INSTITUTE FOR COMPUTER SCIENCES AND TECHNOLOGY
NATIONAL BUREAU OF STANDARDS
GAITHERSBURG, MARYLAND 20899


The Institute for Computer Sciences and Technology is a center of
technical expertise in information technology.  While ICST focuses
primarily on helping the Federal government make effective use of
computers and information technology, ICST products, services, and
technical support are used by the private sector and all levels of
government as well.

ICST's major activities are:

       o  determining requirements for and participating in the
          development of national and international voluntary industry
          standards for computer products and services;

       o  developing testing methodologies to support the development
          and implementation of standards;

       o  developing guidelines, technology forecasts, and other
          products to aid in the effective management and application of
          computers;

       o  disseminating and exchanging information with Federal, State
          and local governments, industry, professional, and research
          organizations on computer use and standards needs;

       o  providing technical support for the development of government
          policies in information technology;

       o  providing direct technical assistance to Federal agencies on a
          cost reimbursable basis;

       o  carrying out applied research and development, often in
          cooperation with other government agencies and with industry.


COMPUTER SECURITY ACTIVITIES

Computer security is a critical component of the overall management of
computers.  Losses of confidentiality, integrity, and availability of
computer data and processing resources can result from both accidental
and intentional events.  Working with users and industry to determine
their requirements for computer security guidance and standards, ICST
identifies and develops cost-effective methods to protect computers and
data against all types of losses.  These methods include both automated
techniques that are integrated into computers and terminals as well as
sound management practices.  ICST products include guidance, standards,
technical reports, conferences, teleconferences, workshops, advice, and
technical support activities.

HOW TO ORDER PUBLICATIONS

These publications are available through the Government Printing Office
(GPO) and the National Technical Information Service (NTIS).  The
source and price for each publication are indicated.  Orders for
publications should include title of publication, NBS publication
number (Spec. Pub. 000, Tech. Note 000, etc.) and NTIS or GPO number.
You may order at the price listed; however, prices are subject
to change without notice.

Submit payment in the form of postal money order, express money order
or check made out to the Superintendent of Documents for GPO-stocked
documents or to the National Technical Information Service for NTIS-
stocked documents.

Mailing addresses are:

                               Superintendent of Documents
                               U.S. Government Printing Office
                               Washington, DC  20402

                               National Technical Information Service
                               5285 Port Royal Road
                               Springfield, VA  22161

Telephone numbers for information are:

                               GPO Order Desk          (202) 783-3238
                               NTIS Orders             (703) 487-4780
                               NTIS Information        (703) 487-4600


FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATIONS (FIPS)


Federal Information Processing Standards Publications (FIPS PUBS) are
developed by the Institute for Computer Sciences and Technology (ICST)
and issued under the provisions of the Federal Property and
Administrative Services Act of 1949, as amended; Public Law 89-306 (79
Stat. 1127); Executive Order 11717 (38 FR 12315); and Part 6 of Title
15 of the Code of Federal Regulations (CFR).

FIPS PUBS are sold by the National Technical Information Service
(NTIS), U.S. Department of Commerce.  A list of current FIPS covering
all ICST program areas is available from:

                       Standards Processing Coordinator (ADP)
                       Institute for Computer Sciences and Technology
                       Technology Building, B-64
                       National Bureau of Standards
                       Gaithersburg, MD  20899
                       Phone:  (301) 975-2817
FIPS PUB 31 GUIDELINES FOR ADP PHYSICAL SECURITY AND RISK
MANAGEMENT
June 1974

Provides guidance to Federal organizations in
developing physical security and risk management
programs for their ADP facilities.  Covers security
analysis, natural disasters, failure of supporting
utilities, system reliability, procedural measures
and controls, protection of off-site facilities,
contingency plans, security awareness, and security
audit.  Can be used as a checklist for planning and
evaluating security of computer systems.
FIPS PUB 39 GLOSSARY FOR COMPUTER SYSTEMS SECURITY
February 1974

A reference document containing approximately 170
terms and definitions pertaining to privacy and
computer security.
FIPS PUB 41 COMPUTER SECURITY GUIDELINES FOR IMPLEMENTING THE
PRIVACY ACT OF 1974
May 1975

Provides guidance in the selection of technical and
related procedural methods for protecting personal
data in automated information systems.  Discusses
categories of risks and the related safeguards for
physical security, information management
practices, and system controls to improve system
security.

FIPS PUB 46 DATA ENCRYPTION STANDARD
January 1977

Specifies an algorithm to be implemented in
electronic hardware devices and used for the
cryptographic protection of sensitive, but
unclassified, computer data.  The algorithm
uniquely defines the mathematical steps required to
transform computer data into a cryptographic cipher
and the steps required to transform the cipher back
to its original form.
FIPS PUB 48 GUIDELINES ON EVALUATION OF TECHNIQUES FOR
AUTOMATED PERSONAL IDENTIFICATION
April 1977

Discusses the performance of personal
identification devices, how to evaluate them and
considerations for their use within the context of
computer system security.
FIPS PUB 65 GUIDELINE FOR AUTOMATIC DATA PROCESSING RISK
ANALYSIS
August 1979

Presents a technique for conducting a risk analysis
of an ADP facility and related assets.  Provides
guidance on collecting, quantifying, and analyzing
data related to the frequency of occurrence and the
damage caused by adverse
events.  This guideline describes the
characteristics and attributes of a computer system
that must be known for a risk analysis and gives an
example of the risk analysis process.
FIPS PUB 73 GUIDELINES FOR SECURITY OF COMPUTER APPLICATIONS
June 1980

Describes the different security objectives for a
computer application, explains the control measures
that can be used, and identifies the decisions that
should be made at each stage in the life cycle of a
sensitive computer application.  For use in
planning, developing and operating computer systems
which require protection.  Fundamental security
controls such as data validation, user identity
verification, authorization, journalling, variance
detection, and encryption are discussed.





FIPS PUB 74 GUIDELINES FOR IMPLEMENTING AND USING THE NBS DATA
ENCRYPTION STANDARD
April 1981

Provides guidance for the use of cryptographic
techniques when such techniques are required to
protect sensitive or valuable computer data.  For
use in conjunction with FIPS PUB 46 and FIPS PUB
81.
FIPS PUB 81 DES MODES OF OPERATION
December 1980

Defines four modes of operation for the Data
Encryption Standard which may be used in a wide
variety of applications.  The modes specify how
data will be encrypted (cryptographically
protected) and decrypted
(returned to original form).  The modes included in
this standard are the Electronic Codebook (ECB)
mode, the Cipher Block Chaining (CBC) mode, the
Cipher Feedback (CFB) mode, and the Output Feedback
(OFB) mode.
FIPS PUB 83 GUIDELINE ON USER AUTHENTICATION TECHNIQUES FOR
COMPUTER NETWORK ACCESS CONTROL
September 1980

Provides guidance in the selection and
implementation of techniques for authenticating the
users of remote terminals in order to safeguard
against unauthorized access to computers and
computer networks.  Describes use of passwords,
identification tokens, verification by means of
personal attributes, identification of remote
devices, role of encryption in network access
control, and computerized authorization techniques.
FIPS PUB 87 GUIDELINES FOR ADP CONTINGENCY PLANNING
March 1981

Describes what should be considered when developing
a contingency plan for an ADP facility.  Provides a
suggested structure and format which may be used as
a starting point from which to design a plan to fit
each specific operation.





FIPS PUB 88 GUIDELINE ON INTEGRITY ASSURANCE AND CONTROL IN
DATABASE APPLICATIONS
August 1981

Provides explicit advice on achieving database
integrity and security control. Identifies
integrity and security problems and discusses
procedures and methods which have proven effective
in addressing these problems.  Provides an
explicit, step-by-step procedure for examining and
verifying the accuracy and completeness of a
database.
FIPS PUB 94 GUIDELINE ON ELECTRICAL POWER FOR ADP INSTALLATIONS
September 1982

Provides information on factors in the electrical
environment that affect the operation of ADP
systems.  Describes the fundamentals of power,
grounding, life-safety, static electricity, and
lightning protection requirements, and provides a
checklist for evaluating ADP sites.
FIPS PUB 102 GUIDELINE FOR COMPUTER SECURITY CERTIFICATION AND
ACCREDITATION
September 1983

Describes how to establish and how to carry out a
certification and accreditation program for
computer security.  Certification consists of a
technical evaluation of a sensitive system to see
how well it meets its security requirements.
Accreditation is the official management
authorization for the operation of the system and
is based on the certification process.
FIPS PUB 112 STANDARD ON PASSWORD USAGE
May 1985

This standard defines ten factors to be considered
in the design, implementation and use of access
control systems that are based on passwords.  It
specifies minimum security criteria for such
systems and provides guidance for selecting
additional security criteria for password systems
which must meet higher security requirements.





FIPS PUB 113 STANDARD ON COMPUTER DATA AUTHENTICATION
May 1985

This standard specifies a Data Authentication
Algorithm (DAA) which, when applied to computer
data, automatically and accurately detects
unauthorized modifications, both intentional and
accidental.  Based on the Data Encryption Standard
(DES), this standard is compatible with
requirements adopted by the Department of Treasury
and the banking community to protect electronic
fund transfer transactions.
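The four FIPS PUB 81 modes and the FIPS PUB 113 Data Authentication Algorithm, as an added example that is not part of this catalog or of the standards' own text.  The chaining structures are written over a pluggable 64-bit block function so that the difference between the modes is visible on its own; the block function supplied is a constructed Feistel stand-in keyed through SHA-256, not DES, and has none of DES's analysed properties.  The key, IV, messages and the 32-bit DAC length are this example's own choices.

```python
"""FIPS 81 modes (ECB, CBC, CFB, OFB) and the FIPS 113 DAA over a
pluggable 64-bit block function.  Example added to this catalog entry;
the block function is a constructed Feistel stand-in, NOT DES."""
import hashlib
from typing import Callable

BLOCK = 8                      # DES block size: 64 bits
BlockFn = Callable[[bytes], bytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_feistel(key: bytes, decrypt: bool = False) -> BlockFn:
    """8-byte block permutation keyed by `key` (STAND-IN, NOT DES).
    A 4-round Feistel network is invertible whatever its round function,
    and inversion is the same circuit with the round order reversed."""
    order = [3, 2, 1, 0] if decrypt else [0, 1, 2, 3]

    def f(r: int, half: bytes) -> bytes:
        return hashlib.sha256(key + bytes([r]) + half).digest()[:4]

    def permute(block: bytes) -> bytes:
        assert len(block) == BLOCK, "block function takes one 8-byte block"
        left, right = block[:4], block[4:]
        for r in order:
            left, right = right, xor(left, f(r, right))
        return right + left        # final swap, so decrypt undoes encrypt
    return permute


def blocks(data: bytes):
    assert len(data) % BLOCK == 0, "ECB/CBC need whole blocks; pad first"
    return (data[i:i + BLOCK] for i in range(0, len(data), BLOCK))


def ecb(fn: BlockFn, data: bytes) -> bytes:
    """ECB: every block independently (pass the enc or the dec function).
    Equal plaintext blocks give equal ciphertext blocks: the pattern leak."""
    return b"".join(fn(b) for b in blocks(data))


def cbc_encrypt(enc: BlockFn, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(pt):
        prev = enc(xor(b, prev))          # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(dec: BlockFn, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(ct):
        out.append(xor(dec(b), prev))     # P_i = D(C_i) xor C_{i-1}
        prev = b
    return b"".join(out)


def cfb_encrypt(enc: BlockFn, iv: bytes, pt: bytes) -> bytes:
    """64-bit CFB: C_i = P_i xor E(C_{i-1}); only the encrypt direction."""
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = xor(pt[i:i + BLOCK], enc(prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(enc: BlockFn, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        b = ct[i:i + BLOCK]
        out.append(xor(b, enc(prev)))
        prev = b
    return b"".join(out)


def ofb(enc: BlockFn, iv: bytes, data: bytes) -> bytes:
    """OFB: keystream O_i = E(O_{i-1}) never touches the data, so one
    function both encrypts and decrypts.  Reusing an IV under one key
    reuses the keystream, the classic stream-cipher failure."""
    out, ks = [], iv
    for i in range(0, len(data), BLOCK):
        ks = enc(ks)
        out.append(xor(data[i:i + BLOCK], ks))
    return b"".join(out)


def daa(enc: BlockFn, data: bytes, dac_bytes: int = 4) -> bytes:
    """FIPS 113 DAA: zero-pad to a block multiple, CBC-encrypt under a zero
    IV, keep the leftmost bits of the last block (32 here, this example's
    choice).  Because of the zero padding, messages differing only in
    trailing zero bytes share a DAC."""
    padded = data + bytes(-len(data) % BLOCK)
    return cbc_encrypt(enc, bytes(BLOCK), padded)[-BLOCK:][:dac_bytes]


def demo(key: bytes = b"constructed-key") -> dict:
    """Round-trip every mode and expose ECB's repeated-block leak."""
    enc, dec = toy_feistel(key), toy_feistel(key, decrypt=True)
    iv = bytes(range(BLOCK))                 # constructed IV
    pt = b"REPEATED" * 2 + b"TRAILER!"       # blocks 0 and 1 are identical
    c_ecb, c_cbc = ecb(enc, pt), cbc_encrypt(enc, iv, pt)
    c_cfb, c_ofb = cfb_encrypt(enc, iv, pt), ofb(enc, iv, pt)
    return {
        "ecb_ok": ecb(dec, c_ecb) == pt,
        "cbc_ok": cbc_decrypt(dec, iv, c_cbc) == pt,
        "cfb_ok": cfb_decrypt(enc, iv, c_cfb) == pt,
        "ofb_ok": ofb(enc, iv, c_ofb) == pt,
        "ecb_leaks_repeat": c_ecb[:BLOCK] == c_ecb[BLOCK:2 * BLOCK],
        "cbc_leaks_repeat": c_cbc[:BLOCK] == c_cbc[BLOCK:2 * BLOCK],
        "dac": daa(enc, b"PAY 100 TO ACCT 42"),       # constructed message
        "dac_tampered": daa(enc, b"PAY 900 TO ACCT 42"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v!r}")
```

Running the file prints the round-trip results, shows that only ECB reproduces the repeated first two blocks in its ciphertext, and shows the DAC changing when the amount in the message is altered.  The structural points are the ones a reviewer of a DES deployment of that era checked: ECB leaks equal-block patterns, CBC and CFB need an unpredictable IV per message, OFB must never reuse an IV under a key, and the DAA's zero padding means a message and the same message with trailing zero bytes authenticate identically.  Single DES itself (FIPS PUB 46) has since been withdrawn; the mode structure carries over unchanged to a modern 128-bit block cipher.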


SPECIAL PUBLICATIONS AND OTHER REPORTS

These publications present the results of ICST studies, investigations,
and research on computer security and risk management issues.
Publications are sold by either the Government Printing Office or the
National Technical Information Service as noted for each entry.


SPECIAL PUBLICATIONS

NBS SPEC PUB
500-137 SECURITY FOR DIAL-UP LINES
By Eugene F. Troy
May 1986

Ways to protect computers from intruders via dial-
up telephone lines are discussed in this guide.
Highlighted are hardware devices which can be
fitted to computers or used with their dial-up
terminals to provide communications protection for
non-classified computer systems.  Six different
types of hardware devices and the ways that they
can be used to protect dial-up computer
communications are described.  Also discussed are
techniques that can be added to computer operating
systems or incorporated into system management or
administrative procedures.

NBS SPEC PUB
500-134 GUIDE ON SELECTING ADP BACKUP PROCESS ALTERNATIVES
By Irene Isaac
November 1985

Discusses the selection of ADP backup processing
support in advance of events that cause the loss of
data processing capability.  Emphasis is placed on
management support at all levels of the
organization for planning, funding, and testing of
an alternate processing strategy.  The alternative
processing methods and criteria for selecting the
most suitable method are presented, and a checklist
for evaluating the suitability of alternatives is
provided.
NBS SPEC PUB
500-133 TECHNOLOGY ASSESSMENT:  METHODS FOR MEASURING THE
LEVEL OF COMPUTER SECURITY
By William Neugent, John Gilligan, Lance Hoffman,
and Zella G. Ruthberg
October 1985

The document covers methods for measuring the level
of computer security, i.e. technical tools or
processes which can be used to help establish
positive indications of security adequacy in
computer applications, systems, and installations.
The report addresses individual techniques and
approaches, as well as broader methodologies which
permit the formulation of a composite measure of
security that uses the results of these individual
techniques and approaches.
NBS SPEC PUB
500-121 GUIDANCE ON PLANNING AND IMPLEMENTING COMPUTER
SYSTEMS RELIABILITY
By Lynne S. Rosenthal
January 1985

This report presents guidance to managers and
planners on the basic concepts of computer system
reliability and on the implementation of a
management program to improve system reliability.
Topics covered include techniques for quantifying
and evaluating data to measure system reliability,
designing systems for reliability, and recovery of
a computer system after it has failed or produced
erroneous output.  An appendix contains references
and a list of selected readings.

NBS SPEC PUB
500-120 SECURITY OF PERSONAL COMPUTER SYSTEMS - A
MANAGEMENT GUIDE
By Dennis D. Steinauer

This publication provides practical advice on the
following issues:  physical and environmental
protection; system and data access control;
integrity of software and data; backup and
contingency planning; auditability; communications
protection.  References to additional information,
a self-audit checklist, and a guide to security
products for personal computers are included in the
appendices.
NBS SPEC PUB
500-109 OVERVIEW OF COMPUTER SECURITY CERTIFICATION AND
ACCREDITATION
By Zella G. Ruthberg and William Neugent
April 1984

This publication is a summary of and a guide to
FIPS PUB 102, Guideline to Computer Security
Certification and Accreditation.  It is oriented
toward the needs of ADP policy managers,
information resource managers, ADP technical
managers, and ADP staff in understanding the
certification and accreditation process.
NBS SPEC PUB
500-85 EXECUTIVE GUIDE TO ADP CONTINGENCY PLANNING
By James K. Shaw and Stuart W. Katzke
July 1981

This document provides, in the form of questions
and answers, the background, and basic essential
information required to understand the
developmental process for automatic data processing
(ADP) contingency plans.  The primary intended
audience consists of executives and managers who
depend on ADP resources and services, yet may not
be directly responsible for the daily management or
supervision of data processing activities or
facilities.

NBS SPEC PUB
500-67 THE SRI HIERARCHICAL DEVELOPMENT METHODOLOGY (HDM)
AND ITS APPLICATION TO THE DEVELOPMENT OF SECURE
SOFTWARE
By Karl N. Levitt, Peter Neumann, and Lawrence
Robinson
October 1980

Describes the SRI Hierarchical Development
Methodology for designing large software systems
such as operating systems and data management
systems that must meet stringent security
requirements.
NBS SPEC PUB
500-61 MAINTENANCE TESTING FOR THE DATA ENCRYPTION
STANDARD
By Jason Gait
August 1980

Describes four tests that can be used by
manufacturers and users to check the operation of
data encryption devices.  These tests are simple,
efficient, and independent of the implementation of
the Data Encryption Standard (FIPS 46).
NBS SPEC PUB
500-57 AUDIT AND EVALUATION OF COMPUTER SECURITY II:
SYSTEM VULNERABILITIES AND CONTROLS
Edited by Zella G. Ruthberg
April 1980

Proceedings of the second NBS/GAO workshop to
develop improved computer security audit
procedures.  Covers eight sessions:  three sessions
on managerial and organizational vulnerabilities
and controls and five technical sessions on
terminals and remote peripherals, communication
components, operating systems, applications and
non-integrated data files, and data base management
systems.
NBS SPEC PUB
500-54 A KEY NOTARIZATION SYSTEM FOR COMPUTER NETWORKS
By Miles E. Smid
October 1979

Describes a system for key notarization, which can
be used with an encryption device, to improve data
security in computer networks.  The key
notarization system can be used to communicate
securely between two users, communicate via
encrypted mail, protect personal files, and provide
a digital signature capability.


NBS SPEC PUB
500-50 COMPUTERS, PERSONNEL ADMINISTRATION, AND CITIZEN
RIGHTS
By Alan F. Westin
July 1979

Reports on the impact of computers on citizen
rights in the field of personnel record keeping.
This study traces the changing patterns of
employment and personnel administration and
examines the trends in computer use in personnel
administration.  It recommends policy actions to
guide the management of personnel systems that
respect citizen rights.
NBS SPEC PUB
500-33 CONSIDERATIONS IN THE SELECTION OF SECURITY
MEASURES FOR AUTOMATIC DATA PROCESSING SYSTEMS
By Michel J. Orceyre and Robert H. Courtney, Jr.
Edited by Gloria R. Bolotsky

Details methods and techniques for protecting data
processed by computer and transmitted via
telecommunications lines.  This report identifies
the controls that can be instituted to protect ADP
systems when risks and potential losses have been
identified.
NBS SPEC PUB
500-27 COMPUTER SECURITY AND THE DATA ENCRYPTION STANDARD
Edited by Dennis Branstad
February 1978

Includes papers and summaries of presentations made
at a 1978 conference on computer security.  Subject
areas are physical security, risk assessment,
software security, computer network security,
applications and implementation of the Data
Encryption Standard.
NBS SPEC PUB
500-25 AN ANALYSIS OF COMPUTER SECURITY SAFEGUARDS FOR
DETECTING AND PREVENTING INTENTIONAL COMPUTER
MISUSE
By Brian Ruder and J. D. Madden
January 1978

Analyzes 88 computer safeguard techniques that
could be applied to recorded actual computer misuse
cases.  Presents a model for use in classifying and
evaluating safeguards as mechanisms for detecting
and preventing misuse.

NBS SPEC PUB
500-24 PERFORMANCE ASSURANCE AND DATA INTEGRITY PRACTICES
By Robert L. Patrick
January 1978

Details practices and methods that have been
successful in preventing or reducing computer
system failures caused by programming and data
errors.  The methods described cover large data
processing applications, scientific computing
applications, programming techniques and systems
design.
NBS SPEC PUB
500-21 DESIGN ALTERNATIVES FOR COMPUTER NETWORK SECURITY
(VOL. 1) THE NETWORK SECURITY CENTER:  A SYSTEM
LEVEL APPROACH TO COMPUTER NETWORK SECURITY (VOL.
2)
By Gerald D. Cole and Frank Heinrich
January 1978

This two-volume study covers network security
requirements and design and implementation
requirements of a special computer dedicated to
network security.  The approach utilizes a
dedicated minicomputer to check authentication of
network users, and, to some extent, to check
authorization.  The study focuses on use of the
Data Encryption Standard to protect network data
and recommends procedures for generating,
distributing and protecting encryption keys.
NBS SPEC PUB
500-20 VALIDATING THE CORRECTNESS OF HARDWARE
IMPLEMENTATIONS OF THE NBS DATA ENCRYPTION STANDARD
By Jason Gait
November 1977

Describes the design and operation of the NBS
testbed that is used for the validation of hardware
implementations of the Data Encryption Standard
(DES).  This report provides the full specification
of the DES algorithm, a complete listing of the DES
test set and a detailed description of the
interface to the testbed.

NBS SPEC PUB
500-19 AUDIT AND EVALUATION OF COMPUTER SECURITY
Edited by Zella Ruthberg and Robert McKenzie
October 1977

Reports on the recommendations of audit and
computer experts to improve computer security audit
procedures.  Subjects covered include audit
standards, administrative and physical controls,
program and data integrity, and audit tools and
techniques.
NBS SPEC PUB
500-10 A DATA BASE MANAGEMENT APPROACH TO PRIVACY ACT
COMPLIANCE
By Elizabeth Fong
June 1977

Discusses how commercially available data base
management systems can be used to implement Privacy
Act requirements for the handling of personal data.
NBS SPEC PUB
500-9 THE USE OF PASSWORDS FOR CONTROLLED ACCESS TO
COMPUTER RESOURCES
By Helen Wood
May 1977

Describes the need for and uses of passwords.
Password schemes are categorized according to
selection technique, lifetime, physical
characteristics and information content.  Password
protection and cost considerations are discussed.
A glossary and annotated bibliography are included.
NBS SPEC PUB
500-2 ACCESSING INDIVIDUAL RECORDS FROM PERSONAL DATA
FILES USING NONUNIQUE IDENTIFIERS
By Gwendolyn B. Moore, John L. Kuhns, Jeffrey L.
Treffzs and Christine A. Montgomery
February 1977

Analyzes methodologies for retrieving personal
information using nonunique identifiers such as
name, address, etc.  This study presents
statistical data for judging the accuracy and
efficiency of various methods.
OTHER REPORTS

NBSIR 86-3386 WORK PRIORITY SCHEME FOR EDP AUDIT AND COMPUTER
SECURITY REVIEW
By Zella Ruthberg and Bonnie Fisher
August 1986

This publication describes a methodology for
prioritizing the work performed by EDP auditors and
computer security reviewers.  Developed at an
invitational workshop attended by government and
private sector experts, the work plan enables users
to evaluate computer systems for both EDP audit and
security review functions and to develop a
measurement of the risk of the systems.  Based on
this measure of risk, the auditor can then
determine where to spend review time.

SUBJECT INDEX

Contingency Planning
       FIPS PUB 87
       SPEC PUB 500-85

Database Security
       FIPS PUB 88

Encryption
       FIPS PUB 46
       FIPS PUB 74
       FIPS PUB 81
       FIPS PUB 113
       SPEC PUB 500-20
       SPEC PUB 500-27
       SPEC PUB 500-54
       SPEC PUB 500-61

Evaluation of Computer Security
       FIPS PUB 102
       SPEC PUB 500-19
       SPEC PUB 500-57
       SPEC PUB 500-109
       SPEC PUB 500-133
       NBSIR 86-3386

General Computer Security
       FIPS PUB 39
       FIPS PUB 73
       FIPS PUB 112
       SPEC PUB 500-24
       SPEC PUB 500-25
       SPEC PUB 500-33
       SPEC PUB 500-120
       SPEC PUB 500-137

Network Security
       SPEC PUB 500-21
       SPEC PUB 500-33
       SPEC PUB 500-54

Physical Security
       FIPS PUB 31

Power, Grounding, and Life Safety
       FIPS PUB 94

Privacy
       FIPS PUB 41
       SPEC PUB 500-10
       SPEC PUB 500-50

Risk Management
       FIPS PUB 31
       FIPS PUB 65

Software and Operating Systems
       SPEC PUB 500-2
       SPEC PUB 500-24
       SPEC PUB 500-25
       SPEC PUB 500-67
       SPEC PUB 500-121
       SPEC PUB 500-134

User Authentication
       FIPS PUB 48
       FIPS PUB 83
       SPEC PUB 500-9
PRICE LIST

PB numbers are NTIS order numbers; SN numbers are GPO stock numbers.
No separate ordering number is listed for FIPS PUBS, which are sold by
NTIS (see above).

PUBLICATION             ORDERING NUMBER              PRICE

FIPS PUB 31                                          $11.95
FIPS PUB 39                                          $ 9.95
FIPS PUB 41                                          $ 9.95
FIPS PUB 46                                          $ 9.95
FIPS PUB 48                                          $ 9.95
FIPS PUB 65                                          $ 9.95
FIPS PUB 73                                          $11.95
FIPS PUB 74                                          $ 9.95
FIPS PUB 81                                          $ 9.95
FIPS PUB 83                                          $ 9.95
FIPS PUB 87                                          $ 9.95
FIPS PUB 88                                          $11.95
FIPS PUB 94                                          $16.95
FIPS PUB 102                                         $11.95
FIPS PUB 112                                         $11.95
FIPS PUB 113                                         $ 9.95


SPEC PUB 500-2          PB 263123                    $11.95
SPEC PUB 500-9          PB 266323                    $11.95
SPEC PUB 500-10         SN 003-003-01787-6           $ 4.50
SPEC PUB 500-19         PB 272971                    $22.95
SPEC PUB 500-20         PB 113524                    $ 9.95
SPEC PUB 500-21         PB 276772                    $11.95
SPEC PUB 500-24         PB 276400                    $11.95
SPEC PUB 500-25         PB 275514                    $11.95
SPEC PUB 500-27         PB 277695                    $16.95
SPEC PUB 500-33         PB 282511                    $ 9.95
SPEC PUB 500-50         PB 298299                    $34.95
SPEC PUB 500-54         SN 003-003-02130-0           $ 4.50
SPEC PUB 500-57         SN 003-003-02178-4           $ 7.00
SPEC PUB 500-61         PB 221211                    $ 9.95
SPEC PUB 500-67         SN 003-003-02258-6           $ 4.25
SPEC PUB 500-85         PB 165226                    $ 9.95
SPEC PUB 500-109        SN 003-003-02567-4           $ 1.50
SPEC PUB 500-120        SN 003-003-02627-1           $ 3.00
SPEC PUB 500-121        SN 003-003-02628-0           $ 2.25
SPEC PUB 500-133        SN 003-003-02686-7           $ 8.00
SPEC PUB 500-134        SN 003-003-02701-4           $ 1.75
SPEC PUB 500-137        SN 003-003-02723-5           $ 3.75


NBSIR 86-3386           PB 247897                    $11.95