U.S. DEPARTMENT OF COMMERCE
TECHNOLOGY ADMINISTRATION
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
COMPUTER SYSTEMS LABORATORY

COMPUTER SECURITY PUBLICATIONS
NIST PUBLICATION LIST 91
REVISED OCTOBER 1995
(This electronic version updated February 1996.)

COMPUTER SYSTEMS LABORATORY
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
GAITHERSBURG, MARYLAND 20899

Information technology occupies a vital place in our daily lives and in our country's enterprises. Information technology stimulates new products, services, and economic growth, and is central to the development of an information infrastructure that will enable users to access the information they need, when and where they need it.

The Computer Systems Laboratory (CSL) at the National Institute of Standards and Technology (NIST) serves government and industry by developing and demonstrating test methods, reference materials, measurements, and standards to advance new uses of information technology and to spur productivity improvement. CSL's products and services include electronic bulletin boards, electronic home pages, newsletters, workshops, seminars, and selection guides to aid in planning for the use of new technology.

CSL works with industry to advance the development of standards, and common implementations of standards, needed for interconnected, secure, reliable information technology systems. CSL works with a broad spectrum of organizations including federal, state, and local governments, industry computer users and manufacturers, research organizations, and voluntary standards groups.

Current information about CSL is available through the Internet. The CSL Home Page can be accessed at: http://www.nist.gov/itl.csl

CSL PUBLICATIONS

This brochure lists CSL computer security publications and reports from 1989 to the present. These publications are issued as Special Publications (Spec. Pub.), NISTIRs (NIST Internal Reports), and CSL Bulletins. The Special Publications series include the Spec. Pub. 500 series (Computer Systems Technology) and the Spec. Pub. 800 series (Computer Security). Computer security-related Federal Information Processing Standards (FIPS) are also included.

For more information about CSL programs, contact:
Computer Systems Laboratory
Building 820, Room 509
National Institute of Standards and Technology
Gaithersburg, Maryland 20899-0001
Telephone: (301) 975-2833
Fax: (301) 948-6213
Email: shirley.radack@nist.gov

COMPUTER SECURITY ACTIVITIES

Under the Computer Security Act of 1987 (P.L. 100-235), CSL performs research, develops standards and guidelines, develops validation procedures for standards, provides assistance to federal agencies and the private sector, and assists federal agencies with their security planning and training activities.

As information technology becomes integral to all aspects of government and commerce, the security or protection of that technology becomes critical. If government, commercial, and personal activities cannot be conducted through information technology (IT) with the same (or better) level of confidence and trust in the underlying systems as is perceived in traditional systems, the new technology will not be used, or it will not be used effectively.

HOW TO ORDER PUBLICATIONS

These publications are available through either the Government Printing Office (GPO) or the National Technical Information Service (NTIS). The source, price, and order number for each publication are indicated on the Publication Price List at the end of the brochure. Orders for publications should include the title of the publication, the NIST publication number (Spec. Pub. 000, NISTIR 000, etc.), and the GPO or NTIS number. You may order at the price listed; however, prices are subject to change without notice.

Mailing addresses are:
Superintendent of Documents
U.S. Government Printing Office
Washington, DC 20402

National Technical Information Service
5285 Port Royal Road
Springfield, VA 22161

Telephone numbers for information are:
GPO Order Desk: (202) 512-1800
GPO Fax: (703) 512-2250
NTIS Orders: (703) 487-4650
Rush Telephone Service: (800) 553-6847
NTIS Fax: (703) 321-8547 or (703) 321-9038

Note: Publications with SN numbers are stocked by GPO. Publications with PB numbers are stocked by NTIS.

CSL BULLETINS

CSL Bulletins are published by NIST's Computer Systems Laboratory. Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are available on CSL's Computer Security Resource Clearinghouse (CSRC) (see below). To receive a specific bulletin or to be placed on a mailing list to receive future bulletins, send your name, organization, and mailing address to:
CSL Publications
National Institute of Standards and Technology
Building 820, Room 509
Gaithersburg, MD 20899-0001
Telephone: (301) 975-3587
Fax: (301) 948-6213

CSL BULLETINS VIA E-MAIL

To subscribe to this service, send an e-mail message to mailserv@nist.gov with the message "subscribe csl-bulletin". For instructions on using mailserv, send a message to mailserv@nist.gov with the message "HELP". To have the bulletin sent to an e-mail address other than the From address, contact the CSL Editor at (301) 975-2832.
Current bulletins include the following:

Computer Virus Attacks, August 1990
Computer Security Roles of NIST and NSA, February 1991
Security Issues in the Use of Electronic Data Interchange, June 1991
File Transfer, Access and Management, July 1991
The NIST POSIX Testing Program, October 1991
Advanced Authentication Technology, November 1991
Establishing a Computer Security Incident Response Capability, February 1992
An Introduction to Secure Telephone Terminals, March 1992
Disposition of Sensitive Automated Information, October 1992
Sensitivity of Information, November 1992
Using Information Technology Standards in Federal Acquisitions, December 1992
Guidance on the Legality of Keystroke Monitoring, March 1993
The NIST Graphics Testing Program, April 1993
Security Issues in Public Access Systems, May 1993
Connecting to the Internet: Security Considerations, July 1993
Security Program Management, August 1993
People: An Important Asset in Computer Security, October 1993
Computer Security Policy: Setting the Stage for Success, January 1994
Threats to Computer Systems: An Overview, March 1994
Reducing the Risks of Internet Connection and Use, May 1994
Digital Signature Standard, November 1994
The Data Encryption Standard: An Update, February 1995
Acquiring and Using Asynchronous Transfer Mode in the Workplace, March 1995
Standards for Open Systems: More Flexibility for Federal Users, May 1995
FIPS 140-1: A Framework for Cryptographic Standards, August 1995
Preparing for Contingencies and Disasters, September 1995
An Introduction to Role-Based Access Control, December 1995

COMPUTER SECURITY RESOURCE CLEARINGHOUSE

CSL maintains an electronic Computer Security Resource Clearinghouse (CSRC) to encourage the sharing of information on computer security. The CSRC contains computer security awareness and training information, publications, conferences, and software tools, as well as security alerts and prevention measures.
The CSRC system, available 24 hours a day, also points to other computer security servers.

Internet Access

The CSRC system can be accessed via the Internet (http, gopher, and ftp). To connect via gopher or ftp, use the following:
gopher csrc.ncsl.nist.gov (or 129.6.54.11)
ftp csrc.ncsl.nist.gov (or 129.6.54.11)

To download CSRC files, Internet users can use ftp as follows:
1. Type 'ftp csrc.ncsl.nist.gov' or 'ftp 129.6.54.11'.
2. Log in to the account anonymous, using your Internet ID (your e-mail address) as the password.
3. CSRC files are located in the directory bbs.

To access the clearinghouse via an http client, such as Mosaic, use the following Uniform Resource Locator (URL): http://csrc.ncsl.nist.gov/

Dial Access

Dial access to the CSRC requires a standard ASCII terminal or a personal computer with serial communications capability. The terminal/workstation must be configured to support the following communications parameters:
Modem speed: 300 bps to 28.8 kbps
Data bits: 8 bits, no parity; or 7 bits, even parity
Stop bits: 1
Default terminal type: VT100

1. Dial 301-948-5717 and wait for the system to answer. If the line is busy or is not answered in two rings, hang up and try again.
2. When the CONNECT message is displayed, you are automatically connected to the CSRC system. Press the 'ENTER' key to access the initial system screen. Note: To ensure that the screen characters are correctly formatted for your display, visually verify that your terminal emulation setting (this parameter is set in your communications software program) matches the default terminal type setting shown at the bottom of the screen.
3. The CSRC provides you with on-line help and various choices of documents. The user mode of operation (for the session) can be set to 'NOVICE', 'INTERMEDIATE', or 'ADVANCED' by selecting the 'OPTIONS' menu option. Keystroke commands are available via the 'H' (HELP) key.
If you are using a personal computer, you may download files to your PC using various download protocols, such as ASCII, Kermit, XMODEM, YMODEM, and ZMODEM. From any screen, press the 'd' key to access the screen that allows you to download a file.

TABLE OF CONTENTS

Special Publications and Other Reports
  Access Control and Authentication Technology
  Criteria and Assurance
  Cryptography
  Electronic Commerce
  General Computer Security
  Network Security
  Risk Management
  Special Topics
  Telecommunications
Federal Information Processing Standards
  Access Control
  Cryptography
  General Computer Security
  Risk Analysis and Contingency Planning
Publication Price List

SPECIAL PUBLICATIONS AND OTHER REPORTS

These publications present the results of CSL studies, investigations, and research on computer security and risk management issues. Special Publications present documents of general interest to the computer security community. The Special Publications 800 series was established in 1990 to provide a separate identity and to enhance the visibility of CSL's expanded computer security program. NIST Internal Reports (NISTIRs) describe CSL research of a technical nature of interest to a specialized audience. Publications are sold by either the Government Printing Office or the National Technical Information Service, as indicated for each entry on the Publication Price List at the end of the brochure.

ACCESS CONTROL & AUTHENTICATION TECHNOLOGY

NIST SPEC PUB 500-157
SMART CARD TECHNOLOGY: NEW METHODS FOR COMPUTER ACCESS CONTROL
AUTHORS = By Martha E. Haykin and Robert B. J. Warner
DATE = September 1988
This document describes the basic components of a smart card and provides background information on the underlying integrated circuit technologies. The capabilities of a smart card are discussed, especially its applicability to computer security. The report describes research being conducted on smart card access control techniques; other major U.S. and international groups involved in the development of standards for smart cards and related devices are listed in the appendix.

NBS SPEC PUB 500-156
MESSAGE AUTHENTICATION CODE (MAC) VALIDATION SYSTEM: REQUIREMENTS AND PROCEDURES
AUTHORS = By Miles Smid, Elaine Barker, David Balenson, and Martha Haykin
DATE = May 1988
Describes the Message Authentication Code (MAC) Validation System (MVS), which was developed by NBS to test message authentication devices for conformance to two data authentication standards (including FIPS 113). This publication describes the basic design and configuration of the MVS, and the requirements and administrative procedures to be followed for requesting validations.

CRITERIA AND ASSURANCE

NISTIR 5590
PROCEEDINGS REPORT OF THE INTERNATIONAL INVITATIONAL WORKSHOP ON DEVELOPMENTAL ASSURANCE
AUTHORS = By Patricia Toth
DATE = January 1995
This publication presents the proceedings of an invitational workshop on developmental assurance held in June 1994. Co-sponsors of the workshop were NIST, the National Security Agency, the Canadian Communications Security Establishment, and the European Commission.

NISTIR 5540
MULTI-AGENCY CERTIFICATION AND ACCREDITATION (C&A) PROCESS: A WORKED EXAMPLE
AUTHORS = By Ellen Flahavin, Annabelle Lee, and Dawn Wolcott
DATE = December 1994
This document describes a worked example of a multi-agency certification and accreditation process. Although it focuses on the Mountain Pass Project implemented for the Drug Enforcement Administration, the document presents lessons learned and provides practical guidance to federal agencies that perform multi-agency C&A.

NISTIR 5472
A HEAD START ON ASSURANCE: PROCEEDINGS OF AN INVITATIONAL WORKSHOP ON INFORMATION TECHNOLOGY (IT) ASSURANCE AND TRUSTWORTHINESS
AUTHORS = Marshall D. Abrams and Patricia R. Toth, Editors
DATE = August 1994
This document presents the proceedings of a workshop held in March 1994 in Williamsburg, Virginia, to identify crucial issues on assurance in IT systems and to provide input into the development of policy guidance on determining the type and level of assurance appropriate in a given environment.

NISTIR 5386
PROCEEDINGS OF THE WORKSHOP ON THE FEDERAL CRITERIA FOR INFORMATION TECHNOLOGY SECURITY
AUTHORS = By J. Cugini, P. Toth, G. Troy, L. Ambuel, F. Mayer, T. Mayfield, M. Abrams, L. Fraime, and V. Gligor
DATE = March 1994
This publication presents the proceedings of a Federal Criteria Workshop co-sponsored by NIST and NSA in June 1993 to address comments received on the first draft of the Federal Criteria, made public in January 1993.

NISTIR 5153
MINIMUM SECURITY REQUIREMENTS FOR MULTI-USER OPERATING SYSTEMS
AUTHORS = By David Ferraiolo, Nickilyn Lynch, Patricia Toth, David Chizmadia, Michael Ressler, Roberta Medlock, and Sarah Weinberg
DATE = March 1993
This document provides basic commercial computer system security requirements applicable to both government and commercial organizations. These requirements form the basis for the commercially oriented protection profiles in Volume II of the draft Federal Criteria for Information Technology Security document (known as the Federal Criteria).

NISTIR 4774
A REVIEW OF U.S. AND EUROPEAN SECURITY EVALUATION CRITERIA
AUTHORS = By Charles R. Dinkel
DATE = March 1992
This report reviews five U.S. and European documents which describe criteria for specifying and evaluating the trust of computer products and systems.

NIST SPEC PUB 500-168
REPORT OF THE INVITATIONAL WORKSHOP ON DATA INTEGRITY
AUTHORS = By Zella G. Ruthberg and William T. Polk
DATE = September 1989

NIST SPEC PUB 500-160
REPORT OF THE INVITATIONAL WORKSHOP ON INTEGRITY POLICY IN COMPUTER INFORMATION SYSTEMS (WIPCIS)
AUTHORS = Stuart W. Katzke and Zella G. Ruthberg, Editors
DATE = January 1989

NBS SPEC PUB 500-153
GUIDE TO AUDITING FOR CONTROLS AND SECURITY: A SYSTEM DEVELOPMENT LIFE CYCLE APPROACH
AUTHORS = Editors/Authors: Zella G. Ruthberg, Bonnie Fisher, William E. Perry, John W. Lainhart IV, James G. Cox, Mark Gillen, and Douglas B. Hunt
DATE = April 1988

CRYPTOGRAPHY

NISTIR 5468
REPORT OF THE NIST WORKSHOP ON KEY ESCROW ENCRYPTION
AUTHORS = By Arthur E. Oldehoeft; Dennis Branstad, Editor
DATE = June 1994
This document presents the proceedings of the NIST Workshop on Key Escrow Encryption, held in June 1994 to engage the private sector in dialogue on the issues of key escrow encryption.

NISTIR 5234
REPORT OF THE NIST WORKSHOP ON DIGITAL SIGNATURE CERTIFICATE MANAGEMENT, DECEMBER 10-11, 1992
AUTHORS = Dennis K. Branstad, Editor
DATE = August 1993
This report summarizes the major topics of discussion at a workshop on Digital Signature Certificate Management held at NIST on December 10-11, 1992. The purpose of the workshop was to review existing and required technologies for digital signature certification and to develop recommendations for certificate contents and formats.

NIST SPEC PUB 800-2
PUBLIC-KEY CRYPTOGRAPHY
AUTHORS = By James Nechvatal
DATE = April 1991
This publication surveys public-key cryptography, discussing the theory and examining examples of public-key cryptosystems. The related topics of digital signatures, hash functions, and zero-knowledge protocols are also covered.

NBS SPEC PUB 500-61
MAINTENANCE TESTING FOR THE DATA ENCRYPTION STANDARD
AUTHORS = By Jason Gait
DATE = August 1980

ELECTRONIC COMMERCE

NIST SPEC PUB 800-9
GOOD SECURITY PRACTICES FOR ELECTRONIC COMMERCE, INCLUDING ELECTRONIC DATA INTERCHANGE
AUTHORS = Roy G. Saltman, Editor
DATE = December 1993
This report presents security procedures and techniques, including internal controls and checks, that constitute good practice in the design, development, testing, and operation of electronic commerce systems.
Security techniques considered include audit trails, contingency planning, use of acknowledgements, electronic document management, activities of support networks, user access controls to systems and networks, and cryptographic techniques for authentication and confidentiality.

NISTIR 5247
WORKSHOP ON SECURITY PROCEDURES FOR THE INTERCHANGE OF ELECTRONIC DOCUMENTS: SELECTED PAPERS AND RESULTS
AUTHORS = Roy G. Saltman, Editor
DATE = August 1993
This document presents the findings of a workshop held at NIST on November 12-13, 1992. Co-sponsored by CSL and the Office of Management and Budget, the workshop focused on the need to devise rules for the use of security procedures for the electronic transmission of documents between organizations.

GENERAL COMPUTER SECURITY

NIST SPEC PUB 800-12
AN INTRODUCTION TO COMPUTER SECURITY: THE NIST HANDBOOK
AUTHORS = By Barbara Guttman and Edward Roback
DATE = October 1995
This handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls. It assists in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. The handbook illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.

NISTIR 5495
COMPUTER SECURITY TRAINING AND AWARENESS COURSE COMPENDIUM (supersedes NISTIR 4846)
AUTHORS = Kathie Everhart, Editor
DATE = September 1994
This document assists federal agencies in locating computer security training resources nationwide. The publication organizes courses into training areas within audience categories as defined in NIST Special Publication 500-172, Computer Security Training Guidelines; target audiences include executives, managers, and users.
NISTIR 5308
GENERAL PROCEDURES FOR REGISTERING COMPUTER SECURITY OBJECTS
AUTHORS = Noel A. Nazario, Editor
DATE = December 1993
This publication describes the object-independent procedures for operating the Computer Security Objects Register (CSOR), which serves organizations and individuals seeking to use a common set of tools and techniques in computer security.

NIST SPEC PUB 800-6
AUTOMATED TOOLS FOR TESTING COMPUTER SYSTEM VULNERABILITY
AUTHORS = By W. Timothy Polk
DATE = December 1992
This document discusses the use of automated tools to perform system vulnerability tests. The tests examine a system for vulnerabilities that can result from improper use of controls or mismanagement, such as easily guessed passwords or improperly protected system files.

NIST SPEC PUB 800-5
A GUIDE TO THE SELECTION OF ANTI-VIRUS TOOLS AND TECHNIQUES
AUTHORS = By W. Timothy Polk and Lawrence E. Bassham
DATE = December 1992
This guide gives criteria for judging the functionality, practicality, and convenience of anti-virus tools so that users can determine which tools are best suited to their target environments.

NISTIR 4939
THREAT ASSESSMENT OF MALICIOUS CODE AND EXTERNAL ATTACKS
AUTHORS = By Lawrence E. Bassham and W. Timothy Polk
DATE = October 1992
This report provides an assessment of the threats associated with malicious code and external attacks on systems using commercially available hardware and software.

NIST SPEC PUB 800-4
COMPUTER SECURITY CONSIDERATIONS IN FEDERAL PROCUREMENTS: A GUIDE FOR PROCUREMENT INITIATORS, CONTRACTING OFFICERS, AND COMPUTER SECURITY OFFICIALS
AUTHORS = By Barbara Guttman
DATE = March 1992
This document assists federal agencies in selecting and acquiring cost-effective computer security by explaining how to include computer security requirements in federal information processing procurements.

NISTIR 4749
SAMPLE STATEMENTS OF WORK FOR FEDERAL COMPUTER SECURITY SERVICES: FOR USE IN-HOUSE OR CONTRACTING OUT
AUTHORS = Dennis M. Gilbert, Project Leader; Nickilyn Lynch, Editor
DATE = December 1991
This document presents a set of Statements of Work (SOWs) describing significant computer security activities. It assists federal agencies and government contractors in the acquisition of computer security services by standardizing the description of typical services available from within or outside of the organization.

NIST SPEC PUB 800-3
ESTABLISHING A COMPUTER SECURITY INCIDENT RESPONSE CAPABILITY (CSIRC)
AUTHORS = By John Wack
DATE = November 1991
This publication describes increased computer security efforts, designated as Computer Security Incident Response Capabilities (CSIRCs), which offer an efficient and cost-effective response to computer security threats. A CSIRC is a proactive approach to computer security, one that combines reactive capabilities with active steps to prevent future incidents.

NISTIR 4545
COMPUTER SECURITY: SELECTED ARTICLES
AUTHORS = Marianne Swanson and Elizabeth B. Lennon, Editors
DATE = April 1991
This document presents nine articles representing a wide spectrum of computer security information and a reading list of computer security publications.

NIST SPEC PUB 500-172
COMPUTER SECURITY TRAINING GUIDELINES
AUTHORS = By Mary Anne Todd and Constance Guitian
DATE = November 1989
These guidelines provide a framework for determining the training needs of employees involved with computer systems. They describe the learning objectives of agency computer security training programs (what the employee should know and be able to direct or actually perform) so that agencies may use the guidance to develop or acquire training programs that fit the agency environment.

NIST SPEC PUB 500-171
COMPUTER USER'S GUIDE TO THE PROTECTION OF INFORMATION RESOURCES
AUTHORS = By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
DATE = December 1989
Computers have changed the way we handle our information resources.
Large amounts of information are stored in one central place with the ability to be accessed from remote locations. Users have a personal responsibility for the security of the system and the data stored in it. This document outlines the user's responsibilities and provides security and control guidelines to be implemented.

NIST SPEC PUB 500-170
MANAGEMENT GUIDE TO THE PROTECTION OF INFORMATION RESOURCES
AUTHORS = By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
DATE = October 1989
This guide introduces information systems security concerns and outlines the issues that must be addressed by all agency managers in meeting their responsibilities to protect information systems within their organizations. It describes essential components of an effective information resource protection process that applies to a stand-alone personal computer or to a large data processing facility.

NIST SPEC PUB 500-169
EXECUTIVE GUIDE TO THE PROTECTION OF INFORMATION RESOURCES
AUTHORS = By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
DATE = October 1989
This guide assists executives in addressing a host of questions regarding the protection and safety of computer systems and their information resources. The publication introduces information systems security concerns, outlines the management issues that must be addressed by agency policies and programs, and describes essential components of an effective implementation process.

NIST SPEC PUB 500-166
COMPUTER VIRUSES AND RELATED THREATS: A MANAGEMENT GUIDE
AUTHORS = By John P. Wack and Lisa J. Carnahan
DATE = August 1989
This document contains guidance for managing the threats of computer viruses and related software and unauthorized use. It is geared towards managers of end-user groups and managers dealing with multi-user systems, personal computers, and networks. The guidance is general and addresses the vulnerabilities that are most likely to be exploited.
NBS SPEC PUB 500-134
GUIDE ON SELECTING ADP BACKUP PROCESS ALTERNATIVES
AUTHORS = By Irene Isaac
DATE = November 1985

NBS SPEC PUB 500-133
TECHNOLOGY ASSESSMENT: METHODS FOR MEASURING THE LEVEL OF COMPUTER SECURITY
AUTHORS = By William Neugent, John Gilligan, Lance Hoffman, and Zella G. Ruthberg
DATE = October 1985

NBS SPEC PUB 500-120
SECURITY OF PERSONAL COMPUTER SYSTEMS - A MANAGEMENT GUIDE
AUTHORS = By Dennis D. Steinauer
DATE = January 1985

NETWORK SECURITY

NIST SPEC PUB 800-10
KEEPING YOUR SITE COMFORTABLY SECURE: AN INTRODUCTION TO INTERNET FIREWALLS
AUTHORS = By John P. Wack and Lisa J. Carnahan
DATE = December 1994
This publication provides an overview of the Internet and its security-related problems. It describes firewall components, the reasoning behind firewall usage, several types of network access policies, and resources for more information. The document assists federal and industry users in planning and purchasing a firewall.

NIST SPEC PUB 800-7
SECURITY IN OPEN SYSTEMS
AUTHORS = By R. Bagwill, J. Barkley, L. Carnahan, S. Chang, R. Kuhn, P. Markovitz, A. Nakassis, K. Olsen, M. Ransom, and J. Wack; John Barkley, Editor
DATE = July 1994
This report provides information for service designers and programmers involved in the development of telecommunications application software; it focuses on building security into software based on open system platforms. The document is also useful for product planners, administrators, users, and management personnel who are interested in understanding the capabilities and limitations of open systems.

NISTIR 5325
CONFORMANCE ASSESSMENT OF TRANSPORT LAYER SECURITY IMPLEMENTATIONS
AUTHORS = Wayne A. Jansen, Editor
DATE = December 1993
This paper presents a framework for evaluating the conformance of a protocol implementation to the Security Protocol at layer 4 (SP4) standard. SP4 is one element of the Secure Data Network System (SDNS) architecture, used to provide security services at the Transport layer of the Open Systems Interconnection (OSI) reference model.

NISTIR 5232
REPORT OF THE NSF/NIST WORKSHOP ON NSFNET/NREN SECURITY, JULY 6-7, 1992
AUTHORS = By Arthur E. Oldehoeft
DATE = May 1993
This report describes a workshop hosted by NIST and sponsored by the National Science Foundation to address the need for improving the security of national computer networks.

NISTIR 4983
A STUDY OF OSI KEY MANAGEMENT
AUTHORS = By Roberto Zamparo
DATE = November 1992
This report addresses key management as it applies to communications protocols based on the Open Systems Interconnection (OSI) architecture. It contains criteria and a model of OSI key management that allow schemes based on both secret key and public key cryptography to be incorporated.

NISTIR 4934
PROTOCOL IMPLEMENTATION CONFORMANCE STATEMENT (PICS) PROFORMA FOR THE SDNS SECURITY PROTOCOL AT LAYER 4 (SP4)
AUTHORS = By Wayne A. Jansen
DATE = October 1992
This report specifies the Protocol Implementation Conformance Statement (PICS) proforma for SP4, the SDNS security protocol at the Transport layer (layer 4) of the reference model for Open Systems Interconnection (OSI). The PICS identifies the capabilities and options of the protocol that have been implemented.

NISTIR 4792
A FORMAL DESCRIPTION OF THE SDNS SECURITY PROTOCOL AT LAYER 4 (SP4)
AUTHORS = By Wayne A. Jansen
DATE = March 1992
This report contains a formal description of the Secure Data Network System (SDNS) security protocol at layer 4 (SP4) of the Open Systems Interconnection (OSI) reference model. Estelle is the OSI formal description technique used for the SP4 specification.

NISTIR 4734
FOUNDATIONS OF A SECURITY POLICY FOR USE OF THE NATIONAL RESEARCH AND EDUCATIONAL NETWORK
AUTHORS = By Arthur E. Oldehoeft
DATE = February 1992
This report explores the foundations of a national network security policy and proposes a draft policy for the National Research and Educational Network (NREN).

NISTIR 4614
STANDARD SECURITY LABEL FOR GOSIP, AN INVITATIONAL WORKSHOP
AUTHORS = By Noel Nazario
DATE = June 1991
These proceedings document the discussion and recommendations of NIST's Second Workshop on Security Labels, held April 9-10, 1991. Forty representatives from the federal government, industry, and the Canadian Government discussed a NIST-proposed Standard Security Label for the U.S. Government Open Systems Interconnection Profile (GOSIP).

NISTIR 4362
SECURITY LABELS FOR OPEN SYSTEMS: AN INVITATIONAL WORKSHOP
AUTHORS = By Noel Nazario
DATE = June 1990
This publication presents the results of a workshop on security labels held May 30-31, 1990, at NIST. The workshop covered general issues of labels in end systems as well as specific issues of labels in secure Open Systems Interconnection (OSI) networks.

RISK MANAGEMENT

NIST SPEC PUB 500-174
GUIDE FOR SELECTING AUTOMATED RISK ANALYSIS TOOLS
AUTHORS = By Irene E. Gilbert
DATE = October 1989
This document recommends a process for selecting automated risk analysis tools, describing important considerations for developing selection criteria for acquiring risk analysis software. The report describes three essential elements that should be present in an automated risk analysis tool: data collection, analysis, and output results. It is intended primarily for managers and those responsible for managing risks in computer and telecommunications systems.

NBSIR 86-3386
WORK PRIORITY SCHEME FOR EDP AUDIT AND COMPUTER SECURITY REVIEW
AUTHORS = By Zella Ruthberg and Bonnie Fisher
DATE = August 1986
This publication describes a methodology for prioritizing the work performed by EDP auditors and computer security reviewers.
Developed at an invitational workshop attended by government and private sector experts, the work plan enables users to evaluate computer systems for both EDP audit and security review functions and to develop a measurement of the risk of the systems. Based on this measure of risk, the auditor can then determine where to spend review time.

SPECIAL TOPICS

NISTIR 5731
VALIDATED PRODUCTS LIST 1995 NO. 4 (supersedes NISTIR 5693)
AUTHORS = L. Arnold Johnson and Peggy N. Himes, Editors
DATE = October 1995
This document, published quarterly, provides technical information about products that have been validated as conforming to the following computer security FIPS: FIPS 46-2, Data Encryption Standard; FIPS 113, Computer Data Authentication; and FIPS 171, Key Management Using ANSI X9.17. It also identifies the COBOL, FORTRAN, Pascal, C, MUMPS, and Ada programming language processors with current validation certificates and the SQL language processors with registered test reports. Also included are Graphics, NIST POSIX Testing Laboratories and Validated Products, Product Data - IGES, and OSI.

NISTIR 5576
COMPUTER SYSTEMS LABORATORY ANNUAL REPORT 1994
AUTHORS = By Elizabeth B. Lennon, Shirley M. Radack, and Ramona Roach
DATE = February 1995
This publication describes the computer and related telecommunications activities of NIST's Computer Systems Laboratory for 1994.

NISTIR 5570
AN ASSESSMENT OF THE DOD GOAL SECURITY ARCHITECTURE (DGSA) FOR NON-MILITARY USE
AUTHORS = By Arthur E. Oldehoeft
DATE = November 1994
This study assesses the potential of the DGSA as a model and framework for the development of non-military computer and information security architectures.

NIST GCR 94-654
FEDERAL CERTIFICATION AUTHORITY LIABILITY AND POLICY
AUTHORS = By Michael S. Baum
DATE = June 1994
This report identifies technical, legal, and policy issues affecting a certificate-based public key cryptographic infrastructure utilizing digital signatures supported by "trusted entities."
NISTIR 5424 A STUDY OF FEDERAL AGENCY NEEDS FOR INFORMATION TECHNOLOGY SECURITY
AUTHORS = By Dennis M. Gilbert
DATE = May 1994
This report presents the results of a NIST study to determine and document what federal agencies need to meet their information technology security requirements.

NISTIR 5283 SECURITY OF SQL-BASED IMPLEMENTATIONS OF PRODUCT DATA EXCHANGE USING STEP
AUTHORS = By Lawrence E. Bassham and W. Timothy Polk
DATE = October 1993
This report examines the security implications of the versions of the SQL standard as used to implement the Standard for the Exchange of Product Model Data (STEP), an emerging international standard.

NIST SPEC PUB 800-8 SECURITY ISSUES IN THE DATABASE LANGUAGE SQL
AUTHORS = By W. Timothy Polk and Lawrence E. Bassham
DATE = August 1993
The Database Language SQL is a standard interface for accessing and manipulating relational databases. This document examines the security functionality that might be required of relational database management systems (DBMS) and compares these functions with the requirements and options of the SQL specifications.

NISTIR 4976 ASSESSING FEDERAL AND COMMERCIAL INFORMATION SECURITY NEEDS
AUTHORS = By David F. Ferraiolo, Dennis M. Gilbert, and Nickilyn Lynch
DATE = November 1992
This report presents the results of a NIST study to assess the current and future information technology (IT) security needs of the commercial, civil, and military sectors.

NBS SPEC PUB 500-158 ACCURACY, INTEGRITY, AND SECURITY IN COMPUTERIZED VOTE-TALLYING
AUTHORS = By Roy G. Saltman
DATE = August 1988
This study surveys some events concerning computerized vote-tallying and reviews current problems.
The report recommends that accepted practices of internal control be applied to vote-tallying, including the use of software for integrity and logical correctness; dedicated software use and dedicated operation; improved design and certification of vote-tallying systems that do not use ballots; and improved pre-election testing and partial manual recounting of ballots.

TELECOMMUNICATIONS

NIST SPEC PUB 800-13 TELECOMMUNICATIONS SECURITY GUIDELINES FOR TELECOMMUNICATIONS MANAGEMENT NETWORK
AUTHORS = By John Kimmins, Charles Dinkel, and Dale Walters
DATE = October 1995
This document gives guidance on enhancing the security of the Public Switched Network (PSN), which provides critical commercial telecommunications services and National Security and Emergency Preparedness (NSEP) services. The guideline focuses on two specific components of a Telecommunications Management Network (TMN), Network Elements (NEs) and Mediation Devices (MDs), with emphasis on the security features needed to protect the operations, administration, maintenance, and provisioning of these components.

NIST SPEC PUB 800-11 THE IMPACT OF THE FCC's OPEN NETWORK ARCHITECTURE ON NS/EP TELECOMMUNICATIONS SECURITY
AUTHORS = By Karen Olsen and John Tebbutt
DATE = February 1995
This report provides an overview of the Federal Communications Commission's Open Network Architecture (ONA), describes National Security and Emergency Preparedness (NS/EP) telecommunications security concerns, and details NS/EP telecommunications security concerns that the FCC's ONA requirement introduces into the Public Switched Network (PSN).

NIST GCR 93-635 PRIVATE BRANCH EXCHANGE (PBX) SECURITY GUIDELINES
DATE = September 1993
This document presents the basic concepts of PBX security. It describes a telephone switch system, hardware and software assets, specific security threats, and the functions of the PBX administrator. An example of a security policy and some controls needed to secure the PBX environment are also given.
NIST SPEC PUB 500-189 SECURITY IN ISDN
AUTHORS = By William E. Burr
DATE = September 1991
This document discusses the standards needed to implement user security in Integrated Services Digital Network (ISDN) technology. The publication provides a broad discussion of user security needs and suggests possible solutions.

FEDERAL INFORMATION PROCESSING STANDARDS

Federal Information Processing Standards Publications (FIPS PUBS) are developed by the Computer Systems Laboratory (CSL) and issued under the provisions of the Federal Property and Administrative Services Act of 1949, as amended by the Computer Security Act of 1987 (P.L. 100-235). FIPS PUBS are sold by the National Technical Information Service (NTIS), U.S. Department of Commerce. A list of current FIPS covering all CSL program areas is available from:

Standards Processing Coordinator, Computer Systems Laboratory
Building 820, Room 562
National Institute of Standards and Technology
Gaithersburg, MD 20899-0001
Telephone: (301) 975-2817
Fax: (301) 948-6213
E-Mail Address: barbara.blickenstaff@nist.gov

ACCESS CONTROL

FIPS PUB 48 GUIDELINES ON EVALUATION OF TECHNIQUES FOR AUTOMATED PERSONAL IDENTIFICATION
DATE = April 1977
This guideline discusses the performance of personal identification devices, how to evaluate them, and considerations for their use within the context of computer systems security.

FIPS PUB 83 GUIDELINE ON USER AUTHENTICATION TECHNIQUES FOR COMPUTER NETWORK ACCESS CONTROL
DATE = September 1980
This document provides guidance in the selection and implementation of techniques for authenticating the users of remote terminals in order to safeguard against unauthorized access to computers and computer networks. Describes use of passwords, identification tokens, verification by means of personal attributes, identification of remote devices, role of encryption in network access control, and computerized authorization techniques.
FIPS PUB 112 STANDARD ON PASSWORD USAGE
DATE = May 1985
This standard defines ten factors to be considered in the design, implementation, and use of access control systems that are based on passwords. It specifies minimum security criteria for such systems and provides guidance for selecting additional security criteria for password systems which must meet higher security requirements.

FIPS PUB 181 AUTOMATED PASSWORD GENERATOR (APG)
DATE = October 1993
This publication specifies a standard to be used by federal organizations that require computer generated pronounceable passwords to authenticate the personal identity of an automated data processing (ADP) system user, and to authorize access to system resources. The standard describes an automated password generation algorithm that randomly creates simple pronounceable syllables as passwords. The password generator accepts input from a random number generator based on the Data Encryption Standard (DES) cryptographic algorithm defined in FIPS PUB 46-2.

FIPS PUB 190 GUIDELINE FOR THE USE OF ADVANCED AUTHENTICATION TECHNOLOGY ALTERNATIVES
DATE = September 1994
This guideline describes the primary alternative methods for verifying the identities of computer system users, and provides recommendations to federal agencies and departments for the acquisition and use of technology which supports these methods.

CRYPTOGRAPHY

FIPS PUB 46-2 DATA ENCRYPTION STANDARD
DATE = December 1993 (Reaffirmed until 1998)
This standard reaffirms the Data Encryption Algorithm (DEA) until 1998 and allows for implementation of the DEA in software, firmware or hardware. The DEA is a mathematical algorithm for encrypting and decrypting binary-coded information.

FIPS PUB 74 GUIDELINES FOR IMPLEMENTING AND USING THE NBS DATA ENCRYPTION STANDARD
DATE = April 1981
This document provides guidance for the use of cryptographic techniques when such techniques are required to protect sensitive or valuable computer data.
For use in conjunction with FIPS PUB 46-2 and FIPS PUB 81.

FIPS PUB 81 DES MODES OF OPERATION
DATE = December 1980
This standard defines four modes of operation for the Data Encryption Standard which may be used in a wide variety of applications. The modes specify how data will be encrypted (cryptographically protected) and decrypted (returned to original form). The modes included in this standard are the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

FIPS PUB 113 STANDARD ON COMPUTER DATA AUTHENTICATION
DATE = May 1985
This standard specifies a Data Authentication Algorithm (DAA) which, when applied to computer data, automatically and accurately detects unauthorized modifications, both intentional and accidental. Based on the Data Encryption Standard (DES), this standard is compatible with the requirements adopted by the Department of the Treasury and the banking community to protect electronic fund transfer transactions.

FIPS PUB 185 ESCROWED ENCRYPTION STANDARD (EES)
DATE = February 1994
This standard specifies a technology developed by the federal government to provide strong encryption protection for unclassified information and to provide that the keys used in the encryption and decryption processes are escrowed.

FIPS PUB 139 INTEROPERABILITY AND SECURITY REQUIREMENTS FOR USE OF THE DATA ENCRYPTION STANDARD IN THE PHYSICAL LAYER OF DATA COMMUNICATIONS
DATE = August 1983
This standard facilitates the interoperation of government data communication facilities, systems, and data that require cryptographic protection using the Data Encryption Standard (DES) algorithm. The standard specifies interoperability and security-related requirements using encryption at the Physical Layer of the ISO Open Systems Interconnection (OSI) Reference Model (International Standard 7498) in the telecommunications systems conveying ADP or narrative text information.
FIPS PUB 140-1 SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
DATE = January 1994
This standard provides specifications for cryptographic modules which can be used within computer and telecommunications systems to protect unclassified information in a variety of different applications.

FIPS PUB 141 INTEROPERABILITY AND SECURITY REQUIREMENTS FOR USE OF THE DATA ENCRYPTION STANDARD WITH CCITT GROUP 3 FACSIMILE EQUIPMENT
DATE = April 1985
This standard specifies interoperability and security-related requirements for use of encryption with International Telegraph and Telephone Consultative Committee (CCITT), Group 3 type facsimile equipment conveying Automatic Data Processing (ADP) and/or narrative text information.

FIPS PUB 171 KEY MANAGEMENT USING ANSI X9.17
DATE = April 1992
This standard specifies a selection of options for the automated distribution of keying material by the federal government when using the protocols of ANSI X9.17. The standard defines procedures for the manual and automated management of keying materials and contains a number of options. The selected options will allow the development of cost-effective systems which will increase the likelihood of interoperability.

FIPS PUB 180-1 SECURE HASH STANDARD
DATE = April 1995
This standard specifies a Secure Hash Algorithm (SHA) which can be used to generate a condensed representation of a message called a message digest. The SHA is required for use with the Digital Signature Algorithm (DSA) as specified in the Digital Signature Standard (DSS) and whenever a secure hash algorithm is required for federal applications. The SHA is used by both the transmitter and intended receiver of a message in computing and verifying a digital signature.

FIPS PUB 186 DIGITAL SIGNATURE STANDARD (DSS)
DATE = May 1994
This standard specifies a Digital Signature Algorithm (DSA) appropriate for applications requiring a digital rather than a written signature.
The DSA digital signature is a pair of large numbers represented in a computer as strings of binary digits. The digital signature is computed using a set of rules (i.e., the DSA) and a set of parameters such that the identity of the signatory and integrity of the data can be verified. The DSA provides the capability to generate and verify signatures.

GENERAL COMPUTER SECURITY

FIPS PUB 31 GUIDELINES FOR ADP PHYSICAL SECURITY AND RISK MANAGEMENT
DATE = June 1974
This document provides guidance to federal organizations in developing physical security and risk management programs for their ADP facilities. Covers security analysis, natural disasters, failure of supporting utilities, system reliability, procedural measures and controls, protection of off-site facilities, contingency plans, security awareness, and security audit. Can be used as a checklist for planning and evaluating security of computer systems.

FIPS PUB 41 COMPUTER SECURITY GUIDELINES FOR IMPLEMENTING THE PRIVACY ACT OF 1974
DATE = May 1975
This publication provides guidance in the selection of technical and related procedural methods for protecting personal data in automated information systems. Discusses categories of risks and the related safeguards for physical security, information management practices, and system controls to improve system security.

FIPS PUB 73 GUIDELINES FOR SECURITY OF COMPUTER APPLICATIONS
DATE = June 1980
This guideline describes the different security objectives for a computer application, explains the control measures that can be used, and identifies the decisions that should be made at each stage in the life cycle of a sensitive computer application. For use in planning, developing and operating computer systems which require protection. Fundamental security controls such as data validation, user identity verification, authorization, journaling, variance detection, and encryption are discussed.
FIPS PUB 88 GUIDELINE ON INTEGRITY ASSURANCE AND CONTROL IN DATABASE ADMINISTRATION
DATE = August 1981
This guideline provides explicit advice on achieving database integrity and security control. Identifies integrity and security problems and discusses procedures and methods which have proven effective in addressing these problems. Provides an explicit, step-by-step procedure for examining and verifying the accuracy and completeness of a database.

FIPS PUB 94 GUIDELINE ON ELECTRICAL POWER FOR ADP INSTALLATIONS
DATE = September 1983
This guideline provides information on factors in the electrical environment that affect the operation of ADP systems. Describes the fundamentals of power, grounding, life-safety, static electricity, and lightning protection requirements, and provides a checklist for evaluating ADP sites.

FIPS PUB 102 GUIDELINE FOR COMPUTER SECURITY CERTIFICATION AND ACCREDITATION
DATE = September 1983
This guideline describes how to establish and carry out a certification and accreditation program for computer security. Certification consists of a technical evaluation of a sensitive system to see how well it meets its security requirements. Accreditation is the official management authorization for the operation of the system and is based on the certification process.

FIPS PUB 188 STANDARD SECURITY LABEL FOR INFORMATION TRANSFER
DATE = September 1994
This standard defines a security label syntax for information exchanged over data networks and provides label encodings for use at the Application and Network Layers of the Open Systems Interconnection (OSI) Reference Model. Security labels convey information used by protocol entities to determine how to handle data communicated between open systems. Information on a security label can be used to control access, specify protective measures, and determine additional handling restrictions required by a communications security policy.
FIPS PUB 191 GUIDELINE FOR THE ANALYSIS OF LOCAL AREA NETWORK SECURITY
DATE = November 1994
This guideline can be used as a tool to help improve the security of a local area network (LAN). A LAN security architecture is described that discusses threats and vulnerabilities that should be examined, as well as security services and mechanisms that should be explored.

FIPS PUB 87 GUIDELINES FOR ADP CONTINGENCY PLANNING
DATE = March 1981
This guideline describes what should be considered when developing a contingency plan for an ADP facility. Provides a suggested structure and format which may be used as a starting point from which to design a plan to fit each specific operation.

PUBLICATION PRICE LIST

PUBLICATION         ORDERING NUMBER       PRICE
SPEC PUB 500-61     PB80-221211           $17.00
SPEC PUB 500-120    PB85-161040           $19.00
SPEC PUB 500-133    PB86-129954           $35.00
SPEC PUB 500-134    PB86-154820           $17.00
SPEC PUB 500-153    PB88-217450           $35.00
SPEC PUB 500-156    PB88-223441           $19.00
SPEC PUB 500-157    PB89-129514           $19.00
SPEC PUB 500-158    PB89-114136           $28.00
SPEC PUB 500-160    PB89-168009           $28.00
SPEC PUB 500-166    PB90-115601           $17.50
SPEC PUB 500-168    PB90-148123           $28.00
SPEC PUB 500-169    PB90-148750           $17.50
SPEC PUB 500-170    PB90-145095           $17.50
SPEC PUB 500-171    PB90-147489           $17.00
SPEC PUB 500-172    SN003-003-02975-1     $2.50
SPEC PUB 500-174    PB90-148784           $17.00
SPEC PUB 500-189    SN003-003-03112-7     $4.25
NIST GCR 93-635     PB94-100880           $19.50
NIST GCR 94-654     PB94-191202           $61.00
SPEC PUB 800-2      PB91-187864           $27.00
SPEC PUB 800-3      PB92-123140           $17.00
SPEC PUB 800-4      SN003-003-03147-0     $6.00
SPEC PUB 800-5      PB93-152049           $17.50
SPEC PUB 800-6      SN003-003-03187-9     $3.25
SPEC PUB 800-7      SN003-003-03276       $19.00
SPEC PUB 800-8      SN003-003-03225       $3.25
SPEC PUB 800-9      SN003-003-03243-2     $4.50
SPEC PUB 800-10     PB95-182275           $19.50
SPEC PUB 800-11     SN003-003-03318-9     $3.25
SPEC PUB 800-12     SN003-003-03374-0     $18.00
SPEC PUB 800-13     SN003-003-03376-6*
SN Numbers - Stocked by GPO
PB Numbers - Stocked by NTIS
*Order number and price not available at time of printing
PUBLICATION         ORDERING NUMBER       PRICE
NBSIR 86-3386       PB86-247897           $19.00
NISTIR 4362         PB90-247446           $35.00
NISTIR 4545         PB91-187740           $17.00
NISTIR 4614         PB91-216671           $26.00
NISTIR 4734         PB92-172030           $19.00
NISTIR 4749         PB92-148261           $19.00
NISTIR 4774         PB92-172022           $17.00
NISTIR 4792         PB92-172816           $26.00
NISTIR 4934         PB93-120731           $17.50
NISTIR 4939         PB93-120699           $17.50
NISTIR 4976         PB93-138956           $17.50
NISTIR 4983         PB93-151579           $36.50
NISTIR 5153         PB93-185999           $17.50
NISTIR 5232         PB93-228682           $19.50
NISTIR 5234         PB94-135001           $27.00
NISTIR 5247         PB94-101854           $27.00
NISTIR 5283         PB94-139649           $17.50
NISTIR 5308         PB94-134897           $17.50
NISTIR 5325         PB94-164373           $17.50
NISTIR 5386         PB94-162583           $19.50
NISTIR 5424         PB94-193653           $27.00
NISTIR 5468         PB94-209459           $27.00
NISTIR 5472         PB94-215746           $19.00
NISTIR 5495         PB95-130985           $27.00
NISTIR 5540         PB95-171955           $19.50
NISTIR 5731         PB995-937304          $36.50**
SN Numbers - Stocked by GPO
PB Numbers - Stocked by NTIS
*Price not available at time of publication.
**Annual subscription (four issues) available from NTIS for $146.00; call (703) 487-4630.

PUBLICATION         ORDERING NUMBER       PRICE
FIPS PUB 31         FIPSPUB 31            $19.50
FIPS PUB 41         FIPSPUB 41            $9.00
FIPS PUB 46-2       FIPSPUB 46-2          $20.50
FIPS PUB 48         FIPSPUB 48            $9.00
FIPS PUB 73         FIPSPUB 73            $19.50
FIPS PUB 74         FIPSPUB 74            $17.50
FIPS PUB 81         FIPSPUB 81            $17.50
FIPS PUB 83         FIPSPUB 83            $17.50
FIPS PUB 87         FIPSPUB 87            $17.50
FIPS PUB 88         FIPSPUB 88            $19.50
FIPS PUB 94         FIPSPUB 94            $27.00
FIPS PUB 102        FIPSPUB 102           $19.50
FIPS PUB 112        FIPSPUB 112           $19.50
FIPS PUB 113        FIPSPUB 113           $17.50
FIPS PUB 139        FIPSPUB 139           $12.50
FIPS PUB 140-1      FIPSPUB 140-1         $22.50
FIPS PUB 141        FIPSPUB 141           $12.50
FIPS PUB 171        FIPSPUB 171           $62.00
FIPS PUB 180-1      FIPSPUB 180-1         $20.50
FIPS PUB 181        FIPSPUB 181           $22.50
FIPS PUB 185        FIPSPUB 185           $17.50
FIPS PUB 186        FIPSPUB 186           $20.50
FIPS PUB 188        FIPSPUB 188           $20.50
FIPS PUB 190        FIPSPUB 190           $20.50
FIPS PUB 191        FIPSPUB 191           $22.50
FIPS available from NTIS