Federal organizations may be particularly interested in the following NIST security programs and services. These are grouped by: 1) security policies, standards and guidelines; 2) security validated products; 3) training and education; and 4) collaborative work and services.
Security Policies
- Standards - Under its statutory responsibilities, NIST develops standards and guidelines to protect sensitive federal systems. Some of these standards, formally known as Federal Information Processing Standards, have been made mandatory for Federal use by the Secretary of Commerce. This is particularly true for those in the area of cryptography. Examples include the Advanced Encryption Standard and the Digital Signature Standard. Contact: Elaine Barker
- Guidelines - NIST also develops guidelines in an array of technical (e.g., public key infrastructure, PBX security) and security management topics (e.g., security planning, use of tested products). Contact: Tim Grance and/or Joan Hash.
- ITL Bulletins - ITL Bulletins are published by NIST's Information Technology Laboratory, of which the Computer Security Division is a component. Many of these bulletins address security topics, typically about six per year. Each presents an in-depth discussion of a single topic of significant interest to the information systems community. Contact: Tim Grance
- Policies - NIST maintains a listing of Federal security policies applicable to sensitive systems. For example, this includes the Federal Information Security Management Act of 2002, OMB Circular A-130 & Appendix III, Security of Federal Automated Information Resources, and OMB Guidance on Implementing the Government Information Security Reform Act. Contact: Marianne Swanson
Security Validated Products
- Validated Products - NIST operates two security testing programs for IT products: the National Information Assurance Partnership (NIAP) and the Cryptographic Module Validation Program (CMVP). A list of validated products is available at the NIAP and CMVP pages.
- NIAP, jointly led by NIST and NSA, provides for the voluntary security evaluation of IT products. The evaluation is conducted against a set of security specifications provided to the laboratory by the sponsor of the evaluation. Once the evaluation is successfully completed, a certificate is issued and the product is placed on the NIAP Validated Products list. NIST encourages agencies to use IT products which have been evaluated under NIAP when those products meet their functional requirements.
- The Cryptographic Module Validation Program, jointly led by NIST and the Government of Canada's Communications Security Establishment, provides for the voluntary testing of cryptographic modules (both hardware and software). Testing is conducted against the security specifications detailed in Security Requirements for Cryptographic Modules. Testing is also conducted to help assure the correct implementation of specific cryptographic algorithms approved to protect sensitive information in the Federal government. Within the Federal government, use of cryptographic modules that have been validated under the CMVP has been made mandatory. Note that cryptographic modules are not typically sold directly to consumers but are integrated into commercially available products. Contact: Ray Snouffer
Training and Education
- Computer Security Resource Center - This site contains information about a variety of computer security issues, products, and research of concern to Federal agencies, industry, and users. This site is operated and maintained by NIST's Computer Security Division as a service to the computer security and IT community. Contact: Joan Hash
- International Common Criteria Conference - NIST and its international partners annually hold the International Common Criteria Conference, which draws attendance from user organizations, IT vendors and testing labs. The purpose of the conference is to further the use and understanding of the Common Criteria. The conference helps ensure that not only do we have truly global standards for certifying commercial software products, but that these bring real benefits for both commercial suppliers and end users in both government and the public sector. Contact: Peggy Himes
- Software Vulnerability & Patch Information - NIST provides an on-line searchable index of information on computer vulnerabilities known as ICAT. It provides search capability at a fine granularity and links users to vulnerability and patch information. This tool can help agencies ensure that their software is patched and protected against widely known vulnerabilities. Contact: Vincent Hu
- Details at NIST - Opportunities are available at NIST for 6- to 24-month details in the security program. Qualified individuals should contact the Computer Security Division, provide a statement of qualifications, and indicate the area of work that is of interest. Generally speaking, the salary costs are borne by the sponsoring agency; however, in some cases, agency salary costs may be reimbursed by NIST. Contact: Ed Roback
Collaborative Work and Services
- Security Research - NIST occasionally undertakes security work, primarily in the area of research, funded by other agencies. Such sponsored work is accepted by NIST when it can cost-effectively further the goals of NIST and the sponsoring institution. Contact: Tim Grance
- Program Review for Information Security Management Assistance (PRISMA) - The NIST Program Review for Information Security Management Assistance (PRISMA) is a new capability which builds upon NIST's former Computer Security Expert Assistance Team (CSEAT) function and has been revised to include more review options and incorporate guidance contained in Special Publication 800-53, Recommended Security Controls for Federal Information Systems. PRISMA is based upon existing federal directives including the Federal Information Security Management Act (FISMA), NIST guidance and other proven techniques and recognized best practices in the area of information security. Contact: Joan Hash
- Federal Computer Security Program Managers' Forum - The Forum is an informal group sponsored and chaired by NIST to promote the sharing of computer security information among federal agencies. The Forum discusses current issues and developments of interest to those responsible for protecting sensitive (unclassified) systems. Half-day meetings of the Forum are held bi-monthly in the Washington, DC area (often at the NIST campus in Gaithersburg, Maryland). Forum meetings typically include briefings on topics of general interest to the federal community and provide time for informal sharing of information and requests for assistance regarding the security of federal systems. The Forum also supports the Federal Agency Security Practices (FASP) website. The FASP site contains federal agency policies, procedures and practices, the Federal Chief Information Officers' Council pilot Best Security Practices (BSPs) and a Frequently Asked Questions (FAQ) section. The FAQ section consists of questions and answers on computer security related issues exchanged between the members of the Forum. Contact: Elaine Frye
Last updated: August 22, 2004
Page created: February 23, 2001