July 17, 2002 12:25 PM PDT
Taking a stand for PC security
The National Security Agency, the National Institute of Standards and Technology, the Defense Information Systems Agency and the General Services Administration all planned to voice support for the benchmark certification in a meeting at the GSA headquarters in Washington, sources familiar with the proceedings said.
The benchmark is a program that checks the target operating system for unpatched flaws and system settings that could make PCs vulnerable to intrusions or bugs. While the first such benchmark focuses on Windows 2000 workstations, versions of the program for Windows 2000 and NT servers, Sun Microsystems' Solaris operating system, Cisco's IOS router operating system, Linux and HP-UX are in the works.
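The article describes the benchmark as a program that compares a machine's patch state and settings against a consensus baseline. The following added example (not the Center for Internet Security's tool, and not the contents of its v1.0 benchmark) shows the shape of such a checker: a list of baseline checks, a snapshot of a host's settings, and a report of which checks fail and why. All check IDs, setting names, hotfix names and host snapshots below are constructed for illustration.

```python
# Added example: a minimal configuration-benchmark checker of the kind the
# article describes. The checks, setting names and hotfix IDs are constructed
# placeholders, not the real "Consensus Baseline Security Settings (v1.0)".
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class Check:
    """One benchmark item: which setting to read and what value passes."""
    check_id: str
    description: str
    setting: str        # key in the host snapshot dict
    expected: Any       # value the baseline requires
    op: str = "eq"      # "eq" | "min" (actual >= expected) | "contains" (all expected items present)


@dataclass
class Report:
    passed: List[str] = field(default_factory=list)
    failed: List[Tuple[str, str]] = field(default_factory=list)  # (check_id, reason)

    @property
    def score(self) -> float:
        """Fraction of checks that passed; 0.0 for an empty baseline."""
        total = len(self.passed) + len(self.failed)
        return 0.0 if total == 0 else len(self.passed) / total

    def is_compliant(self) -> bool:
        return not self.failed


# Constructed baseline (hypothetical settings, not the real benchmark).
BASELINE: List[Check] = [
    Check("PW-01", "Minimum password length", "min_password_length", 8, "min"),
    Check("PW-02", "Passwords remembered in history", "password_history", 5, "min"),
    Check("AUD-01", "Logon event auditing enabled", "audit_logon_events", True),
    Check("ACC-01", "Guest account disabled", "guest_enabled", False),
    Check("PATCH-01", "Required hotfixes installed (placeholder IDs)",
          "installed_hotfixes", ["HOTFIX-A", "HOTFIX-B"], "contains"),
]


def evaluate(check: Check, host: Dict[str, Any]) -> Tuple[bool, str]:
    """Return (passed, reason) for one check against a host snapshot.
    A setting that is absent from the snapshot fails closed."""
    if check.setting not in host:
        return False, "setting not present in snapshot"
    actual = host[check.setting]
    if check.op == "eq":
        ok = actual == check.expected
    elif check.op == "min":
        ok = actual >= check.expected
    elif check.op == "contains":
        ok = set(check.expected) <= set(actual)
    else:
        raise ValueError(f"unknown operator {check.op!r}")
    reason = "" if ok else f"expected {check.op} {check.expected!r}, found {actual!r}"
    return ok, reason


def run_benchmark(host: Dict[str, Any], baseline: List[Check] = BASELINE) -> Report:
    """Evaluate every check in the baseline and collect a pass/fail report."""
    report = Report()
    for check in baseline:
        ok, reason = evaluate(check, host)
        if ok:
            report.passed.append(check.check_id)
        else:
            report.failed.append((check.check_id, reason))
    return report


# Constructed host snapshots standing in for values read from a real machine.
COMPLIANT_HOST = {
    "min_password_length": 12, "password_history": 10,
    "audit_logon_events": True, "guest_enabled": False,
    "installed_hotfixes": ["HOTFIX-A", "HOTFIX-B", "HOTFIX-C"],
}
WEAK_HOST = {
    "min_password_length": 6,          # too short
    "audit_logon_events": True,        # only check that passes
    "guest_enabled": True,             # guest account still enabled
    "installed_hotfixes": ["HOTFIX-A"],  # HOTFIX-B missing
}                                      # password_history not reported at all

if __name__ == "__main__":
    for name, host in (("compliant", COMPLIANT_HOST), ("weak", WEAK_HOST)):
        rep = run_benchmark(host)
        print(f"{name}: score={rep.score:.2f} compliant={rep.is_compliant()}")
        for check_id, reason in rep.failed:
            print(f"  FAIL {check_id}: {reason}")
```

The checker fails closed on settings it cannot read, which is what a certification-style benchmark needs: an unreported setting is an unknown, not a pass. A real tool would populate the snapshot from the registry, local security policy and installed-update inventory of the target operating system rather than from hard-coded dictionaries.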
"This is an example of a public-private partnership that can help government agencies and corporations better secure their systems against cyber attack," Richard Clarke, special advisor to the president on cyberspace security, said in a statement.
Several of the agencies may require that any new computers they purchase pass the benchmark, said Bert Miuccio, director of benchmark services for the Center for Internet Security, the group that originally created the benchmark process. However, even those that don't will help make the minimum security specifications a reality.
"Their support will accelerate the adoption (of the benchmark) because of the buying power of the federal government," he said.
As previously reported, the benchmark--bearing the unwieldy moniker "Windows 2000 Professional Operating System Benchmark - Consensus Baseline Security Settings (v1.0)"--is the first of several such benchmarks that will help certify that an operating system meets certain patch and configuration requirements and, thus, meets a minimum level of security.
A representative of the National Institute of Standards and Technology (NIST) said the new benchmark would not be a "real" standard within the federal government, but the agency would recommend that civilian government groups, for whom NIST sets standards, use it.
"We have a very specific meaning when we talk about standards," said spokesman Philip Bulman. "That is something we develop and it's a big deal that affects all types of folks. But a lot of what we do is called guidance. This is more along the lines of guidance."
The DISA, the GSA and the NSA could not immediately be reached for comment.
While the group does not allow operating system makers such as Microsoft to join, the software giant has been discussing the benchmarks with the Center for Internet Security for some time, said Steve Lipner, director of security assurance for Microsoft.
"They are very similar to the high security workstation template that is in the Windows 2000 product when it ships," he said. While he added that the new benchmarks are a good thing, "Our hope is that we will do such a good job with default security that people won't need to do separate templates."
One problem that could arise from the new security benchmarks is that a computer that is brought up to specification might find that some applications won't work properly anymore. Lipner pointed out that many applications were made for Windows 9x systems and may not be as security-aware as they should be.
"The world has changed," he said.
The four government agencies are only the latest of 170 corporate, government and individual members to join the Center for Internet Security's mission to create a way for organizations to certify that their computers meet a minimum security standard.
Among the group's other large members are The Institute of Internal Auditors, the System Administration, Networking and Security Institute, Visa, Intel and Stanford University.