Guide to Key Services and Materials for the Information Technology Industry
Information Technology (IT) vendors may be particularly interested in the following NIST security programs and services. These are grouped by: 1) security specifications, 2) security testing, 3) marketing and education, and 4) research.
Security Specifications
- Cryptographic Standards - NIST is involved in the development, maintenance, and promotion of a number of standards and guidance documents that cover a wide range of cryptographic technology. As NIST develops new standards, recommendations, and guidance, they are included in a comprehensive Cryptographic Standards Toolkit for protecting data, communications, and operations. The toolkit currently includes a wide variety of cryptographic algorithms and techniques, and more will be added in the future. The standards included have been approved and are recommended for protecting sensitive Federal information, but may also be used by anyone else on a voluntary basis. The Cryptographic Standards Toolkit includes the following categories: Guidance, Encryption, Modes of Operation, Digital Signatures, Secure Hashing, Key Management, Random Number Generation, Message Authentication, Entity Authentication, and Password Usage and Generation. Contact: Elaine Barker.
- Cryptographic Module Security - In addition to specific cryptographic security specifications, a wider range of security specifications for cryptographic modules and IT products is available. Security Requirements for Cryptographic Modules covers 11 areas related to the design and implementation of a cryptographic module. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. Cryptographic modules can then be tested to verify that they conform to these specifications under the Cryptographic Module Validation Program, discussed below. Contact: Ray Snouffer.
- Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) specifications - The Common Criteria provides a methodology for developing security specifications for IT products. These specifications are known as "protection profiles" and "security targets." They are then used as the basis for the evaluation of the security properties of IT products and systems via the National Information Assurance Partnership (NIAP), described below. Contact: Ron Ross.
- PKI - The National Institute of Standards and Technology (NIST) is taking a leadership role in the development of a Federal Public Key Infrastructure that supports digital signatures and other public key-enabled security services. NIST is coordinating with industry and technical groups developing PKI technology to foster interoperability of PKI products and projects. In support of digital signatures, NIST has worked with the Federal PKI Steering Committee to produce digital signature guidance. NIST is currently concentrating on PKI architectures, security requirements for PKI components, and PKI-enabled applications. The PKI architecture work is divided between the development of complex PKIs based on the bridge CA concept and theoretical modeling of PKI performance. The goal of NIST's security requirements work is a Common Criteria Protection Profile. Contact: Tim Polk.
Security Testing
- The National Information Assurance Partnership (NIAP) - NIAP is a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) in fulfilling their respective responsibilities under the Computer Security Act of 1987. Private-sector laboratories are currently accredited as competent under the National Voluntary Laboratory Accreditation Program (NVLAP) to conduct Common Criteria evaluations. Each evaluation is conducted against a set of security specifications provided to the laboratory by the sponsor of the evaluation. Once the evaluation is successfully completed, a certificate is issued and the product is placed on the NIAP Validated Products list. NIST has also led development of an international "Mutual Recognition Arrangement" (MRA) with more than ten international partners (including Canada, Germany, the U.K., and France) so that successful evaluations accomplished in the US are recognized by the MRA partners. NIAP also works with users and vendors to develop security specifications for specific technologies (e.g., Smart Card Forum) or technology application areas (e.g., Healthcare Forum).
- The Cryptographic Module Validation Program (CMVP) - CMVP, jointly led by NIST and the Government of Canada's Communications Security Establishment, provides for the voluntary testing of cryptographic modules (both hardware and software). Private-sector laboratories, which have been accredited as competent under NVLAP, conduct these validations. Testing is conducted against the security specifications detailed in Security Requirements for Cryptographic Modules. Testing is also conducted to help assure the correct implementation of specific cryptographic algorithms approved to protect sensitive information in the Federal government. Once the validation is successfully completed, a certificate is issued and the product is placed on the Cryptographic Module Validation List. Contact: Ray Snouffer.
- IPsec Interoperability Testing - Following a need expressed in the IETF for an Interoperability Test System for the Internet Security Protocol (IPsec) and its associated key negotiation protocol (Internet Key Exchange, or IKE), NIST developed an interactive Web-based IPsec tester. The tester, IPsec-WIT, is based on Cerberus and PlutoPlus, NIST's reference implementations of IPsec and IKE. It enables vendors to test their IPsec and IKE implementations on demand, at any time and from any location. The implementations, and the tester, currently use IPv4, but the intention is to provide an IPv6 version soon, at which time both versions of the tester will be available in parallel. Contact: Sheila Frankel.
Security Education
- International Common Criteria Conference - NIST and its international partners annually hold the International Common Criteria Conference, which draws attendance from user organizations, IT vendors, and testing labs. The purpose of the conference is to further the use and understanding of the Common Criteria. The conference helps ensure not only that we have truly global standards for certifying commercial software products, but also that these bring real benefits for both commercial suppliers and end users in both government and the public sector. Contact: Peggy Himes.
- Computer Security Resource Center - This site contains information about a variety of computer security issues, products, and research of concern to Federal agencies, industry, and users. This site is operated and maintained by NIST's Computer Security Division as a service to the computer security and IT community. Contact: Joan Hash.
Research
- Critical Infrastructure Protection Research Grants Program - This grants program, administered by NIST, funds research in high-priority areas that are not being adequately addressed elsewhere. NIST publishes a call for proposals annually. Grants may be for multi-year work. Contact: Dave Ferraiolo.
- Guest research internships at NIST - Opportunities are available at NIST for 6- to 24-month internships in the security program. Qualified individuals should contact the Computer Security Division, provide a statement of qualifications, and indicate the area of work that is of interest. Generally speaking, the salary costs are borne by the sponsoring institution; however, in some cases, these guest research internships carry a small monthly stipend paid by NIST. Contact: Ed Roback.
Last updated:
August 22, 2004
Page created: January 28, 2000