New BIOS security standards aimed at fighting rootkit attacks

22.08.2012

Encryption-based digital signatures and public-key certificates, among other techniques, are viewed as means of creating these security controls, but NIST isn't dictating specific processes, according to Regenscheid.

He says the concern is that manufacturers haven't uniformly applied strong security controls over BIOS in the past. This may be because BIOS updates tend to occur far less often than other kinds of computer software updates. But with the , it's time to focus on the BIOS, Regenscheid points out.

NIST already issued BIOS security standards for desktops and laptops in April 2011, and the Department of Homeland Security has told federal agencies to use them as a basis for purchasing laptops and desktops, starting this October. The U.S. Department of Defense has issued similar instructions, says Regenscheid. Manufacturers are aware of NIST's direction in all this and are responding. "Windows 8 has BIOS protection for the desktop," he points out.

Securing the BIOS on servers may be more complicated and call for support from OEMs such as Dell, HP and Lenovo. "We're proposing a tightly controlled update process," says Regenscheid. Proposed standards from NIST typically are approved and take effect within six months.

At that point, the "BIOS Protection Guidelines for Servers" will be a federal standard that is likely to also impact what the government acquires, just as the client BIOS security standard did. One question: Since the federal government is increasingly involved in buying cloud-based services, should cloud providers be asked to support secure BIOS? Regenscheid says that's something that surely will be brought up in discussions by people in government who write procurement requirements.