In two of my recent postings (White House Cyberspace Policy Review Requires Full Implementation of HSPD-12) and (Privacy Concerns: Is Einstein Listening and Watching You?), I referenced NIST publications and standards.  Over the years, NIST has always been a very professional government run operation.

From automated teller machines and atomic clocks to mammograms and semiconductors, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology.

Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

NIST carries out its mission in four cooperative programs:

* the NIST Laboratories, conducting research that advances the nation’s technology infrastructure and is needed by U.S. industry to continually improve products and services;

* the Baldrige National Quality Program, which promotes performance excellence among U.S. manufacturers, service companies, educational institutions, health care providers, and nonprofit organizations; conducts outreach programs and manages the annual Malcolm Baldrige National Quality Award which recognizes performance excellence and quality achievement;

* the Hollings Manufacturing Extension Partnership, a nationwide network of local centers offering technical and business assistance to smaller manufacturers; and

* the Technology Innovation Program, which is planned to provide cost-shared awards to industry, universities and consortia for research on potentially revolutionary technologies that address critical national and societal needs. (Note: This is a newly created program that has been authorized by Congress.)

* Between 1990 and 2007, NIST also managed the Advanced Technology Program.

NIST’s FY 2009 resources total $1.6 billion. The agency operates in two locations: Gaithersburg, Md., (headquarters—234-hectare/578-acre campus) and Boulder, Colo., (84-hectare/208-acre campus). NIST employs about 2,900 scientists, engineers, technicians, and support and administrative personnel. Also, NIST hosts about 2,600 associates and facility users from academia, industry, and other government agencies. In addition, NIST partners with 1,600 manufacturing specialists and staff at about 400 MEP service locations around the country.

Page C-7 – WH Cyberspace Policy Review

As information technology and systems evolved, Congress enacted a separate body of law governing computers and information systems. The Brooks Act,23 enacted in 1965, gave the National Bureau of Standards—now the Department of Commerce’s National Institute of Standards and Technology (NIST)responsibilities for developing automatic data processing standards and guidelines pertaining to Federal computer systems.

The responsibilities assigned to NBS, however, did not apply to the procurement of automatic data processing equipment or services by the Central Intelligence Agency or to what are now called “national security systems” by the Department of Defense.

The Computer Security Act of 1987,24 which further amended the Brooks Act, gave NIST the authority for developing standards and guidelines for the security of non-national security systems and required NIST to collaborate with NSA.

The Federal Information Security Management Act of 2002 (FISMA)25 amended the Computer Security Act, leaving intact the roles of NIST and NSA, but it gave OMB expanded information security oversight responsibilities over all Executive Branch departments and agencies; it authorized the Director of OMB to require agencies to follow the standards and guidelines developed by NIST, review agency security programs annually and approve or disapprove them, and take authorized actions to ensure compliance. FISMA did not change, however, the dichotomy that exists in the treatment of civilian and national security systems.

While national security systems continued to be excluded from NIST oversight,26 other regimes were established to deal with them, most notably National Security Directive 42. NSD-42, issued in July 1990, expanded the scope of a previously chartered national security telecommunications policy coordinating body to encompass information systems as well. In addition, it established a new body, the National Security Telecommunications and Information Systems Security Committee (NSTISSC).

The NSTISSC was charged, among other things, to provide systems security guidance for national security systems for Executive Branch departments and agencies and to develop appropriate “operating policies, procedures, guidelines, instructions, standards, objectives, and priorities as may be required . . . .”27

The NSTISSC shared many of the structural characteristics of the NCS, including an interagency membership structure (which included the Manager of the NCS) administered by an Executive Agent, which function was assigned to the Secretary of Defense, and a National Manager (the Director of NSA) that assists the Secretary in executing assigned information assurance responsibilities.28

24 Public Law 100-235.

25 Homeland Security Act of 2002, Pub. L. 107-296; see also Title III, e-Gov Act of 2002, Pub. L. 107-347.

26 15 U.S.C. § 278g-3, which incorporates the definition of NSS contained in 44 U.S.C. § 3542(b)(2). NSS are defined as “any information system (including any telecommunications system) used or operated by an agency or by a contractor of an agency, or other organization on behalf of an agency, the function, operation, or use of which — (A) involves intelligence activities; (B) involves cryptologic activities related to national security; (C) involves command and control of military forces; (D) involves equipment that is an integral part of a weapon or weapons system; or (E) is critical to the direct fulfillment of military or intelligence missions provided that this definition does not apply to a system that is used for routine administrative and business applications (including payroll, finance, logistics, and personnel management applications).”

27 National Security Directive 42, National Policy for the Security of National Security Telecommunications and Information Systems (July 5, 1990), § 5(b). The NSTISSC has since been renamed the Committee on National Security Systems (CNSS). E.O. 13231, Critical Infrastructure Protection in the Information Age (October 16, 2001).

28 Id. §§ 5, 6, 7. In particular, NSA may provide technical assistance to owners of national security systems as well as conduct vulnerability assessments to those systems and disseminate information on threats to and vulnerabilities of national security systems.

The Computer Security Division (CSD) – (893)

The Computer Security Division Responds to the Federal Information Security Management Act of 2002

The E-Government Act [Public Law 107-347] passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), included duties and responsibilities for the Computer Security Division in Section 303 “National Institute of Standards and Technology.”  Work to date includes:

  • Provide assistance in using NIST guides to comply with FISMA – Information Technology Laboratory (ITL) Computer Security Bulletin Understanding the New NIST Standards and Guidelines Required by FISMA: How Three Mandated Documents are Changing the Dynamic of Information Security for the Federal Government (issued November 2004).
  • Provide a specification for minimum security requirements for Federal information and information systems using a standardized, risk-based approach – Developed FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (issued March 2006).
  • Define minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category – Developed SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems (issued December 2007).
  • Identify methods for assessing effectiveness of security requirements – SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (issued July 2008).
  • Bring the security planning process up to date with key standards and guidelines developed by NIST – SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems (issued February 2006).
  • Provide assistance to Agencies and private sector – Conduct ongoing, substantial reimbursable and non-reimbursable assistance support, including many outreach efforts such as the Federal Information Systems Security Educators’ Association (FISSEA), the Federal Computer Security Program Managers’ Forum (FCSM Forum), the Small Business Corner, and the Program Review for Information Security Management Assistance (PRISMA).
  • Evaluate security policies and technologies from the private sector and national security systems for potential Federal agency use – Host a growing repository of Federal agency security practices, public/private security practices, and security configuration checklists for IT products.  In conjunction with the Government of Canada’s Communications Security Establishment, CSD leads the Cryptographic Module Validation Program (CMVP).  The Common Criteria Evaluation and Validation Scheme (CCEVS) and CMVP facilitate security testing of IT products usable by the Federal government.
  • Solicit recommendations of the Information Security and Privacy Advisory Board on draft standards and guidelines – Solicit recommendations of the Board regularly at quarterly meetings.
  • Provide outreach, workshops, and briefings – Conduct ongoing awareness briefings and outreach to our customer community and beyond to ensure comprehension of guidance and awareness of planned and future activities.  We also hold workshops to identify areas our customer community wishes addressed, and to scope guidance in a collaborative and open format.
  • Satisfy annual NIST reporting requirement – Produce an annual report as a NIST Interagency Report (IR).  The 2003–2008 Annual Reports are available via the Web or upon request.

NIST Directives and Special Publications

Federal Information Processing Standards Publication 201 (FIPS 201), “Personal Identity Verification (PIV) of Federal Employees and Contractors,” February 25, 2005, provides standards for the identity verification, issuance, and use of the common identity standard. It contains two major sections.

Part One describes the minimum requirements for a Federal personal identity verification system that meets the control and security objectives of HSPD-12, including personal identity proofing, registration, and issuance.

Part Two provides detailed specifications that will support technical interoperability of PIV systems of Federal departments and agencies. It describes the card elements, system interfaces, and security controls required to securely store, process, and retrieve personal identity information from the card. The physical card characteristics, storage media, and data elements that make up identity credentials are specified in this standard.

FIPS PUB 201-1, Change Notice-1 (FIPS 201-1) “Personal Identity Verification of Federal Employees and Contractors,” March 2006, updates the requirements established by FIPS 201. Specifically, it makes changes to the graphics on the back of the PIV card and the Abstract Syntax Notation One encoding of the NACI indicator.

National Institute of Standards and Technology (NIST) Special Publication (SP)

800-85B, “PIV Data Model Test Guidelines,” July 2006, provides technical guidance on the methodology to be used during testing applicable components and specifies the derived test requirements, detailed test assertions, and conformance tests for testing the data elements of the PIV system.

NIST SP 800-85A, “PIV Card Application and Middleware Interface Test Guidelines,” April 2006, provides test requirements and test assertions that could be used to validate the compliance/conformance of two PIV components—PIV middleware and PIV card application to specifications in NIST SP 800-73.

NIST SP 800-73-1, “Interfaces for Personal Identity Verification,” March 2006, contains technical specifications for the smart card, the interface, the manner in which data on the credential are protected, and the format in which the data are to be retrieved. These specifications reflect the design goals of interoperability and PIV card functions.

Publications = Special Publications (800 Series)

Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Special Publications
Number Date Title
SP 800-124 Oct 2008 Guidelines on Cell Phone and PDA Security
SP 800-123 Jul 2008 Guide to General Server Security
SP 800-122 Jan. 13, 2009 DRAFT Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
SP 800-121 Sept 2008 Guide to Bluetooth Security
SP 800-120 Dec. 22, 2008 DRAFT Recommendation for EAP Methods Used in Wireless Network Access Authentication
SP 800-118 Apr. 21, 2009 DRAFT Guide to Enterprise Password Management
SP 800-117 May 5, 2009 DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP)
SP 800-116 Nov 2008 A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
SP 800-115 Sept 2008 Technical Guide to Information Security Testing and Assessment
SP 800-114 Nov 2007 User’s Guide to Securing External Devices for Telework and Remote Access
SP 800-113 Jul 2008 Guide to SSL VPNs
SP 800-111 Nov 2007 Guide to Storage Encryption Technologies for End User Devices
SP 800-108 Nov. 2008 Recommendation for Key Derivation Using Pseudorandom Functions
SP 800-107 Feb. 2009 Recommendation for Applications Using Approved Hash Algorithms
SP 800-106 Feb. 2009 Randomized Hashing for Digital Signatures
SP 800-104 Jun 2007 A Scheme for PIV Visual Card Topography
SP 800-103 Oct 6, 2006 DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation
SP 800-102 Nov 12, 2008 DRAFT Recommendation for Digital Signature Timeliness
SP 800-101 May 2007 Guidelines on Cell Phone Forensics
SP 800-100 Oct 2006 Information Security Handbook: A Guide for Managers
SP 800-98 Apr 2007 Guidelines for Securing Radio Frequency Identification (RFID) Systems
SP 800-97 Feb 2007 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
SP 800-96 Sep 2006 PIV Card to Reader Interoperability Guidelines
SP 800-95 Aug 2007 Guide to Secure Web Services
SP 800-94 Feb 2007 Guide to Intrusion Detection and Prevention Systems (IDPS)
SP 800-92 Sep 2006 Guide to Computer Security Log Management
SP 800-90 Mar 2007 Recommendation for Random Number Generation Using Deterministic Random Bit Generators
SP 800-89 Nov 2006 Recommendation for Obtaining Assurances for Digital Signature Applications
SP 800-88 Sep 2006 Guidelines for Media Sanitization
SP 800-87 Rev 1 Apr 2008 Codes for Identification of Federal and Federally-Assisted Organizations
SP 800-86 Aug 2006 Guide to Integrating Forensic Techniques into Incident Response
SP 800-85 B Jul 2006 PIV Data Model Test Guidelines
SP 800-85 A-1 Mar. 2009 PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-2 Compliance)
SP 800-84 Sep 2006 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
SP 800-83 Nov 2005 Guide to Malware Incident Prevention and Handling
SP 800-82 Sep 29, 2008 DRAFT Guide to Industrial Control Systems (ICS) Security
SP 800-81 Rev. 1 Feb. 27, 2009 DRAFT Secure Domain Name System (DNS) Deployment Guide
SP 800-81 May 2006 Secure Domain Name System (DNS) Deployment Guide
SP 800-79 -1 Jun 2008 Guidelines for the Accreditation of Personal Identity Verification (PIV) Card Issuers (PCI’s)
SP 800-78 -1 Aug 2007 Cryptographic Algorithms and Key Sizes for Personal Identity Verification
SP 800-77 Dec 2005 Guide to IPsec VPNs
SP 800-76 -1 Jan 2007 Biometric Data Specification for Personal Identity Verification
SP 800-73 -2 Sept. 2008 Interfaces for Personal Identity Verification (4 parts):
1- End-Point PIV Card Application Namespace, Data Model and Representation
2- End-Point PIV Card Application Interface
3- End-Point PIV Client Application Programming Interface
4- The PIV Transitional Data Model and Interfaces
SP 800-72 Nov 2004 Guidelines on PDA Forensics
SP 800-70 Rev. 1 Sept. 19, 2008 DRAFT National Checklist Program for IT Products–Guidelines for Checklist Users and Developers
SP 800-70 May 2005 Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developer
SP 800-69 Sep 2006 Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
SP 800-68 Rev. 1 Oct. 2008 Guide to Securing Microsoft Windows XP Systems for IT Professionals
SP 800-67 1.1 May 2008 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
SP 800-66 Rev 1 Oct 2008 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-65 Jan 2005 Integrating IT Security into the Capital Planning and Investment Control Process
SP 800-64 Rev. 2 Oct 2008 Security Considerations in the System Development Life Cycle
SP 800-63 Rev. 1 Dec. 12, 2008 DRAFT Electronic Authentication Guideline
SP 800-63 Version 1.0.2 Apr 2006 Electronic Authentication Guideline
SP 800-61 Rev. 1 Mar 2008 Computer Security Incident Handling Guide
SP 800-60 Rev. 1 Aug 2008 Guide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes) – Volume 1: Guide Volume 2: Appendices
SP 800-59 Aug 2003 Guideline for Identifying an Information System as a National Security System
SP 800-58 Jan 2005 Security Considerations for Voice Over IP Systems
SP 800-57 Part 3 Oct 24, 2008 DRAFT Recommendation for Key Management, Part 3 Application-Specific Key Management Guidance
SP 800-57 Mar 2007 Recommendation for Key Management
SP 800-56 B Dec. 10, 2008 DRAFT Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography
SP 800-56 A Mar 2007 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
SP 800-55 Rev. 1 Jul 2008 Performance Measurement Guide for Information Security
SP 800-54 Jul 2007 Border Gateway Protocol Security
SP 800-53 Rev. 3 June 3, 2009 DRAFT Recommended Security Controls for Federal Information Systems and Organizations
SP 800-53 Rev. 2 Dec 2007 Recommended Security Controls for Federal Information Systems
SP 800-53 Rev.1 Dec 2006 Recommended Security Controls for Federal Information Systems
SP 800-53 A Jul 2008 Guide for Assessing the Security Controls in Federal Information Systems
SP 800-52 Jun 2005 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
SP 800-51 Sep 2002 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
SP 800-50 Oct 2003 Building an Information Technology Security Awareness and Training Program
SP 800-49 Nov 2002 Federal S/MIME V3 Client Profile
SP 800-48 Rev. 1 Jul 2008 Guide to Securing Legacy IEEE 802.11 Wireless Networks
SP 800-47 Aug 2002 Security Guide for Interconnecting Information Technology Systems
SP 800-46 Rev. 1 Jun. 2009 Guide to Enterprise Telework and Remote Access Security
SP 800-45 Version 2 Feb 2007 Guidelines on Electronic Mail Security
SP 800-44 Version 2 Sep 2007 Guidelines on Securing Public Web Servers
SP 800-43 Nov 2002 Systems Administration Guidance for Windows 2000 Professional System
SP 800-41 Rev. 1 July 9, 2008 DRAFT Guidelines on Firewalls and Firewall Policy
SP 800-41 Jan 2002 Guidelines on Firewalls and Firewall Policy
SP 800-40 Version 2.0 Nov 2005 Creating a Patch and Vulnerability Management Program
SP 800-39 April 3, 2008 DRAFT Managing Risk from Information Systems: An Organizational Perspective
SP 800-38 A Dec 2001 Recommendation for Block Cipher Modes of Operation – Methods and Techniques
SP 800-38 B May 2005 Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
SP 800-38 C May 2004 Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality
SP 800-38 D Nov 2007 Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
SP 800-37 Rev. 1 August 19, 2008 DRAFT Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach
SP 800-37 May 2004 Guide for the Security Certification and Accreditation of Federal Information Systems
SP 800-36 Oct 2003 Guide to Selecting Information Technology Security Products
SP 800-35 Oct 2003 Guide to Information Technology Security Services
SP 800-34 Jun 2002 Contingency Planning Guide for Information Technology Systems
SP 800-33 Dec 2001 Underlying Technical Models for Information Technology Security
SP 800-32 Feb 2001 Introduction to Public Key Technology and the Federal PKI Infrastructure
SP 800-30 Jul 2002 Risk Management Guide for Information Technology Systems
SP 800-29 Jun 2001 A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
SP 800-28 Version 2 Mar 2008 Guidelines on Active Content and Mobile Code
SP 800-27 Rev. A Jun 2004 Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-25 Oct 2000 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
SP 800-24 Aug 2000 PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
SP 800-23 Aug 2000 Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
SP 800-22 Rev. 1 Aug. 2008 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
SP 800-21 2nd edition Dec 2005 Guideline for Implementing Cryptography in the Federal Government
SP 800-20 Oct 1999 Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
SP 800-19 Oct 1999 Mobile Agent Security
SP 800-18 Rev.1 Feb 2006 Guide for Developing Security Plans for Federal Information Systems
SP 800-17 Feb 1998 Modes of Operation Validation System (MOVS): Requirements and Procedures
SP 800-16 Rev. 1 Mar. 20, 2009 DRAFT Information Security Training Requirements: A Role- and Performance-Based Model
SP 800-16 Apr 1998 Information Technology Security Training Requirements: A Role- and Performance-Based Model
SP 800-15 Version 1 Sep 1997 MISPC Minimum Interoperability Specification for PKI Components
SP 800-14 Sep 1996 Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-13 Oct 1995 Telecommunications Security Guidelines for Telecommunications Management Network
SP 800-12 Oct 1995 An Introduction to Computer Security: The NIST Handbook

FIPS Publications

FIPS Publications are issued by NIST after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347.

With the passage of the Federal Information Security Management Act of 2002, there is no longer a statutory provision to allow for agencies to waive mandatory Federal Information Processing Standards (FIPS). Therefore, the references to the “waiver process” contained in many of the FIPS are no longer applicable. ).

Number Date Title
FIPS 201–1 Mar 2006 Personal Identity Verification (PIV) of Federal Employees and Contractors
FIPS 200 Mar 2006 Minimum Security Requirements for Federal Information and Information Systems
FIPS 199 Feb 2004 Standards for Security Categorization of Federal Information and Information Systems
FIPS 198–1 Jul 2008 The Keyed-Hash Message Authentication Code (HMAC)
FIPS 197 Nov 2001 Advanced Encryption Standard
FIPS 196 Feb 1997 Entity Authentication Using Public Key Cryptography
FIPS 191 Nov 1994 Guideline for The Analysis of Local Area Network Security
FIPS 190 Sep 1994 Guideline for the Use of Advanced Authentication Technology Alternatives
FIPS 188 Sep 1994 Standard Security Label for Information Transfer
FIPS 186–3 Jun. 2009 Digital Signature Standard (DSS)
FIPS 185 Feb 1994 Escrowed Encryption Standard
FIPS 181 Oct 1993 Automated Password Generator
FIPS 180–3 Oct 2008 Secure Hash Standard (SHS)
FIPS 140–3 Jul 13, 2007 DRAFT Security Requirements for Cryptographic Modules
FIPS 140–2 May 2001 Security Requirements for Cryptographic Modules
FIPS 140–1 Jan 1994 FIPS 140-1: Security Requirements for Cryptographic Modules
FIPS 113 May 1985 Computer Data Authentication (no electronic version available)