ITL FOCUSES ON SECURITY CONTROLS
ITL recently published NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems, by Ron Ross, Stu Katzke, Arnold Johnson, Marianne Swanson, Gary Stoneburner, George Rogers, and Annabelle Lee. Mandated by the Federal Information Security Management Act (FISMA) of 2002, the publication provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. The guidelines have been developed to help achieve more secure information systems within the federal government by:
· Facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems;
· Providing a recommendation for minimum security controls for information systems categorized in accordance with Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems;
· Promoting a dynamic, extensible catalog of security controls for information systems to meet the demands of changing requirements and technologies; and
· Creating a foundation for the development of assessment methods and procedures for determining security control effectiveness.
The guidelines provided in this special publication are applicable to all federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542. The guidelines have been broadly developed from a technical perspective so as to be complementary to similar guidelines for national security systems. The publication is intended to provide guidance to federal agencies until the publication of Federal Information Processing Standard (FIPS) 200, Minimum Security Controls for Federal Information Systems (projected for publication December 2005). State, local, and tribal governments, as well as private sector organizations composing the critical infrastructure of the United States, are encouraged to consider the use of these guidelines, as appropriate.
The security controls in NIST SP 800-53 have been developed using inputs from a variety of sources including NIST SP 800-26, Department of Defense (DoD) Policy 8500, Director of Central Intelligence Directive (DCID) 6/3, ISO/IEC Standard 17799, General Accounting Office (GAO) Federal Information System Controls Audit Manual (FISCAM), and Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) Core Security Requirements. The security controls cover the following seventeen topic areas: risk assessment; certification, accreditation, and security assessments; system services and acquisition; security planning; configuration management; system and communications protection; personnel security; awareness and training; physical and environmental protection; media protection; contingency planning; maintenance; system and information integrity; incident response; identification and authentication; access control; and accountability and audit. It is envisioned that the set of security controls in the catalog will evolve over time as technology changes and new safeguards and countermeasures for information systems are identified. NIST SP 800-53 is available at http://csrc.nist.gov/publications/nistpubs/index.html.
The 2004 ITL Technical Accomplishments Report is available online at http://www.itl.nist.gov/lab/pubs2005/ITLreportFY04.pdf.
ITL Advances Voting System Guidelines
ITL continues to advance the development of standards, measures, and technology to enhance the capacity and performance of the nation’s voting systems. At its second plenary meeting on January 18-19, 2005, the Technical Guidelines Development Committee (TGDC) passed 32 resolutions that will provide a framework for the development of voting system guidelines in the areas of human factors, privacy, computer security, and the transparency of voting systems. The fifteen-person TGDC is charged under the Help America Vote Act of 2002 with the development of a set of recommendations for voluntary voting system guidelines. ITL staff will lead the effort to research improvements to the current 2002 Voting System Standards. More information on the voting project is available at http://vote.nist.gov.
On February 25, 2005, Secretary of Commerce Carlos M. Gutierrez announced the approval of FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, a new standard for a smart-card-based form of identification that all federal government departments and agencies will issue to their employees and contractors requiring access to federal facilities and systems. NIST’s press release announcing the new standard is posted at http://www.nist.gov/public_affairs/releases/federal_ID.htm. FIPS 201 is available at http://csrc.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf. More to come in the next issue on this important standard.
A Federal Register notice of February 8, 2005, announced that the Secretary of Commerce approved the withdrawal of 17 FIPS. ITL proposed the withdrawal because these FIPS are obsolete or have not been updated to adopt current voluntary industry standards, current federal data standards, or current good practices for computer security. The withdrawn standards are:
FIPS 8-6, Metropolitan Areas (Including MSAs, CMSAs, PMSAs, and NECMAs)
FIPS 9-1, Congressional Districts of the United States
FIPS 31, Guidelines for Automatic Data Processing Physical Security and Risk Management
FIPS 48, Guidelines on Evaluation of Techniques for Automated Personal Identification
FIPS 55-3, Codes for Named Populated Places, Primary County Divisions, and Other Locational Entities of the United States, Puerto Rico, and the Outlying Areas
FIPS 66, Standard Industrial Classification (SIC) Codes
FIPS 73, Guidelines for Security of Computer Applications
FIPS 83, Guideline on User Authentication Techniques for Computer Network Access Control
FIPS 87, Guidelines for ADP Contingency Planning
FIPS 92, Guideline for Standard Occupational Classification (SOC) Codes
FIPS 95-2, Codes for the Identification of Federal and Federally Assisted Organizations
FIPS 102, Guideline for Computer Security Certification and Accreditation
FIPS 112, Password Usage
FIPS 127-2, Database Language SQL (ANSI X3.135-1992)
FIPS 159, Detail Specification for 62.5-µm Core Diameter/125-µm Cladding Diameter Class 1A Multimode, Graded-Index Optical Waveguide Fibers
FIPS 171, Key Management Using ANSI X9.17
FIPS 173-1, Spatial Data Transfer Standard.
We will continue to keep references to the withdrawn FIPS on our website at http://www.itl.nist.gov/fipspubs/withdraw.htm. Where appropriate, we will link to the web pages of other federal agencies that will maintain the code sets used for information exchange among federal, state, and local governments as well as industry organizations.
ITL publishes guidance documents, research results, and conference proceedings. The publications listed below are available online:
By Oliver T. Slattery
NIST Special Publication 500-258
September 2004
oliver.slattery@nist.gov for .pdf document
The Phase 2 test procedure is designed to test the compatibility of DVD drives with DVD writable media, including DVD-R (for general) and DVD+R. The test plan includes detailed instructions on how to create and test the recordable media and how to determine the result of each test. Following implementation of Phase 1 (NIST Special Publication 500-254), NIST, the Optical Storage Technology Association (OSTA), and the DVD Association (DVDA) expanded the scope of testing in Phase 2. Phase 2 includes testing of DVD recordable drives and a procedure to create test media.
By Wayne Jansen and Richard Ayers
NIST Special Publication 800-72
November 2004
http://csrc.nist.gov/publications/nistpubs/index.html
The objective of the guide is twofold: to help organizations develop appropriate policies and procedures for dealing with Personal Digital Assistants (PDAs), and to prepare forensic specialists to deal with new situations when they are encountered. This guide provides an in-depth look at PDAs and explains the associated technologies and their impact on the procedures forensic specialists follow. It covers the characteristics of three families of devices, Pocket PC, Palm OS, and Linux-based PDAs, and the relevance of the operating systems associated with each.
By Joan Hash
NIST Special Publication 800-65
January 2005
http://csrc.nist.gov/publications/nistpubs/index.html
Traditionally, information technology (IT) security and capital planning and investment control (CPIC) processes have been performed independently by security and capital planning practitioners. However, the Federal Information Security Management Act (FISMA) of 2002 and other existing federal regulations charge agencies with integrating the two activities. In addition, with increased competition for limited federal budgets and resources, agencies must ensure that available funding is applied towards the agencies' highest priority IT security investments. Applying funding towards high-priority security investments supports the objective of maintaining appropriate security controls, at both the enterprise-wide and system levels, commensurate with levels of risk and data sensitivity. This publication introduces common criteria against which agencies can prioritize security activities to ensure that corrective actions identified in the annual FISMA reporting process are incorporated into the capital planning process to deliver maximum security in a cost-effective manner.
By D. Richard Kuhn, Thomas J. Walsh, and Steffen Fries
NIST Special Publication 800-58
December 2004
http://csrc.nist.gov/publications/nistpubs/index.html
Voice over Internet Protocol (VOIP) refers to the transmission of speech across data-style networks. This form of transmission is conceptually superior to conventional circuit switched communication in many ways. However, a plethora of security issues are associated with still-evolving VOIP technology. This publication introduces VOIP, its security challenges, and potential countermeasures for VOIP vulnerabilities.
Is the Urn Well-Mixed? Uncovering False Cofactor Homogeneity Assumption in Evaluation
By Ross J. Micheals and T.E. Boult
NISTIR 7156
October 2004
ross.micheals@nist.gov for paper copies
Measuring system performance is conceptually straightforward; it is the interpretation of the results and their use as predictors of future performance that are the exceptional challenges in system evaluation and in experimentation in general. Good experimental design is critical in evaluation, but there have been very few techniques that a scientist may use to check a design for either overlooked associations or weak assumptions. For biometric and vision system evaluation, the complexity of the systems makes a thorough exploration of the problem space impossible. This lack of verifiability in experimental design is a serious issue. In this paper, we present a new evaluation methodology that aids the researcher in discovering false assumptions about the homogeneity of cofactors, that is, when the data is not “well mixed.” The new methodology is then applied in the context of a biometric system evaluation.
Web-Based 3D Visualization in a Digital Library of Mathematical Functions
By Qiming Wang and Bonita Saunders
NISTIR 7159
December 2004
qiming.wang@nist.gov for paper copies
NIST is developing a digital library of mathematical functions to replace the widely used National Bureau of Standards Handbook of Mathematical Functions published in 1964 [1]. The NIST Digital Library of Mathematical Functions (DLMF) will provide a wide range of information about high-level functions for scientific, technical, and educational users in the mathematical and physical sciences. Clear, concise 3D visualizations that allow users to examine poles, zeros, branch cuts, and other key features of complicated functions will be an integral part of the DLMF. Specially designed controls will enable users to move a cutting plane through the function surface, select the surface color mapping, choose the axis style, or transform the surface plot into a density plot. To date, Virtual Reality Modeling Language and Extensible 3D (VRML/X3D) standards have been used to implement these capabilities in more than one hundred 3D visualizations for the DLMF. We discuss the development of these visualizations, focusing on the design and implementation of the VRML code, and show several examples.
Federal Information Systems Security Educators’ Association (FISSEA) Annual Conference
Dates: March 22-23, 2005
Place: Bethesda North Marriott Hotel & Conference Center, North Bethesda, Maryland
Sponsors: NIST and FISSEA
With a theme of “Target Training in 2005,” the conference will include presentations, papers, tutorials, and panels. Typical topics include management of information security programs and personnel, conducting security training, information security and assurance curricula, supporting technologies (network, wireless, encryption, vulnerability tools, educational tools), security labs, intrusion response programs, organizational behavior, certification, regulations, and emerging technologies.
NIST contact: Peggy Himes, peggy.himes@nist.gov
Conference website: http://www.nist.gov/public_affairs/confpage/050322htm.htm
Workshop on Biometrics and E-Authentication Over Open Networks
Dates: March 30-31, 2005
Place: NIST, Gaithersburg, Maryland
Sponsors: NIST, National Security Agency, Biometric Consortium, DoD Biometrics Management Office, Department of Homeland Security, General Services Administration’s Office of Governmentwide Policy, National Institute of Justice, and the National Biometric Security Project
The objective of this workshop is to determine how biometrics can be used for remote e-authentication over open networks by providing authentication assurance equivalent to that of the conventional secret-based mechanisms defined in NIST SP 800-63, Electronic Authentication Guideline, for each of the four authentication levels defined in Office of Management and Budget Memorandum M-04-04: E-Authentication Guidance for Federal Agencies (documents available at the workshop website). Workshop topics will include user requirements, existing biometric solutions to meet these technical requirements, authentication threats and countermeasures, biometrics and privacy, data integrity and confidentiality, end-to-end security mechanisms, security features of biometric interfaces, strengths and weaknesses compared with other authentication methods, existing or required biometric standards, academic research efforts, and the industry’s state of the art.
NIST contact: Fernando Podio, fernando.podio@nist.gov
Website: http://www.nist.gov/biom-eauth
4th Annual PKI R&D Workshop: Multiple Paths to Trust
Dates: April 19-21, 2005
Place: NIST, Gaithersburg, Maryland
Sponsors: NIST, National Institutes of Health, and Internet2, in cooperation with USENIX and OASIS
This workshop considers the full range of public key infrastructure (PKI) technology used for security decisions and supporting functionalities, including authentication, authorization, identity (syndication, federation, and aggregation), and trust. This year, the workshop will focus on how PKI and emerging trust mechanisms will interact with each other at the technical, policy, and user levels to support trust models that lack a central authority. The target audience is security researchers from academia and industry.
NIST contact: Nelson Hastings, nelson.hastings@nist.gov
Conference website: http://www.nist.gov/public_affairs/confpage/new050419.htm
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.