In two of my recent postings (White House Cyberspace Policy Review Requires Full Implementation of HSPD-12) and (Privacy Concerns: Is Einstein Listening and Watching You?), I referenced NIST publications and standards. Over the years, NIST has always been a very professional government-run operation.
From automated teller machines and atomic clocks to mammograms and semiconductors, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology.
Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
NIST carries out its mission in four cooperative programs:
* the NIST Laboratories, conducting research that advances the nation’s technology infrastructure and is needed by U.S. industry to continually improve products and services;
* the Baldrige National Quality Program, which promotes performance excellence among U.S. manufacturers, service companies, educational institutions, health care providers, and nonprofit organizations; conducts outreach programs and manages the annual Malcolm Baldrige National Quality Award which recognizes performance excellence and quality achievement;
* the Hollings Manufacturing Extension Partnership, a nationwide network of local centers offering technical and business assistance to smaller manufacturers; and
* the Technology Innovation Program, which is planned to provide cost-shared awards to industry, universities and consortia for research on potentially revolutionary technologies that address critical national and societal needs. (Note: This is a newly created program that has been authorized by Congress.)
* Between 1990 and 2007, NIST also managed the Advanced Technology Program.
NIST’s FY 2009 resources total $1.6 billion. The agency operates in two locations: Gaithersburg, Md., (headquarters—234-hectare/578-acre campus) and Boulder, Colo., (84-hectare/208-acre campus). NIST employs about 2,900 scientists, engineers, technicians, and support and administrative personnel. Also, NIST hosts about 2,600 associates and facility users from academia, industry, and other government agencies. In addition, NIST partners with 1,600 manufacturing specialists and staff at about 400 MEP service locations around the country.
The following is excerpted from the White House Cyberspace Policy Review, page C-7, and traces how NIST came to own the standards for non-national security systems:
As information technology and systems evolved, Congress enacted a separate body of law governing computers and information systems. The Brooks Act,[23] enacted in 1965, gave the National Bureau of Standards (NBS), now the Department of Commerce’s National Institute of Standards and Technology (NIST), responsibilities for developing automatic data processing standards and guidelines pertaining to Federal computer systems.
The responsibilities assigned to NBS, however, did not apply to the procurement of automatic data processing equipment or services by the Central Intelligence Agency or to what are now called “national security systems” by the Department of Defense.
The Computer Security Act of 1987,[24] which further amended the Brooks Act, gave NIST the authority for developing standards and guidelines for the security of non-national security systems and required NIST to collaborate with NSA.
The Federal Information Security Management Act of 2002 (FISMA)[25] amended the Computer Security Act, leaving intact the roles of NIST and NSA, but it gave OMB expanded information security oversight responsibilities over all Executive Branch departments and agencies; it authorized the Director of OMB to require agencies to follow the standards and guidelines developed by NIST, to review agency security programs annually and approve or disapprove them, and to take authorized actions to ensure compliance. FISMA did not change, however, the dichotomy that exists in the treatment of civilian and national security systems.
While national security systems continued to be excluded from NIST oversight,[26] other regimes were established to deal with them, most notably National Security Directive 42. NSD-42, issued in July 1990, expanded the scope of a previously chartered national security telecommunications policy coordinating body to encompass information systems as well. In addition, it established a new body, the National Security Telecommunications and Information Systems Security Committee (NSTISSC).
The NSTISSC was charged, among other things, to provide systems security guidance for national security systems for Executive Branch departments and agencies and to develop appropriate “operating policies, procedures, guidelines, instructions, standards, objectives, and priorities as may be required . . . .”[27]
The NSTISSC shared many of the structural characteristics of the NCS, including an interagency membership structure (which included the Manager of the NCS) administered by an Executive Agent, a function assigned to the Secretary of Defense, and a National Manager (the Director of NSA) who assists the Secretary in executing assigned information assurance responsibilities.[28]
[24] Public Law 100-235.
[25] Homeland Security Act of 2002, Pub. L. 107-296; see also Title III, E-Government Act of 2002, Pub. L. 107-347.
[26] 15 U.S.C. § 278g-3, which incorporates the definition of NSS contained in 44 U.S.C. § 3542(b)(2). NSS are defined as “any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency, the function, operation, or use of which — (A) involves intelligence activities; (B) involves cryptologic activities related to national security; (C) involves command and control of military forces; (D) involves equipment that is an integral part of a weapon or weapons system; or (E) is critical to the direct fulfillment of military or intelligence missions provided that this definition does not apply to a system that is used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).”
[27] National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems (July 5, 1990), § 5(b). The NSTISSC has since been renamed the Committee on National Security Systems (CNSS). E.O. 13231, Critical Infrastructure Protection in the Information Age (October 16, 2001).
[28] Id. §§ 5, 6, 7. In particular, NSA may provide technical assistance to owners of national security systems, conduct vulnerability assessments of those systems, and disseminate information on threats to and vulnerabilities of national security systems.
The Computer Security Division (CSD), NIST Division 893
The Computer Security Division Responds to the Federal Information Security Management Act of 2002
The E-Government Act [Public Law 107-347] passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), included duties and responsibilities for the Computer Security Division in Section 303 “National Institute of Standards and Technology.” Work to date includes:
- Provide assistance in using NIST guides to comply with FISMA – Information Technology Laboratory (ITL) Computer Security Bulletin Understanding the New NIST Standards and Guidelines Required by FISMA: How Three Mandated Documents are Changing the Dynamic of Information Security for the Federal Government (issued November 2004).
- Provide a specification for minimum security requirements for Federal information and information systems using a standardized, risk-based approach – Developed FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (issued March 2006).
- Define minimum information security requirements (management, operational, and technical security controls) for information and information systems in each impact category (low, moderate, or high, as categorized under FIPS 199) – Developed SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems (issued December 2007).
- Identify methods for assessing effectiveness of security requirements – SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (issued July 2008).
- Bring the security planning process up to date with key standards and guidelines developed by NIST – SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems (issued February 2006).
- Provide assistance to Agencies and private sector – Conduct ongoing, substantial reimbursable and non-reimbursable assistance support, including many outreach efforts such as the Federal Information Systems Security Educators’ Association (FISSEA), the Federal Computer Security Program Managers’ Forum (FCSM Forum), the Small Business Corner, and the Program Review for Information Security Management Assistance (PRISMA).
- Evaluate security policies and technologies from the private sector and national security systems for potential Federal agency use – Host a growing repository of Federal agency security practices, public/private security practices, and security configuration checklists for IT products. In conjunction with the Government of Canada’s Communications Security Establishment, CSD leads the Cryptographic Module Validation Program (CMVP), which validates cryptographic modules against FIPS 140-2. The Common Criteria Evaluation and Validation Scheme (CCEVS) and the CMVP facilitate security testing of IT products usable by the Federal government.
- Solicit recommendations of the Information Security and Privacy Advisory Board on draft standards and guidelines – Solicit recommendations of the Board regularly at quarterly meetings.
- Provide outreach, workshops, and briefings – Conduct ongoing awareness briefings and outreach to our customer community and beyond to ensure comprehension of guidance and awareness of planned and future activities. We also hold workshops to identify areas our customer community wishes addressed, and to scope guidance in a collaborative and open format.
- Satisfy annual NIST reporting requirement – Produce an annual report as a NIST Interagency Report (IR). The 2003–2008 Annual Reports are available via the Web or upon request.
NIST Directives and Special Publications
Federal Information Processing Standards Publication 201 (FIPS 201), “Personal Identity Verification (PIV) of Federal Employees and Contractors,” February 25, 2005, provides standards for the identity verification, issuance, and use of the common identity standard. It contains two major sections.
Part One describes the minimum requirements for a Federal personal identity verification system that meets the control and security objectives of HSPD-12, including personal identity proofing, registration, and issuance.
Part Two provides detailed specifications that will support technical interoperability of PIV systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve personal identity information from the card. The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard.
FIPS PUB 201-1, Change Notice-1 (FIPS 201-1) “Personal Identity Verification of Federal Employees and Contractors,” March 2006, updates the requirements established by FIPS 201. Specifically, it makes changes to the graphics on the back of the PIV card and the Abstract Syntax Notation One encoding of the NACI indicator.
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-85B, “PIV Data Model Test Guidelines,” July 2006, provides technical guidance on the methodology to be used when testing applicable components and specifies the derived test requirements, detailed test assertions, and conformance tests for testing the data elements of the PIV system.
NIST SP 800-85A, “PIV Card Application and Middleware Interface Test Guidelines,” April 2006, provides test requirements and test assertions that can be used to validate the conformance of two PIV components (the PIV middleware and the PIV card application) to the specifications in NIST SP 800-73.
NIST SP 800-73-1, “Interfaces for Personal Identity Verification,” March 2006, contains technical specifications for the smart card, the card interface, the manner in which data on the credential are protected, and the format in which the data are to be retrieved. These specifications reflect the design goals of interoperability across agencies and of a common set of PIV card functions.
Special Publications (800 Series)
Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.
FIPS Publications are issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347).
With the passage of the Federal Information Security Management Act of 2002, there is no longer a statutory provision allowing agencies to waive mandatory Federal Information Processing Standards (FIPS). Therefore, the references to the “waiver process” contained in many of the FIPS are no longer applicable: a FIPS marked mandatory binds every Federal agency, and compliance is checked through the FISMA oversight process described above rather than through agency-granted exceptions.