NIST Seeks Comments on Common Configuration Scoring System

Jun 05, 2008
Data and Information Security

The National Institute of Standards and Technology (NIST) would like feedback on its draft scoring system, which rates the severity of security configuration issues in operating systems and applications.

The NIST website has the draft “Interagency Report 7502: The Common Configuration Scoring System” available for review.

Government Computer News said this about the report: “The report proposes a set of measures for security configuration issues and a formula to combine those measures into scores for each issue, collectively called the Common Configuration Scoring System (CCSS). It is derived from the Common Vulnerability Scoring System (CVSS) for measuring the relative severity of vulnerabilities caused by software flaws. CCSS adjusts the basic components of CVSS to focus on security configuration issues rather than software flaws.”

Commenting on these documents is a great opportunity for security professionals who want to become engaged in the government processes that ensure consistent controls are put in place for federal, state, and local networks. More and more federal guidance requires states to comply with federal standards when state or local governments are custodians of federal data.

For example, the IRS provides guidance to federal, state, and local entities on the use of tax information in its Publication 1075.

Comments on the draft of CCSS should be e-mailed by July 3 to with “Comments IR 7502” in the subject line.


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.
