NIST issues 'don't be stupid' security guidelines for contractors

There's no irony here at all: America's National Institute of Standards and Technology (NIST) has finalised its advice to US Federal agencies about how sensitive data should be protected when it's handled by contractors and outsiders.

The recommendations, if they'd existed and been followed, might have helped protect Americans from the now-infamous OPM hack, since external contractors don't seem to have been well-managed.

The guidance will look familiar to those that have studied the Australian Signals Directorate's to-do list (which El Reg calls the “don't be stupid” list).

The NIST publication covers access control, awareness and training, audit and accountability, configuration management, ID and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, system and information integrity.

And yes, the kind of advice it gives would have helped the DBP – for example, agencies should “separate the duties of individuals to reduce the risk of malevolent activity without collusion”, and should “employ the principle of least privilege, including for specific security functions and privileged accounts”.

Patching comes under “configuration management” (except that the bureaucratese the document's written in doesn't specifically call out “apply operating system patches” or “apply application patches” like the ASD's don't-be-stupid list does), as is application whitelisting.

The work began under a White House order issued in 2010, and was released for comment last fall. ®