NIST

From The Secure Arc Wiki

The following summary is taken from the NIST website and is reproduced in accordance with the NIST disclaimer requirements:

NIST (National Institute of Standards and Technology) is a non-regulatory agency of the United States Department of Commerce. The institute's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life. The department within NIST that provides security-related resources is the CSRC (Computer Security Resource Center).

The following information gives a brief account of the relevant NIST standards. Each requirement of the standards is broken down further into more specific sub-requirements that can be mapped back to both the Security Principles that drive them and the Design Patterns that satisfy them.

Standards Outline

  • FIPS (Federal Information Processing Standard)
    • FIPS 201-1 Personal Identity Verification (PIV) of Federal Employees and Contractors
    • FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
    • FIPS 199 Standards for Security Categorization of Federal Information and Information Systems
    • FIPS 198-1 DRAFT The Keyed-Hash Message Authentication Code (HMAC)
    • FIPS 198 The Keyed-Hash Message Authentication Code (HMAC)
    • FIPS 197 Advanced Encryption Standard
    • FIPS 196 Entity Authentication Using Public Key Cryptography
    • FIPS 191 Guideline for The Analysis of Local Area Network Security
    • FIPS 190 Guideline for the Use of Advanced Authentication Technology Alternatives
    • FIPS 188 Standard Security Label for Information Transfer
    • FIPS 186-3 Appendices DRAFT RSA Strong Primes - Digital Signature Standard (DSS)
    • FIPS 186-3 DRAFT Digital Signature Standard (DSS)
    • FIPS 186-2 Digital Signature Standard (DSS)
    • FIPS 185 Escrowed Encryption Standard
    • FIPS 181 Automated Password Generator
    • FIPS 180-3 DRAFT Secure Hash Standard (SHS)
    • FIPS 180-2 Secure Hash Standard (SHS)
    • FIPS 140-3 DRAFT Security Requirements for Cryptographic Modules
    • FIPS 140-2 Security Requirements for Cryptographic Modules
    • FIPS 140-1 Security Requirements for Cryptographic Modules
    • FIPS 113 Computer Data Authentication (no electronic version available)
  • Special Publications
    • SP 800-115 DRAFT Technical Guide to Information Security Testing
    • SP 800-114 User's Guide to Securing External Devices for Telework and Remote Access
    • SP 800-113 DRAFT Guide to SSL VPNs
    • SP 800-111 Guide to Storage Encryption Technologies for End User Devices
    • SP 800-110 DRAFT Information System Security Reference Data Model
    • SP 800-107 DRAFT Recommendation for Using Approved Hash Algorithms
    • SP 800-106 DRAFT Randomized Hashing Digital Signatures
    • SP 800-104 A Scheme for PIV Visual Card Topography
    • SP 800-103 DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation
    • SP 800-101 Guidelines on Cell Phone Forensics
    • SP 800-100 Information Security Handbook: A Guide for Managers
    • SP 800-98 Guidelines for Securing Radio Frequency Identification (RFID) Systems
    • SP 800-97 Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
    • SP 800-96 PIV Card to Reader Interoperability Guidelines
    • SP 800-95 Guide to Secure Web Services
    • SP 800-94 Guide to Intrusion Detection and Prevention Systems (IDPS)
    • SP 800-92 Guide to Computer Security Log Management
    • SP 800-90 Recommendation for Random Number Generation Using Deterministic Random Bit Generators
    • SP 800-89 Recommendation for Obtaining Assurances for Digital Signature Applications
    • SP 800-88 Guidelines for Media Sanitization
    • SP 800-87 Codes for the Identification of Federal and Federally Assisted Organizations
    • SP 800-86 Guide to Integrating Forensic Techniques into Incident Response
    • SP 800-85B PIV Data Model Test Guidelines
    • SP 800-85A PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 compliance)
    • SP 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
    • SP 800-83 Guide to Malware Incident Prevention and Handling
    • SP 800-82 DRAFT Guide to Industrial Control Systems (ICS) Security
    • SP 800-81 Secure Domain Name System (DNS) Deployment Guide
    • SP 800-80 DRAFT Guide for Developing Performance Metrics for Information Security
    • SP 800-79 Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations
    • SP 800-78-1 Cryptographic Algorithms and Key Sizes for Personal Identity Verification
    • SP 800-77 Guide to IPsec VPNs
    • SP 800-76-1 Biometric Data Specification for Personal Identity Verification
    • SP 800-73-2 DRAFT Interfaces for Personal Identity Verification (4 parts):
      • 1- End-Point PIV Card Application Namespace, Data Model and Representation
      • 2- End-Point PIV Card Application Interface
      • 3- End-Point PIV Client Application Programming Interface
      • 4- The PIV Transitional Data Model and Interfaces
    • SP 800-73-1 Interfaces for Personal Identity Verification
    • SP 800-72 Guidelines on PDA Forensics
    • SP 800-70 Security Configuration Checklists Program for IT Products: Guidance for Checklists Users and Developers
    • SP 800-69 Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
    • SP 800-68 Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
    • SP 800-67 Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
    • SP 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
    • SP 800-65 Integrating IT Security into the Capital Planning and Investment Control Process
    • SP 800-64 Rev.1 Security Considerations in the Information System Development Life Cycle
    • SP 800-63 Version 1.0.2 Electronic Authentication Guideline
    • SP 800-61 Rev. 1 DRAFT Computer Security Incident Handling Guide
    • SP 800-61 Computer Security Incident Handling Guide
    • SP 800-60 Rev. 1 DRAFT Guide for Mapping Types of Information and Information Systems to Security Categories (2 volumes):
      • Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories
      • Volume 2: Appendices
    • SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories
    • SP 800-59 Guideline for Identifying an Information System as a National Security System
    • SP 800-58 Security Considerations for Voice Over IP Systems
    • SP 800-57 Recommendation for Key Management
    • SP 800-56A Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
    • SP 800-55 Rev. 1 DRAFT Performance Measurement Guide for Information Security
    • SP 800-55 Security Metrics Guide for Information Technology Systems
    • SP 800-54 Border Gateway Protocol Security
    • SP 800-53 Rev. 2 Recommended Security Controls for Federal Information Systems
    • SP 800-53 Rev.1 Recommended Security Controls for Federal Information Systems
    • SP 800-53A DRAFT Guide for Assessing the Security Controls in Federal Information Systems
    • SP 800-52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
    • SP 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme
    • SP 800-50 Building an Information Technology Security Awareness and Training Program
    • SP 800-49 Federal S/MIME V3 Client Profile
    • SP 800-48 Rev. 1 DRAFT Wireless Network Security for IEEE 802.11a/b/g and Bluetooth
    • SP 800-48 Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
    • SP 800-47 Security Guide for Interconnecting Information Technology Systems
    • SP 800-46 Security for Telecommuting and Broadband Communications
    • SP 800-45 Version 2 Guidelines on Electronic Mail Security
    • SP 800-44 Version 2 Guidelines on Securing Public Web Servers
    • SP 800-43 Systems Administration Guidance for Windows 2000 Professional System
    • SP 800-42 Guideline on Network Security Testing
    • SP 800-41 Guidelines on Firewalls and Firewall Policy
    • SP 800-40 Version 2.0 Creating a Patch and Vulnerability Management Program
    • SP 800-39 DRAFT Managing Risk from Information Systems: An Organizational Perspective
    • SP 800-38A Recommendation for Block Cipher Modes of Operation: Methods and Techniques
    • SP 800-38B Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
    • SP 800-38C Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality
    • SP 800-38D Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
    • SP 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
    • SP 800-36 Guide to Selecting Information Technology Security Products
    • SP 800-35 Guide to Information Technology Security Services
    • SP 800-34 Contingency Planning Guide for Information Technology Systems
    • SP 800-33 Underlying Technical Models for Information Technology Security
    • SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure
    • SP 800-30 Risk Management Guide for Information Technology Systems
    • SP 800-29 A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
    • SP 800-28 Version 2 DRAFT Guidelines on Active Content and Mobile Code
    • SP 800-28 Guidelines on Active Content and Mobile Code
    • SP 800-27 Rev. A Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
    • SP 800-25 Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
    • SP 800-24 PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
    • SP 800-23 Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
    • SP 800-22 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
    • SP 800-21 2nd edition Guideline for Implementing Cryptography in the Federal Government
    • SP 800-20 Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS): Requirements and Procedures
    • SP 800-19 Mobile Agent Security
    • SP 800-18 Rev.1 Guide for Developing Security Plans for Federal Information Systems
    • SP 800-17 Modes of Operation Validation System (MOVS): Requirements and Procedures
    • SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model
    • SP 800-15 Version 1 MISPC Minimum Interoperability Specification for PKI Components
    • SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
    • SP 800-13 Telecommunications Security Guidelines for Telecommunications Management Network
    • SP 800-12 An Introduction to Computer Security: The NIST Handbook


Standard Practice

The NIST standards suggest an approach to managing various technical aspects of a security operation within an organisation. These practices will map directly into the Security Principles.

Licensing and Documentation

The license associated with the NIST standards does not permit public distribution or reproduction; however, they can be downloaded for personal or business use directly from the NIST CSRC website.

A high-level outline has been taken from Wikipedia.
