Guide to Key Services and Materials for the Information Technology Users
Information Technology (IT) users, both individuals and organizations, may
be particularly interested in the following NIST security programs and services.
These are grouped by: 1) training and education, 2) security standards
and guidelines, and 3) security validated products.
Training and Education
- Computer Security Resource Center - This useful site contains information
about a variety of computer security issues, products, and research of
concern to Federal agencies, industry, and users. It also provides links to
a wide variety of security resources, organizations and other material
regarding computer security. This site is operated and maintained by NIST's
Computer Security Division as a service to the computer security and IT
community. Contact: Joan Hash
- Software Vulnerability & Patch Information - NIST provides an
on-line searchable index of information on computer vulnerabilities known
as ICAT. It provides search capability
at a fine granularity and links users to vulnerability and patch information.
This tool can help agencies ensure that their software is patched and
protected against widely known vulnerabilities. Contact: Vincent Hu
- International Common Criteria Conference - NIST and its international
partners annually hold the International Common Criteria Conference, which
draws attendance from user organizations, IT vendors and testing labs. The
purpose of the conference is to further use and understanding of the Common
Criteria. The conference helps ensure that not only do we have truly global
standards for certifying commercial software products, but that these bring
real benefits for both commercial suppliers and end users in both government
and the public sector. Contact: Peggy Himes
Security Standards and Guidelines
- Standards - Under its statutory responsibilities, NIST develops standards
and guidelines to protect sensitive federal systems. While these standards
formally apply only within the Federal government, many organizations in the
private sector voluntarily choose to adopt them as well, particularly those
in the area of cryptography. These standards are formally known as Federal
Information Processing Standards. Examples include the Advanced Encryption
Standard and the Digital Signature Standard. Contact: Elaine Barker
- Guidelines - NIST also develops guidelines in an array of technical (e.g.,
public key infrastructure, PBX security) and security management topics
(e.g., security planning, use of tested products). Contact: Tim Grance
and/or Joan Hash
- ITL Bulletins - ITL Bulletins are published by NIST's Information
Technology Laboratory, of which the Computer Security Division is a component.
Many of these bulletins address security topics, typically about six per
year. Each presents an in-depth discussion of a single topic of significant
interest to the information systems community. The computer security ITL
Bulletins are found here. Contact: Tim Grance
Security Validated Products
- Validated products - NIST operates two security testing programs
for IT products: the National Information Assurance Partnership (NIAP) and
the Cryptographic Module Validation Program. A list of validated products is
available at the NIAP and CMVP pages.
Testing the security of products helps give users higher assurance (but
is no guarantee, of course) that they work as intended.
  - NIAP, jointly led by NIST and NSA, provides for the voluntary security
  evaluation of IT products. The evaluation is conducted against a set of
  security specifications provided to the laboratory by the sponsor of the
  evaluation. Once the evaluation is successfully completed, a certificate
  is issued and the product is placed on the NIAP Validated Products list.
  - The Cryptographic Module Validation Program, jointly led by NIST and the
  Government of Canada's Communications Security Establishment, provides for
  the voluntary testing of cryptographic modules (both hardware and
  software). Testing is conducted against the security specifications
  detailed in Security Requirements for Cryptographic Modules. Testing is
  also conducted to help assure the correct implementation of specific
  cryptographic algorithms approved to protect sensitive information in the
  Federal government. Note that cryptographic modules are typically not sold
  directly to consumers but are integrated into commercially available
  products. Contact: Ray Snouffer
Last updated: August 22, 2004
Page created: January 5, 1999