Guide to Key Services and Materials for the Information Technology Industry

Of particular interest to IT Vendors

Information Technology (IT) vendors may be particularly interested in the following NIST security programs and services. They are grouped into four areas: 1) security specifications, 2) security testing, 3) security education, and 4) research.

Security Specifications

  • Cryptographic Standards - NIST develops, maintains, and promotes a number of standards and guidance documents covering a wide range of cryptographic technology. As NIST issues new standards, recommendations, and guidance, they are added to a comprehensive Cryptographic Standards Toolkit for protecting data, communications, and operations. The toolkit currently includes a wide variety of cryptographic algorithms and techniques, and more will be added in the future. The standards it contains have been approved and are recommended for protecting sensitive Federal information, but anyone else may also use them on a voluntary basis. The Cryptographic Standards Toolkit covers the following categories: Guidance, Encryption, Modes of Operation, Digital Signatures, Secure Hashing, Key Management, Random Number Generation, Message Authentication, Entity Authentication, and Password Usage and Generation. Contact: Elaine Barker.

  • Cryptographic Module Security - In addition to specifications for individual cryptographic algorithms, a wider range of security specifications for cryptographic modules and IT products is available. Security Requirements for Cryptographic Modules (FIPS 140-2) covers 11 areas related to the design and implementation of a cryptographic module. Protecting the cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information the module protects. The standard defines four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. Cryptographic modules can then be tested to verify that they conform to these specifications under the Cryptographic Module Validation Program, discussed below. Contact: Ray Snouffer.

  • Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) specifications - The Common Criteria provides a methodology for writing security specifications for IT products. These specifications are known as "protection profiles" (for a class of products) and "security targets" (for a specific product). They then serve as the basis for evaluating the security properties of IT products and systems through the National Information Assurance Partnership (NIAP), described below. Contact: Ron Ross.

  • PKI - The National Institute of Standards and Technology (NIST) is taking a leadership role in the development of a Federal Public Key Infrastructure that supports digital signatures and other public key-enabled security services. NIST coordinates with industry and technical groups developing PKI technology to foster interoperability of PKI products and projects. In support of digital signatures, NIST has worked with the Federal PKI Steering Committee to produce digital signature guidance. NIST is currently concentrating on PKI architectures, security requirements for PKI components, and PKI-enabled applications. The PKI architecture work is divided between the development of complex PKIs based on the bridge CA concept and theoretical modeling of PKI performance. The goal of NIST's security requirements work is a Common Criteria Protection Profile for PKI components. Contact: Tim Polk.

Security Testing

  • The National Information Assurance Partnership (NIAP) - NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under the Computer Security Act of 1987. Private-sector laboratories accredited as competent under the National Voluntary Laboratory Accreditation Program (NVLAP) conduct Common Criteria evaluations of IT products. Each evaluation is conducted against a set of security specifications (a protection profile or security target, as described above) that the sponsor of the evaluation provides to the laboratory. Once the evaluation is successfully completed, a certificate is issued and the product is placed on the NIAP Validated Products list. NIST has also led development of an international "Mutual Recognition Arrangement" (MRA) with more than ten international partners (including Canada, Germany, the U.K., and France), so that successful evaluations completed in the US are recognized by the MRA partners. NIAP also works with users and vendors to develop security specifications for specific technologies (e.g., Smart Card Forum) or technology application areas (e.g., Healthcare Forum).

  • The Cryptographic Module Validation Program (CMVP) - CMVP, jointly led by NIST and the Government of Canada's Communications Security Establishment, provides for the voluntary testing of cryptographic modules (both hardware and software). Private-sector laboratories accredited as competent under NVLAP conduct these validations. Testing is performed against the security specifications detailed in Security Requirements for Cryptographic Modules. Testing is also performed to help ensure the correct implementation of the specific cryptographic algorithms approved for protecting sensitive information in the Federal government. Once the validation is successfully completed, a certificate is issued and the product is placed on the Cryptographic Module Validation List. Contact: Ray Snouffer.

  • IPsec Interoperability Testing - Following a need expressed in the IETF for an interoperability test system for the Internet Security Protocol (IPsec) and its associated key negotiation protocol (Internet Key Exchange, or IKE), NIST developed an interactive Web-based IPsec tester. The tester, IPsec-WIT, is built on Cerberus and PlutoPlus, NIST's reference implementations of IPsec and IKE. It enables vendors to test their IPsec and IKE implementations against the reference implementations at any time and from any location. The implementations and the tester currently support IPv4; the intention is to provide an IPv6 version soon, at which point both versions of the tester will be available in parallel. Contact: Sheila Frankel.

Security Education

  • International Common Criteria Conference - NIST and its international partners annually hold the International Common Criteria Conference, which draws attendance from user organizations, IT vendors, and testing labs. The purpose of the conference is to further the use and understanding of the Common Criteria. The conference helps ensure not only that there are truly global standards for certifying commercial software products, but also that these standards bring real benefits for commercial suppliers as well as for end users in government and the public sector. Contact: Peggy Himes.

  • Computer Security Resource Center - This site contains information about a variety of computer security issues, products, and research of concern to Federal agencies, industry, and users. It is operated and maintained by NIST's Computer Security Division as a service to the computer security and IT community. Contact: Joan Hash.

Research

  • Critical Infrastructure Protection Research Grants Program - This grants program, administered by NIST, funds research in high-priority areas that are not adequately addressed elsewhere. NIST publishes a call for proposals annually. Grants may be for multi-year work. Contact: Dave Ferraiolo.

  • Guest research internships at NIST - Opportunities are available for 6- to 24-month guest research internships in NIST's computer security program. Qualified individuals should contact the Computer Security Division, provide a statement of qualifications, and indicate the area of work that is of interest. Generally speaking, salary costs are borne by the sponsoring institution; in some cases, however, these guest research internships carry a small monthly stipend paid by NIST. Contact: Ed Roback.

Last updated: August 22, 2004
Page created: January 28, 2000