ITL Newsletter
February 1999
ITL PUBLISHES GUIDANCE ON INFORMATION TECHNOLOGY (IT) SYSTEM SECURITY PLANNING
Today's rapidly changing technical environment requires federal agencies to adopt a
minimum set of management controls to protect their IT resources. These management
controls are directed at individual IT users in order to reflect the distributed nature of
today's technology. Technical and operational controls support management controls. To
be effective, all of these controls must interrelate.
Our new NIST Special Publication 800-18, Guide for Developing Security Plans for
Information Technology Systems, addresses the development of security plans that
document the management, technical, and operational controls for federal automated
information systems. Written primarily for federal agencies, the concepts are also valuable
for industry organizations interested in establishing security plans. ITL's Marianne
Swanson edited the document, which was developed by a working group of the Federal
Computer Security Program Managers' Forum.
The guidance will be most useful for those individuals responsible for IT security at the system level and at the organization level. The document is intended as a guide when
creating security plans. It is written specifically for individuals with little or no computer
security expertise. Auditors, managers, and IT security officers can also use the document
as an auditing tool.
The objective of system security planning is to improve protection of IT resources. All
federal systems have some level of sensitivity and require protection as
part of good management practice. The protection of a system must be documented in a
system security plan. The completion of system security plans is a requirement of the
Office of Management and Budget (OMB) Circular A-130, "Management of Federal
Information Resources," Appendix III, "Security of Federal Automated Information
Resources," and Public Law 100-235, "Computer Security Act of 1987."
The purpose of the security plan is to provide an overview of the security requirements of
the system and describe the controls in place or planned for meeting those
requirements. The system security plan also delineates responsibilities and expected
behavior of all individuals who access the system. The security plan should be viewed as
documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers
with responsibilities concerning the system, including information owners, the system
operator, and the system security manager. Additional information may be included in the
basic plan and the structure and format organized according to agency needs, so long as the major sections described in the guideline are adequately covered and readily
identifiable.
While the guide recommends a format, it is recognized that some agencies have developed
plans using other formats that meet the A-130 requirements described in the document.
The document is intended as guidance only and should not be construed as the only format
allowed. A standardized approach, however, not only makes the development of the plan
easier by providing examples, but also provides a baseline to review plans. The level of detail included within the plan should be consistent with the criticality and value of the system to the organization's mission (i.e., a more detailed plan is required for systems critical to the organization's mission). The security plan should fully identify and describe the controls currently in place or planned for the system and should include a list of rules of behavior.
Agencies should develop policy on the security planning process. Security plans are living
documents that require periodic reviews, modifications, and milestone or
completion dates for planned controls. Procedures should be in place
outlining who reviews the plans and follows up on planned controls. In addition,
procedures are needed to describe how security plans will be used in the process of authorization for processing.
We invite you to access the planning guideline at where it is available for download in Microsoft Word '97 (.doc) and Adobe Acrobat (.pdf) formats.
Y2K Information on the Web
To increase awareness and provide information concerning issues surrounding the year 2000 computer problem, ITL developed and maintains the NIST Year 2000 Web Site. Our Software Diagnostics and Conformance Testing Division contributes to NIST's Y2K effort by focusing on information technology (IT) standards and testing. The Web site offers the following:
- free software and tools to assist in assessing year 2000 problems;
- year 2000 assistance for smaller manufacturers;
- documents on year 2000 solutions and testing, including three ITL Bulletins on Y2K issues;
- archives of presentations from the NIST International Symposium on the Year 2000 held in June 1997 for downloading and using in your organization;
- slide shows for use in preparing your own informative sessions on Y2K awareness; and
- links to other outstanding and informative year 2000 Web sites.
FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) ACTIVITIES
NIST Conducting Review of FIPS 46-2, Data Encryption Standard
A Federal Register notice of January 15, 1999, announced the draft FIPS 46-3, Data
Encryption Standard (DES), and requested comments. The DES provides specifications
for the Data Encryption Algorithm and is used by federal agencies (and others outside the
government) for the protection of sensitive information. NIST proposes to replace FIPS
46-2 with FIPS 46-3 to provide for the use of Triple DES as specified in the American
National Standards Institute (ANSI) X9.52 standard. FIPS 46-2 and draft FIPS 46-3 may
be downloaded from http://csrc.nist.gov/fips. Comments must be received on or before April
15, 1999. Comments may be sent via e-mail to desreview@nist.gov or mailed to Information
Technology Laboratory, ATTN: Review of Draft FIPS 46-3, NIST, 100 Bureau Drive,
Stop 8970, Gaithersburg, MD 20899-8970. For more information, contact Miles Smid at
(301) 975-2938.
Approval of FIPS 186-1, Digital Signature Standard, as Interim Final Standard and
Request for Comments
On December 15, 1998, a Federal Register notice announced that the Secretary of
Commerce approved an interim final standard, which will be known as FIPS 186-1, Digital
Signature Standard. This interim final standard allows for the use of both the Digital
Signature Algorithm (DSA) and the American National Standards Institute X9.31
standard by federal organizations. The X9.31 standard describes the Rivest-Shamir-Adleman
(RSA) digital signature technique. Specifications of FIPS 186 are available
electronically at http://csrc.nist.gov/fips/. Prior to recommending a final decision, NIST is
seeking comments from the public on or before March 15, 1999. Comments can be sent
electronically to FIPS186RSA@nist.gov or mailed to Information Technology
Laboratory, ATTN: DSS/X9.31, NIST, 100 Bureau Drive, Stop 8970, Gaithersburg, MD
20899-8970. For more information, call Edward Roback at (301) 975-3696.
UPDATE ON NEW PUBLICATIONS
ITL publishes the results of studies, investigations, and research. The reports listed below
may be ordered from the following sources as indicated for each:
Superintendent of Documents
U.S. Government Printing Office (GPO)
P.O. Box 371954
Pittsburgh, PA 15250-7954
Telephone (202) 512-1800
Fax (202) 512-2250
Home Page: http://www.access.gpo.gov
National Technical Information Service (NTIS)
5285 Port Royal Road
Springfield, VA 22161
Telephone (703) 605-6000
Rush Service (800) 553-6847
Fax (703) 321-8547 or (703) 321-9038
Home Page: http://www.ntis.gov/ordernow
Using Model Checking to Generate Tests from Specifications,
By Paul E. Ammann, Paul E. Black, and William Majurski
NISTIR 6166
November 1998
PB99-118812 - $23.00 paper
Order from NTIS - $12.00 microfiche
This paper describes the application of a model checker to the problem of test generation
using a new application of mutation analysis. The method is applied to an example
specification and researchers evaluate the resulting test sets with coverage metrics on a
Java implementation.
User Guide to CADMUS, a Simplified Parallel Routine for Laplacian-Fractal
Growth,
By Howland A. Fowler, Judith E. Devaney, and John G. Hagedorn
NISTIR 6180
June 1998
PB98-146277 - $23.00 paper
Order from NTIS - $12.00 microfiche
This publication describes a model that simulates the growth of high-speed filamentary
streamers, during high-voltage breakdown in liquid dielectrics. Fortran 90 is used as a
high-level parallel language for the code, supplemented by NIST's DPARLIB, a set of
subroutines which extend F90 across block-process boundaries, providing an invisible
interface to the Message Passing Interface (MPI).
Support Vector Machines Applied to Face Recognition
By P. Jonathan Phillips
NISTIR 6241
November 1998
PB99-102667 - $23.00 paper
Order from NTIS - $12.00 microfiche
This report describes the application of support vector machines (SVMs) to face
recognition, resulting in an SVM-based face recognition algorithm. The SVM-based
algorithm is compared with a principal component analysis (PCA)-based algorithm on a
difficult set of images from the FERET database.
Federal Register Document Image Database, NIST Special Database 25 - Volume 1,
By Michael D. Garris, Stanley A. Janet, and William W. Klein
NISTIR 6245
October 1998
PB99-102808 - $29.50 paper
Order from NTIS - $17.00 microfiche
Using a new, fully automated process developed at NIST to derive ground truth for
document images, ITL researchers produced a new document image database for
evaluating Document Analysis and Recognition technologies and Information Retrieval
systems. The database contains scanned images, SGML-tagged ground truth text,
commercial OCR results, and image quality assessment results for pages published in the
1994 Federal Register. These data files are useful in a wide variety of experiments and
research. This volume of the database contains the pages of 20 books published in January of that year.
The OOF Manual: Version 1.0
By W. Craig Carter, Stephen A. Langer, and Edwin R. Fuller, Jr.
NISTIR 6256
November 1998
PB99-118473 - $36.00 paper
Order from NTIS - $17.00 microfiche
OOF and PPM200F are programs developed at NIST to investigate the properties of
microstructures. The user starts with an image of a real or simulated microstructure,
assigns material properties to the features in the image, and performs virtual experiments
to determine the properties of the whole material. The manual describes OOF, the part of
the package that performs the virtual experiments.
UPCOMING TECHNICAL CONFERENCES
North American ISDN Users' Forum (NIUF)
The NIUF addresses high-level concerns over a broad range of Integrated Services Digital
Network (ISDN) issues and seeks to reach consensus on ISDN Implementation
Agreements. Participants include ISDN users, ISDN implementors, ISDN service
providers, and Customer Premise Equipment (CPE) vendors.
Dates: Feb. 22-24, 1999 (NIST); June 21-23, 1999 (Montreal)
Contact: Diane Honeycutt, (301) 975-2937; niuf@nist.gov;
http://www.niuf.nist.gov/misc/niuf.html
12th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference
Founded in 1987, FISSEA is an organization run by and for federal information systems
security professionals. FISSEA assists federal agencies in meeting their computer security
training responsibilities. The annual FISSEA conference addresses the major challenges
confronting information security trainers and educators; this year's theme is "Paradigm
Shifts for Teaching Computer Security in the New Millennium."
Date: March 9-12, 1999
Place: Hilton Hotel, Gaithersburg, Maryland
Contact: Fran Nielsen, (301) 975-3669; fnielsen@nist.gov;
http://csrc.nist.gov/organizations/fissea.html
5th Human Factors and the Web Conference
NIST is hosting the 5th Conference on Human Factors and the Web. The theme this year
is "The Future of Web Applications." This is an annual conference whose purpose is to
provide a forum for sharing information among a community of human factors engineers,
designers, and developers who are interested in producing Web sites that are more useful and usable.
Date: June 3, 1999
Place: NIST, Gaithersburg, Maryland
Contact: Sharon Laskowski, 301-975-4535; sharon.laskowski@nist.gov;
http://www.nist.gov/hfweb
22nd National Information Systems Security Conference
This annual conference is attended by representatives of a broad range of information security
interests spanning the government, industry, and academic communities. This year's
conference theme is "Security Solutions for the New Millennium." The goal of the
conference is to educate the IT community on major information security issues and
solutions, and to promote demand for and investment in information security products, solutions,
and research. Visit the conference Web site at http://csrc.nist.gov/nissc/.
Sponsors: NIST and the National Computer Security Center
Dates: October 18-21, 1999
Place: Hyatt Regency, Crystal City, Virginia
Technical Contact: Patricia Toth, (301) 975-5140; patricia.toth@nist.gov
National Information Assurance Partnership (NIAP) Training Courses
For course descriptions and schedules, visit the NIAP Web site, click on Events, and then click on Training Classes.