Agencies are moving toward purchasing more software from the private sector, however many IT departments are still building niche apps in-house. To help ensure those apps are secure, the National Institute of Standards and Technology (NIST) issued a draft checklist of security controls for developers and users.
The draft Guidelines for Checklist Users and Developers gives agencies and industry advice on creating their own checklists or selecting an established guide from NIST's National Checklist Repository.
Document: Guidelines for Checklist Users and Developers
A checklist – also known as a lockdown, hardening guide, benchmark, security guide or security technical implementation guide (STIG) – can be used to ensure a product is configured correctly, as well as identifying any unauthorized changes that could lead to security holes or problems with implementation.
"Although the solutions to IT security are complex, one simple yet effective tool is the security configuration checklist," NIST writes. "The use of well-written, standardized checklists can markedly reduce the vulnerability exposure of IT products."
The checklist can either be a basic document explaining how to do a manual compliance review or an automated system to set and verify controls.
More: National Checklist Repository
The draft guidance boils down to five major recommendations:
- Organizations should use checklists to reduce cyber vulnerabilities and mitigate the impact of successful attacks;
- Appropriate checklists should be picked based on degree of automation and source;
- Checklists should be customized and tested before being introduced to the production cycle;
- Developers should target checklists to one or more operational environment; and
- Give back by offering finished checklists for inclusion in the national repository.
The document also enumerates best practices for developing a checklist from scratch and the various instances in which one should be applied.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
