ITL Publications
NIST PUBLICATION LIST 91

Revised February 2000



Table of Contents

ITL Publications
Computer Security Activities
ITL Bulletins
Special Publications and Other Reports
Access Control and Authentication Technology
Criteria and Assurance
Cryptography
Electronic Commerce
General Computer Security
Network Security
Risk Management
Special Topics
Telecommunications
Federal Information Processing Standards
Access Control (FIPS)
Cryptography (FIPS)
General Computer Security (FIPS)
How To Order Publications
Federal Computer Incident Response Capability (FedCIRC)
Computer Security Resource Clearinghouse
Publication Price List

ITL publications are issued as Special Publications (Spec. Pubs.), NISTIRs (Internal Reports), and ITL (formerly CSL) Bulletins. Special Publications series include the Spec. Pub. 500 series (Information Technology) and the Spec. Pub. 800 series (Computer Security). Computer security-related Federal Information Processing Standards (FIPS) are also included.

For more information about ITL programs, visit our web site at http://www.itl.nist.gov, or write to us at:

Information Technology Laboratory, National Institute of Standards and Technology, Mail Stop 8900, Gaithersburg, MD 20899-0001. Telephone: (301) 975-4601, Fax: (301) 840-1357, E-mail: judith.moline@nist.gov


COMPUTER SECURITY ACTIVITIES

Organizations in all sectors of the economy depend upon information systems and communications networks, and share common requirements to protect sensitive information. ITL works with industry and government to establish secure information technology systems for protecting the integrity, confidentiality, reliability, and availability of information.

Under the Computer Security Act of 1987 (P.L. 104-106), ITL develops computer security prototypes, tests, standards, and procedures to protect sensitive information from unauthorized access or modification. Focus areas include cryptographic technology and applications, advanced authentication, public key infrastructure, internetworking security, criteria and assurance, and security management and support.

ITL BULLETINS

ITL Bulletins are published by NIST's Information Technology Laboratory. Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are available on ITL's Computer Security Resource Clearinghouse. To receive a specific bulletin or to be placed on a mailing list to receive future bulletins, send your name, organization, and mailing address to:

ITL Publications, National Institute of Standards and Technology, Building 225, Room B263, Gaithersburg, MD 20899-0001. Telephone: (301) 975-2832, Fax: (301) 840-1357, E-mail: elizabeth.lennon@nist.gov

ITL BULLETINS VIA E-MAIL

To subscribe to this service, send an e-mail message to listproc@nist.gov with the message "subscribe itl-bulletin" followed by your proper name, e.g., John Doe. For instructions on using listproc, send a message to listproc@nist.gov containing the word HELP. To have the bulletin sent to an e-mail address other than the From address, contact the ITL editor at (301) 975-2832.

Current bulletins include the following:


SPECIAL PUBLICATIONS AND OTHER REPORTS

These publications present the results of NIST studies, investigations, and research on information technology security issues. Special Publications present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. NIST Internal Reports (NISTIRs) describe research of a technical nature of interest to a specialized audience. Publications are sold by the Government Printing Office or the National Technical Information Service, as indicated for each entry on the Publication Price List at the end of the brochure.

ACCESS CONTROL & AUTHENTICATION TECHNOLOGY

NISTIR 6192
A REVISED MODEL FOR ROLE BASED ACCESS CONTROL
By Wayne A. Jansen
July 1998

This report reviews the original Role Based Access Control (RBAC) model, corrects notational problems, and formulates a revised model to address noted discrepancies. The aim is to improve understanding of implications within the original model and to provide a firm baseline for subsequent activities involving the use or implementation of the model.

NIST SPEC PUB 500-157
SMART CARD TECHNOLOGY: NEW METHODS FOR COMPUTER ACCESS CONTROL
By Martha E. Haykin and Robert B. J. Warner
September 1988
This document describes the basic components of a smart card and provides background information on the underlying integrated circuit technologies. The capabilities of a smart card are discussed, especially its applicability for computer security. The report describes research being conducted on smart card access control techniques; other major U.S. and international groups involved in the development of standards for smart cards and related devices are listed in the appendix.

NBS SPEC PUB 500-156
MESSAGE AUTHENTICATION CODE (MAC) VALIDATION SYSTEM: REQUIREMENTS AND PROCEDURES
By Miles Smid, Elaine Barker, David Balenson and Martha Haykin
May 1988
This publication describes the Message Authentication Code (MAC) Validation System (MVS), which was developed by NBS to test message authentication devices for conformance to two data authentication standards (including FIPS 113). It covers the basic design and configuration of the MVS and the requirements and administrative procedures to be followed when requesting validations.

CRITERIA AND ASSURANCE

NISTIR 6068
REPORT ON THE TMACH EXPERIMENT
By Ellen Flahavin, Goswin Eisen, Steve Hill, Heribert Spindler, Julian Straw and Andy Webber
July 1997
This report documents the findings of a multi-national evaluation experiment, funded by the U.S. Advanced Research Projects Agency (ARPA), to explore alternative approaches to security evaluation.

NISTIR 5810
THE TMACH EXPERIMENT PHASE I - PRELIMINARY DEVELOPMENTAL EVALUATION
By Ellen Colvin Flahavin
June 1996
This document describes the multi-national evaluation experiment of the Trusted Mach system. The report focuses on Phase I - The Developmental Evaluation Phase.

NISTIR 5590
PROCEEDINGS REPORT OF THE INTERNATIONAL INVITATION WORKSHOP ON DEVELOPMENTAL ASSURANCE
By Patricia Toth
January 1995
This publication presents the proceedings of an invitational workshop on development assurance held in June 1994. Co-sponsors of the workshop were NIST, the National Security Agency, the Canadian Communications Security Establishment, and the European Commission.

NISTIR 5540
MULTI-AGENCY CERTIFICATION AND ACCREDITATION (C&A) PROCESS: A WORKED EXAMPLE
By Ellen Flahavin, Annabelle Lee, and Dawn Wolcott
December 1994
This document describes a worked example of a multi-agency certification and accreditation process. Although it focuses on the Mountain Pass Project implemented for the Drug Enforcement Administration, the document presents lessons learned and provides practical guidance to federal agencies that perform multi-agency C&A.

NISTIR 5472
A HEAD START ON ASSURANCE PROCEEDINGS OF AN INVITATIONAL WORKSHOP ON INFORMATION TECHNOLOGY (IT) ASSURANCE AND TRUSTWORTHINESS
Marshall D. Abrams and Patricia R. Toth, Editors
August 1994
This document presents the proceedings of a workshop held in March 1994 in Williamsburg, Virginia, to identify crucial issues on assurance in IT systems and to provide input into the development of policy guidance on determining the type and level of assurance appropriate in a given environment.

NISTIR 5153
MINIMUM SECURITY REQUIREMENTS FOR MULTI-USER OPERATING SYSTEMS
By David Ferraiolo, Nickilyn Lynch, Patricia Toth, David Chizmadia, Michael Ressler, Roberta Medlock, and Sarah Weinberg
March 1993
This document provides basic commercial computer system security requirements applicable to both government and commercial organizations. These requirements form the basis for the commercially oriented protection profiles in Volume II of the draft Federal Criteria for Information Technology Security document (known as the Federal Criteria).

NISTIR 4774
A REVIEW OF U.S. AND EUROPEAN SECURITY EVALUATION CRITERIA
By Charles R. Dinkel
March 1992
This report reviews five U.S. and European documents which describe criteria for specifying and evaluating the trust of computer products and systems.

NBS SPEC PUB 500-153
GUIDE TO AUDITING FOR CONTROLS AND SECURITY: A SYSTEM DEVELOPMENT LIFE CYCLE APPROACH
Editors/Authors: Zella G. Ruthberg, Bonnie Fisher, William E. Perry, John W. Lainhart IV, James G. Cox, Mark Gillen, and Douglas B. Hunt
April 1988

CRYPTOGRAPHY

NIST SPEC PUB 800-17
MODES OF OPERATION VALIDATION SYSTEM (MOVS): REQUIREMENTS AND PROCEDURES
By Sharon Keller and Miles Smid
February 1998
The Modes of Operation Validation System (MOVS) specifies the procedures involved in validating implementations of the DES and Skipjack algorithms. It is designed to perform automated testing on Implementations Under Test (IUTs). The MOVS consists of two categories of tests - Known Answer tests and Modes tests - which are detailed for each mode of operation. This publication also specifies the requirements and administrative procedures to be followed by those seeking formal NIST validation of an implementation of the DES or Skipjack algorithm.

NIST SPEC PUB 800-15
MINIMUM INTEROPERABILITY SPECIFICATION FOR PKI COMPONENTS (MISPC), VERSION 1
By William E. Burr, Donna F. Dodson, Noel A. Nazario, and William T. Polk
January 1998
The Minimum Interoperability Specification for PKI Components (MISPC) supports interoperability for a large-scale public key infrastructure (PKI) that issues, revokes, and manages X.509 version 3 digital signature public key certificates and version 2 certificate revocation lists (CRLs). The MISPC supports both hierarchical and network trust models.

NISTIR 5788
PUBLIC KEY INFRASTRUCTURE INVITATIONAL WORKSHOP SEPTEMBER 28, 1995, MITRE CORPORATION, MCLEAN, VIRGINIA
William E. Burr, Editor
November 1995
This report constitutes the proceedings of an invitational workshop cosponsored by NIST, the Security Infrastructure Program Management Office (SI-PMO), and the MITRE Corporation. Papers were presented on the current state of technology and standards for a Public Key Infrastructure, management and technical issues, escrowing keys used for confidentiality exchanges, and cost models.

NISTIR 5234
REPORT OF THE NIST WORKSHOP ON DIGITAL SIGNATURE CERTIFICATE MANAGEMENT, DECEMBER 10-11, 1992
Dennis K. Branstad, Editor
August 1993
This report summarizes the major topics of discussion at a workshop on Digital Signature Certificate Management held at NIST on December 10-11, 1992. The purpose of the workshop was to review existing and required technologies for digital signature certification and to develop recommendations for certificate contents and formats.

NIST SPEC PUB 800-2
PUBLIC-KEY CRYPTOGRAPHY
By James Nechvatal
April 1991
This publication surveys public-key cryptography, discussing the theory and examining examples of public-key cryptosystems. The related topics of digital signatures, hash functions, and zero-knowledge protocols are also covered.

NBS SPEC PUB 500-61
MAINTENANCE TESTING FOR THE DATA ENCRYPTION STANDARD
By Jason Gait
August 1980

ELECTRONIC COMMERCE

NIST SPEC PUB 800-9
GOOD SECURITY PRACTICES FOR ELECTRONIC COMMERCE, INCLUDING ELECTRONIC DATA INTERCHANGE
Roy G. Saltman, Editor
December 1993
This report presents security procedures and techniques, including internal controls and checks, that constitute good practice in the design, development, testing, and operation of electronic commerce systems. Security techniques considered include audit trails, contingency planning, use of acknowledgements, electronic document management, activities of support networks, user access controls to systems and networks, and cryptographic techniques for authentication and confidentiality.

GENERAL COMPUTER SECURITY

NIST SPEC PUB 800-18
GUIDE FOR DEVELOPING SECURITY PLANS FOR INFORMATION TECHNOLOGY SYSTEMS
By Marianne Swanson and Federal Computer Security Program Managers' Forum
December 1998
This guideline addresses the development of security plans that document the management, technical, and operational controls for federal automated information systems. Written primarily for federal agencies, the concepts are also valuable for industry organizations interested in establishing security plans.

NIST SPEC PUB 800-16
INFORMATION TECHNOLOGY SECURITY TRAINING REQUIREMENTS: A ROLE- AND PERFORMANCE-BASED MODEL (supersedes NIST Spec Pub 500-172)
Mark Wilson, Editor; Dorothea E. de Zafra, Sadie I. Pitcher, John D. Tressler, and John B. Ippolito
March 1998
This document is designed for use by federal agencies that develop security training and awareness courses, and for personnel who develop information technology (IT) security training for government use. The document emphasizes training criteria or standards rather than the fixed content of specific courses and audiences. The emphasis on roles and results gives the training requirements flexibility, adaptability, and longevity.

NIST SPEC PUB 800-14
GENERALLY ACCEPTED PRINCIPLES AND PRACTICES FOR SECURING INFORMATION TECHNOLOGY SYSTEMS
By Marianne Swanson and Barbara Guttman
June 1996
This document provides a baseline that organizations can use to establish and review their information technology (IT) security programs. It presents a foundation of generally accepted system security principles and gives common practices that are used in securing IT systems. The guideline assists managers, internal auditors, users, system developers, and security professionals to gain an understanding of basic security requirements.

NIST SPEC PUB 800-12
AN INTRODUCTION TO COMPUTER SECURITY: THE NIST HANDBOOK
By Barbara Guttman and Edward Roback
October 1995
This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It gives a broad overview of computer security to help readers understand their computer security needs and to develop a sound approach in selecting appropriate security controls.

NISTIR 5308
GENERAL PROCEDURES FOR REGISTERING COMPUTER SECURITY OBJECTS
Noel A. Nazario, Editor
December 1993
This publication describes the object-independent procedures for operating the Computer Security Objects Register (CSOR) which services organizations and individuals seeking to use a common set of tools and techniques in computer security.

NIST SPEC PUB 800-6
AUTOMATED TOOLS FOR TESTING COMPUTER SYSTEM VULNERABILITY
By W. Timothy Polk
December 1992
This document discusses the use of automated tools to perform system vulnerability tests. The tests examine a system for vulnerabilities that can result from improper use of controls or mismanagement, such as easily guessed passwords or improperly protected system files.

NIST SPEC PUB 800-5
A GUIDE TO THE SELECTION OF ANTI-VIRUS TOOLS AND TECHNIQUES
By W. Timothy Polk and Lawrence E. Bassham
December 1992
This guide gives criteria for judging the functionality, practicality, and convenience of anti-virus tools so that users can determine which tools are best suited to target environments.

NISTIR 4939
THREAT ASSESSMENT OF MALICIOUS CODE AND EXTERNAL ATTACKS
By Lawrence E. Bassham and W. Timothy Polk
October 1992
This report provides an assessment of the threats associated with malicious code and external attacks on systems using commercially available hardware and software.

NIST SPEC PUB 800-4
COMPUTER SECURITY CONSIDERATIONS IN FEDERAL PROCUREMENTS: A GUIDE FOR PROCUREMENT INITIATORS, CONTRACTING OFFICERS, AND COMPUTER SECURITY OFFICIALS
By Barbara Guttman
March 1992
This document assists federal agencies in selecting and acquiring cost-effective computer security by explaining how to include computer security requirements in federal information processing procurements.

NISTIR 4749
SAMPLE STATEMENTS OF WORK FOR FEDERAL COMPUTER SECURITY SERVICES: FOR USE IN-HOUSE OR CONTRACTING OUT
Dennis M. Gilbert, Project Leader
Nickilyn Lynch, Editor
December 1991
This document presents a set of Statements of Work (SOWs) describing significant computer security activities. It assists federal agencies and government contractors in the acquisition of computer security services by standardizing the description of typical services available from within or outside of the organization.

NIST SPEC PUB 800-3
ESTABLISHING A COMPUTER SECURITY INCIDENT RESPONSE CAPABILITY (CSIRC)
By John Wack
November 1991
This publication describes increased computer security efforts, designated as Computer Security Incident Response Capabilities (CSIRC), which offer an efficient and cost-effective response to computer security threats. A CSIRC is a proactive approach to computer security, one that combines reactive capabilities with active steps to prevent future incidents.

NIST SPEC PUB 500-172
COMPUTER SECURITY TRAINING GUIDELINES
By Mary Anne Todd and Constance Guitian
November 1989
These guidelines provide a framework for determining the training needs of employees involved with computer systems. They describe the learning objectives of agency computer security training programs (what the employee should know and be able to direct or actually perform) so that agencies may use the guidance to develop or acquire training programs that fit the agency environment.

NIST SPEC PUB 500-166
COMPUTER VIRUSES AND RELATED THREATS: A MANAGEMENT GUIDE
By John P. Wack and Lisa J. Carnahan
August 1989
This document contains guidance for managing the threats of computer viruses and related software and unauthorized use. It is geared towards managers of end-user groups and managers dealing with multi-user systems, personal computers and networks. The guidance is general and addresses the vulnerabilities that are most likely to be exploited.

NBS SPEC PUB 500-134
GUIDE ON SELECTING ADP BACKUP PROCESS ALTERNATIVES
By Irene Isaac
November 1985

NBS SPEC PUB 500-133
TECHNOLOGY ASSESSMENT: METHODS FOR MEASURING THE LEVEL OF COMPUTER SECURITY
By William Neugent, John Gilligan, Lance Hoffman, and Zella G. Ruthberg
October 1985

NBS SPEC PUB 500-120
SECURITY OF PERSONAL COMPUTER SYSTEMS - A MANAGEMENT GUIDE
By Dennis D. Steinauer
January 1985

NETWORK SECURITY

NIST SPEC PUB 800-10
KEEPING YOUR SITE COMFORTABLY SECURE: AN INTRODUCTION TO INTERNET FIREWALLS
By John P. Wack and Lisa J. Carnahan
December 1994
This publication provides an overview of the Internet and security-related problems. It describes firewall components, the reasoning behind firewall usage, several types of network access policies, and resources for more information. The document assists federal and industry users in planning and purchasing a firewall.

NIST SPEC PUB 800-7
SECURITY IN OPEN SYSTEMS
By R. Bagwill, J. Barkley, L. Carnahan, S. Chang, R. Kuhn, P. Markovitz, A. Nakassis, K. Olsen, M. Ransom, and J. Wack; John Barkley, Editor
July 1994
This report provides information for service designers and programmers involved in the development of telecommunications application software; it focuses on building security into software based on open system platforms. The document is also useful for product planners, administrators, users, and management personnel who are interested in understanding the capabilities and limitations of open systems.

NISTIR 5232
REPORT OF THE NSF/NIST WORKSHOP ON NSFNET/NREN SECURITY, JULY 6-7, 1992
By Arthur E. Oldehoeft
May 1993
This report describes a workshop hosted by NIST and sponsored by the National Science Foundation to address the need for improving the security of national computer networks.

NISTIR 4734
FOUNDATIONS OF A SECURITY POLICY FOR USE OF THE NATIONAL RESEARCH AND EDUCATIONAL NETWORK
By Arthur E. Oldehoeft
February 1992
This report explores the foundations of a national network security policy and proposes a draft policy for the National Research and Educational Network (NREN).

RISK MANAGEMENT

NIST SPEC PUB 500-174
GUIDE FOR SELECTING AUTOMATED RISK ANALYSIS TOOLS
By Irene E. Gilbert
October 1989
This document recommends a process for selecting automated risk analysis tools, describing important considerations for developing selection criteria for acquiring risk analysis software. The report describes three essential elements that should be present in an automated risk analysis tool: data collection, analysis, and output results. It is intended primarily for managers and those responsible for managing risks in computer and telecommunications systems.

NBSIR 86-3386
WORK PRIORITY SCHEME FOR EDP AUDIT AND COMPUTER SECURITY REVIEW
By Zella Ruthberg and Bonnie Fisher
August 1986
This publication describes a methodology for prioritizing the work performed by EDP auditors and computer security reviewers. Developed at an invitational workshop attended by government and private sector experts, the work plan enables users to evaluate computer systems for both EDP audit and security review functions and to develop a measurement of the risk of the systems. Based on this measure of risk, the auditor can then determine where to spend review time.

SPECIAL TOPICS

NISTIR 5570
AN ASSESSMENT OF THE DOD GOAL SECURITY ARCHITECTURE (DGSA) FOR NON-MILITARY USE
By Arthur E. Oldehoeft
November 1994
This study assesses the potential of the DGSA as a model and framework for the development of non-military computer and information security architectures.

NIST GCR 94-654
FEDERAL CERTIFICATION AUTHORITY LIABILITY AND POLICY
By Michael S. Baum
June 1994
This report identifies technical, legal, and policy issues affecting a certificate-based public key cryptographic infrastructure utilizing digital signatures supported by "trusted entities."

NISTIR 5283
SECURITY OF SQL-BASED IMPLEMENTATIONS OF PRODUCT DATA EXCHANGE USING STEP
By Lawrence E. Bassham and W. Timothy Polk
October 1993
This report examines the security implications of the versions of the SQL standard as used to implement the Standard for the Exchange of Product Model Data (STEP), an emerging international standard.

NIST SPEC PUB 800-8
SECURITY ISSUES IN THE DATABASE LANGUAGE SQL
By W. Timothy Polk and Lawrence E. Bassham
August 1993
The Database Language SQL is a standard interface for accessing and manipulating relational databases. This document examines the security functionality that might be required of relational database management systems (DBMS) and compares these functions with the requirements and options of the SQL specifications.

NBS SPEC PUB 500-158
ACCURACY, INTEGRITY, AND SECURITY IN COMPUTERIZED VOTE-TALLYING
By Roy G. Saltman
August 1988
This study surveys some events concerning computerized vote-tallying and reviews current problems. The report recommends that accepted practices of internal control be applied to vote-tallying, including the use of software for integrity and logical correctness; dedicated software use and dedicated operation; improved design and certification of vote-tallying systems that do not use ballots; and improved pre-election testing and partial manual recounting of ballots.

TELECOMMUNICATIONS

NIST SPEC PUB 800-13
TELECOMMUNICATIONS SECURITY GUIDELINES FOR TELECOMMUNICATIONS MANAGEMENT NETWORK
By John Kimmins, Charles Dinkel, and Dale Walters
October 1995
This document gives guidance on enhancing the security of the Public Switched Network (PSN) which provides critical commercial telecommunications services and National Security and Emergency Preparedness (NSEP). The guidance assists telecommunications vendors in developing systems and service providers in implementing systems with appropriate security for integration into the PSN. It is also useful to government agencies or commercial organizations in formulating a specific security policy.

NIST SPEC PUB 800-11
THE IMPACT OF THE FCC's OPEN NETWORK ARCHITECTURE ON NS/EP TELECOMMUNICATIONS SECURITY
By Karen Olsen and John Tebbutt
February 1995
This report provides an overview of the Federal Communications Commission's Open Network Architecture (ONA), describes National Security and Emergency Preparedness (NS/EP) telecommunications security concerns, and details NS/EP telecommunications security concerns that the FCC's ONA requirement introduces into the Public Switched Network (PSN).

NIST GCR 93-635
PRIVATE BRANCH EXCHANGE (PBX) SECURITY GUIDELINES
September 1993
This document presents the basic concepts of PBX security. It describes a telephone switch system, hardware and software assets, specific security threats, and the functions of the PBX administrator. An example of a security policy and some controls needed to secure the PBX environment are also given.

NIST SPEC PUB 500-189
SECURITY IN ISDN
By William E. Burr
September 1991
This document discusses the standards needed to implement user security in Integrated Services Digital Network (ISDN) technology. The publication provides a broad discussion of user security needs and suggests possible solutions.

NIST SPEC PUB 500-137
SECURITY FOR DIAL-UP LINES
By Eugene F. Troy
July 1986
This publication describes a set of solutions to the problem of intrusion into government and private computers via dial-up telephone lines, the so-called "hacker problem."

FEDERAL INFORMATION PROCESSING STANDARDS

Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST) after approval by the Secretary of Commerce pursuant to Section 5131 of the Information Technology Reform Act of 1996, Public Law 104-106, and the Computer Security Act of 1987 (Public Law 100-235).

FIPS PUBS are sold by the National Technical Information Service (NTIS), U.S. Department of Commerce. The FIPS Home Page is http://www.nist.gov/itl/fipspubs/ .

Information Technology Laboratory, Mail Stop 8900, National Institute of Standards and Technology, Gaithersburg, MD 20899-8900, Telephone: (301) 975-2832, Fax: (301) 840-1357, E-mail: Elizabeth Lennon.

ACCESS CONTROL (FIPS)

FIPS PUB 48
GUIDELINES ON EVALUATION OF TECHNIQUES FOR AUTOMATED PERSONAL IDENTIFICATION
April 1977
This guideline discusses the performance of personal identification devices, how to evaluate them and considerations for their use within the context of computer systems security.

FIPS PUB 83
GUIDELINE ON USER AUTHENTICATION TECHNIQUES FOR COMPUTER NETWORK ACCESS CONTROL
September 1980
This document provides guidance in the selection and implementation of techniques for authenticating the users of remote terminals in order to safeguard against unauthorized access to computers and computer networks. It describes the use of passwords, identification tokens, verification by means of personal attributes, identification of remote devices, the role of encryption in network access control, and computerized authorization techniques.

FIPS PUB 112
STANDARD ON PASSWORD USAGE
May 1985
This standard defines ten factors to be considered in the design, implementation, and use of access control systems that are based on passwords. It specifies minimum security criteria for such systems and provides guidance for selecting additional security criteria for password systems which must meet higher security requirements.

FIPS PUB 190
GUIDELINE FOR THE USE OF ADVANCED AUTHENTICATION TECHNOLOGY ALTERNATIVES
September 1994
This guideline describes the primary alternative methods for verifying the identities of computer system users, and provides recommendations to federal agencies and departments for the acquisition and use of technology which supports these methods.

CRYPTOGRAPHY (FIPS)

FIPS PUB 46-2
DATA ENCRYPTION STANDARD
December 1993 (Reaffirmed until 1998, FIPS PUB 46-3 is in progress)
This standard reaffirms the Data Encryption Algorithm (DEA) until 1998 and allows for implementation of the DEA in software, firmware or hardware. The DEA is a mathematical algorithm for encrypting and decrypting binary-coded information.

FIPS PUB 74
GUIDELINES FOR IMPLEMENTING AND USING THE NBS DATA ENCRYPTION STANDARD
April 1981
This document provides guidance for the use of cryptographic techniques when such techniques are required to protect sensitive or valuable computer data. For use in conjunction with FIPS PUB 46-2 and FIPS PUB 81.

FIPS PUB 81
DES MODES OF OPERATION
December 1980
This standard defines four modes of operation for the Data Encryption Standard which may be used in a wide variety of applications. The modes specify how data will be encrypted (cryptographically protected) and decrypted (returned to original form). The modes included in this standard are the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

FIPS PUB 113
STANDARD ON COMPUTER DATA AUTHENTICATION
May 1985
This standard specifies a Data Authentication Algorithm (DAA) which, when applied to computer data, automatically and accurately detects unauthorized modifications, both intentional and accidental. Based on the Data Encryption Standard (DES), this standard is compatible with the requirements adopted by the Department of the Treasury and the banking community to protect electronic fund transfer transactions.

FIPS PUB 139
INTEROPERABILITY AND SECURITY REQUIREMENTS FOR USE OF THE DATA ENCRYPTION STANDARD IN THE PHYSICAL LAYER OF DATA COMMUNICATIONS
August 1983
This standard facilitates the interoperation of government data communication facilities, systems, and data that require cryptographic protection using the Data Encryption Standard (DES) algorithm. The standard specifies interoperability and security-related requirements using encryption at the Physical Layer of the ISO Open Systems Interconnection (OSI) Reference Model (International Standard 7498) in the telecommunications systems conveying ADP or narrative text information.

FIPS PUB 140-1
SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
January 1994
This standard provides specifications for cryptographic modules which can be used within computer and telecommunications systems to protect unclassified information in a variety of different applications.

FIPS PUB 141
INTEROPERABILITY AND SECURITY REQUIREMENTS FOR USE OF THE DATA ENCRYPTION STANDARD WITH CCITT GROUP 3 FACSIMILE EQUIPMENT
April 1985
This standard specifies interoperability and security-related requirements for use of encryption with International Telegraph and Telephone Consultative Committee (CCITT), Group 3 type facsimile equipment conveying Automatic Data Processing (ADP) and/or narrative text information.

FIPS PUB 171
KEY MANAGEMENT USING ANSI X9.17
April 1992
This standard specifies a selection of options for the automated distribution of keying material by the federal government when using the protocols of ANSI X9.17. The standard defines procedures for the manual and automated management of keying materials and contains a number of options. The selected options will allow the development of cost effective systems which will increase the likelihood of interoperability.

FIPS PUB 180-1
SECURE HASH STANDARD
April 1995
This standard specifies a Secure Hash Algorithm (SHA) which can be used to generate a condensed representation of a message called a message digest. The SHA is required for use with the Digital Signature Algorithm (DSA) as specified in the Digital Signature Standard (DSS) and whenever a secure hash algorithm is required for federal applications. The SHA is used by both the transmitter and intended receiver of a message in computing and verifying a digital signature.

FIPS PUB 181
AUTOMATED PASSWORD GENERATOR (APG)
October 1993
This publication specifies a standard to be used by federal organizations that require computer generated pronounceable passwords to authenticate the personal identity of an automated data processing (ADP) system user, and to authorize access to system resources. The standard describes an automated password generation algorithm that randomly creates simple pronounceable syllables as passwords. The password generator accepts input from a random number generator based on the Data Encryption Standard (DES) cryptographic algorithm defined in FIPS PUB 46-2.

FIPS PUB 185
ESCROWED ENCRYPTION STANDARD (EES)
February 1994
This standard specifies a technology developed by the federal government to provide strong encryption protection for unclassified information and to provide that the keys used in the encryption and decryption processes are escrowed.

FIPS PUB 186-1
DIGITAL SIGNATURE STANDARD (DSS)
December 1998
This standard specifies a suite of algorithms that can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature in proving to a third party that the signature was in fact generated by the signatory. This is known as nonrepudiation since the signatory cannot, at a later time, repudiate the signature.

FIPS PUB 196
ENTITY AUTHENTICATION USING PUBLIC KEY CRYPTOGRAPHY
February 1997
This standard specifies two challenge-response protocols by which entities in a computer system may authenticate their identities to one another. These protocols may be used during session initiation, and at any other time that entity authentication is necessary. Depending on which protocol is implemented, either one or both entities involved may be authenticated. The defined protocols are derived from an international standard for entity authentication based on public key cryptography, which uses digital signatures and random number challenges.


GENERAL COMPUTER SECURITY (FIPS)

FIPS PUB 31
GUIDELINES FOR ADP PHYSICAL SECURITY AND RISK MANAGEMENT
June 1974
This document provides guidance to federal organizations in developing physical security and risk management programs for their ADP facilities. Covers security analysis, natural disasters, failure of supporting utilities, system reliability, procedural measures and controls, protection of off-site facilities, contingency plans, security awareness, and security audit. Can be used as a checklist for planning and evaluating the security of computer systems.

FIPS PUB 41
COMPUTER SECURITY GUIDELINES FOR IMPLEMENTING THE PRIVACY ACT OF 1974
May 1975
This publication provides guidance in the selection of technical and related procedural methods for protecting personal data in automated information systems. Discusses categories of risks and the related safeguards for physical security, information management practices, and system controls to improve system security.

FIPS PUB 73
GUIDELINES FOR SECURITY OF COMPUTER APPLICATIONS
June 1980
This guideline describes the different security objectives for a computer application, explains the control measures that can be used, and identifies the decisions that should be made at each stage in the life cycle of a sensitive computer application. For use in planning, developing and operating computer systems which require protection. Fundamental security controls such as data validation, user identity verification, authorization, journaling, variance detection, and encryption are discussed.

FIPS PUB 87
GUIDELINES FOR ADP CONTINGENCY PLANNING
March 1981
This guideline describes what should be considered when developing a contingency plan for an ADP facility. Provides a suggested structure and format which may be used as a starting point from which to design a plan to fit each specific operation.

FIPS PUB 102
GUIDELINE FOR COMPUTER SECURITY CERTIFICATION AND ACCREDITATION
September 1983
This guideline describes how to establish and carry out a certification and accreditation program for computer security. Certification consists of a technical evaluation of a sensitive system to see how well it meets its security requirements. Accreditation is the official management authorization for the operation of the system and is based on the certification process.

FIPS PUB 188
STANDARD SECURITY LABEL FOR INFORMATION TRANSFER
September 1994
This standard defines a security label syntax for information exchanged over data networks and provides label encodings for use at the Application and Network Layers of the Open Systems Interconnection (OSI) Reference Model. Security labels convey information used by protocol entities to determine how to handle data communicated between open systems. Information on a security label can be used to control access, specify protective measures, and determine additional handling restrictions required by a communications security policy.

FIPS PUB 191
GUIDELINE FOR THE ANALYSIS OF LOCAL AREA NETWORK SECURITY
November 1994
This guideline can be used as a tool to help improve the security of a local area network (LAN). A LAN security architecture is described that discusses threats and vulnerabilities that should be examined, as well as security services and mechanisms that should be explored.


COMPUTER SECURITY RESOURCE CLEARINGHOUSE

ITL maintains an electronic Computer Security Resource Clearinghouse (CSRC) to encourage the sharing of information on computer security. The CSRC contains computer security awareness and training information, publications, conferences, software tools, security alerts, and prevention measures. The CSRC system, available 24 hours a day, also points to other computer security servers.

Internet Access
To access the clearinghouse via an http client, use the following Uniform Resource Locator (URL): http://csrc.nist.gov. For information on the Cryptographic Module Validation Program: http://csrc.nist.gov/cryptval/


FedCIRC

The Federal Computer Incident Response Capability (FedCIRC) is a new initiative undertaken by NIST, the Department of Energy's Computer Incident Advisory Capability (CIAC), and the Carnegie Mellon Software Engineering Institute's CERT/CC. These established computer security organizations have banded together to offer the federal civilian community assistance and guidance in handling computer security-related incidents.

Most agencies require incident response assistance now because of their rapid and expanding involvement in the use of the Internet and other networking technologies. OMB has recognized this long-term need by requiring agency incident response capabilities in OMB Circular A-130 (Appendix III). FedCIRC is designed to address those near-term and long-term needs.

For more information on FedCIRC, call (301) 975-4369, e-mail fedcirc-info@fedcirc.nist.gov, or visit the Web site at: http://csrc.nist.gov/fedcirc.


PUBLICATION PRICE LIST

PUBLICATION ORDERING NUMBER PRICE
SPEC PUB 500-61 PB80-221211 $24.50
SPEC PUB 500-120 PB85-161040 $27.00
SPEC PUB 500-133 PB86-129954 $47.50
SPEC PUB 500-134 PB86-154820 $24.50
SPEC PUB 500-137 PB86-213097 $31.50
SPEC PUB 500-153 PB88-217450 $55.00
SPEC PUB 500-156 PB88-223441 $27.00
SPEC PUB 500-157 PB89-129514 $27.00
SPEC PUB 500-158 PB89-114136 $35.00
SPEC PUB 500-166 PB90-115601 $24.50
SPEC PUB 500-172 PB90-780172 $24.50
SPEC PUB 500-174 PB90-148784 $24.50
SPEC PUB 500-189 PB92-116391 $27.00
SPEC PUB 800-2 PB91-187864 $39.00
SPEC PUB 800-3 PB92-123140 $24.50
SPEC PUB 800-4 PB92-183714 $31.50
SPEC PUB 800-5 PB93-152049 $24.50
SPEC PUB 800-6 PB93-146025 $24.50
SPEC PUB 800-7 PB95-105383 $67.50
SPEC PUB 800-8 PB94-104585 $19.50
SPEC PUB 800-9 PB94-139045 $21.50
SPEC PUB 800-10 PB95-182275 $34.00
SPEC PUB 800-11 PB95-189445 $28.50
SPEC PUB 800-12 PB96-131610 $54.00
SPEC PUB 800-13 PB96-139415 $19.50
SPEC PUB 800-14 PB97-110811 $21.50
SPEC PUB 800-15 SN003-003-03494-1 $8.50
SPEC PUB 800-16 PB98-153513 $51.00
SPEC PUB 800-17 SN003-003-03567-0 $13.00
SPEC PUB 800-18 PB99-105116 $33.00
NBSIR 86-3386 PB86-247897 $27.00
NIST GCR 93-635 PB94-100880 $21.50
NIST GCR 94-654 PB94-191202 $61.00
NISTIR 4734 PB92-172030 $27.00
NISTIR 4749 PB92-148261 $27.00
NISTIR 4774 PB92-172022 $24.50
NISTIR 4939 PB93-120699 $24.50
NISTIR 5153 PB93-185999 $24.50
NISTIR 5232 PB93-228682 $27.00
NISTIR 5234 PB94-135001 $35.00
NISTIR 5283 PB94-139649 $19.50
NISTIR 5308 PB94-134897 $19.50
NISTIR 5472 PB94-215746 $21.50
NISTIR 5540 PB95-171955 $34.00
NISTIR 5570 PB95-189510 $28.50
NISTIR 5590 PB95-189494 $28.50
NISTIR 5788 PB96-166004 $31.00
NISTIR 5810 PB96-195318 $19.50
NISTIR 6068 PB98-104169 $21.50
NISTIR 6192 PB99-130825 $23.00
FIPS PUB 31 FIPSPUB 31 $27.00
FIPS PUB 46-2 FIPSPUB 46-2 $22.50
FIPS PUB 48 FIPSPUB 48 $12.50
FIPS PUB 73 FIPSPUB 73 $27.00
FIPS PUB 74 FIPSPUB 74 $24.50
FIPS PUB 81 FIPSPUB 81 $24.50
FIPS PUB 83 FIPSPUB 83 $24.50
FIPS PUB 87 FIPSPUB 87 $24.50
FIPS PUB 102 FIPSPUB 102 $36.50
FIPS PUB 112 FIPSPUB 112 $27.00
FIPS PUB 113 FIPSPUB 113 $24.50
FIPS PUB 139 FIPSPUB 139 $14.00
FIPS PUB 140-1 FIPSPUB 140-1 $25.00
FIPS PUB 141 FIPSPUB 141 $14.00
FIPS PUB 171 FIPSPUB 171 $68.00
FIPS PUB 180-1 FIPSPUB 180-1 $22.50
FIPS PUB 181 FIPSPUB 181 $25.00
FIPS PUB 185 FIPSPUB 185 $19.00
FIPS PUB 186-1 FIPSPUB 186 $22.50
FIPS PUB 188 FIPSPUB 188 $22.50
FIPS PUB 190 FIPSPUB 190 $22.50
FIPS PUB 191 FIPSPUB 191 $25.00
FIPS PUB 196 FIPSPUB 196 $21.50