NIST on crypto keys, in IT life cycle security

The National Institute of Standards and Technology has released
a draft version of guidelines for managing cryptographic keys and a
final version of guidance for managing security in the information
technology system life cycle.


NIST released a draft of Special Publication 800-57, titled
'Recommendation for Key Management Part 3:
Application-Specific Key Management Guidance' for public
comment. The publication's first two parts provide guidance
and best practices for managing cryptographic keying material and
policy and security planning requirements. Part 3 focuses on using
systems' cryptographic features.


The publication incorporates some technical information
previously included in Federal Information Processing Standard 180
for secure hash algorithms. The most recent version of that
standard, FIPS 180-3, removed some of that
information because officials could more quickly update it in SP
800-57.


Part 3 is intended primarily to help systems administrators and
installers secure applications using advice based on product
availability and organizational needs. It also supports decisions
about future procurements and includes information for users on the
options they can control during their normal use of applications.
The publication has recommendations for the following applications
and standards:



  • Public-key infrastructures.

  • IP Security.

  • Transport Layer Security.

  • Secure Multipurpose Internet Mail Extensions.

  • Kerberos.

  • Over-the-air rekeying of digital radios.

  • Domain Name System Security Extensions.

  • Encrypting File System.

  • Secure Shell.

  • 802.1X Port-Based Network Access Control.


For each topic, the guidance provides:

  • A brief description of the system.

  • Recommended algorithm suites and key sizes and associated
    security and compliance issues.

  • Recommendations on using the mechanism in its current form to
    protect government information.

  • Security considerations that could alter the effectiveness of
    key-management processes.

  • General recommendations for those making the buying decisions,
    systems installers, systems administrators and end users.

Comments should be e-mailed by Jan. 16, 2009, to ebarker@nist.gov with
'Comments on Draft 800-57, Part 3' in the subject line.


NIST released the second revision of SP 800-64, titled 'Security
Considerations in the System Development Life Cycle,' in its
final version. That publication is intended to help agencies
integrate essential IT security steps into established system
development life cycles (SDLCs). It applies to all federal IT
systems except those related to national security.


'To be most effective, information security must be
integrated into the SDLC from system inception,' the
publication states. 'Early integration of security in the
SDLC enables agencies to maximize return on investment in their
security programs through:



  • Early identification and mitigation of security vulnerabilities
    and misconfigurations, resulting in lower cost of security control
    implementation and vulnerability mitigation.

  • Awareness of potential engineering challenges caused by
    mandatory security controls.

  • Identification of shared security services and reuse of
    security strategies and tools to reduce development cost and
    schedule while improving security posture through proven methods
    and techniques.

  • Facilitation of informed executive decision-making through
    comprehensive risk management in a timely manner.'


The guide provides descriptions of the key security roles and
responsibilities for most information system developments and
includes information about SDLC to help a person who is unfamiliar
with the process understand its relationship to information
security.

'The five-step SDLC cited in this document is an example
of one method of development and is not intended to mandate this
methodology,' the guidance states.


SP 800-64 provides insight into IT projects and initiatives that
are not as clearly defined as SDLC-based developments, including
service-oriented architectures, cross-organization projects and IT
facility developments.


NIST also released a final revision of SP 800-66, titled 'An Introductory
Resource Guide for Implementing the Health Insurance Portability
and Accountability Act (HIPAA) Security Rule.' That
publication seeks to increase understanding of the security terms
and standards used in the HIPAA Security Rule. It also directs
readers to information in other NIST publications on topics the
rule addresses. The publication does not replace the HIPAA Security
Rule.



About the Author

William Jackson is a Maryland-based freelance writer.
