
    NIST revises IT security guides

    The National Institute of Standards and Technology has released
    final revisions to three of its 800 series of special publications
    on information technology security.


    NIST calls SP 800-79-1, titled "Guidelines
    for the Accreditation of Personal Identity Verification Card
    Issuers," a substantial improvement over the original
    version.


    PIV cards can be used across agencies for physical and logical
    access. They incorporate a common set of identity proofing and
    issuing standards, as well as other technologies. Each agency will
    be responsible for certifying and accrediting the issuer of its
    cards. Certification is the process of assessing the reliability,
    availability and capabilities of the issuer's personnel,
    equipment, finances and support infrastructure. A designated
    authority within an agency performs accreditation, the
    management decision to authorize operation.


    The agency also released SP 800-53A, an addendum to the
    "Guide for Assessing the Security Controls in Federal
    Information Systems." The publication provides comprehensive
    assessment procedures for the security controls spelled out in SP
    800-53 and important guidance for agencies in building effective
    security assessment plans.


    NIST is charged under the Federal Information Security
    Management Act (FISMA) with developing standards and guidance for
    implementing IT security programs. SP 800-53 is part of a series of
    documents developed for selecting the proper level and types of
    security controls. The core of the series is Federal Information
    Processing Standard 200, which establishes minimum security
    requirements under FISMA. Once those requirements have been met,
    agencies choose the appropriate set of controls from NIST SP
    800-53, "Recommended Security Controls for Federal
    Information Systems." SP 800-53A is an addendum that defines
    the framework for conducting mandatory assessments of security
    controls required under FISMA.


    Appendix J of SP 800-53A describes supplemental assessment cases
    that agencies can use in that process. An interagency task force is
    developing the assessment cases as part of the Assessment Case
    Development Project, and NIST officials expect to post them on the
    agency's Web site in late July.


    NIST has also updated SP 800-67 Version 1.1, titled
    "Recommendation for the Triple Data Encryption Algorithm
    Block Cipher." SP 800-67 gives specifications for TDEA,
    including its primary cryptographic engine, the Data Encryption
    Algorithm. When properly deployed in a cryptographic module that
    complies with FIPS 140-2, the algorithm can be used to protect
    federal information categorized as sensitive but unclassified.


    "This recommendation precisely defines the mathematical
    steps required to cryptographically protect data using TDEA and to
    subsequently process such protected data," the publication
    states. The revision modifies the list of weak keys, correcting two
    of them. A note states that the actual values of the parity bits
    were ignored when listing the weak and semi-weak keys.
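    The note about parity bits matters in practice: the low bit of each key byte is a parity bit that does not affect the DEA key schedule, so a key should be compared against the weak-key list on its 56 effective bits, not on all 64. The following Python is an added illustration written for this page, not code from NIST or from the publication; the weak and semi-weak key values are the well-known DES lists, and the sample key bundle at the bottom is constructed for the demonstration. It checks each component of a TDEA key bundle against those lists with parity masked off, and separately reports keys whose parity bits are wrong.

```python
"""Check TDEA/DES component keys against the weak and semi-weak key lists
while ignoring parity bits, the same convention SP 800-67 uses when it
lists those keys. Added example; key lists are the standard DES values,
sample inputs are constructed."""

# The four DES weak keys and the twelve semi-weak keys, written with
# correct odd parity in every byte (the low bit of each byte is parity).
WEAK_KEYS = [
    "0101010101010101",
    "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1",
    "1F1F1F1F0E0E0E0E",
]
SEMI_WEAK_KEYS = [
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
]


def strip_parity(key: bytes) -> bytes:
    """Clear the parity (least significant) bit of each byte, leaving the
    56 bits that actually select the DEA key schedule."""
    return bytes(b & 0xFE for b in key)


# Compare on the 56 effective bits only, so a key whose parity bits are
# wrong or have been zeroed still matches its weak-key entry.
_WEAK_56 = {strip_parity(bytes.fromhex(k)) for k in WEAK_KEYS}
_SEMI_WEAK_56 = {strip_parity(bytes.fromhex(k)) for k in SEMI_WEAK_KEYS}


def classify_key(key: bytes) -> str:
    """Return 'weak', 'semi-weak' or 'ok' for one 8-byte DEA key."""
    if len(key) != 8:
        raise ValueError("a DEA key is exactly 8 bytes")
    eff = strip_parity(key)
    if eff in _WEAK_56:
        return "weak"
    if eff in _SEMI_WEAK_56:
        return "semi-weak"
    return "ok"


def has_odd_parity(key: bytes) -> bool:
    """True when every byte has an odd number of set bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Rewrite each byte so it has odd parity, as the DES key format requires."""
    out = bytearray()
    for b in key:
        ones_in_high7 = bin(b & 0xFE).count("1")
        # Set the low bit only when the upper seven bits hold an even count of ones.
        out.append((b & 0xFE) | (0 if ones_in_high7 % 2 else 1))
    return bytes(out)


def check_tdea_bundle(bundle: bytes) -> list:
    """Check a 24-byte TDEA key bundle (K1 || K2 || K3) component by component.
    Returns a list of problems; an empty list means nothing was flagged."""
    if len(bundle) != 24:
        raise ValueError("a TDEA key bundle is exactly 24 bytes")
    problems = []
    for i in range(3):
        k = bundle[8 * i: 8 * i + 8]
        verdict = classify_key(k)
        if verdict != "ok":
            problems.append(f"K{i + 1} is a {verdict} key")
        if not has_odd_parity(k):
            problems.append(f"K{i + 1} has a parity error")
    return problems


if __name__ == "__main__":
    # Constructed sample: K1 is the all-zero key (weak once parity is ignored),
    # K2 is a semi-weak key, K3 is an ordinary test value with valid parity.
    sample = bytes.fromhex("0000000000000000" "01FE01FE01FE01FE" "0123456789ABCDEF")
    for line in check_tdea_bundle(sample):
        print(line)
```

    The all-zero K1 above is the case the parity note is about: it does not appear in any list as written, but after masking the parity bits it is identical to the weak key 0101...01, so a check that compared all 64 bits would miss it.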


    Major changes in SP 800-79-1 regarding accreditation of PIV card
    issuers (PCIs) take into account emerging business models, lessons
    learned from past accreditations and directives from the Office of
    Management and Budget. The most significant change is the
    replacement of "Attributes" with an objective set of controls and a
    methodology for assessing the capability and reliability of
    issuers.


    The accreditation methodology consists of:



    • Deriving PCI controls from requirements in FIPS 201-1, OMB
      memoranda and other documents.

    • Putting the controls into the context of hierarchical concepts
      such as PCI Accreditation Topics and PCI Accreditation Focus
      Areas.

    • Developing assessment methods for each PCI control that will
      assess conformance to those underlying requirements.

    • Providing guidance for evaluating assessments in order to make an
      accreditation decision.


