ITL PUBLISHES GUIDELINES FOR THE SECURITY CERTIFICATION AND ACCREDITATION OF INFORMATION SYSTEMS
In response to the requirements of the E-Government Act (Public Law 107-347), Title III, Federal Information Security Management Act (FISMA) of December 2002, ITL recently published NIST Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. Developed through an extensive public review process, the document represents a significant contribution to federal agency security management by providing specific recommendations on how to certify and accredit information systems. State, local, and tribal governments, as well as private sector organizations, are encouraged to use the guidelines, as appropriate. The document is available at http://csrc.nist.gov/sec-cert/.
NIST SP 800-37 provides guidelines for the security certification and accreditation of information systems supporting the executive agencies of the federal government. The guidelines have been developed to help achieve more secure information systems within the federal government by:
· Enabling more consistent, comparable, and repeatable assessments of security controls in federal information systems;
· Promoting a better understanding of agency-related mission risks resulting from the operation of information systems; and
· Creating more complete, reliable, and trustworthy information for authorizing officials—to facilitate more informed security accreditation decisions.
Security certification and accreditation are important activities that support a risk management process and are an integral part of an agency’s information security program.
Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control and challenges managers and technical staffs at all levels to implement the most effective security controls possible in an information system, given mission requirements, technical constraints, operational constraints, and cost/schedule constraints. By accrediting an information system, an agency official accepts responsibility for the security of the system and is fully accountable for any adverse impacts to the agency if a breach of security occurs. Thus, responsibility and accountability are core principles that characterize security accreditation.
It is essential that agency officials have the most complete, accurate, and trustworthy information possible on the security status of their information systems in order to make timely, credible, risk-based decisions on whether to authorize operation of those systems. The information and supporting evidence needed for security accreditation are often developed during a detailed security review of an information system, typically referred to as security certification. Security certification is a comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision.
The security certification and accreditation process consists of four distinct phases:
· Initiation Phase;
· Security Certification Phase;
· Security Accreditation Phase; and
· Continuous Monitoring Phase.
Each phase in the security certification and accreditation process consists of a set of well-defined tasks and subtasks that are to be carried out, as indicated, by responsible individuals (e.g., the Chief Information Officer, authorizing official, authorizing official’s designated representative, senior agency information security officer, information system owner, information owner, information system security officer, certification agent, and user representatives).
The Initiation Phase consists of three tasks: (i) preparation; (ii) notification and resource identification; and (iii) system security plan review, analysis, and acceptance. The purpose of this phase is to ensure that the authorizing official and senior agency information security officer are in agreement with the contents of the system security plan before the certification agent begins the assessment of the security controls in the information system.
The Security Certification Phase consists of two tasks: (i) security control assessment; and (ii) security certification documentation. The purpose of this phase is to determine the extent to which the security controls in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. This phase also addresses specific actions taken or planned to correct deficiencies in the security controls and to reduce or eliminate known vulnerabilities in the information system. Upon successful completion of this phase, the authorizing official will have the information needed from the security certification to determine the risk to agency operations, agency assets, or individuals, and thus will be able to render an appropriate security accreditation decision for the information system.
The Security Accreditation Phase consists of two tasks: (i) security accreditation decision; and (ii) security accreditation documentation. The purpose of this phase is to determine if the remaining known vulnerabilities in the information system (after the implementation of an agreed-upon set of security controls) pose an acceptable level of risk to agency operations, agency assets, or individuals. Upon successful completion of this phase, the information system owner will have: (i) authorization to operate the information system; (ii) an interim authorization to operate the information system under specific terms and conditions; or (iii) denial of authorization to operate the information system.
The Continuous Monitoring Phase consists of three tasks: (i) configuration management and control; (ii) security control monitoring; and (iii) status reporting and documentation. The purpose of this phase is to provide oversight and monitoring of the security controls in the information system on an ongoing basis and to inform the authorizing official when changes occur that may affect the security of the system. The activities in this phase are performed continuously throughout the life cycle of the information system.
Completing a security accreditation ensures that an information system will be operated with appropriate management review, that there is ongoing monitoring of security controls, and that reaccreditation occurs periodically in accordance with federal or agency policy and whenever there is a significant change to the system or its operational environment.
Industry is eager to incorporate ITL’s certification and accreditation guidelines into security product lines. In line with the growing IT industry response to the requirements of FISMA, vendors are taking ITL standards and guidelines and creating products that automatically track, format, and provide management workflows to enable users to implement the guidelines.
Five ITL researchers have received a patent for their invention of a refreshable Braille reader and methodology. Led by John Roberts, the development team included Oliver Slattery, David Kardos, Edwin Mulkins, and Bretton Swope. The invention provides apparatus and methods for producing refreshable tactile display, in particular refreshable Braille text that can be streamed at a display surface in either forward or backward order by utilizing bi-directional relative movement of components of the apparatus. The apparatus can be produced at a great reduction in cost of manufacture over known devices, while realizing greatly increased mechanical reliability and simplicity. The website is http://www.itl.nist.gov/div895/tactile.html.
ITL publishes guidance documents, research results, and conference proceedings. The publications listed below are available online:
Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
Morris J. Dworkin
NIST Special Publication 800-38C
May 2004
Available at http://csrc.nist.gov/publications/nistpubs/index.html
This Recommendation defines a mode of operation, called CCM, for a symmetric key block cipher algorithm. CCM may be used to provide assurance of the confidentiality and the authenticity of computer data by combining the techniques of the Counter (CTR) mode and the Cipher Block Chaining-Message Authentication Code (CBC-MAC) algorithm.
Card Technology Development and Gap Analysis Interagency
Report
William C. Barker, Deborah Howard, Tim Grance, Levent Eyuboglu
NISTIR 7056
March 2004
Available at http://csrc.nist.gov/publications/nistir/nistir-7056.pdf
This report presents findings from a July 2003 NIST-sponsored Storage and Processor Card-Based Technologies Workshop, government and industry questionnaires, and feedback from government managers. It makes recommendations regarding policies, infrastructures, standards, and specifications and identifies issues associated with integrating multi-technology composition, security, and interoperability. The intended audience for this document includes federal government, private industry, and public sector interests responsible for developing and implementing storage and processor card technologies programs.
Studies of Plain-to-Rolled Fingerprint Matching Using the NIST Algorithmic Test Bed (ATB)
By Stephen S. Wood and Charles L. Wilson
NISTIR 7112
April 2004
Available at ftp://sequoyah.nist.gov/pub/nist_internal_reports/ir_7112.pdf
This report describes a series of fingerprint matching studies, which were conducted on an experimental laboratory system called the Algorithmic Test Bed (ATB), a system used to test the automated fingerprint identification system (AFIS) component of the FBI's Integrated AFIS (IAFIS). The ATB was designed to match rolled images to a rolled database. These studies measured its performance when making plain to rolled (and plain to plain) matches. Plain to plain matching produced results similar to plain to rolled. The ATB was found to be an accurate model of IAFIS.
Common Biometric Exchange Formats Framework (CBEFF)
By Fernando L. Podio, Jeffrey S. Dunn, Lawrence Reinert, Catherine J. Tilton, Bruno Struif, Fred Herr, James Russell, M. Paul Collier, Mark Jerde, Lawrence O’Gorman, and Brigitte Wirtz
NISTIR 6529-A
April 2004
Available at http://www.itl.nist.gov/div893/biometrics/
This specification is an augmented and revised version of the original CBEFF, the Common Biometric Exchange File Format, published in January 2001 as NISTIR 6529. The CBEFF team developed this version based on the specification approved by the Biometrics Interoperability, Performance, and Assurance Working Group (NIST/BC WG), co-sponsored by NIST and the Biometric Consortium.
UPCOMING TECHNICAL CONFERENCES
Dates: June 3-4, 2004
Place: George Washington University, Washington, DC
Sponsors: NIST and George Washington University
This workshop will consider current mathematical software development efforts and their use in applications to provide a picture of how mathematical software developers are coping with sometimes-competing forces. Topics include mathematical software, software libraries, problem-solving environments, object-oriented numerical computing, grid computing, differential equations, and linear algebra. The target audience is computational scientists and applied mathematicians.
Technical contact: Ronald Boisvert, 301/975-3812, ronald.boisvert@nist.gov
Website: http://math.nist.gov/workshops/wg25-2004/
Date: June 29, 2004
Place: NIST, Gaithersburg, Maryland
This workshop will bring together digital forensic tool users, digital forensic tool vendors, and hashset producers to expand user awareness, improve tool capabilities, and guide hashset development. Attendees will learn details about hashsets, learn from others’ experiences with various tools, get exposure to various products, and give feedback to hashset producers. The target audience is digital forensic tool users, digital forensic tool vendors, and hashset producers.
Technical contact: Douglas White, 301/975-4761, douglas.white@nist.gov
Website: http://www.nsrl.nist.gov/hash-a-pa-looza.html
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.