ACCESSIBILITY TO INFORMATION TECHNOLOGY SOURCES
Over the past three years, ITL actively participated through the
InterNational Committee for Information Technology (INCITS) V2 Technical
Committee in the development of five universal remote console standards. On
September 19, 2005, the American National Standards Institute (ANSI) announced
the adoption of these standards. The five approved standards are:
When adopted by industry, these standards will provide a way
for products to disclose information about their functions and controls to the universal
remote console (i.e., a cell phone, computer, and/or handheld organizer). The universal
remote console could then be easily configured by users to display only the
functions that they need.
In the development of these standards, ITL provided invaluable resources
including technical reviews and editorial changes to the standard
specifications, writing XML schemas, and implementing a prototype environment
for testing the specifications of the standards. The prototype environment has
provided much-needed verification of the standard specifications and is
available for testing future enhancements. The XML schemas are critical for
defining the legal building blocks of the XML documents that industry requires
when implementing the standards.
Through INCITS V2’s International Representative to ISO SC35, working drafts of
these ANSI standards are being developed for adoption as international
standards. The website is http://www.itl.nist.gov/iaui/vvrg/.
Guidance on Creating Implementable Technical Specifications
ITL played an integral role in the drafting and leadership
of the development of the Specification Guidelines and its companion documents.
Quality Assurance Framework: Specification Guidelines successfully completed
the standardization process
and was published as a new World Wide Web Consortium (W3C) Recommendation. The
Specification Guidelines provide clear instructions to writers and editors on
creating implementable technical specifications. The document focuses on how to define
and specify conformance and addresses how a specification might allow variation
among conforming implementations.
Many of ITL’s experiences in developing conformance test suites for W3C technologies
are reflected in the document as good practices, examples, and techniques. The
applicability of the specification guidelines recommendation goes beyond W3C;
it has been used to guide the development of conformance clauses for the Health
Level 7 (HL7) Electronic Health Record System draft standard as well as for the
Voluntary Voting Systems Guidelines to be published by the U.S. Election
Assistance Commission. In addition to the specification guidelines, ITL was
instrumental in writing several companion documents, including the Quality
Assurance Working Group Note: Variability in Specification, which contains
advanced specification design considerations and conformance-related
techniques. The website is http://www.w3.org/TR/qaframe-spec/.
Networking Research Compendium
ITL recently released a compendium of 27 research papers investigating
technical issues surrounding networking for pervasive computing. Six papers
explore interference effects between wireless personal-area networks (WPANs)
and wireless local-area networks (WLANs). Eight additional papers identify and
characterize technical approaches to mitigate interference among WPANs and
WLANs. Six papers investigate robustness of various service discovery systems
proposed by industry. Six papers identify and characterize self-adaptive
approaches to improve performance in discovery systems. The compendium, NIST
Special Publication 500-259, Network for
Pervasive Computing, is available at http://w3.antd.nist.gov/pubs05.shtml.
Proposed Changes to FIPS 201
A Federal Register notice of September 8, 2005, announced proposed changes to FIPS 201, Standard for Personal Identity Verification of Federal Employees and Contractors. The changes to Section 2.2, PIV Identity Proofing and Registration Requirements, and to Section 5.3.1, PIV Card Issuance, will clarify the identity proofing and registration process that departments and agencies should follow when issuing identity credentials. These changes are required to make FIPS 201 consistent with the Memorandum for All Departments and Agencies (M-05-24), issued by the Office of Management and Budget on August 5, 2005, Implementation of Homeland Security Presidential Directive (HSPD) 12--Policy for a Common Identification Standard for Federal Employees and Contractors. Before recommending these proposed changes to FIPS 201 to the Secretary of Commerce for review and approval, NIST invited comments from the public, users, the information technology industry, and federal, state and local government organizations concerning the proposed changes. The public review period ended on October 11, 2005, and ITL is in the process of reviewing and evaluating the comments received. For more information, see http://www.itl.nist.gov/fipspubs/message.htm.
Our list of new publications features work in service discovery systems, text retrieval, key management, and personal identity verification, available online:
A Model-Based Analysis of First-Generation Service Discovery Systems
By Chris Dabrowski, Kevin Mills, and Steve Quirolgico
NIST Special Publication 500-260
October 2005
http://www.antd.nist.gov/pubs/SP500_260final.pdf
Using three widely used service discovery systems as a basis, this publication first presents a high-level overview of the operation of service discovery protocols. A detailed generic model of first-generation service discovery systems, written in UML, follows. The UML model provides an in-depth analysis of the alternative service discovery designs available today, including the major functional components that comprise these designs, the behaviors of these components, and the information they exchange. The report also identifies issues that designers should attempt to resolve in the next generation of service discovery systems.
The Thirteenth Text REtrieval Conference Proceedings (TREC 2004)
Ellen Voorhees and Lori Buckland, Editors
NIST Special Publication 500-261
August 2005
http://trec.nist.gov/pubs/trec13/t13_proceedings.html
This report constitutes the proceedings of the Thirteenth Text REtrieval Conference (TREC 2004) held in Gaithersburg, Maryland, November 16-19, 2004. The conference was co-sponsored by the National Institute of Standards and Technology (NIST), the Defense Advanced Research Projects Agency (DARPA), and the Advanced Research and Development Activity (ARDA).
Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
By Morris Dworkin
NIST Special Publication 800-38B
May 2005
http://csrc.nist.gov/publications/nistpubs/index.html
This recommendation specifies a message authentication code (MAC) algorithm based on a symmetric key block cipher. The block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity, and hence the integrity, of binary data.
Recommendation for Key Management – Part 1: General, and Part 2 – Best Practices for Key Management Organization
By Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid
NIST Special Publication 800-57
August 2005
http://csrc.nist.gov/publications/nistpubs/index.html
This recommendation provides cryptographic key management guidance. The proper management of cryptographic keys is essential to the effective use of cryptography for security. Users and developers are presented with many choices in their use of cryptographic mechanisms. Inappropriate choices may result in an illusion of security, but little or no real security for the protocol or application. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of mechanisms and protocols associated with keys, and the protection afforded the keys.
Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers
By Murugiah Souppaya, John Wack, and Karen Kent
NIST Special Publication 800-70
May 2005
http://csrc.nist.gov/checklists/download_sp800-70.html
This publication is intended for users and developers of IT product security configuration checklists. For checklist users, the document gives an overview of the NIST Checklist Program, explains how to retrieve checklists from NIST’s repository, and provides general information about threat discussions and baseline technical security practices for associated operational environments. For checklist developers, the document sets forth the policies, procedures, and general requirements for participation in the NIST Checklist Program.
Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
By Dennis Branstad, Alicia Clay, and Joan Hash
NIST Special Publication 800-79
July 2005
http://csrc.nist.gov/publications/nistpubs/index.html
This document should be used by any federal department or agency to accredit the reliability of the organization that will issue Personal Identity Verification (PIV) Cards that comply with FIPS 201 to their federal employees or federal contractor employees. The document describes a set of attributes that should be exhibited by a PIV Card Issuing (PCI) organization in order to be accredited and should be used for assessing the reliability of an organization providing PCI services to a federal agency or contractor.
PIV Middleware and On-Card Application Conformance Test Guidance
By Ramaswamy Chandramouli, Levent Eyuboglu, and Ketan Mehta
NIST Special Publication 800-85
October 2005
http://csrc.nist.gov/publications/nistpubs/index.html
This document specifies the test plan, processes, derived test requirements, and detailed test assertions for testing the following: (a) PIV middleware (client application API conformance), (b) PIV on-card application (for conformance to card application card command interface), (c) PIV data objects representation, and (d) PIV authentication use cases. The test requirements are based on the specifications in NIST Special Publication 800-73, Interfaces for Personal Identity Verification.
UPCOMING TECHNICAL CONFERENCES
ANSI/NIST Fingerprint Standard Update Workshop II
The purpose of this workshop is to identify and propose specific modifications and additions to the ANSI/NIST-ITL 1-2000, Standard Data Format for the Interchange of Fingerprint, Facial, & Scar Mark & Tattoo (SMT) Information. Decisions for inclusion of these proposals in the update to the standard will be made at this meeting. The target audience is Automated Fingerprint Identification System (AFIS) vendors, users, consultants, and system integrators; law enforcement and government agency administrators; and other interested parties.
Dates: December 5-6, 2005
Place: NIST, Gaithersburg, Maryland
Sponsors: NIST and Federal Bureau of Investigation
Technical contact: R. Michael McCabe, 301-975-2928, mccabe@nist.gov
Conference website: http://fingerprint.nist.gov/standard/
Nanosecurity Workshop
As the promise of nanotechnology is realized, researchers at
NIST and Southern Methodist University (SMU) recognize the importance of
understanding the security issues associated with fabrication and deployment of
nanodevices. The focus of the workshop is to identify new security applications
enabled with the availability of nanotechnology components and characterize
special security threats and requirements at the nanoscale.
Dates: February 22-23, 2006
Place: NIST, Gaithersburg, Maryland
Technical contact: Donna Dodson, 301-975-3669, ddodson@nist.gov
Conference website: http://www.nist.gov/nano-sec
Hands-on Workshop on Estimating and Reporting Measurement Uncertainty
The purpose of this workshop is to describe the statistical framework and methods needed to develop uncertainty statements based on the ISO Guide to the Expression of Uncertainty in Measurement. The target audience is industry and government metrologists.
Dates: February 27-28, 2005
Place: Measurement Science Conference, Anaheim, California
Technical contact: Will Guthrie, 301-975-2854, william.guthrie@nist.gov
Conference website: http://www.msc-conf.com/msc/index.html
Regression Analysis Using NIST/SEMATECH e-Handbook of Statistical Methods
This workshop will use the handbook to present and illustrate the basics of linear and nonlinear regression along with other topics that are related to regression, such as prediction and calibration. The workshop will emphasize, through practical examples, the proper application of regression techniques. The target audience is industry and government managers.
Dates: February 27-28, 2005
Place: Measurement Science Conference, Anaheim, California
Technical contact: Jolene Splett, 303-497-3808, jsplett@boulder.nist.gov
Conference website: http://www.msc-conf.com/msc/index.html
Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology nor does it imply that the products mentioned are necessarily the best available for the purpose.