C S R C - Services for the Federal Agencies

Search CSRC:

CSD Publications:
   - Draft Publications
   - Special Publications
   - FIPS Pubs
   - ITL Security Bulletins
   - NIST IRs

CSD Focus Areas:
   - Cryptographic Standards
       & Application
   - Security Testing
   - Security Research /
       Emerging Technologies
   - Security Management
       & Assistance

General Information:
   - Site Map
   - List of Acronyms
   - Archived Projects
        & Conferences
   - Virus Information
   - National Vulnerability
        Database

News & Events
   - Federal News
   - Security Events

Services For the:
   - Federal Community
   - Vendor
   - User
   - Small/Medium
     Businesses

Links & Organizations
   - Academic
   - Government
   - Professional
   - Additional Links

NIST's National
Vulnerability Database:

Of particular interest to Government Agencies
Federal organizations may be particularly interested in the following NIST security programs and services. These are grouped by: 1) security policies, standards and guidelines; 2) security validated products, 3) training and education, and 4) collaborative work and services.

Security Policies

Standards - Under its statutory responsibilities, NIST develops standards and guidelines to protect sensitive federal systems. Some of these standards, formally known as Federal Information Processing Standards (FIPS) have been made mandatory for Federal use by the Secretary of Commerce. This is particularly true for those in the area of cryptography. Examples include the Advanced Encryption Standard (FIPS 197) and the Digital Signature Standard (FIPS 186-2). Contact: Elaine Barker

Guidelines - NIST also develops guidelines in an array of technical (e.g., public key infrastructure (SP 800-25), PBX security (SP 800-24)) and security management topics (e.g., security planning, use of tested products). Contact: Tim Grance and/or Elizabeth Chew .

ITL Bulletins - ITL Bulletins are published by NIST's Information Technology Laboratory, of which the Computer Security Division is a component. Many of these bulletins address security topics, typically about six per year. Each presents an in-depth discussion of a single topic of significant interest to the information systems community. Contact: Tim Grance

Policies - NIST maintains a listing of Federal security policies applicable to sensitive systems. For example, this includes the Federal Information Security Management Act of 2002, OMB Circular A-130 & Appendix III, Security of Federal Automated Information Resources, and OMB Guidance on Implementing the Government Information Security Reform Act. Contact: Marianne Swanson

Security Validated Products

Validated Products - NIST operates security testing programs for IT products: the Cryptographic Module Validation Program (CMVP). A list of validated products is available at the CMVP page.

The Cryptographic Module Validation Program, jointly led by NIST and the Government of Canada's Communications Security Establishment, provides for the voluntary testing of cryptographic modules (both hardware and software). Testing is conducted against the security specifications detailed in Security Requirements for Cryptographic Modules. Testing is also conducted to help assure the correct implementation of specific cryptographic algorithms approved to protect sensitive information in the Federal government. Within the Federal government, use of cryptographic modules that have been validated under the CMVP has been made mandatory. Note that cryptographic modules are not typically sold directly to consumers but are integrated into commercially available products. Contact: Ray Snouffer

Training and Education

Computer Security Resource Center - This site contains information about a variety of computer security issues, products, and research of concern to Federal agencies, industry, and users. This site is operated and maintained by NIST's Computer Security Division as a service to the computer security and IT community. Contact: William Barker

Software Vulnerability & Patch Information - NIST provides an on-line searchable index of information on computer vulnerabilities known as ICAT. It provides search capability at a fine granularity and links users to vulnerability and patch information. This tool can help agencies ensure that their software is patched and protected against widely known vulnerabilities. Contact: Vincent Hu

Details at NIST - Opportunities are available at NIST for 6 to 24 month long details at NIST in the security program. Qualified individuals should contact the Computer Security Division and provide a statement of qualifications and indicate the area of work that is of interest. Generally speaking, the salary costs are borne by the sponsoring agency; however, in some cases, agency salary costs may be reimbursed by NIST. Contact: William Barker

Collaborative Work and Services

Security Research - NIST occasionally undertakes security work, primarily in the area of research, funded by other agencies. Such sponsored work is accepted by NIST when it can cost-effectively furthers the goals of NIST and the sponsoring institution. Contact: Tim Grance

Program Review for Information Security Management Assistance (PRISMA) - The NIST Program Review for Information Security Management Assistance (PRISMA) is an new capability which builds upon NIST's former Computer Security Expert Assistance (CSEAT) Team function and has been revised to include more review options and incorporate guidance contained in Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The PRISMA is based upon existing federal directives including the Federal Information Security Management Act (FISMA), NIST guidance and other proven techniques and recognized best practices in the area of information security. Contact: Elizabeth Chew

Federal Computer Security Program Managers' Forum -

The Forum is an informal group sponsored and chaired by NIST to promote the sharing of computer security information among federal agencies. The Forum discusses current issues and developments of interest to those responsible for protecting sensitive (unclassified) systems. Half-day meetings of the Forum are held bi-monthly in the Washington, DC area (often at the NIST campus in Gaithersburg, Maryland). Forum meetings typically include briefings on topics of general interest to the federal community and provide time for informal sharing of information and requests for assistance regarding the security of federal systems. The Forum also supports the Federal Agency Security Practices (FASP) website. The FASP site contains federal agency policies, procedures and practices, the Federal Chief Information Officers' Council pilot Best Security Practices (BSPs) and a Frequently-Asked-Questions (FAQ) section. The FAQ section is comprised of questions and answers on computer security related issues between the members of the Forum. Contact: Marianne Swanson

Last updated: October 26, 2006
Page created: February 23, 2001

Disclaimer Notice & Privacy Policy
Send comments or suggestions to CSRC webmaster
NIST is an Agency of the U.S. Commerce Department's Technology Administration