CSL
A Letter from the Computer Systems Laboratory
February 1994

PANEL ENVISIONS FEDERAL INTERNETWORKING AS COMPONENT OF NATIONAL INFORMATION INFRASTRUCTURE

Our lead article in the November 1993 issue of CSL announced the formation of the Federal Internetworking Requirements Panel, composed of representatives from eight federal agencies, to reassess federal requirements for open systems networks. In its draft report, the panel gives its vision of federal networking as a seamless component of the National Information Infrastructure, providing a full range of communications connectivity among federal agencies and between the federal community and the public. This follow-up article summarizes the panel's draft report.

Background

In 1988, the federal government adopted Federal Information Processing Standard (FIPS) 146, Government Open Systems Interconnection Profile (GOSIP), which is based on Open System Interconnection (OSI) standards, to achieve interconnection and interoperability of computers and systems acquired from different manufacturers. The current GOSIP Version 2 (FIPS 146-1) became effective in October 1992. The GOSIP standards were expected to displace the Internet Protocol Suite (IPS) and proprietary protocols because they resulted from the international standards process and were expected to be implemented worldwide.

Current Status

In reality, most GOSIP products have been slower to reach the marketplace than expected and have not been widely deployed to date, while IPS standards have become commodity products that are widely used in local area networks (LANs) and private networks. More significantly, the worldwide Internet has developed as a substantial infrastructure which supports the IPS standards, while a comparable infrastructure has not developed for GOSIP.

Although the growth of IPS relative to the GOSIP protocols motivated this policy review, other significant factors charted the direction of the panel's work.
These factors include:

* the ongoing use of proprietary LANs;
* the widespread deployment of proprietary electronic mail systems;
* the transition to client-server data processing architectures; and
* the continued dominance of proprietary communications architectures for mainframe-based transaction processing.

In light of these diverse yet integrated trends, the Federal Internetworking Requirements Panel decided to review the entire strategy of meeting federal internetworking requirements. The group determined that what is now required is an effort to take advantage of the capabilities now available and to rapidly move developing capabilities into operation.

Panel Conclusions

In its draft report, the panel said that the federal internetworking standards process should focus on providing leadership to clarify and pursue a common vision of how the federal government should be interconnected within itself and with the public. Agencies should receive guidance in achieving interoperability goals, but the guidance should not be tied to specific low-level technologies that are rapidly evolving.

The panel's draft says that no single protocol suite meets the full range of federal requirements for data internetworking. The IPS and OSI both have strengths and weaknesses, as do proprietary protocols, according to the study. The panel said that each community within the government should pursue the solution to meeting their mission requirements as a primary goal without a specific technical solution being imposed on them. In addition, agencies need to consider interoperability, existing infrastructure, and cost.

Standards alone are not sufficient to meet these goals; federal agencies need to be supported by available products and infrastructure. Rather than technical solutions, agencies need a process that provides guidance to assist them in deciding how to best meet their requirements.
The panel will submit its final report to NIST once it has addressed comments on the draft report received from the public during a 30-day comment period which closed February 18, 1994. For a free copy of the draft report, call CSL Publications at (301) 975-2821. We will announce the final report in the newsletter when it becomes available.

FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) ACTIVITIES

Data Encryption Standards Revised

On December 3, the Secretary of Commerce approved a revision to Federal Information Processing Standard (FIPS) 46-1, Data Encryption Standard (DES), and reaffirmed the Data Encryption Algorithm specified in the DES for five years. To be published as FIPS 46-2, the revised standard allows for implementation of the algorithm in software, firmware, or hardware; it also allows for the use of other cryptographic algorithms for protecting unclassified data provided that these algorithms are approved in FIPS.

Also approved was FIPS 140-1, Security Requirements for Cryptographic Modules, which will enable federal agencies to specify their security requirements for cryptographic modules which can be used to protect unclassified information in a variety of different applications. FIPS 140-1 is effective June 30, 1994.

Software Modeling FIPS Approved

Two new FIPS for software modeling techniques have been approved: FIPS 183, Integration Definition for Function Modeling (IDEF0), and FIPS 184, Integration Definition for Information Modeling (IDEF1X). Effective June 30, 1994, these FIPS adopt nonproprietary IDEF modeling techniques developed by government and industry for use in the analysis and development of information systems.

FIPS 183 describes the IDEF0 modeling language (semantics and syntax) and associated rules and techniques for developing structured graphical representations of a system or enterprise.
The standard is based on the Air Force Wright Aeronautical Laboratories Integrated Computer-Aided Manufacturing (ICAM) Architecture, Part II, Volume IV--Function Modeling Manual (IDEF0), June 1981. FIPS 183 will permit the construction of models comprising system functions (activities, actions, processes, operations), functional relationships, and data (information or objects) that support systems integration.

FIPS 184 is based on the Integration Information Support System (IISS), Volume V--Common Data Model Subsystem, Part 4--Information Modeling Manual--IDEF1 Extended (IDEF1X), November 1985. The standard describes the IDEF1X modeling language (semantics and syntax) and associated rules and techniques for developing a logical model of data. IDEF1X is used to produce a graphical information model which represents the structure and semantics of information within an environment or system. Use of the standard permits the construction of semantic data models which may serve to support the management of data as a resource, the integration of information systems, and the building of computer databases.

Escrowed Encryption Standard Approved As FIPS 185

On February 9, 1994, the Secretary of Commerce approved FIPS 185, Escrowed Encryption Standard (EES), for federal agency use. Effective March 11, 1994, FIPS 185 specifies a technology developed by the federal government to provide strong encryption protection for unclassified information and to provide that the keys used in the encryption and decryption processes are escrowed. This latter feature will assist law enforcement and other government agencies, under the proper legal authority, in the collection and decryption of electronically transmitted information. The encryption technology will be implemented in electronic devices.

FIPS 185 will facilitate the acquisition of devices that implement escrowed encryption techniques for federal agencies.
The standard does not mandate the use of escrowed encryption devices by federal agencies, the private sector, or other levels of government; the use of such devices is totally voluntary. Rather, the standard provides a mechanism for federal agencies to use when they wish to specify key escrowed encryption as a requirement in their acquisition documents. Otherwise, agencies would have to formally waive the requirements of the recently reaffirmed encryption standard, FIPS 46-2, Data Encryption Standard, if they wanted to use escrowed encryption techniques.

Raster Graphics Validation Test Service Established

CSL has established, on a one-year trial basis, a raster graphics test service for the validation of raster graphics files for conformance to FIPS 150, Facsimile Coding Schemes and Coding Control Functions for Group 4 Facsimile Apparatus, and MIL-R-28002B, Requirements for Raster Graphics Representation in Binary Format. We will use the trial period to verify the accuracy and completeness of the raster graphics test procedures. The test service trial period will continue through September 1994.

FIPS Withdrawn

FIPS 30, Software Summary for Describing Computer Programs and Automated Data Systems (Standard Form 185), and FIPS 53, Transmittal Form for Describing Computer Magnetic Tape File Properties (Standard Form 277), have been withdrawn. Approved in the 1970s, these FIPS provided standard forms for describing computer programs and computer magnetic tape files which are now obsolete.

UPDATE ON NEW PUBLICATIONS

CSL publishes the results of studies, investigations, and research. The reports listed below may be ordered from the following sources as indicated for each:

*Superintendent of Documents
U.S. Government Printing Office (GPO)
Washington, DC 20402
Telephone (202) 783-3238

*National Technical Information Service (NTIS)
5285 Port Royal Road
Springfield, VA 22161
Telephone (703) 487-4650

Planning for the Fiber Distributed Data Interface (FDDI)
By William E. Burr
NIST Spec. Pub. 500-212, October 1993
SN003-003-03239-5 $7.00
Order from GPO

This report describes the FDDI standards and the media that FDDI uses, and gives information about wiring for FDDI LANs and about effectively configuring FDDI LANs. It describes the relationship of FDDI to the Government Open Systems Interconnection Profile (GOSIP) and discusses connecting FDDI to other networks.

Next Generation Computer Resources: Reference Model for Project Support Environments (Version 2.0) (CMU/SEI-93-TR-23)
Alan Brown, David Carney, Patricia Oberndorf, and Marvin Zelkowitz, Editors
NIST Spec. Pub. 500-213, November 1993
SN003-003-03244-1 $8.00
Order from GPO

This document describes a joint venture of CSL, the Software Engineering Institute, and the U.S. Navy on the Next Generation Computer Resources program to fulfill the Navy's need for standard computing resources. The report presents a reference model that describes the full scope of functionality that is expected of a project support environment.

Good Security Practices for Electronic Commerce Including Electronic Data Interchange
Roy G. Saltman, Editor
NIST Spec. Pub. 800-9, December 1993
SN003-003-03243-3 $4.50
Order from GPO

This report presents security procedures and techniques, including internal controls and checks, that constitute good practice in the design, development, testing, and operation of electronic commerce systems. Security techniques considered include audit trails, contingency planning, use of acknowledgments, electronic document management, activities of supporting networks, user access controls to systems and networks, and cryptographic techniques for authentication and confidentiality.

Integrated Services Digital Network Conformance Testing, Layer 2--Data Link Layer (LAPD), Part 1--Basic Rate Interface, User Side
Daniel P. Stokesberry, Leslie Collica, and Kathleen M. Roberts, Editors
NIST Spec. Pub. 823-4, September 1993
SN003-003-03221-2 $49.00
Order from GPO

This document defines the abstract test specifications to verify equipment implementation conformance to the Layer 2, Data Link Layer, Link Access Procedure on the D Channel (LAPD) of an ISDN at the user-side of the user-network interface, for the BRI access arrangements, as defined in the CCITT Recommendations Q.921[1] and ANS T1.602[2]. This test suite is intended for use by all members of the North American ISDN Users' Forum (NIUF).

Comparison of Handprinted Digit Classifiers
By Patrick J. Grother and Gerald T. Candela
NISTIR 5209, June 1993
PB94-118213 $17.50 paper, $9.00 microfiche
Order from NTIS

This report presents optical character recognition (OCR) research results for several pattern classifiers trained and tested on disjoint sets of 30620 digits selected from the first 500 writers of NIST Special Database 3.

Private Branch Exchange (PBX) Security Guidelines
NIST/GCR 93-635, September 1993
PB94-100880 $19.50 paper, $9.00 microfiche
Order from NTIS

This document presents the basic concepts of PBX security. It describes a telephone switch system, hardware and software assets, specific security threats, and the functions of the PBX administrator. An example of a security policy and some controls needed to secure the PBX environment are also given.

Technology Trends in Telecommunications: An Overview
NISTIR 5282, October 1993
PB94-123080 $17.50 paper, $9.00 microfiche
Order from NTIS

This paper describes the technology trends for telecommunications and their impact on the services provided to the user. The study focuses on the rapid diversification of the telecommunication industry and summarizes trends in a historic perspective.

1978 Fortran Compiler Validation System User's Guide, Version 2.1
Software Standards Validation Group
NISTIR 5287, August 1993
PB94-118460 $27.00 paper, $12.50 microfiche
Order from NTIS

This document describes the procedures that are required to use the Fortran Compiler Validation System (FCVS78) which evaluates compilers for conformance to Federal Information Processing Standard (FIPS) 69-1, Fortran.

Validated Products List 1994 No. 1
Judy B. Kailey and Peggy N. Himes, Editors
NISTIR 5354, January 1994
PB94-937301 $27.00 paper, $108.00 subscription
Order from NTIS

This document, published quarterly, identifies the COBOL, FORTRAN, Pascal, C, MUMPS, and Ada programming language processors with current validation certificates and the SQL language processors with registered test reports. Also included are GOSIP Conformance Testing Registers, NIST POSIX Testing Laboratories and Validated Products, Graphics, and Computer Security testing programs.

UPCOMING TECHNICAL CONFERENCES

Lecture Series on High Integrity Systems

This lecture series addresses problems and solutions for developing and operating high integrity systems.

Date: March 8, 1994
Speaker: Phil Kiviat, Knowledgeware, Inc.
Topic: Software Reuse

Date: May 10, 1994
Speaker: Winston Royce, TRW, Inc.
Topic: Software Architecture for Safety Critical Systems

Place: NIST Green Auditorium
Time: 2:00 p.m.
Contact: Dolores Wallace (301) 975-3340
E-mail: wallace@swe.ncsl.nist.gov

Open System Environment (OSE) Implementors Workshop (OIW)

This workshop is part of a continuing series to develop implementation specifications from international standard design specifications for computer network protocols.

Sponsors: NIST and the IEEE Computer Society
Dates: March 14-18, 1994; June 13-17, 1994; September 12-16, 1994; December 12-16, 1994
Place: NIST, Gaithersburg, MD
Contact: Brenda Gray (301) 975-3664
E-mail: gray@osi.ncsl.nist.gov

Applications Portability Profile (APP)/Open Systems Environment (OSE) Workshop

This workshop is designed as a user's forum to discuss the latest developments in the APP/OSE.

Dates: May 11-12, 1994; November 15-16, 1994; May 9-10, 1995; November 7-8, 1995
Place: NIST, Gaithersburg, MD
Contact: Joe Hungate (301) 975-3368
E-mail: hungate@swe.ncsl.nist.gov

Federal Wireless Users Forum (FWUF)

This new users group was established to address wireless digital interface issues in the federal government. Although focusing on the requirements of federal wireless telecommunication users, the forum encourages the participation of state and local government, other interested users, product providers, and service providers.

Sponsors: NIST and the National Communications System (NCS)
Dates: June 7-9, 1994; September 26-28, 1994
Place: NIST, Gaithersburg, MD
Contact: Tish Antonishek (301) 975-2922
E-mail: tish@dsys.ncsl.nist.gov

7th Annual Data Administration Management Association (DAMA) Symposium

This symposium will disseminate knowledge and experience about data administration and provide a forum for the exchange of ideas and resolution of problems.

Sponsors: NIST and DAMA
Date: May 17-18, 1994
Place: NIST, Gaithersburg, MD
Contact: Judith Newton (301) 975-3256
E-mail: newton@ecf.ncsl.nist.gov

North American ISDN Users' Forum (NIUF)

The NIUF addresses many concerns over a broad range of Integrated Services Digital Network (ISDN) issues and seeks to reach consensus on ISDN Implementation Agreements. Participants include ISDN users, implementors, and service providers.

Dates: June 20-24, 1994; October 3-7, 1994
Place: NIST, Gaithersburg, MD
Contact: Dawn Hoffman (301) 975-2937
E-mail: dawn@isdn.ncsl.nist.gov

COMPASS '94, Ninth Annual Conference on Computer Assurance

COMPASS '94 focuses on technology for computer assurance for systems that require properties such as security, safety, integrity, availability, timeliness, and fault tolerance in combination to satisfy mission requirements.

Sponsors: IEEE and the IEEE Aerospace and Electronic Systems Society, in cooperation with the British Computer Society
Date: June 27-July 1, 1994
Place: NIST, Gaithersburg, MD
Contact: Laura Ippolito (301) 975-5248
E-mail: ippolito@sst.ncsl.nist.gov

17th National Computer Security Conference

This year's conference will focus on security issues relating to new Presidential initiatives such as the Information Highway and the National Information Infrastructure (NII).

Sponsors: NIST and NSA's National Computer Security Center
Date: October 11-14, 1994
Place: Baltimore Convention Center, Baltimore, MD
Contacts: Irene Gilbert Perry (301) 975-3360
E-mail: igilbert@csmes.ncsl.nist.gov
Dennis Gilbert (301) 975-3872
E-mail: dgilbert@csmes.ncsl.nist.gov