Software Usability Format Approved as International Standard
The Common Industry Format (CIF) for Usability Test Reports, developed jointly by NIST’s
Information Technology Laboratory and industry, has been approved as an
international standard by the International Organization for Standardization (ISO).
CIF, now formally known as Standard 25062 Software Engineering - Software
Quality and Requirements Evaluation - Common Industry Format for Usability Test
Reports, provides a format for describing usability testing of a product,
including the experimental design of the tests, tasks to be performed, test
participants, data collection methods, and usability measures (such as
objective measures of effectiveness, efficiency, and the amount of effort for
learning how to use the product successfully). ITL’s Mary Theofanos
addressed final comments of ISO members at the ISO/IEC JTC1/SC7 Software and
Systems Engineering Plenary, in Helsinki, Finland, on May 23-27, 2005, leading
to ISO final approval in June.
The purpose of the CIF is to encourage incorporation of usability as an element in
decision making for software procurement. The CIF is designed for usability
professionals who generate reports to be used by stakeholders. Stakeholders can
use the usability data to help make informed decisions concerning the release
of software products or the procurement of such products.
The format is primarily for
reporting results of formal usability tests in which quantitative measurements
were collected and is particularly appropriate for summative/comparative
testing. The format includes the following main sections: Executive Summary,
Introduction, Method, and Results. The Method and Results sections are
particularly important and provide usability professionals with a good framework
for the report. The Method section prescribes the inclusion of details
concerning the participants and their profile, the details of the context of
use employed in the test, technical aspects of the testing facility and
apparatus, and finally all the study design aspects (such as variables and
measurements). The Results section includes subsections for the presentation of
performance data (e.g., times or error rates, etc.) and a subsection for the
presentation of satisfaction results.
The CIF represents a new, pioneering approach to assuring software quality, an
approach based on user-centered testing of software. Development began in 1997
when ITL brought together representatives from major software suppliers and
customer organizations to form the Industry USability Reporting (IUSR) project. The
CIF was developed, test piloted, and then approved by ANSI/INCITS in December
2001. Companies such as Boeing, Microsoft, and Oracle are using the
reporting standard. It is also being applied to national voting systems,
federal government procurements, and is being included in university curricula.
For more information, visit our website at http://zing.ncsl.nist.gov/iusr/.
ITL Advances Industry Testing of Electronic Health Record Profile
ITL staffers Bill Majurski,
Mary Lammanen, and Andrew McCaffrey made significant contributions to the
testing of healthcare integration profiles through their involvement with IHE
(Integrating the Healthcare Environment), an industry group that writes
profiles for healthcare supporting technology. A profile is a set of
instructions for integrating one or more standards into a particular
environment for a stated purpose. For the past year, Majurski served as editor
and a primary author of their Cross-Enterprise Document Sharing (XDS) profile
that integrates the Organization for the Advancement of Structured Information
Standards (OASIS) ebXML Registry standard into the healthcare environment as a
supporting element of a patient-oriented Electronic Health Record.
IHE ran two Connectathons
this season involving XDS, one in North America (January in Chicago) and one in
Europe (April in Amsterdam). A Connectathon is the final phase of the
development of an IHE integration profile where vendors assemble at a single
facility to test their implementations against those of their competitors. Twenty-six
vendors (across the North American and European events combined) successfully tested
implementations of some part of the XDS profile. The ITL team constructed and
operated a test facility for XDS used to qualify vendors for attendance at the
Connectathon, and served as Test Manager at both the North American and European
Connectathons.
Plans are being made in the U.S. and
virtually every major EU country to implement XDS as a piece of the technical
infrastructure for an Electronic Health Record. The ITL team has also supplied
the XDS registry implementation for demonstrations at industry trade shows. The
website is http://xw2k.sdct.itl.nist.gov/carnahan/website/generate.asp?tech=ehr.
National Vulnerability Database Launched
ITL recently released a new
vulnerability management product called the National Vulnerability Database
(NVD). NVD is sponsored by the Department of Homeland Security’s National Cyber
Security Division and is designed to complement their current suite of
vulnerability management products. It is available at http://nvd.nist.gov.
NVD is a comprehensive cyber security vulnerability database that is updated
daily with the latest vulnerabilities. From a single search engine, it
integrates all publicly available U.S. Government vulnerability resources and
provides references to industry resources. As of August 1, 2005, it contained
11,826 NVD vulnerability summaries, 479 US-CERT cyber security alerts, 1,085
US-CERT vulnerability notes, 776 OVAL queries, and almost 50,000 industry
vulnerability references (visit NVD to learn more about any of these products).
NVD is a general-purpose tool that can be used for a variety of purposes.
Recommended uses for this community include the following:
- view all publicly available U.S. Government vulnerability mitigation
information,
- learn how to mitigate vulnerabilities referenced within security products
(e.g., intrusion detection systems),
- keep abreast of the latest vulnerabilities,
- research the vulnerability history of a product,
- research what vulnerabilities might exist on a computer that may not be
detected by vulnerability scanners (e.g., vulnerabilities in obscure products),
- view statistics on vulnerability discovery, and
- conduct vulnerability research (map products to CVE and OVAL).
NVD is built completely upon the common vulnerabilities and exposures (CVE)
vulnerability naming scheme and provides CVE with a fine-grained search engine
and database. CVE is used by almost 300 security products to uniquely identify
vulnerabilities and is a de facto standard in the industry. NIST Special
Publication 800-51 discusses recommendations for the use of CVE within the
federal government. It is available at http://csrc.nist.gov/publications/nistpubs/index.html.
NVD replaces the NIST ICAT product. Existing hyperlink references to the ICAT
product will be intelligently redirected to the appropriate resource within
NVD.
FEDERAL INFORMATION PROCESSING STANDARD (FIPS) UPDATE
The Draft Federal Information Processing Standard (FIPS) 200, Minimum Security
Requirements for Federal Information and Information Systems, was announced in
the Federal Register notice of July 15, 2005, for public comment. This FIPS is
one of a series of security standards and guidelines that NIST is developing to
help federal agencies implement their responsibilities under the Federal
Information Security Management Act (FISMA). Draft FIPS Publication 200, which
will be used with other publications already issued by NIST, specifies minimum
security requirements for federal information and information systems and a
risk-based process for selecting the security controls necessary to satisfy the
minimum requirements. Comments are due by September 13, 2005. See
http://csrc.nist.gov/publications/drafts.html#fips200.
The Proposed Withdrawal of Ten FIPS was also announced in the Federal Register
of July 15, 2005. NIST has proposed the withdrawal of these FIPS because they
have not been updated to reference current or revised voluntary industry
standards, or do not reflect the changes and updates to data standards that are
maintained by other federal agencies.
The FIPS proposed for withdrawal are:
- FIPS 4-2, Representation of Calendar Date to Facilitate Interchange of Data
among Information Systems,
- FIPS 5-2, Codes for the Identification of the States, the District of
Columbia and the Outlying Areas of the United States, and Associated Areas,
- FIPS 6-4, Counties and Equivalent Entities of the U.S., Its Possessions, and
Associated Areas,
- FIPS 10-4, Countries, Dependencies, Areas of Special Sovereignty, and Their
Principal Administrative Divisions,
- FIPS 113, Computer Data Authentication,
- FIPS 161-2, Electronic Data Interchange (EDI),
- FIPS 183, Integration Definition for Function Modeling (IDEF0),
- FIPS 184, Integration Definition for Information Modeling (IDEF1X),
- FIPS 192, Application Profile for the Government Information Locator Service
(GILS), and
- FIPS 192-1 (a) & (b), Application Profile for the Government Information
Locator Service (GILS).
Comments on the proposed withdrawal are due by September 13, 2005. For more
information, see http://www.itl.nist.gov/fipspubs/message.htm.
NEW PUBLICATIONS NOW AVAILABLE
Our list of new publications features work in network
security, mobile device security, and software testing, available online:
Guidelines for the Selection and Use of Transport
Layer Security (TLS) Implementations
By C. Michael Chernick, Charles Edington III, Matthew
J. Fanto, and Rob Rosenthal
NIST Special Publication 800-52
June 2005
http://csrc.nist.gov/publications/nistpubs/index.html
This publication helps federal and private sector organizations select and use
technical controls at the transport layer of a layered communications protocol
stack. Transport layer security (TLS) can be implemented and used effectively
to authenticate network servers and clients, and to protect the confidentiality
and integrity of data that is exchanged between two communicating information
technology (IT) applications.
Proximity Beacons and Mobile Handheld Devices:
Overview and Implementation
By Wayne Jansen, Serban Gavrila, and Vlad Korolev
NISTIR 7200
June 2005
http://csrc.nist.gov/publications/nistir/index.html
Enabling adequate user authentication is the first line
of defense against unauthorized use of an unattended, lost, or stolen handheld
device. This report describes an innovative type of authentication mechanism
that relies on the presence of a signal from a wireless beacon for access to be
granted. Such proximity beacons can be either organizational or personal
oriented, and require only that handheld devices support a common standard
wireless interface for Personal Area Network (PAN) communications, such as
Bluetooth.
Software Write Block, Testing Support Tools
Validation – Part A – Test Plan, Test Design, and Test Case Specification
http://www.cftt.nist.gov/swbTT%20A%20Validation3.pdf
Software Write Block, Testing Support Tools Validation
– Part B – Test and Code Review Report
http://www.cftt.nist.gov/swbTT%20B%20Valid%20Report3.pdf
By Paul E. Black
NISTIR 7207-A and B
May 2005
This report consists of two parts. Part A covers the planning, design, and
specification of the testing and review of the Software Write Block (SWB)
support tools. Part B, its companion document, reports the results of that
test and code review. Part A gives a test plan, test design specification,
and test case specification for validation of the disk drive software write
block testing support tools. Part B reports the results of reviewing the source
code of the SWB test tools and testing them against Part A of the report.
MARK YOUR CALENDAR
Biometric Consortium Conference 2005 (BC2005)
BC2005 will address the
latest trends in biometrics research, development, and applications of biometric
technologies. It will focus on the important role that biometrics can play in
the identification and verification of individuals in this age of heightened
security and privacy. It will examine the utilization of biometrics in
government and commercial applications. The Biometric Consortium conferences
provide a forum to discuss recent technology advances, new initiatives,
standards, technology evaluation efforts, as well as biometric business models
and market strategies.
Dates:
September 19-21, 2005
Place:
Hyatt Regency Crystal City, Arlington, Virginia
Sponsors:
NIST; National Security Agency; National Biometric Security Project; DoD
Biometrics Management Office; Department of Homeland Security; General Services
Administration’s Office of Governmentwide Policy; National Institute of
Justice; and West Virginia USA.
Technical contact: Fernando
Podio, 301/975-2947, fernando.podio@nist.gov
Conference website: http://www.biometrics.org/bc2005/
Physical Security Testing Workshop
The purpose of this workshop is to discuss issues specific to physical security
testing and security requirements of cryptographic modules. The target audience
is researchers, technical developers, vendors, and testing laboratories.
Dates:
September 26-29, 2005
Place:
Radisson Waikiki Prince Kuhio, Honolulu, Hawaii
Sponsors:
NIST; NIST Cryptographic Module Validation Program (CMVP); The Communications
Security Establishment of the Government of Canada (CSE); Technology Promotion
Agency, Japan (IPA); Information Technology Research and Standardization Center
(INSTAC); Japan Standards Association.
Technical contacts: Allen Roginsky, 301/975-3603, allen.roginsky@nist.gov
Randall Easter, 301/975-4641, randall.easter@nist.gov
Website:
http://www.nist.gov/public_affairs/confpage/050926htm.htm
Open Web Application Security Project (OWASP) Conference
This conference will provide
a forum for industry, government, and academia to discuss the state of the
practice in application security, encourage others to get involved, and do what
they need to do to protect the custom applications for which they are
responsible. The target audience is federal government, researchers, and the
software industry involved in software assurance and software vulnerability
detection.
Dates: October 11-12, 2005
Place: NIST, Gaithersburg,
Maryland
Sponsors: NIST and the Open
Web Application Security Project (OWASP)
Technical contacts: Michael
Kass, 301/975-3266, michael.kass@nist.gov
Paul Black, 301/975-4794, paul.black@nist.gov
Conference website: http://www.owasp.org/conferences/appsec2005dc.html
Cryptographic Hash Workshop
Recently a team of researchers reported that the SHA-1 function offers
significantly less collision resistance than could be expected from a
cryptographic hash function of its output size. This workshop will solicit
public input on how best to respond to the current state of research in this
area.
Dates:
October 31-November 1, 2005
Place:
NIST; Gaithersburg, Maryland; Administration Building, Green Auditorium
Technical contact: Shu-jen
Chang, 301/975-2940, shu-jen.chang@nist.gov
Conference website: http://www.nist.gov/hash-function
Disclaimer: Any mention of commercial products or reference to
commercial organizations is for information only; it does not imply
recommendation or endorsement by the National Institute of Standards and
Technology nor does it imply that the products mentioned are necessarily the
best available for the purpose.