Advanced search Help
Clear all search criteria
The Cyber Infrastructure Collection is a partnership of The Institute for Information Infrastructure Protection (I3P) and the HSDL. It is focused on identification of information assets in the broad area of information infrastructure protection and cyber security. The I3P, founded by Dartmouth College and now at George Washington University, is a consortium of leading research institutions dedicated to strengthening the cyber infrastructure of the United States. Its effort in this partnership was sponsored by the National Institute of Standards and Technology (NIST). [Note: this collection was acquired by the HSDL in 2008 and is not actively updated.]
-
Country Reports on Terrorism 2006
"Five years after 9/11, the international community's conflict with transnational terrorists continues. Cooperative international efforts have produced genuine security improvements- particularly in securing borders and transportation, enhancing document security, disrupting terrorist financing, and restricting the movement of terrorists. The international community has also achieved significant success in dismantling terrorist organizations and disrupting their leadership. This has contributed to reduced terrorist operational capabilities and the detention or death of numerous key terrorist leaders. Working with allies and partners across the world, through coordination and information sharing, we have created a less permissive operating environment for terrorists, keeping leaders on the move or in hiding, and degrading their ability to plan and mount attacks. Canada, Australia, the United Kingdom, Saudi Arabia, Turkey, Pakistan, Afghanistan, and many other partners played major roles in this success, recognizing that international terrorism represents a threat to the whole international community."
United States. Department of State
2007-04
-
National Strategy for Aviation Security
"The security and economic prosperity of the United States depend significantly upon the secure operation of its aviation system and use of the world's airspace by the Nation, its international partners, and legitimate commercial interests. Terrorists, criminals, and hostile nation-states have long viewed aviation as a target for attack and exploitation. The tragic events of September 11, 2001 and the Heathrow plot of August 2006 are telling reminders of the threats facing aviation and the intent and capabilities of adversaries that mean to do harm to the United States and its people. In June 2006, building upon the Administration's successful efforts since 9/11, the President directed the development of a comprehensive National Strategy for Aviation Security (hereafter referred to as 'the Strategy') to protect the Nation and its interests from threats in the Air Domain. The Secretary of Homeland Security, in accordance with National Security Presidential Directive 47/Homeland Security Presidential Directive 16 (NSPD-47/HSPD-16), will coordinate the operational implementation of the Strategy, including the integration and synchronization of related Federal programs and initiatives. […] Through a collaborative interagency effort and with input from aviation stakeholders, seven supporting plans will be developed to address the specific threats and challenges identified in NSPD-47/HSPD-16. Although the plans will address different aspects of aviation security, they will be mutually linked and reinforce each other. The supporting plans are: Aviation Transportation System Security Plan, Aviation Operational Threat Response Plan, Aviation Transportation System Recovery Plan, Air Domain Surveillance and Intelligence Integration Plan, International Aviation Threat Reduction Plan, Domestic Outreach Plan, and International Outreach Plan."
United States. White House Office
2007-03-26
-
Ontology of Identity Credentials, Part 1: Background and Formulation
This two-part report from the U.S. Department of Commerce, Technology Administration, National Institute of Standards and Technology "describes an ontology of identity credentials, explicitly represented as Extensible Markup Language (XML) schemas, as a framework for retention and exchange of identity credential information. The primary motivation of this work is to support the requirements of identity credential issuers (e.g., issuers of identity cards, passports, and driver licenses) to manage information about supporting documents and issued credentials. Supporting documents are of many types and origins. They may be issued by United States (U.S.) national parties, or by international parties. Today, they are usually printed or written documents, and in some cases, the only evidence of issuance may be the hardcopy document itself. The ontology therefore provides a bridge to the future, a means to represent both identity document content and metadata (i.e., descriptive information) in a standard, electronic form to facilitate automation of identity management systems. An ontology of identity credentials can be used in many ways. It may be used to: produce faithful electronic copies of presented identity credentials and documents for archival storage and exchange, create electronic replica credentials from hardcopy source credentials, and, create abstracts of electronic credentials that are easy to share and reuse. A domain ontology can serve these roles because it is more than a data model. An ontology describes the relationships among actors, actions, and objects, and in by so doing, establishes a theory in which all use cases may be expressed. Note that it is not a goal of this work to specify or design any new kind of identity credential."
National Institute of Standards and Technology (U.S.)
MacGregor, William; Dutcher, William; Khan, Jamil
2006-10
-
Quality of Security Service : Adaptive Security [preprint version]
The premise of Quality of Security Service is that system and network management functions can be more effective if variable levels of security services and requirements can be presented to users or network tasks. In this approach, the "level of service" must be within an acceptable range, and can indicate degrees of security with respect to various aspects of assurance, mechanistic strength, administrative diligence, etc. These ranges result in additional latitude for management functions to meet overall user and system demands, as well as to balance costs and projected benefits to specific users/clients. With a broader solution space to work within the security realm, the underlying system and network management functions can adapt more gracefully to resource shortages, and thereby do a better job at maintaining requested or required levels of service in all dimensions, transforming security from a performance obstacle into an adaptive, constructive network management tool.
Keywords: security ; quality of service ; performance ; adaptive security
Naval Postgraduate School (U.S.). Center for Information Systems Security Studies and Research
Irvine, Cynthia E.; Levin, Timothy E.; Spyropoulou, Evdoxia
2005-12-01
-
Reporting Instructions for the Federal Information Security Management Act and Updated Guidance on Quarterly IT Security Reporting
MEMORANDUM FOR HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES
This guidance provides direction to agencies on implementing FISMA and consists of the
following four attachments:
Attachment A - The information in this attachment is new and highlights the more
substantive changes introduced by FISMA from previous IT security legislation.
Attachment B - This attachment contains the FY03 FISMA reporting instructions for
agencies and Inspectors General.
Attachment C - This attachment contains directions for agencies on quarterly reporting on
IT security efforts. It includes both the continued quarterly plan of action and milestones
updates and performance measure updates.
Attachment D - This attachment contains definitions in law and policy referenced in the
guidance.
Keywords: FISMA
United States. Office of Management and Budget
2003-08-03
-
Pipeline Rupture and Subsequent Fire in Bellingham, Washington June 10, 1999: Accident Investigation Presentations [website]
This webpage includes links to six presentations which were presented at the National Transportation Safety Board meeting on October 8, 2002 in Washington, D.C. regarding the rupture and subsequent fire of a Bellingham, Washington pipeline on June 10, 1999.
United States. National Transportation Safety Board
2002-10-08
-
Global Climate Change and Transportation Infrastructure: Lessons from the New York Area
"This paper addresses two aspects of the relationship between climate change and transportation infrastructure, focusing on the results of studies conducted for the New York area [...]. First, implications of climate change as a factor influencing the current relationships between urban development and transportation management are explored both nationally and regionally for the New York area as a basis for identifying mitigation and adaptation needs and measures. Second, details of flooding and heat-related effects on surface and subsurface transportation-related infrastructure are briefly presented as a basis for lessons these familiar phenomena generate for less obvious climate change and transportation relationships. The paper concludes with observations about the means to manage these outcomes within existing and expanded institutional frameworks and technologies."
Center for Climate Change & Environmental Forecasting (U.S.)
Zimmerman, Rae
2002-10-01
-
Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
The need for random and pseudorandom numbers arises in many cryptographic applications. For example, common cryptosystems employ keys that must be generated in a random fashion. Many cryptographic protocols also require random or pseudorandom inputs at various points, e.g., for auxiliary quantities used in generating digital signatures, or for generating challenges in authentication protocols. This document discusses the randomness testing of random number and pseudorandom number generators that may be used for many purposes including cryptographic, modeling and simulation applications. The focus of this document is on those applications where randomness is required for cryptographic purposes. A set of statistical tests for randomness is described in this document. The National Institute of Standards and Technology (NIST) believes that these procedures are useful in detecting deviations of a binary sequence from randomness. However, a tester should note that apparent deviations from randomness may be due to either a poorly designed generator or to anomalies that appear in the binary sequence that is tested (i.e., a certain number of failures is expected in random sequences produced by a particular generator). It is up to the tester to determine the correct interpretation of the test results. Refer to Section 4 for a discussion of testing strategy and the interpretation of test results.
National Institute of Standards and Technology (U.S.)
Barker, Elaine B.; Soto, Juan; Rukhin, Andrew
2001-05-15
-
Data Encryption Standard (DES)
This is a publication from the U.S. Department of Commerce, National Institute of Standards and Technology that discusses "two cryptographic algorithms, the Data Encryption Standard (DES) and the Triple Data Encryption Algorithm (TDEA) which may be used by Federal organizations to protect sensitive data. "The selective application of technological and related procedural safeguards is an important responsibility of every Federal organization in providing adequate security to its electronic data systems. [...] Protection of data during transmission or while in storage may be necessary to maintain the confidentiality and integrity of the information represented by the data. The algorithms uniquely define the mathematical steps required to transform data into a cryptographic cipher and also to transform the cipher back to the original form. The Data Encryption Standard is being made available for use by Federal agencies within the context of a total security program consisting of physical security procedures, good information management practices, and computer system/network access controls. This revision supersedes FIPS (Federal Information Processing Standards) 46-2 in its entirety. Key words: computer security, data encryption standard, triple data encryption algorithm, Federal Information Processing Standard (FIPS); security."
National Institute of Standards and Technology (U.S.)
1999-10-25
-
Entity Authentication Using Public Key Cryptography
"This standard specifies two challenge-response protocols by which entities in a computer system may authenticate their identities to one another. These may be used during session initiation, and at any other time that entity authentication is necessary. Depending on which protocol is implemented, either one or both entities involved may be authenticated. The defined protocols are derived from an international standard for entity authentication based on public key cryptography, which uses digital signatures and random number challenges. Authentication based on public key cryptography has an advantage over many other authentication schemes because no secret information has to be shared by the entities involved in the exchange. A user (claimant) attempting to authenticate oneself must use a private key to digitally sign a random number challenge issued by the verifying entity. This random number is a time variant parameter which is unique to the authentication exchange. If the verifier can successfully verify the signed response using the claimant's public key, then the claimant has been successfully authenticated. Key words: access control, authentication, challenge-response, computer security, cryptographic modules, cryptography, Federal Information Processing Standard (FIPS), telecommunications security."
National Institute of Standards and Technology (U.S.)
1997-02-18
-
Federal Legal Landscape: A 'Legal Foundations' Study: Report 2 of 12: Report to the President's Commission on Critical Infrastructure Protection
This report represents the first effort of its kind to characterize the legal and regulatory structures of the critical infrastructures as they pertain to infrastructure assurance. The first part provides a high-level overview of the legal landscape. The report then presents the results of a two-stage survey, proceeding agency by agency and, in some cases, office by office, describing each of the relevant body's authority and jurisdiction and its current mechanisms and programs relating to infrastructure assurance. It also attempts to identify authorities or mechanisms or to merely spot infrastructure-assurance-related issues. These efforts have identified many legal and policy issues that will help drive the implementation process for the Commission's recommendations.
United States. President's Commission on Critical Infrastructure Protection
1997
-
Federal Government Model Performance: A 'Legal Foundations' Study: Report 11 of 12: Report to the President's Commission on Critical Infrastructure Protection
This report examines some of the methods available to the Federal government by which it can unilaterally change its own behavior in order to encourage the private sector, state or local governments to act consistently with infrastructure assurance objectives. Such methods include outcome-based performance measurement and adoption of best practices within government agencies and procurement requirements for vendors.
United States. President's Commission on Critical Infrastructure Protection
1997
-
Government Incentive Tools: A Study: Report to the President's Commission on Critical Infrastructure Protection
"The following sections provide information related to enticing private sector investment into infrastructure protection. […] For each of the foregoing, a definition is provided. This is followed by a brief description of some of the pros and cons of utilizing the specific mechanism to induce investment into infrastructure protection initiatives. Examples of actual implementations of each mechanism are then included to illustrate practical applications as used by governments to promote specific activities. None of the examples provided herein are intended to serve as a vehicle for the PCCIP recommendations, but are intended rather to demonstrate how each mechanism can be utilized. Additional governmental mechanisms for inducing investment not addressed herein include the provision of specialized government services; governmental advisory services and counseling; dissemination of technical information; training; and tax exempt bonds."
United States. President's Commission on Critical Infrastructure Protection
1997
-
Legal Foundations: Studies and Conclusions: Report 1 of 12: Report to the President's Commission on Critical Infrastructure Protection
"Executive Order 13010 established the President's Commission on Critical Infrastructure Protection (PCCIP) and tasked it with assessing the vulnerabilities of, and threats to, eight named critical infrastructures and developing a national strategy for protecting those infrastructures from physical and cyber threats. The Executive Order also required that the PCCIP consider the legal and policy issues raised by efforts to protect the critical infrastructures and propose statutory and regulatory changes necessary to effect any subsequent PCCIP recommendations. To respond to the legal challenges posed by efforts to protect critical infrastructures, the PCCIP undertook a variety of activities to formulate options and to facilitate eventual implementation of PCCIP recommendations by the Federal government and the private sector. The PCCIP recognized that the process of infrastructure assurance would require cultural and legal change over time. Thus, these activities were undertaken with the expectation that many would continue past the life of the PCCIP itself. The Legal Foundations series of reports attempts to identify and describe many of the legal issues associated with the process of infrastructure assurance. The reports were used by the PCCIP to inform its deliberations. […] Legal Foundations: Studies and Conclusions is the overall summary report. It describes the other reports, the methodologies used by the researchers to prepare them, and summarizes the possible approaches and conclusions that were presented to the PCCIP for its consideration. The series has been sequenced to allow interested readers to study in detail a specific area of interest. However, to fully appreciate the scope of the topics studied and their potential interaction, a review of the entire series is recommended."
United States. President's Commission on Critical Infrastructure Protection
1997
-
Telecommunications Security Guidelines for Telecommunications Management Network
"The Public Switched Network (PSN) provides critical commercial telecommunications services and National Security and Emergency Preparedness (NS/EP) telecommunications. Service providers, equipment manufacturers, users, and the Federal Government are concerned that vulnerabilities in the PSN could be exploited and result in disruptions or degradation of service. To address these threats, the National Institute of Standards and Technology (NIST) is collaborating with Bellcore to investigate the vulnerabilities and related security issues that result from the use of open systems architectures in the telecommunications industry. Security features required to counter the threats are identified. A series of Telecommunication Security Guidelines (TSGs) that address a hierarchy of telecommunication architectures of increasing complexity may be produced. This first guideline focuses on two specific components of a Telecommunications Management Network (TMN)-Network Elements (NEs) and Mediation Devices (MDs)-with emphasis on the security features needed to protect the Operations, Administration, Maintenance, and Provisioning (OAM&P) of these components. This TSG is intended to provide a security baseline for NEs and MDs that is based on commercial security needs. In addition, some NS/EP security requirements will be integrated into the baseline to address specific network security needs. The guideline should assist telecommunications vendors in developing systems and service providers in implementing systems with appropriate security for integration into the PSN. It can also be used by a government agency or a commercial organization to formulate a specific security policy. It does not stipulate regulatory requirements or mandated standards of the National Institute of Standards and Technology."
National Institute of Standards and Technology (U.S.)
Kimmins, John; Dinkel, Charles; Walters, Dale
1995-10
-
Good Security Practices for Electronic Commerce, Including Electronic Data Interchange
Electronic commerce (EC) is the use of documents in electronic form, rather than paper, for carrying out functions of business or government that require interchange of information, obligations, or monetary value between organizations. Electronic data interchange (EDI) is the computer-to-computer transmission of strictly formatted messages that represent documents; ED1 is an essential component of EC. With EC, human participation in routine transaction processing is limited or non-existent. Transactions are processed and decisions are made more rapidly, leaving much less time to detect and correct errors. This report presents security procedures and techniques (which encompass internal controls and checks) that constitute good practices in the design, development, testing and operation of EC systems. Principles of risk management and definition of parameters for quantitative risk assessments are provided. The content of the trading partner agreement is discussed, and the components of EC, including the network(s) connecting the partners, are described. Some security techniques considered include audit trails, contingency planning, use of acknowledgments, electronic document management, activities of supporting networks, user access controls to systems and networks, and cryptographic techniques for authentication and confidentiality.
National Institute of Standards and Technology (U.S.)
1993-12
-
Establishing a Computer Security Incident Response Capability (CSIRC)
Government agencies and other organizations have begun to augment their computer security efforts because of increased threats to computer security. Incidents involving these threats, including computer viruses, malicious user activity, and vulnerabilities associated with high technology, require a skilled and rapid response before they can cause significant damage. These increased computer security efforts, described here as Computer Security Incident Response Capabilities (CSIRCs), have as a primary focus the goal of reacting quickly and efficiently to computer security incidents. CSIRC efforts provide agencies with a centralized and cost-effective approach to handling computer security incidents so that future problems can be efficiently resolved and prevented. This publication provides guidance for those interested in establishing a CSIRC. It describes why traditional computer security efforts may not be sufficient in light of more recent threats. This guide discusses some of the considerations in establishing a CSIRC as well as the organizational, technical, and legal issues connected with a CSIRC operation. Chapter one of this guide serves as an introduction. Chapter two presents an overview of a CSIRC, including reasons for CSIRC activity, the CSIRC concept, its goals, components, and interaction with existing agency computer security efforts. Chapter three deals with issues and factors associated with establishing an agency CSIRC. Chapter four describes some of the issues associated with operating and maintaining a CSIRC. The appendices contain an annotated bibliography for further reading on computer security and incident handling and information on FIRST, the Forum of Incident Response and Security Teams.
National Institute of Standards and Technology (U.S.)
Wack, John P.
1991-11
-
Password Usage
This document specifies basic security criteria for two different uses of passwords in an ADP system, (I) personal identity authentication and (2) data access authorization. It establishes the basic criteria for the design, implementation and use of a password system in those systems where passwords are used. It identifies fundamental ADP management functions pertaining to passwords and specifies some user actions required to satisfy these functions. In addition, it specifies several technical features which may be implemented in an ADP system in order to support a password system. An implementation schedule is established for compliance with the standard. Numerous guidelines are provided in the Appendices for managers and users seeking to comply with the standard.
United States. Department of Commerce
1985-05-30
-
Guidelines for Security of Computer Applications
Security decisions should be an integral part of the entire planning, development, and operation of a computer application. This guideline describes the technical and managerial decisions that should be made in order to assure that adequate controls are included in new and existing computer applications to protect them from natural and human-made hazards and to assure that critical functions are performed correctly and with no harmful side effects. The multifaceted nature of computer security is described, and differences in security objectives, sensitivity levels, and vulnerabilities that must be considered are identified. Fundamental security controls such as data validation, user identity verification, authorization, journaling, variance detection, and encryption are discussed as well as security-related decisions that should be made at each stage in the life cycle of a computer application. These include questions about security feasibility and risk assessment that should be asked during initial planning, decisions that should be made during the design, programming and testing phases, controls that should be enforced during the development process, and security provisions that should be enforced during the day-to-day operation of the system.
United States. Department of Commerce
1980-06-30
-
Computer Security Threat Monitoring and Surveillance
In computer installations in general, security audit trails, if taken, are rarely complete and almost never geared to the needs of the security officers whose responsibility it is to protect ADP assets. The balance of this report outlines the considerations and general design of a system, which provides an initial set of tools to computer system security officers for use in their jobs. The discussion does not suggest the elimination of any existing security audit data collection and distribution. Rather it suggests augmenting any such schemes with information for the security personnel directly involved.
National Institute of Standards and Technology (U.S.)
1980-04-15
-
National Vulnerability Database [website]
"A Comprehensive Cyber Vulnerability Resource, the National Vulnerability Database (NVD) is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. government vulnerability resources and provides references to industry resources. It is based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard."
United States. Department of Homeland Security
1