On December 10-11, 2003, at the NIST Headquarters in Gaithersburg, Maryland, ITL will host the First NIST Symposium on Building Trust and Confidence in Voting Systems. The goal of the symposium is to provide an open forum for voting and elections stakeholders interested in increasing confidence and trust in the nation’s voting systems. Potential stakeholders include election officials at the federal, state, and local levels, academic researchers, hardware and software vendors of voting systems, disability advocates, independent testing authorities, election lawyers, and voting rights activists.
The Help America Vote Act of 2002 (HAVA) tasked NIST to play a key role in improving the nation’s voting systems by 2006. ITL is coordinating the NIST effort, and Allan Eustis serves as the ITL lead for symposium planning. NIST Director Dr. Arden Bement will chair the December symposium, which will launch the voting standards initiative by bringing together the diverse interests within the election community. The meeting format includes four panels consisting of well-known experts in the voting standards arena:
Panel 1: Specification, Testability, and Qualification in Voting Systems (STAQ)
Moderator: Mark Skall, NIST
Rebecca Mercuri, Harvard University
Herb Deutsch, Institute of Electrical and Electronics Engineers, Inc.
Tom Wilkey, National Association of State Election Directors
Carolyn Coggins, SysTest Labs, LLC
Doug Jones, University of Iowa
Patrick Curran, Sun Microsystems Inc.
Panel 2: Security and Openness in Voting Systems (SEC)
Moderator: Ed Roback, NIST
Aviel Rubin, Johns Hopkins
Jim Adler, Vote Here Inc.
David Dill, Stanford University
Britt Williams, Kennesaw State University
Donetta Davidson, Colorado Secretary of State
Panel 3: Usability and Accessibility in Voting Systems (UA)
Moderator: Sharon Laskowski, NIST
Denise Lamb, Director of Elections, State of New Mexico
Jim Dickson, American Association of People with Disabilities
Steven Booth, National Federation of the Blind
Whitney Quesenbery, Usability Professionals Association
Ted Selker, Massachusetts Institute of Technology
Paul Herrnson, University of Maryland
Sanford Morganstern, Populex Corporation
Moderator: Susan Zevin, NIST
Craig Burkhardt, Department of Commerce General Counsel for Technology
Election Assistance Commission Representatives (Invited)
For more information and online registration, see http://vote.nist.gov/.
ITL Releases Initial Draft of Recommended Security Controls for Federal Information Systems for Public Comment
ITL recently released for public comment the first draft of NIST Special Publication (SP) 800-53, Security Controls for Federal Information Systems. The draft guideline provides a recommended set of controls for low and moderate impact systems, based upon the security categorization definitions in Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems (prepublication final). When completed, the guideline will stand as NIST interim guidance until 2005, which is the statutory deadline to publish minimum standards for all non-national security systems. Both documents are available at http://csrc.nist.gov/publications/drafts.html.
The public comment period for NIST SP 800-53 ends on January 31, 2004. Comments may be submitted electronically at sec-cert@nist.gov or by regular mail to the NIST Computer Security Division, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930. Following the public comment period, ITL will hold an open workshop in March 2004 to share comments and discuss potential revisions to the draft document.
For more information about ITL’s Information System Security Project, see http://csrc.nist.gov/sec-cert/index.html.
ITL has joined the File Signature Database (FSDB) initiative as a research member. The goal of the FSDB initiative is to enable more secure, reliable, and cost-effective computing environments by establishing industry-supported standards and mechanisms for capturing and cataloging file fingerprints from software. ITL joins Tripwire; charter members HP, IBM, InstallShield Software Corporation, and Sun Microsystems, Inc.; and contributing member RSA Security, as a research member to advise on the development, documentation, and implementation of standards for data integrity. An early work item will be to further develop synergy between the FSDB and ITL's National Software Reference Library (NSRL). For more information about the NSRL, see http://www.itl.nist.gov/div897/docs/nsrl.html.
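The following is an added illustration of what "capturing and cataloging file fingerprints" means in practice: a reference catalogue of content digests, queried to tell a known file from a modified or unseen one. It is not code from NIST, Tripwire, or the FSDB initiative; the record layout, the class and function names, and the sample file contents are constructed for this example and do not reproduce the NSRL's actual data format.

```python
"""Added example: building and querying a file-fingerprint catalogue.

Constructed illustration of the idea behind a file signature database;
not code from NIST, Tripwire, or the FSDB initiative. The record layout
(sha1, md5, size, name) is an assumption, not the real NSRL format.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """Digests and size that together identify one file's contents."""
    sha1: str
    md5: str
    size: int


def fingerprint_bytes(data: bytes) -> Fingerprint:
    """Compute the fingerprint of a file's raw contents (SHA-1 and MD5, as
    reference sets of this era commonly carried both, plus the byte length)."""
    return Fingerprint(
        sha1=hashlib.sha1(data).hexdigest(),
        md5=hashlib.md5(data).hexdigest(),
        size=len(data),
    )


class Catalog:
    """Reference set indexed both by content hash and by file name, so a
    lookup can distinguish 'same bytes, different name' from
    'same name, different bytes'."""

    def __init__(self) -> None:
        self.by_sha1: dict[str, set[str]] = {}
        self.by_name: dict[str, Fingerprint] = {}

    def add(self, name: str, data: bytes) -> Fingerprint:
        """Record a known-good file. Re-adding a name overwrites its entry."""
        fp = fingerprint_bytes(data)
        self.by_sha1.setdefault(fp.sha1, set()).add(name)
        self.by_name[name] = fp
        return fp

    def records(self) -> list[str]:
        """Export the catalogue as sorted 'sha1,md5,size,name' rows (assumed layout)."""
        rows = [f"{fp.sha1},{fp.md5},{fp.size},{name}"
                for name, fp in self.by_name.items()]
        return sorted(rows)

    def classify(self, name: str, data: bytes) -> str:
        """Classify an observed file against the catalogue."""
        fp = fingerprint_bytes(data)
        names = self.by_sha1.get(fp.sha1)
        if names is not None and name in names:
            return "known"            # exact match on both content and name
        if names is not None:
            return "known-content"    # catalogued bytes stored under another name
        if name in self.by_name:
            return "modified"         # catalogued name, but the bytes changed
        return "unknown"              # nothing in the reference set matches


# Constructed sample "vendor release" contents; not real binaries.
KNOWN = {
    "vendor/app.exe": b"MZ\x90\x00constructed-sample-binary-v1",
    "vendor/lib.dll": b"MZ\x90\x00constructed-sample-library",
}


def demo() -> dict[str, str]:
    """Build a catalogue from KNOWN and classify a constructed set of
    observed files: one untouched, one patched, one copied under a new
    name, and one never seen before."""
    cat = Catalog()
    for name, data in KNOWN.items():
        cat.add(name, data)
    observed = {
        "vendor/app.exe": KNOWN["vendor/app.exe"],
        "vendor/lib.dll": KNOWN["vendor/lib.dll"] + b"\x00patched",
        "tmp/app_copy.exe": KNOWN["vendor/app.exe"],
        "tmp/dropper.exe": b"constructed-unseen-content",
    }
    return {name: cat.classify(name, data) for name, data in observed.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:14s} {name}")
```

Keying the catalogue on the content digest rather than the file name is what makes the "known-content" case detectable: a renamed copy of a catalogued file still matches, while a same-named file whose bytes differ does not. In a real deployment the catalogue would be populated from vendor media rather than constructed bytes, and the digest set would be chosen to match the reference library being consumed.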
UPDATE ON NEW PUBLICATIONS
ITL publishes the results of research, investigations, and conferences. The reports listed below are available online at http://csrc.nist.gov/publications/nistpubs/index.html.
Guide to Information Technology Security Services
By Tim Grance, Joan Hash, Marc Stevens, Kristofor O'Neal, and Nadya Bartol
NIST Special Publication (SP) 800-35
October 2003
This guide provides assistance with the selection, implementation, and management of IT security services by guiding organizations through the various phases of the IT security services life cycle. The factors to be considered when selecting, implementing, and managing IT security services include the type of service arrangement; service provider qualifications, operational requirements and capabilities, experience, and viability; trustworthiness of service provider employees; and the service provider’s capability to deliver adequate protection for the organization’s systems, applications, and information.
Guide to Selecting Information Security Products
By Tim Grance, Marc Stevens, and Marissa Myers
NIST SP 800-36
October 2003
The selection of IT security products is an integral part of the design, development, and maintenance of an IT security infrastructure. This guide defines broad security product categories, specifies product types within those categories, and provides a list of general characteristics and questions an organization can ask when selecting a product.
Guideline on Network Security Testing
By John Wack, Miles Tracy, and Murugiah Souppaya
NIST SP 800-42
October 2003
This guide stresses the need for an effective security testing program within federal agencies. It identifies network testing requirements, discusses how to prioritize testing activities with limited resources, and describes several network security testing techniques and tools. Also presented is a framework for incorporating security into the information system development life cycle (SDLC) process. The guide seeks to help organizations select and acquire cost-effective security controls by explaining how to include information system security requirements in the SDLC.
Building an Information Technology Security Awareness and Training Program
By Mark Wilson and Joan Hash
NIST SP 800-50
October 2003
This publication provides detailed guidance on designing, developing, implementing, and maintaining a comprehensive awareness and training program, as part of an organization’s IT security program. It provides guidelines that can help federal agencies meet their security training responsibilities contained in the Federal Information Security Management Act (FISMA) of 2002 and Office of Management and Budget (OMB) guidelines.
By Marianne Swanson, Nadya Bartol, John Sabato, Joan Hash, and Laurie Graffo
NIST SP 800-55
April 2003
This document provides guidance on how an organization, through the use of metrics, identifies the adequacy of in-place security controls, policies, and procedures. It provides an approach to help management decide where to invest in additional security protection resources or when to research the causes of nonproductive controls. It explains the metric development and implementation process and how it can also be used to adequately justify security control investments. The results of an effective metric program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports.
By William C. Barker
NIST SP 800-59
August 2003
This document provides guidelines developed in conjunction with the Department of Defense, including the National Security Agency, for identifying an information system as a national security system. The basis for these guidelines is the Federal Information Security Management Act of 2002 (FISMA, Title III, Public Law 107-347, December 17, 2002), which provides government-wide requirements for information security, superseding the Government Information Security Reform Act and the Computer Security Act. These guidelines do not establish requirements for national security systems, but rather assist agencies in determining which, if any, of their systems are national security systems as defined by FISMA and are to be governed by applicable requirements for such systems.
Security Considerations in the Information System Development Life Cycle
By Tim Grance, Joan Hash, and Marc Stevens
NIST SP 800-64
October 2003
The guide presents a framework for incorporating security into the information system development life cycle (SDLC) process. It seeks to help organizations select and acquire cost-effective security controls by explaining how to include information system security requirements in the SDLC.
Picture Password: A Visual Login Technique for Mobile Devices
By Wayne Jansen, Serban Gavrila, Vlad Korolev, Rick Ayers, and Ryan Swanstrom
NISTIR 7030
July 2003
This paper describes a means to authenticate a user to a PDA using a visual login technique called Picture Password. The underlying rationale is that a method for login based on visual image selection is an easy and natural way for users to authenticate, removing the most serious barriers to users’ compliance with corporate policy. While the technique was designed specifically for handheld devices, it is also suitable for notebooks, workstations, and other computational devices.
A Framework for Multi-mode Authentication: Overview and Implementation Guide
By Wayne Jansen, Vlad Korolev, Serban Gavrila, Thomas Heute, and Clement Seveillac
NISTIR 7046
August 2003
This report describes a general Multi-mode Authentication Framework (MAF) for applying organizational security policies, organized into distinct policy contexts known as echelons, among which a user may transition. The approach is aimed at helping users easily comply with their organization’s security policy, yet be able to exercise a significant amount of flexibility and discretion. The design of the framework allows various types of authentication technologies to be incorporated readily and provides a simple interface for supporting different types of policy enforcement mechanisms. Details of the implementation of the framework are provided, as well as two example authentication mechanisms.
UPCOMING TECHNICAL CONFERENCES
This symposium will help to identify standard authentication metrics that can be applied to knowledge-based authentication (KBA) tools and solutions. KBA offers several advantages over traditional (conventional) forms of e-authentication such as passwords, PKI, and biometrics. KBA is a particularly useful tool for remotely authenticating individuals who conduct business electronically with federal agencies or businesses infrequently. In these situations, other authentication tools such as passwords and PKI certificates can be expensive for the application provider to administer and difficult for the remote individual to use. By successfully answering a series of KBA challenge-response queries, an individual's identity can be established without delay. However, the complexity and interdependencies of the KBA solutions used to establish the level of assurance that a remote user is who they claim to be are difficult to quantify.
Audience: Federal agencies, financial community, security researchers, implementers and designers of e-authentication tools and techniques
Sponsors: ITL’s Computer Security Division and the General Services Administration, Office of Electronic Government and Technology
Dates: February 2004 (dates to be announced)
Place: NIST, Gaithersburg, Maryland
Technical contact: Donna Dodson, 301/975-3669, ddodson@nist.gov
Website: available soon at http://csrc.nist.gov
FISSEA Conference: Awareness, Training, and Education, The Driving Force Behind Information Security
Learn how federal agencies are empowering their workforce through IT security awareness, training, and education (ATE). Learn how agency security trainers are responding to the latest technologies, regulations, and threats as they affect ATE. Take away products, techniques, and practices to enhance your own program. Share your experiences and network with your counterparts across government, industry, and academia.
Sponsors: ITL and the Federal Information Systems Security Educator’s Association (FISSEA)
Audience: Information systems security professionals
Dates: March 9-11, 2004
Place: University of Maryland University College, Adelphi, Maryland
Technical contact: Peggy Himes, 301/975-2489, peggy.himes@nist.gov
Website: http://csrc.nist.gov/organizations/fissea/index.html
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.