-
ITL Bulletin: Guideline for Implementing Cryptography in the Federal Government [February 2000]
This ITL bulletin summarizes NIST Special Publication (SP) 800-21, Guideline for Implementing Cryptography in the Federal Government. In today's world, both private and public sectors depend upon information technology systems to perform essential and mission-critical functions. In the current environment of increasingly open and interconnected systems and networks, network and data security are essential for the optimum use of information technology. For example, systems that carry out electronic financial transactions and electronic commerce must be protected against unauthorized access to confidential records and unauthorized modification of data. Cryptography should be considered for data that is sensitive or has a high value if it is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage. Cryptographic methods provide important functionality to protect against intentional and accidental compromise and alteration of data. These methods support communications security by encrypting the communication prior to transmission and decrypting it at receipt. These methods also provide file and data security by encrypting the data prior to placement on a storage medium and decrypting it after retrieval from the storage medium. NIST SP 800-21 provides guidance to federal agencies on selecting cryptographic controls to protect sensitive unclassified information. The guideline focuses on federal standards documented in Federal Information Processing Standards (FIPS) and the cryptographic modules and algorithms that are validated against these standards. However, to provide additional information, other standards organizations (e.g., American National Standards Institute [ANSI] and International Organization for Standardization [ISO]) are briefly discussed.
Information Technology Laboratory (National Institute of Standards and Technology)
Lee, Annabelle
2000-02
-
Smart Grid Cyber Security Strategy and Requirements
"With the Smart Grid's transformation of the electric system to a two-way flow of electricity and information, the information technology (IT) and telecommunications infrastructures have become critical to the energy sector infrastructure. Therefore, the management and protection of systems and components of these infrastructures must also be addressed by an increasingly diverse energy sector. To achieve this requires that security be designed in at the architectural level. NIST has established a Smart Grid Cyber Security Coordination Task Group (CSCTG), which now has more than 200 volunteer members from the public and private sectors, academia, regulatory organizations, and federal agencies. Cyber security is being addressed in a complementary and integral process that will result in a comprehensive set of cyber security requirements. As explained more fully later in this chapter, these requirements are being developed using a high-level risk assessment process that is defined in the cyber security strategy for the Smart Grid. Cyber security requirements are implicitly recognized as critical in all of the particular priority application plans discussed in the NIST Smart Grid Framework 1.0 document that is being published concurrent with the publication of this document. Although still a work in progress, NIST is publishing this preliminary report, NISTIR 7628, Smart Grid Cyber Security Strategy and Requirements, which describes the CSCTG's overall cyber security strategy for the Smart Grid. The preliminary report distills use cases collected to date, requirements and vulnerability classes identified in other relevant cyber security assessments and scoping documents, and other information necessary for specifying and tailoring security requirements to provide adequate protection for the Smart Grid."
National Institute of Standards and Technology (U.S.)
Lee, Annabelle; Brewer, Tanya
2009-09
-
ITL Bulletin: Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2 [July 2001]
Federal agencies, industry, and the public now rely on cryptography to protect information and communications used in critical infrastructures, electronic commerce, and other application areas. Cryptographic modules are implemented in these products and systems to provide cryptographic services such as confidentiality, integrity, non-repudiation, and identification and authentication. Adequate testing and validation of the cryptographic module against established standards is essential for security assurance. Both federal agencies and the public benefit from the use of tested and validated products. Without adequate testing, weaknesses such as poor design, weak algorithms, or incorrect implementation of the cryptographic module can result in insecure products. This ITL Bulletin summarizes the differences between FIPS 140-1 and FIPS 140-2. Information on the actual line-by-line differences between FIPS 140-1 and FIPS 140-2 may be found in the full version of this document, NIST Special Publication 800-29, located at: http://csrc.nist.gov/publications/nistpubs/index.html.
Information Technology Laboratory (National Institute of Standards and Technology)
Lee, Annabelle; Snouffer, Stanley R.
2001-07
-
Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems
"This guideline identifies system security responsibilities for Information System Security Officers (ISSOs). It applies to computer security aspects of automated information systems (AISs) within the Department of Defense (DOD) and its contractor facilities that process classified and sensitive unclassified information. Computer security (COMPUSEC) includes controls that protect an AIS against denial of service and protect the AISs and data from unauthorized (inadvertent or intentional) disclosure, modification, and destruction. COMPUSEC includes the totality of security safeguards needed to provide an acceptable protection level for an AIS and for data handled by an AIS. DOD Directive (DODD) 5200.28 defines an AIS as 'an assembly of computer hardware, software, and/or firmware configured to collect, create, communicate, compute, disseminate, process, store, and/or control data or information.' This guideline is consistent with established DOD regulations and standards, as discussed in the following sections. Although this guideline emphasizes computer security, it is important to ensure that the other aspects of information systems security, as described below, are in place and operational: Physical security includes controlling access to facilities that contain classified and sensitive unclassified information. Physical security also addresses the protection of the structures that contain the computer equipment. Personnel security includes the procedures to ensure that access to classified and sensitive unclassified information is granted only after a determination has been made about a person's trustworthiness and only if a valid need-to-know exists."
National Computer Security Center (U.S.)
Lee, Annabelle; Flahavin, Ellen E.; Lane, Carol L.
1992-05-01
-
ITL Bulletin: Information Security Within the System Development Life Cycle (September 2004)
This document is the Information Technology Laboratory (ITL) Bulletin for September 2004 from the National Institute of Standards and Technology. From the introduction: "Many System Development Life Cycle (SDLC) models exist that can be used by an organization to effectively develop an information system. A traditional SDLC is a linear sequential model. This model assumes that the system will be delivered near the end of its life cycle. Another SDLC model uses prototyping, which is often used to develop an understanding of system requirements without developing a final operational system. More complex models have been developed to address the evolving complexity of advanced and large information system designs."
National Institute of Standards and Technology (U.S.); Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division
Lee, Annabelle; Brewer, Tanya
2004-09
-
Guideline for Implementing Cryptography in the Federal Government
In today's world, both private and public sectors depend upon information technology systems to perform essential and mission-critical functions. In the current environment of increasingly open and interconnected systems and networks, network and data security are essential for the optimum use of this information technology. For example, systems that carry out electronic financial transactions and electronic commerce must protect against unauthorized access to confidential records and unauthorized modification of data. Cryptography should be considered for data that is sensitive, has a high value, or represents a high value if it is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage. Cryptographic methods provide important functionality to protect against intentional and accidental compromise and alteration of data. These methods support communications security by encrypting the communication prior to transmission and decrypting it at receipt. These methods also provide file/data security by encrypting the data prior to placement on a storage medium and decrypting it after retrieval from the storage medium. The purpose of this document is to provide guidance to Federal agencies on how to select cryptographic controls for protecting Sensitive Unclassified information. This document focuses on Federal standards documented in Federal Information Processing Standards Publications (FIPS PUBs) and the cryptographic modules and algorithms that are validated against these standards. However, to provide additional information, other standards organizations (e.g., American National Standards Institute (ANSI) and International Organization for Standardization (ISO)) are briefly discussed.
National Institute of Standards and Technology (U.S.)
Lee, Annabelle
1999-11
-
Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
A government and industry working group composed of both users and vendors developed FIPS 140-1. The working group identified eleven areas of security requirements with four increasing levels of security for cryptographic modules. The security levels allow for a wide spectrum of data sensitivity (e.g., low value administrative data, million dollar funds transfers, and health data), and a diversity of application environments (e.g., a guarded facility, an office, and a completely unprotected location). Each security level offers an increase in security over the preceding level. These four security levels allow cost-effective solutions that are appropriate for different degrees of data sensitivity and different application environments. This structure also allows great flexibility when specifying or identifying user needs. Modules may meet different levels in the security requirements areas (e.g., a module meets level 2 overall, level 3 physical security with additional level 4 requirements). The Validated Modules list now contains modules representing all four security levels. FIPS 140-1 and FIPS 140-2 define a framework and methodology for NIST's current and future cryptographic standards. The standard provides users with: a specification of security features that are required at each of four security levels; flexibility in choosing security requirements; a guide to ensuring the cryptographic modules incorporate necessary security features; and the assurance that the modules are compliant with cryptography-based standards.
National Institute of Standards and Technology (U.S.)
Lee, Annabelle; Snouffer, Ray; Oldehoeft, Arch
2001-06
-
Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories
"In response to the second of these tasks, this guideline has been developed to assist Federal government agencies to categorize information and information systems. The guideline's objective is to facilitate provision of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or loss of availability of the information or information system. This guideline assumes that the user is familiar with Standards for Security Categorization of Federal Information and Information Systems (FIPS 199). […] This document is intended as a reference resource rather than as a tutorial. Not all of the material will be relevant to all agencies. This document includes two volumes: a basic guideline and a volume of appendixes. Users should review the guidelines provided in Volume I, then refer to only that specific material from the appendixes that applies to their own systems and applications. The provisional impact assignments contained in the appendixes are only the first step in impact assignment and subsequent risk assessment processes. The impact assignments are not intended to be used by auditors as a definitive checklist for information types and impact assignments. The basis employed in this guideline for the identification of information types is the Office of Management and Budget's Federal Enterprise Architecture Program Management Office's June 2003 publication, The Business Reference Model Version 2.0 (BRM)."
National Institute of Standards and Technology (U.S.)
Lee, Annabelle; Barker, William C.
2004-06
-
Cyber Security Research and Development - a Homeland Security Perspective
"Conduct, stimulate and enable research, development, test, evaluation, and timely transition of homeland security capabilities to federal, state, and local operational end-users. Anticipate, prevent, respond to and recover from terrorist attacks. Transfer technology and build capacity of federal, state, local operational end-users for all missions. Provide the nation with a dedicated and enduring capability."
United States. Department of Homeland Security
Lee, Annabelle
2005-08-09