The Computer Security Division (CSD)
The Computer Security Division Responds to the Federal Information Security Management Act of 2002
The E-Government Act [Public Law 107-347] passed by the 107th Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), included duties and responsibilities for the Computer Security Division in Section 303 “National Institute of Standards and Technology.” Work to date (for 2013-2014) includes:
- Provide new and/or updated standards, guidelines, specifications, and in-depth discussion of a single topic of significant interest to the information systems community –
- Issued two final Federal Information Processing Standards (FIPS): FIPS 186-4, Digital Signature Standard (DSS), which specifies a suite of algorithms that can be used to generate digital signatures, and FIPS 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, which specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. (CSRC FIPS page)
- Issued 25 draft and final NIST Special Publications (SP) that provide management, operational, and technical security guidelines in areas such as personal identity verification, cryptographic key generation, cryptographic key management systems, random bit generators, transport layer security, mobile devices and mobile device forensics, hardware-rooted security in mobile devices, malware incident prevention and handling for desktops and laptops, industrial control systems security, e-authentication, security and privacy controls for federal information systems and organizations, patch management technologies, attribute based access control, and supply chain risk management practices. (CSRC SP page)
- Issued 13 draft and final NIST Interagency or Internal Reports (NISTIR) on a variety of topics, including cryptographic key management issues and challenges in cloud services, cybersecurity in cyber-physical systems, the SHA-3 cryptographic hash algorithm competition, combinatorial coverage measurement, credential reliability and revocation model for federated identities, security automation, reference certificate policy, trusted geolocation in the cloud, and a glossary of key information security terms. (CSRC NISTIR page)
- Issued 12 ITL Security Bulletins, which supplement the FIPS, SPs, and NISTIRs with discussions of the following topics: NIST Opens Draft Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, For Review and Comment (Supplemental ITL Bulletin for Sept. 2013); ITL Publishes Guidance on Preventing and Handling Malware Incidents (Sept. 2013); ITL Publishes Guidance on Enterprise Patch Management Technologies (Aug. 2013); ITL Issues Guidelines for Managing the Security of Mobile Devices (July 2013); ITL Updates Glossary Of Key Information Security Terms (June 2013); ITL Publishes Security And Privacy Controls For Federal Agencies (May 2013); Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements (April 2013); NIST to Develop a Cybersecurity Framework to Protect Critical Infrastructure (Mar. 2013); Managing Identity Requirements for Remote Users of Information Systems to Protect System Security and Information Privacy (Jan. 2013); Generating Secure Cryptographic Keys: A Critical Component of Cryptographic Key Management and the Protection of Sensitive Information (Dec. 2012); Practices for Managing Supply Chain Risks to Protect Federal Information Systems (Nov. 2012); Conducting Information Security-Related Risk Assessments: Updated Guidelines for Comprehensive Risk Management Programs (Oct. 2012). (CSRC ITL Bulletin page)
- Provide updated guidance on secure setup of recursive DNS service –
Updated Special Publication 800-81-2, Secure Domain Name System (DNS) Deployment Guide, adds two new sections: one providing guidance on secure setup of recursive DNS service and the other on securely configuring validating resolvers. It also incorporates knowledge gained from DNSSEC deployment experience to provide updated guidance for DNS administrators on cryptographic algorithm variables, configuration, and operations (issued Sept. 2013).
- Performed research and conducted outreach on standards, practices, and technologies to enable prompt and effective computer security incident handling and coordination –
- Collaborated with ODNI, CNSS, and DOD to establish a common foundation for information security –
Continued the successful collaboration with the Office of the Director of National Intelligence (ODNI), the Committee on National Security Systems (CNSS), and the Department of Defense (DOD) to establish a common foundation for information security across the Federal Government, including a structured, yet flexible approach for managing information security risk across an organization. In 2013, this collaboration produced updated guidelines for selecting and specifying security controls, and an updated catalog of security and privacy controls for federal information systems and organizations.
- Provide assistance to Agencies and private sector –
Provided assistance to agencies and the private sector through many outreach efforts associated with the Federal Information Systems Security Educators’ Association (FISSEA), the Federal Computer Security Managers’ Forum, the National Initiative for Cybersecurity Education (NICE), and the Small Business Information Security Corner.
- Provide outreach, workshops, and briefings –
Conducted workshops, awareness briefings, and outreach to CSD customers to ensure comprehension of standards and guidelines, to share ongoing and planned activities, and to aid in scoping guidelines in a collaborative, open, and transparent manner. CSD public workshops addressed a diverse range of information security and technology topics, including cloud and mobile technologies, voting systems security, cyber-physical systems, improving trust in the online marketplace, safeguarding health information, attribute-based access control, supply chain risk management, improving critical infrastructure cybersecurity, and broad computer security awareness, training, and education forums and events.
- Reviewed security policies and technologies from the private sector and national security systems for federal agency use –
Reviewed security policies and technologies from the private sector and national security systems for potential federal agency use, including security configuration checklists for IT products. Additionally, NIST continued to lead, in conjunction with the Government of Canada’s Communications Security Establishment, the Cryptographic Module Validation Program (CMVP). The Common Criteria Evaluation and Validation Scheme (CCEVS) and CMVP facilitate security testing of IT products usable by the Federal Government.
- Solicit recommendations of the Information Security and Privacy Advisory Board on draft standards and guidelines –
Solicited recommendations of the Information Security and Privacy Advisory Board (ISPAB) on draft standards and guidelines, and on information security and privacy issues during quarterly meetings.
- Satisfy annual NIST reporting requirement – Produce an annual report as a NIST Special Publication (SP). The 2003-2012 Annual Reports are available via the Web (under the Annual Reports section) or upon request.