

ACTION: Notice of public workshop.

-----------------------------------------------------------------------

SUMMARY: The Cyber Security Research and Development Act of 2002 tasks 
National Institute of Standards and Technology (NIST) to ``develop, and 
revise as necessary, a checklist setting forth settings and option 
selections that

[[Page 41314]]

minimize the security risks associated with each computer hardware or 
software system that is, or is likely to become widely used within the 
Federal Government.'' Various Federal organizations (NIST, NSA, DISA, 
etc.), consortia (e.g., Center for Internet Security), and some 
commercial vendors produce these checklists. Such checklists when 
combined with well-developed guidance, leveraged with high-quality 
security expertise, vendor product knowledge, operational experience, 
and accompanied with tools can markedly reduce the vulnerability 
exposure of an organization. To meet this challenging requirement to 
produce checklists for the spectrum of IT products widely used in the 
government, NIST has developed a proposal to solicit from IT vendors, 
consortia, industry and government organizations, and others in the 
public and private sector to produce additional checklists and 
associated guidance material to NIST. These materials would then be 
made available for display and downloading from the NIST Computer 
Security Resource Center (CSRC) Web site (http://csrc.nist.gov). To 
gather feedback on the proposed approach, NIST is announcing a workshop 
to identify current and planned Federal government checklist activities 
and related needs, existing and planned voluntary efforts for building 
security checklists, and current industry capabilities for the 
development of checklists and the associated templates that describe 
sets of security configurations for IT products widely used in the 
United States Government (USG).
    It is anticipated that the workshop will support the development of 
a standard Extensible Markup Language (XML) template for security 
configuration checklist descriptions, and a guideline on producing 
consensus checklists that can be searched, compared, shared freely, and 
used by the USG and Internet community at large. The goal of this 
initial workshop is to collect suggestions from organizations that have 
already developed or are involved in the development of such checklists 
to gain their input on key items that should be included within the 
template. The detailed draft agenda and supporting documentation for 
the workshop will be available prior to the workshop from the NIST CSRC 
Web site at http://csrc.nist.gov/checklists by July 31, 2003.

DATES: The workshop will be held on September 25 and 26, 2003, from 9 
a.m. to 5 p.m.

ADDRESSES: The workshop will be held in the Lecture Room B, Bldg 101 at 
the National Institute of Standards and Technology, Gaithersburg, MD.

FOR FURTHER INFORMATION CONTACT: Additional information, when 
available, may be obtained from the Computer Security Resource Center 
Web site at http://csrc.nist.gov/checklists or by contacting John Wack, 
National Institute of Standards and Technology, Building 100 Bureau 
Drive, Stop 8930, Gaithersburg, MD 20899-8930; telephone 301-975-3411; 
Fax 301-948-0279, or e-mail: [email protected].

SUPPLEMENTARY INFORMATION:
    NIST will lead an effort in coordination with other agencies and 
private industry to develop and disseminate a standard template 
designed to describe security checklists. Examples of key IT product 
technology areas include: operating systems, database systems, web 
servers, e-mail servers, firewalls, routers, intrusion detection 
systems, virtual private Networks, biometric devices, smart cards, 
telecommunication switching devices and web browsers.
    Vendors, agencies, consortia, and other reputable sources will be 
encouraged to submit checklists and related information called for by 
the template to populate a public web-based repository. The template 
will provide a standardized method of centrally cataloging, describing, 
and categorizing existing and newly developed security checklists for 
IT products. The XML template will be used to populate an online 
database hosted by NIST that will provide the USG and Internet 
community with a centralized database used to consolidate information 
about IT product security checklists.
    The initial workshop is being held to identify the key fields of 
the template. Workshop topics are planned to include:
    [sbull] Target environments,
    [sbull] Risk levels,
    [sbull] Methods to gain wide agency and vendor support,
    [sbull] Methods and incentives to encourage vendors' submissions 
adhering to the proposed template.
    Vendors, agencies, and other reputable sources currently developing 
checklists for IT products are encouraged to present information at the 
workshop describing their checklist development and testing process. 
Speakers wishing to formally present information at the workshop should 
submit proposals to [email protected] by September 1, 2003.
    Because of NIST security regulations, advance registration is 
mandatory; there will be no on-site, same-day registration. To 
register, please register via the Web at http://www.nist.gov/conferences or fax the registration form with your name, address, 
telephone, fax and e-mail address to 301-948-2067 (Attn: Workshop on 
Building Secure Configurations/Security Settings/Security Checklists 
for Federal Government Systems) by September 22, 2003. The registration 
fee will be $85. Payment can be made by credit card, check, purchase 
order, and government training form. Registration questions should be 
addressed to Kimberly Snouffer on 301-975-2776 or 
[email protected].

Authority

    This work effort is being initiated pursuant to NIST's 
responsibilities under the Cyber Security Research and Development Act 
of 2002.

    Dated: July 7, 2003.
Arden L. Bement, Jr.,
Director.
[FR Doc. 03-17635 Filed 7-10-03; 8:45 am]
BILLING CODE 3510-13-P