Federal organizations may be particularly interested in the following NIST security programs and services. These are grouped by: 1) security policies, standards and guidelines; 2) security validated products; 3) training and education; and 4) collaborative work and services.
Security Policies
- Standards - Under its statutory responsibilities, NIST develops standards and guidelines to protect sensitive federal systems. Some of these standards, formally known as Federal Information Processing Standards (FIPS), have been made mandatory for Federal use by the Secretary of Commerce. This is particularly true for those in the area of cryptography. Examples include the Advanced Encryption Standard (FIPS 197) and the Digital Signature Standard (FIPS 186-2). Contact: Elaine Barker
- Guidelines - NIST also develops guidelines in an array of technical (e.g., public key infrastructure (SP 800-25), PBX security (SP 800-24)) and security management topics (e.g., security planning, use of tested products). Contact: Tim Grance and/or Elizabeth Chew.
- ITL Bulletins - ITL Bulletins are published by NIST's Information Technology Laboratory, of which the Computer Security Division is a component. Many of these bulletins address security topics, typically about six per year. Each presents an in-depth discussion of a single topic of significant interest to the information systems community. Contact: Tim Grance
- Policies - NIST maintains a listing of Federal security policies applicable to sensitive systems. For example, this includes the Federal Information Security Management Act of 2002; OMB Circular A-130 & Appendix III, Security of Federal Automated Information Resources; and OMB Guidance on Implementing the Government Information Security Reform Act. Contact: Marianne Swanson
Security Validated Products
- Validated Products - NIST operates security testing programs for IT products: the Cryptographic Module Validation Program (CMVP). A list of validated products is available at the CMVP page.
- The Cryptographic Module Validation Program, jointly led by NIST and the Government of Canada's Communications Security Establishment, provides for the voluntary testing of cryptographic modules (both hardware and software). Testing is conducted against the security specifications detailed in Security Requirements for Cryptographic Modules. Testing is also conducted to help assure the correct implementation of specific cryptographic algorithms approved to protect sensitive information in the Federal government. Within the Federal government, use of cryptographic modules that have been validated under the CMVP has been made mandatory. Note that cryptographic modules are not typically sold directly to consumers but are integrated into commercially available products. Contact: Ray Snouffer
Training and Education
- Computer Security Resource Center - This site contains information about a variety of computer security issues, products, and research of concern to Federal agencies, industry, and users. This site is operated and maintained by NIST's Computer Security Division as a service to the computer security and IT community. Contact: William Barker
- Software Vulnerability & Patch Information - NIST provides an on-line searchable index of information on computer vulnerabilities known as ICAT. It provides search capability at a fine granularity and links users to vulnerability and patch information. This tool can help agencies ensure that their software is patched and protected against widely known vulnerabilities. Contact: Vincent Hu
- Details at NIST - Opportunities are available at NIST for 6 to 24 month long details at NIST in the security program. Qualified individuals should contact the Computer Security Division and provide a statement of qualifications and indicate the area of work that is of interest. Generally speaking, the salary costs are borne by the sponsoring agency; however, in some cases, agency salary costs may be reimbursed by NIST. Contact: William Barker
Collaborative Work and Services
- Security Research - NIST occasionally undertakes security work, primarily in the area of research, funded by other agencies. Such sponsored work is accepted by NIST when it cost-effectively furthers the goals of NIST and the sponsoring institution. Contact: Tim Grance
- Program Review for Information Security Management Assistance (PRISMA) - The NIST Program Review for Information Security Management Assistance (PRISMA) is a new capability that builds upon NIST's former Computer Security Expert Assistance Team (CSEAT) function and has been revised to include more review options and incorporate guidance contained in Special Publication 800-53, Recommended Security Controls for Federal Information Systems. PRISMA is based upon existing federal directives including the Federal Information Security Management Act (FISMA), NIST guidance, and other proven techniques and recognized best practices in the area of information security. Contact: Elizabeth Chew
- Federal Computer Security Program Managers' Forum - The Forum is an informal group sponsored and chaired by NIST to promote the sharing of computer security information among federal agencies. The Forum discusses current issues and developments of interest to those responsible for protecting sensitive (unclassified) systems. Half-day meetings of the Forum are held bi-monthly in the Washington, DC area (often at the NIST campus in Gaithersburg, Maryland). Forum meetings typically include briefings on topics of general interest to the federal community and provide time for informal sharing of information and requests for assistance regarding the security of federal systems. The Forum also supports the Federal Agency Security Practices (FASP) website. The FASP site contains federal agency policies, procedures and practices, the Federal Chief Information Officers' Council pilot Best Security Practices (BSPs), and a Frequently Asked Questions (FAQ) section. The FAQ section consists of questions and answers on computer security related issues exchanged between the members of the Forum. Contact: Marianne Swanson
Last updated:
October 26, 2006
Page created: February 23, 2001