By William Jackson
The National Institute of Standards and Technology has released final
revisions to three of its 800 series of special publications on
information technology security.
NIST calls SP 800-79-1 , titled "Guidelines for the Accreditation of
Personal Identity Verification Card Issuers," a substantial improvement
over the original version.
PIV cards can be used across agencies for physical and logical access.
They incorporate a common set of identity proofing and issuing
standards, as well as other technologies. Each agency will be
responsible for certifying and accrediting the issuer of its cards.
Certification is the process of assessing the reliability, availability
and capabilities of the issuer's personnel, equipment, finances and
support infrastructure. A designated authority within an agency performs
accreditation -- the management decision to authorize operation.
The agency also released SP 800-53A , an addendum to the "Guide for
Assessing the Security Controls in Federal Information Systems." The
publication provides comprehensive assessment procedures for the
security controls spelled out in SP 800-53 and important guidance for
agencies in building effective security assessment plans.
NIST is charged under the Federal Information Security Management Act
(FISMA) with developing standards and guidance for implementing IT
security programs. SP 800-53 is part of a series of documents developed
for selecting the proper level and types of security controls. The core
of the series is Federal Information Processing Standard 200, which
establishes minimum security requirements under FISMA. Once those
requirements have been met, agencies choose the appropriate set of
controls from NIST SP 800-53, "Recommended Security Controls for Federal
Information Systems." SP 800-53A is an addendum that defines the
framework for conducting mandatory assessments of security controls
required under FISMA.
Appendix J of SP 800-53A describes supplemental assessment cases that
agencies can use in that process. An interagency task force is
developing the assessment cases as part of the Assessment Case
Development Project, and NIST officials expect to post them on the
agency's Web site  in late July.
NIST has also updated SP 800-67 Version 1.1, titled "Recommendation for
the Triple Data Encryption Algorithm Block Cipher." SP 800-67 gives
specifications for TDEA, including its primary cryptographic engine, the
Data Encryption Algorithm. When properly deployed in a cryptographic
module that complies with FIPS 140-2, the algorithm can be used to
protect federal information categorized as sensitive but unclassified.
"This recommendation precisely defines the mathematical steps required
to cryptographically protect data using TDEA and to subsequently process
such protected data," the publication states. The revision modifies the
list of weak keys, correcting two of them. A note states that the actual
values of the parity bits were ignored when listing the weak and
Major changes in SP 800-79-1 regarding accreditation of PIV card issuers
(PCIs) take into account emerging business models, lessons learned from
past accreditations and directives from the Office of Management and
Budget. The most significant change is the replacement of "Attributes"
with an objective set of controls and a methodology for assessing the
capability and reliability of issuers.
The accreditation methodology consists of:
* Deriving PCI controls from requirements in FIPS 201-1, OMB
memoranda and other documents.
* Putting the controls into the context of hierarchical concepts
such as PCI Accreditation Topics and PCI Accreditation Focus
* Developing assessment methods for each PCI control that will
assess conformance to those underlying requirements.
* Guidance for evaluating assessments in order to make an
Copyright 1996-2008 1105 Media, Inc. All Rights Reserved.
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com