Of particular interest to Government Agencies
Federal organizations may be particularly interested in the following NIST security programs and services. These are grouped by: 1) security policies, standards and guidelines; 2) security validated products; 3) training and education; and 4) collaborative work and services.

Security Policies

Security Validated Products

  • Validated Products - NIST operates two security testing programs for IT products: the National Information Assurance Partnership (NIAP) and the Cryptographic Module Validation Program (CMVP). A list of validated products is available at the NIAP and CMVP pages.

    • NIAP, jointly led by NIST and NSA, provides for the voluntary security evaluation of IT products. The evaluation is conducted against a set of security specifications provided to the laboratory by the sponsor of the evaluation. Once the evaluation is successfully completed, a certificate is issued and the product is placed on the NIAP Validated Products list. NIST encourages agencies to use IT products which have been evaluated under NIAP when those products meet their functional requirements.
       
    • The Cryptographic Module Validation Program, jointly led by NIST and the Government of Canada's Communications Security Establishment, provides for the voluntary testing of cryptographic modules (both hardware and software). Testing is conducted against the security specifications detailed in Security Requirements for Cryptographic Modules. Testing is also conducted to help assure the correct implementation of specific cryptographic algorithms approved to protect sensitive information in the Federal government. Within the Federal government, use of cryptographic modules that have been validated under the CMVP has been made mandatory. Note that cryptographic modules are not typically sold directly to consumers but are integrated into commercially available products. Contact: Ray Snouffer

Training and Education

  • Computer Security Resource Center - This site contains information about a variety of computer security issues, products, and research of concern to Federal agencies, industry, and users. This site is operated and maintained by NIST's Computer Security Division as a service to the computer security and IT community. Contact: Joan Hash

  • International Common Criteria Conference - NIST and its international partners annually hold the International Common Criteria Conference, which draws attendance from user organizations, IT vendors and testing labs. The purpose of the conference is to further use and understanding of the Common Criteria. The conference helps ensure not only that we have truly global standards for certifying commercial software products, but also that these bring real benefits for both commercial suppliers and end users in both government and the public sector. Contact: Peggy Himes

  • Software Vulnerability & Patch Information - NIST provides an on-line searchable index of information on computer vulnerabilities known as ICAT. It provides search capability at a fine granularity and links users to vulnerability and patch information. This tool can help agencies ensure that their software is patched and protected against widely known vulnerabilities. Contact: Vincent Hu

  • Details at NIST - Opportunities are available for 6- to 24-month-long details in the security program at NIST. Qualified individuals should contact the Computer Security Division, provide a statement of qualifications, and indicate the area of work that is of interest. Generally speaking, the salary costs are borne by the sponsoring agency; however, in some cases, agency salary costs may be reimbursed by NIST. Contact: Ed Roback

Collaborative Work and Services

  • Security Research - NIST occasionally undertakes security work, primarily in the area of research, funded by other agencies. Such sponsored work is accepted by NIST when it can cost-effectively further the goals of NIST and the sponsoring institution. Contact: Tim Grance

  • Program Review for Information Security Management Assistance (PRISMA) - The NIST Program Review for Information Security Management Assistance (PRISMA) is a new capability which builds upon NIST's former Computer Security Expert Assistance (CSEAT) Team function and has been revised to include more review options and incorporate guidance contained in Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The PRISMA is based upon existing federal directives including the Federal Information Security Management Act (FISMA), NIST guidance and other proven techniques and recognized best practices in the area of information security. Contact: Joan Hash

  • Federal Computer Security Program Managers' Forum - The Forum is an informal group sponsored and chaired by NIST to promote the sharing of computer security information among federal agencies. The Forum discusses current issues and developments of interest to those responsible for protecting sensitive (unclassified) systems. Half-day meetings of the Forum are held bi-monthly in the Washington, DC area (often at the NIST campus in Gaithersburg, Maryland). Forum meetings typically include briefings on topics of general interest to the federal community and provide time for informal sharing of information and requests for assistance regarding the security of federal systems. The Forum also supports the Federal Agency Security Practices (FASP) website. The FASP site contains federal agency policies, procedures and practices, the Federal Chief Information Officers' Council pilot Best Security Practices (BSPs) and a Frequently-Asked-Questions (FAQ) section. The FAQ section is comprised of questions and answers on computer security related issues between the members of the Forum. Contact: Elaine Frye


 

Last updated: August 22, 2004
Page created: February 23, 2001
