logo

  •   Submit to to del.icio.us   Submit to to digg   submit to to reddit   submit to to StumbleUpon   submit to to Google   Submit to to Yahoo!

Category: news | Posted by Avatar Staff 190 days ago
Via: http://lists.jammed.com | Tags: isn nist revises security guides comments Discuss  






From: InfoSec News <alerts_at_private>




Date: Tue, 1 Jul 2008 01:41:36 -0500 (CDT)






http://www.gcn.com/online/vol1_no1/46561-1.html



By William Jackson

GCN.com

06/30/08 



The National Institute of Standards and Technology has released final 

revisions to three of its 800 series of special publications on 

information technology security.



NIST calls SP 800-79-1 [1], titled "Guidelines for the Accreditation of 

Personal Identity Verification Card Issuers," a substantial improvement 

over the original version.



PIV cards can be used across agencies for physical and logical access. 

They incorporate a common set of identity proofing and issuing 

standards, as well as other technologies. Each agency will be 

responsible for certifying and accrediting the issuer of its cards. 

Certification is the process of assessing the reliability, availability 

and capabilities of the issuer's personnel, equipment, finances and 

support infrastructure. A designated authority within an agency performs 

accreditation -- the management decision to authorize operation.



The agency also released SP 800-53A [2], an addendum to the "Guide for 

Assessing the Security Controls in Federal Information Systems." The 

publication provides comprehensive assessment procedures for the 

security controls spelled out in SP 800-53 and important guidance for 

agencies in building effective security assessment plans.



NIST is charged under the Federal Information Security Management Act 

(FISMA) with developing standards and guidance for implementing IT 

security programs. SP 800-53 is part of a series of documents developed 

for selecting the proper level and types of security controls. The core 

of the series is Federal Information Processing Standard 200, which 

establishes minimum security requirements under FISMA. Once those 

requirements have been met, agencies choose the appropriate set of 

controls from NIST SP 800-53, "Recommended Security Controls for Federal 

Information Systems." SP 800-53A is an addendum that defines the 

framework for conducting mandatory assessments of security controls 

required under FISMA.



Appendix J of SP 800-53A describes supplemental assessment cases that 

agencies can use in that process. An interagency task force is 

developing the assessment cases as part of the Assessment Case 

Development Project, and NIST officials expect to post them on the 

agency's Web site [3] in late July.



NIST has also updated SP 800-67 Version 1.1, titled "Recommendation for 

the Triple Data Encryption Algorithm Block Cipher." SP 800-67 gives 

specifications for TDEA, including its primary cryptographic engine, the 

Data Encryption Algorithm. When properly deployed in a cryptographic 

module that complies with FIPS 140-2, the algorithm can be used to 

protect federal information categorized as sensitive but unclassified.



"This recommendation precisely defines the mathematical steps required 

to cryptographically protect data using TDEA and to subsequently process 

such protected data," the publication states. The revision modifies the 

list of weak keys, correcting two of them. A note states that the actual 

values of the parity bits were ignored when listing the weak and 

semi-weak keys.



Major changes in SP 800-79-1 regarding accreditation of PIV card issuers 

(PCIs) take into account emerging business models, lessons learned from 

past accreditations and directives from the Office of Management and 

Budget. The most significant change is the replacement of "Attributes" 

with an objective set of controls and a methodology for assessing the 

capability and reliability of issuers.



The accreditation methodology consists of:



    * Deriving PCI controls from requirements in FIPS 201-1, OMB 

      memoranda and other documents.

    * Putting the controls into the context of hierarchical concepts 

      such as PCI Accreditation Topics and PCI Accreditation Focus 

      Areas.

    * Developing assessment methods for each PCI control that will 

      assess conformance to those underlying requirements.

    * Guidance for evaluating assessments in order to make an 

      accreditation decision.



[1] http://csrc.nist.gov/publications/nistpubs/800-79-1/SP800-79-1.pdf

[2] http://csrc.nist.gov/publications/nistpubs/800-53-Rev2/sp800-53-rev2-final.pdf

[3] http://csrc.nist.gov/sec-cert

[4] http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf



Copyright 1996-2008 1105 Media, Inc. All Rights Reserved.





_______________________________________________      

Attend Black Hat USA, August 2-7 in Las Vegas, 

the world's premier technical event for ICT security experts.

Featuring 40 hands-on training courses and 80 Briefings 

presentations with lots of new content and new tools.

Network with 4,000 delegates from 50 nations.  

Visit product displays by 30 top sponsors in 

a relaxed setting. http://www.blackhat.com



Received on Mon Jun 30 2008 - 23:41:36 PDT
addto Add this link to... report Bury 


Comments Who Voted Related Links
Copyright 2005-2008 Best of Security