INFORMATION TECHNOLOGY STANDARDS GUIDANCE

(ITSG)

(Part 10 of 14 parts)

SECURITY SERVICES

Version 3.1 - April 7, 1997


AREA IPSC

DISTRIBUTION STATEMENT A: Approved for public release; distribution unlimited

TABLE OF CONTENTS

3.10 Security services
3.10.1 Introduction and overview of security services
3.10.2 Architectures and applications
3.10.2.1 Security models and architectures
3.10.2.2 System development
3.10.2.3 Database security
3.10.2.4 Network security architecture
3.10.2.5 Operating system security
3.10.3 System management
3.10.3.1 Certification and accreditation
3.10.3.2 Security risk management
3.10.3.3 Security management
3.10.3.4 Security association and key management
3.10.3.5 Security audit
3.10.3.6 Security alarm reporting
3.10.4 Authentication
3.10.4.1 Personal authentication
3.10.4.2 Network authentication
3.10.4.3 Entity authentication
3.10.5 Access control
3.10.5.1 System access control
3.10.5.2 Network access control
3.10.6 Confidentiality
3.10.6.1 Systems confidentiality
3.10.6.2 Registration of cryptographic techniques
3.10.6.3 Data encryption security
3.10.6.4 Traffic flow confidentiality
3.10.7 Integrity
3.10.7.1 Systems integrity
3.10.7.2 Data integrity techniques
3.10.7.3 Network integrity
3.10.8 Non-repudiation
3.10.8.1 Systems non-repudiation
3.10.8.2 Electronic signature
3.10.8.3 Electronic hashing
3.10.9 Systems availability
3.10.9.1 Detection and notification
3.10.9.2 Security recovery
3.10.10 Security labeling
3.10.10.1 User interface security labeling
3.10.10.2 Data management security labeling
3.10.10.3 Data interchange security labeling
3.10.10.4 Graphics security labeling
3.10.10.5 Data communications security labeling
3.10.10.6 Operating system security labeling
3.10.10.7 Distributed computing security labeling

LIST OF TABLES

3.10-1 Security models and architectures standards
3.10-2 System development standards
3.10-3 Database security standards
3.10-4 Network security architecture standards
3.10-5 Operating system security standards
3.10-6 Certification and accreditation standards
3.10-7 Security risk management standards
3.10-8 Security management standards
3.10-9 Security association and key management standards
3.10-10 Security audit standards
3.10-11 Security alarm reporting standards
3.10-12 Personal authentication standards
3.10-13 Network authentication standards
3.10-14 Entity authentication standards
3.10-15 System access control standards
3.10-16 Network access control standards
3.10-17 Systems confidentiality standards
3.10-18 Registration of cryptographic techniques standards
3.10-19 Data encryption security standards
3.10-20 Traffic flow confidentiality standards
3.10-21 Systems integrity standards
3.10-22 Data integrity techniques standards
3.10-23 Network integrity standards
3.10-24 Systems non-repudiation standards
3.10-25 Electronic signature standards
3.10-26 Electronic hashing standards
3.10-27 Detection and notification standards
3.10-28 Security recovery standards
3.10-29 User interface security labeling standards
3.10-30 Data management security labeling standards
3.10-31 Data interchange security labeling standards
3.10-32 Graphics security labeling standards
3.10-33 Data communications security labeling standards
3.10-34 Operating system security labeling standards
3.10-35 Distributed computing security labeling standards

Cross-Reference of Security Service BSAs to Other Parts of the ITSG

3.10.2.1 Security models and architectures 3.2.5.1
3.10.2.2 System development 3.2.5.2 3.9.7.1
3.10.2.3 Database security 3.4.2.1 3.9.7.13
3.10.2.4 Network security architecture 3.7.9.1
3.10.2.5 Operating system security 3.8.5.1
3.10.3.1 Certification and accreditation 3.2.5.4 3.9.7.10
3.10.3.2 Security risk management 3.2.5.5 3.7.9.2 3.9.7.3
3.10.3.3 Security management 3.7.9.3 3.8.5.4 3.9.7.2
3.10.3.4 Security association and key management 3.7.9.4 3.9.7.14
3.10.3.5 Security audit 3.7.9.5 3.9.7.4 3.11.5.3
3.10.3.6 Security alarm reporting 3.7.9.6 3.9.7.5 3.11.5.7
3.10.4.1 Personal authentication 3.2.5.3 3.3.8.2 3.9.7.6
3.10.4.2 Network authentication 3.7.9.7
3.10.4.3 Entity authentication 3.8.5.3 3.9.7.7 3.11.5.2
3.10.5.1 System access control 3.4.2.2 3.9.7.8 3.11.5.1
3.10.5.2 Network access control 3.7.9.8 3.9.7.9
3.10.6.1 Systems confidentiality 3.5.10.1
3.10.6.2 Registration of cryptographic techniques 3.9.7.15
3.10.6.3 Data encryption security 3.5.10.2 3.7.9.9 3.11.5.5
3.10.6.4 Traffic flow confidentiality 3.7.9.10
3.10.7.1 Systems integrity 3.4.2.4
3.10.7.2 Data integrity techniques 3.4.2.5
3.10.7.3 Network integrity 3.7.9.11
3.10.8.1 Systems non-repudiation 3.5.10.4 3.7.9.12 3.11.5.6
3.10.8.2 Electronic signature 3.5.10.5 3.7.9.13
3.10.8.3 Electronic hashing 3.5.10.6 3.7.9.14 3.8.5.2
3.10.9.1 Detection and notification 3.2.5.6 3.9.7.11
3.10.9.2 Recovery 3.2.5.7 3.9.7.12
3.10.10.1 User interface security labeling 3.3.8.1
3.10.10.2 Data management security labeling 3.4.2.3
3.10.10.3 Data interchange security labeling 3.5.10.3
3.10.10.4 Graphics security labeling 3.6.7.1
3.10.10.5 Data communications security labeling 3.7.9.15
3.10.10.6 Operating system security labeling 3.8.5.5
3.10.10.7 Distributed computing security labeling 3.11.5.4

3.10 Security services. The security services portion of the ITSG presents standards, guidelines, models, frameworks, and other documents related to the protection of information that is stored, transferred, or processed in automated systems. Use and compliance with the security standards identified in this document do not constitute authorization to process classified data. DOD policy covering the accreditation process must still be adhered to in order to obtain approval for processing of classified data.

3.10.1 Introduction and overview of security services. Security represents a cross-functional area in the ITSG. Consequently, the security services identified in this part of the ITSG can be found in other parts as well. The intent of this chapter is to provide a single location where one can go to identify the standards, guidelines, and related documents for any pertinent security service area. All security-related BSAs in ITSG, Part 10 are "grounded" in the security service area; that is, the security service area is the foundation for all security BSAs. In turn, each security BSA is "cloned" into at least one other service area. The discussion and recommendations for these cloned BSAs are identical to those contained in Part 10, Security Services, and the standards tables for the cloned security BSAs are identical to the standards tables for the corresponding BSAs in Part 10. The presentation of this chapter is guided by two concerns. The first is to be consistent with the security principles and concepts of the DOD Goal Security Architecture (DGSA); thus, sections 3.10.4 through 3.10.9 correspond to the security services presented in the DGSA. The second is to provide an overview of the major security architectures, applications, and management concerns to ITSG users at all levels of expertise (sections 3.10.2 and 3.10.3).

For users of the ITSG who are not familiar with security terminology, the following references are suggested:

a. National Information Systems Security (INFOSEC) Glossary, National Security Telecommunications and Information Systems Security (NTISSI) No. 4009, 5 June 1992.

b. Glossary of Telecommunications Terms, FED-STD-1037B, 3 June 1991.

c. Dictionary of Information Systems, ANSI X3.172, 1990.

d. Security in Open Systems - Data Elements and Service Definitions, ECMA 138:1989 (based on ECMA TR46:1988).

e. Glossary of Computer Security Terms, NCSC-TG-004, version 1, 21 October 1988.


NOTE: Throughout Part 10, the Standard Type column of every table uses the following abbreviations:

a. National Public Consensus = NPC
b. International Public Consensus = IPC
c. Government Public Consensus = GPC
d. Consortia Public Consensus = CPC
e. Corporate Private Non-Consensus = CPN-C

3.10.2 Architectures and applications. Standards, guidance, and frameworks that help to define security architectures and the placement of security into specific applications are intended to provide guidance to standards developers. They do not provide implementable specifications against which conformance can be claimed.

3.10.2.1 Security models and architectures. (This BSA appears in part 2 and part 10.) Security models provide the necessary basis for the development of security-related protocols and security-related protocol elements.

3.10.2.1.1 Standards. Table 3.10-1 presents standards for security models and architectures.

TABLE 3.10-1 Security models and architectures standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational (Approved)
CPC | CEN/CENELEC/ITAEGV | Taxonomy of Security Standardization | ITAEGV N69 Ver 2 of 4/30/1992 | Informational (Approved)
IPC | ECMA | Security in Open Systems - Data Elements and Service Definitions | 138 (1989) | Informational (Approved)
IPC | ECMA | Security in Open Systems - A Security Framework | TR/46 (1988) | Informational (Approved)
GPC | NIST | Guidelines for Security of Computer Applications | FIPS PUB 73:1980 | Informational (Approved)
IPC | ITU-T | Security Architecture for OSI for CCITT Applications: Security, Structure, and Applications | X.800 (1991) | Informational (Approved)
CPC | X/Open | Security Guide (Second Edition) | G010 (2/91) | Informational (Approved)
IPC | ITU-T | Reference Model of OSE for CCITT Applications - Data Communications Networks - OSI Model and Notation, Services Definition | X.200 (1989) | Informational (Approved)
IPC | ISO | OSI Basic Reference Model, Part 3: Naming and Addressing | 7498-3:1989 | Informational (Approved)
IPC | ISO | OSI Basic Reference Model, Part 4: Management Framework | 7498-4:1989 | Informational (Approved)
IPC | ISO/IEC | OSI The Directory: Abstract Service Definition (same as ITU-T X.511 (1993)) | 9594-3:1993 (or 1994) | Informational (Approved)
IPC | ISO/IEC | OSI The Directory: Procedures for Distributed Operations (same as ITU-T X.519 (1993)) | 9594-4:1993 (or 1994) | Informational (Approved)
IPC | ISO/IEC | OSI The Directory: Authentication Framework (same as ITU-T X.509 (1993)) | 9594-8:1993 (or 1994) | Informational (Approved)
IPC | ISO | OSI Upper Layer Security Model | 10745:1993 | Informational (Approved)
CPC | X/Open | Distributed Security Framework | G410 (12/94) | Informational (Approved)
IPC | CCEB | Common Criteria for Information Technology Security Evaluation (CC), Version 1.0 | CC Version 1.0: 1996 | Emerging (Draft)
NPC | IEEE | Guide to the POSIX Open Systems Environment - A Security Framework | P1003.22: 1995 | Informational (Draft)
IPC | ISO/IEC | OSI Security Frameworks for Open Systems, Part 1: Overview | 10181-1 | Informational (Draft)
IPC | ISO/IEC | Guide to Open Systems Security | TR by JTC1/SC21/N8380 | Informational (Draft)
IPC | ISO/IEC | Management Plan for Security | JTC1/SC21 SD-7 | Informational (Draft)

3.10.2.1.2 Alternative specifications. There are no alternate specifications.

3.10.2.1.3 Standards deficiencies. FIPS PUB 73 does not include information about modern security concepts.

3.10.2.1.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.2.1.5 Related standards. There are no related standards.

3.10.2.1.6 Recommendations. The DGSA, Volume 6 of the TAFIM, is the abstract and generic security architecture of the TAFIM. The DGSA provides security principles and target security capabilities to guide system security architects in creating specific security architectures consistent with the DGSA. The DGSA should be used by system security architects to develop logical and specific security architectures.

3.10.2.2 System development. (This BSA appears in part 2, part 9, and part 10.) Development of secure systems requires that security engineering be a key discipline in conjunction with other system, software, and hardware engineering activities.

3.10.2.2.1 Standards. Table 3.10-2 presents standards for system development.

TABLE 3.10-2 System development standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated (Approved)
GPC | DOD | Trusted Network Interpretation | NCSC-TG-005, Version 1: 1987 | Mandated (Approved)
GPC | DOD | Trusted Database Management System Interpretation of the Trusted Computer Systems Evaluation Criteria | NCSC-TG-021, Version 1: 1991 | Mandated (Approved)
CPC | OSF | Distributed Computing Environment (DCE) Security Services | DCE 1.1 Security Services: 1994 | Mandated (Approved)
GPC | DOD | FORTEZZA Cryptologic Programmers' Guide | MD40000501-1.52: 1996 | Mandated (Approved)
GPC | DOD | FORTEZZA Application Implementors' Guide | MD4002101-1.52: 1996 | Mandated (Approved)
GPC | DOD | Software Development and Documentation | MIL-STD-498 | Informational (Approved)
IPC | ISO/IEC | Software Life Cycle Processes | 12207:1995 | Informational (Approved)
NPC | EIA | Trial Use Standard - Standard for Information Technology - Software Life-Cycle Processes - Software Development - Acquirer-Supplier Agreement | EIA/IEEE J-STD-016: 1995 | Informational (Approved)
CPC | OSF | Distributed Computing Environment (DCE) Rev. 1.2.2 | DCE Rev. 1.2.2:1996 | Informational (Approved)
IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational (Approved)
GPC | NIST | Guidelines for Security of Computer Applications | FIPS PUB 83:1980 | Informational (Approved)
IPC | ISO/IEC | OSI The Directory: Abstract Service Definition (same as ITU-T X.511 (1993)) | 9594-3:1993 (or 1994) | Informational (Approved)
IPC | ISO/IEC | OSI The Directory: Procedures for Distributed Operations (same as ITU-T X.519 (1993)) | 9594-4:1993 (or 1994) | Informational (Approved)
IPC | ISO/IEC | OSI The Directory: Authentication Framework (same as ITU-T X.509 (1993)) | 9594-8:1993 (or 1994) | Informational (Approved)
CPC | X/Open | Generic Security Service API (GSS-API) Base | C441 (12/95) | Informational (Approved)
NPC | IEEE | POSIX, Part 1: System API - Amendment n: Protection, Audit, and Control Interfaces (C Language), Draft 15 | P1003.1e: 1995 | Legacy (Draft)
NPC | IEEE | POSIX, Part 2: Shell and Utilities - Amendment n: Protection and Control Utilities, Draft 15 | P1003.2c: 1995 | Emerging (Draft)
CPC | IETF | Generic Security Service - Application Program Interface, Version 2 | RFC 2078: 1997 | Emerging (Draft)
CPC | IETF | Independent Data Unit Protection Generic Security Application Program Interface (IDUP-GSS-API) | draft-ietf-cat-idup-gss-06.txt, 26 November 1996 | Emerging (Draft)
NPC | IEEE | Standard for Information Technology - Software Life Cycle Processes | IEEE/EIA 12207US-date | Informational (Draft)
NPC | IEEE | Guide for Information Technology - Software Life Cycle Processes - Life Cycle Data | IEEE/EIA 12207.1US-date | Informational (Draft)
NPC | IEEE | Guide for Information Technology - Software Life Cycle Processes - Implementation Considerations | IEEE/EIA 12207.2US-date | Informational (Draft)

3.10.2.2.2 Alternative specifications. There are no alternative specifications.

3.10.2.2.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.2.2.4 Portability caveats. There are no portability caveats.

3.10.2.2.5 Related standards. DOD Directive 5200.28, "Security Requirements for Automated Information Systems (AISs)," provides the DOD-wide program for AIS security. It provides mandatory, minimum AIS security requirements for systems processing classified, sensitive but unclassified, and unclassified information. For intelligence systems, Director, Central Intelligence Directive (DCID) 1/16, "Security Policy for Uniform Protection of Intelligence Processed in Automated Information Systems and Networks," and "Security Manual for Uniform Protection of Intelligence Information Processed in Automated Information Systems and Networks," should be used in conjunction with DOD 5200.28-STD. The following guidelines are also for use with DOD 5200.28-STD:

a. NCSC-TG-006, Version 1, 28 March 1988, A Guide to Understanding Configuration Management in Trusted Systems

b. NCSC-TG-007, Version 1, 2 October 1988, A Guide to Understanding Design Documentation in Trusted Systems

c. NCSC-TG-008, Version 1, 15 December 1988, A Guide to Understanding Trusted Distribution in Trusted Systems

d. NCSC-TG-018, Version 1, July 1992, A Guide to Understanding Object Reuse in Trusted Systems

e. NCSC-TG-023, Version 1, July 1993, A Guide to Understanding Security Testing and Test Documentation in Trusted Systems

3.10.2.2.6 Recommendations. The standards listed as mandated are recommended.

MIL-STD-498 merges and supersedes DOD-STD-2167A and DOD-STD-7935A and has been approved for use by DOD with a waiver. Requirements for usage waivers are determined by each Service or Agency. MIL-STD-498 contains requirements for security and privacy for software development and documentation. EIA/IEEE J-STD-016: 1995 (formerly IEEE 1498/EIA IS 640) is based on MIL-STD-498 and was issued 30 September 1995 as a joint EIA/IEEE trial use standard. It is anticipated that J-STD-016 will be upgraded from trial use to full use and issued as an ANSI standard in 1997. It is also anticipated that IEEE/EIA 12207US, the U.S. adaptation of ISO/IEC 12207, will be sent to ANSI as a joint standard. IEEE/EIA 12207US will consist of a base standard (12207.0US) and two guides (12207.1US and 12207.2US). The base standard will contain ISO/IEC 12207 and is expected to be approved prior to July 1997. The guide IEEE/EIA 12207.1US, Guide for Information Technology - Software Life Cycle Processes - Life Cycle Data, will contain the contents lists of the product descriptions from EIA/IEEE J-STD-016. The guide IEEE/EIA 12207.2US will provide guidance for: software reuse, software process management indicator categories for problem reporting, software/system architecture, development strategies, tailoring and build planning, software product evaluations, alternate means of compliance for joint reviews, configuration management, and acquirer-supplier interaction. The two guides are expected to be final by September 1997. The long range goal is migration to full use of IEEE/EIA 12207US; however, EIA/IEEE J-STD-016 can be used for transition from MIL-STD-498, subject to Agency/Service approval, until organizational processes for IEEE/EIA 12207US are in place.

If FORTEZZA services are used, the following two guidelines should be consulted:

a. MD4002101-1.52, 3/5/96, FORTEZZA Application Implementors' Guide

b. MD4000502-1.52, 1/30/96, FORTEZZA Cryptologic Programmers' Guide, Revision 1.52

3.10.2.3 Database security. (This BSA appears in part 4, part 9, and part 10.) Database security standards provide protection for stored data from unauthorized access, modification, and denial of service.

3.10.2.3.1 Standards. Table 3.10-3 presents standards for database security.

TABLE 3.10-3 Database security standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | Trusted Database Management System Interpretation of the Trusted Computer Systems Evaluation Criteria | NCSC-TG-021, Version 1: 1991 | Mandated (Approved)
IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational (Approved)
GPC | NIST | Database Language SQL (adopts ANSI X3.135-1992 (same as ISO 9075:1992)) | FIPS PUB 127-2:1993 | Informational (Approved)
GPC | NIST | Information Resource Dictionary System (IRDS) (adopts ANSI X3.138-1988 and X3.138A-1991) | FIPS PUB 156:1989 | Informational (Approved)
NPC | ANSI | Database Language SQL | X3.135-1992 | Informational (Approved)
IPC | ISO | Database Language SQL (same as ANSI X3.135-1992) | 9075:1992 | Informational (Approved)
IPC | ISO/IEC | Information Resource Dictionary System (IRDS) Framework | 10027:1990 | Informational (Approved)
IPC | ISO/IEC | OSI Service Definition for the Commitment, Concurrency, and Recovery (CCR) Service Element | 9804:1990 | Informational (Approved)
IPC | ISO/IEC | OSI Protocol Specification for the Commitment, Concurrency, and Recovery (CCR) Service Element | 9805:1990 | Informational (Approved)
NPC | ANSI | Information Resource Dictionary System (IRDS) | X3.138-1988 | Informational (Approved)
IPC | ISO/IEC | Information Resource Dictionary System (IRDS) Services Interface, Amendment 1: C Language Binding | 10728 AMD 1:1994 | Informational (Draft)

3.10.2.3.2 Alternative specifications. There are no alternative specifications.

3.10.2.3.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.2.3.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.2.3.5 Related standards. DOD 5200.28-STD, 26 December 1995, DOD Trusted Computer Systems Evaluation Criteria, is related to NCSC-TG-021. The following specifications are related to DOD 5200.28-STD:

a. NCSC-TG-018, Version 1, July 1992, A Guide to Understanding Object Reuse in Trusted Systems

b. NCSC-TG-025, Version 2, September 1991, A Guide to Understanding Data Remnants in Automated Information Systems

3.10.2.3.6 Recommendations. The mandated standard is recommended.

3.10.2.4 Network security architecture. (This BSA appears in both part 7 and part 10.) OSI security architecture defines the general security-related architectural elements, provides a general description of security services and related mechanisms, and defines the positions within the OSI Reference Model at which the services and mechanisms may be provided. Open systems security frameworks address data elements and sequences of operations that are used to obtain security services.

Note: The security architecture and framework standards are intended to provide guidance and background information to developers. In general, these standards do not provide implementable specifications against which conformance can be claimed.

3.10.2.4.1 Standards. Table 3.10-4 presents standards for network security architecture.

TABLE 3.10-4 Network security architecture standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated (Approved)
GPC | DOD | Trusted Network Interpretation | NCSC-TG-005, Version 1: 1987 | Mandated (Approved)
IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational (Approved)
IPC | ISO/IEC | OSI Security Frameworks for Open Systems - Part 2: Authentication Framework | 10181-2:1996 | Informational (Approved)
IPC | ISO | OSI Upper Layer Security Model | 10745:1993 | Informational (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 1: Overview, Models, and Notation | 11586-1:1994 | Informational (Approved)
IPC | ISO/IEC | Lower Layer Security Model | TR 13594:1995 | Informational (Approved)
CPC | IETF | Security Architecture for the Internet Protocol | RFC 1825: 1995 | Emerging (Draft)
CPC | IETF | Security Architecture for the Internet Protocol | draft-ietf-ipsec-arch-sec-01.txt, 10 November 1996 | Informational (Draft)
NPC | IEEE | Standard for Interoperable LAN Security - Part A: The Model | 802.10a: 1989 | Emerging (Draft)
IPC | ISO/IEC | OSI Security Frameworks for Open Systems, Part 1: Overview | 10181-1 | Informational (Draft)
IPC | ISO/IEC | OSI Security Frameworks in Open Systems, Part 3: Access Control | 10181-3 | Informational (Draft)
IPC | ISO/IEC | OSI Security Frameworks in Open Systems, Part 4: Non-Repudiation (same as ITU-TS X.813) | 10181-4 | Informational (Draft)
IPC | ISO/IEC | OSI Security Frameworks in Open Systems, Part 5: Confidentiality | 10181-5 | Informational (Draft)
IPC | ISO/IEC | OSI Security Frameworks in Open Systems, Part 6: Integrity (same as ITU-TS X.815) | 10181-6 | Informational (Draft)
IPC | ISO/IEC | OSI Security Frameworks for Open Systems, Part 7: Security Audit Framework | 10181-7 | Informational (Draft)
IPC | ISO/IEC | OSI Security Frameworks for Open Systems, Part 8: Key Management | 10181-8 | Informational (Draft)

3.10.2.4.2 Alternative specifications. There are no alternative specifications.

3.10.2.4.3 Standards deficiencies. The Upper Layer Security Model (ISO 10745) primarily addresses FTAM requirements and does not deal with Directory, Transaction Processing, and X.400.

3.10.2.4.4 Portability caveats. Portability problems related to the existing specifications are unknown.

3.10.2.4.5 Related standards. NCSC-TG-011, Version 1, 1 August 1990, Trusted Network Interpretation Environments Guideline - Guidance for Applying the Trusted Network Interpretation, is a guideline supporting the TCSEC.

3.10.2.4.6 Recommendations. The standards listed as mandated are recommended. Implementations involving security services should require conformance to the security principles and concepts of the DGSA (TAFIM, Volume 6) and supporting standards. RFC 1825 is an emerging standard that provides the current view of how to implement security functions within an Internet Protocol (IP) suite network. The Internet Draft document draft-ietf-ipsec-arch-sec-01.txt is a "work-in-progress" revision of RFC 1825.

3.10.2.5 Operating system security. (This BSA appears in both part 8 and part 10.) Operating system security services provide basic reference monitor services. These security mechanisms control the flow of data and the use of applications to ensure that the system security policy is adhered to.

3.10.2.5.1 Standards. Table 3.10-5 presents standards for operating system security.

TABLE 3.10-5 Operating system security standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated (Approved)
GPC | NIST | Password Usage | FIPS PUB 112: 1985 | Mandated (Approved)
IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational (Approved)
GPC | NIST | Guidelines on Evaluation of Techniques for Automated Personal Identification | FIPS PUB 48:1977 | Informational (Approved)
IPC | ISO/IEC | OSI Systems Management, Part 7: Security Alarm Reporting Function (same as ITU-T X.736) | 10164-7:1992 | Informational (Approved)
NPC | IEEE | POSIX, Part 1: System API - Amendment n: Protection, Audit, and Control Interfaces (C Language), Draft 15 | P1003.1e: 1995 | Emerging (Draft)
NPC | IEEE | POSIX, Part 2: Shell and Utilities - Amendment n: Protection and Control Utilities, Draft 15 | P1003.2c: 1995 | Emerging (Draft)
IPC | CCEB | Common Criteria for Information Technology Security Evaluation (CC), Version 1.0 | CC Version 1.0: 1996 | Emerging (Draft)
NPC | IEEE | Guide to the POSIX Open Systems Environment - A Security Framework | P1003.22: 1995 | Informational (Draft)
NPC | SAE | Avionics Operating System API Requirements for the Society of Automotive Engineers | ARD 50067: 1996 | Informational (Draft)
NPC | IEEE | Portable Operating System Interface (POSIX), Part 1: System API/C Language (same as ISO 9945-1:1990) | 1003.1:1990 | Informational (Superseded)

3.10.2.5.2 Alternative specifications. No alternative specifications are available.

3.10.2.5.3 Standards deficiencies. General operating systems for personal computers are inherently insecure and should not be used in DOD acquisitions without an assurance of "add-on" security features and an approved security risk analysis providing at least a C2 level of trust per DOD Directive 5200.28.

The DGSA stresses the need for separation mechanisms, such as a separation kernel, to maintain strict isolation, that is, information domains must be completely isolated from each other. The DGSA concept requires that information transfers between domains may occur if, and only if, a relationship is explicitly defined in each information domain's security policy. There are no current or emerging standards for design and implementation of separation kernels nor for programming interfaces for separation kernels.
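The bilateral rule in the paragraph above (a transfer between information domains is permitted only when the relationship is defined in each domain's own security policy) can be modelled as a small separation mediator. This is an added Python example, not code from the ITSG or the DGSA; the domain names and their policies are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Relationship:
    """One explicitly declared inter-domain transfer. Direction matters:
    declaring A->B says nothing about B->A."""
    source: str
    target: str


@dataclass
class DomainPolicy:
    """Security policy of one information domain. The only thing it says
    about other domains is which transfer relationships it declares; with
    no declarations the domain is completely isolated (the DGSA default)."""
    name: str
    relationships: frozenset = field(default_factory=frozenset)

    def declares(self, rel: Relationship) -> bool:
        return rel in self.relationships


class SeparationMonitor:
    """Separation-kernel style mediator. Every inter-domain transfer is
    submitted to check_transfer(); each decision and its reason is kept
    in an audit trail so denied transfers can be reviewed or alarmed."""

    def __init__(self, policies):
        self.policies = {p.name: p for p in policies}
        self.audit_trail = []

    def check_transfer(self, source: str, target: str) -> bool:
        rel = Relationship(source, target)
        if source == target:
            return self._record(rel, True, "intra-domain flow, no mediation needed")
        src, dst = self.policies.get(source), self.policies.get(target)
        if src is None or dst is None:
            return self._record(rel, False, "unknown domain")
        # The DGSA rule: the relationship must be defined in EACH domain's
        # policy. A one-sided declaration is not sufficient.
        if not src.declares(rel):
            return self._record(rel, False, f"{source} policy does not define {source}->{target}")
        if not dst.declares(rel):
            return self._record(rel, False, f"{target} policy does not define {source}->{target}")
        return self._record(rel, True, "relationship defined in both policies")

    def _record(self, rel: Relationship, allowed: bool, reason: str) -> bool:
        self.audit_trail.append((rel.source, rel.target, allowed, reason))
        return allowed


def build_sample_monitor() -> SeparationMonitor:
    """Constructed sample: three hypothetical domains. LOGISTICS and PLANNING
    both declare LOGISTICS->PLANNING; PUBLIC declares PUBLIC->LOGISTICS but
    LOGISTICS does not reciprocate, so that transfer must be denied."""
    lp = Relationship("LOGISTICS", "PLANNING")
    pl = Relationship("PUBLIC", "LOGISTICS")
    return SeparationMonitor([
        DomainPolicy("LOGISTICS", frozenset({lp})),
        DomainPolicy("PLANNING", frozenset({lp})),
        DomainPolicy("PUBLIC", frozenset({pl})),
    ])


def evaluate_sample() -> dict:
    """Run the constructed transfers and return {(source, target): allowed}."""
    mon = build_sample_monitor()
    cases = [("LOGISTICS", "PLANNING"),   # declared on both sides -> allowed
             ("PLANNING", "LOGISTICS"),   # reverse direction never declared -> denied
             ("PUBLIC", "LOGISTICS"),     # declared by PUBLIC only -> denied
             ("PLANNING", "PLANNING"),    # intra-domain -> allowed
             ("PLANNING", "INTEL")]       # hypothetical unknown domain -> denied
    return {c: mon.check_transfer(*c) for c in cases}


if __name__ == "__main__":
    for (s, t), ok in evaluate_sample().items():
        print(f"{s:>9} -> {t:<9} {'ALLOW' if ok else 'DENY'}")
```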

Due to its age, FIPS 48 does not include information on modern security concepts.

3.10.2.5.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.2.5.5 Related standards. ISO/IEC 9945-1 as profiled by FIPS 151-2 is related to IEEE P1003.1e and IEEE P1003.2c.

The following Compartmented Mode Workstation (CMW) specifications are related to operating system security:

a. DDS-2600-5502-87, Security Requirements for System High and Compartmented Mode Workstations

b. DDS-2600-6243-92, Compartmented Mode Workstation (CMW) Evaluation Criteria

c. DDS-2600-6216-91, Compartmented Mode Workstation (CMW) Labeling: Encoding Format

d. DDS-2600-6243-91, Compartmented Mode Workstation (CMW) Labeling: Source Code and User Interface Guidelines, Revision 1

3.10.2.5.6 Recommendations. The mandated standards are recommended.

3.10.3 System management. System management encompasses those security functions required to maintain an operationally secure system. This area includes analysis areas such as certification and accreditation and risk management, as well as operationally motivated concerns such as alarm reporting, audit, and cryptographic key management.

3.10.3.1 Certification and accreditation. (This BSA appears in part 2, part 9, and part 10.) Certification and accreditation constitute a set of procedures and judgments leading to a determination of the suitability of the system to operate in the targeted operational environment.

Accreditation is the official management authorization to operate a system. The accreditation normally grants approval for the system to operate (a) in a particular security mode, (b) with a prescribed set of countermeasures (administrative, physical, personnel, communications security, emissions, and computer security controls), (c) against a defined threat and with stated vulnerabilities and countermeasures, (d) within a given operational concept and environment, (e) with stated interconnections to other systems, (f) at an acceptable level of risk for which the accrediting authority has formally assumed responsibility, and (g) for a specified period of time. The Designated Approving Authority(s) (DAA) formally accepts security responsibility for the operation of the system and officially declares that the specified system will adequately protect against compromise, destruction, or unauthorized modification under the stated parameters of the accreditation. The accreditation decision affixes security responsibility to the DAA and shows that due care has been taken for security in accordance with the applicable policies.

An accreditation decision is in effect after the issuance of a formal, dated statement of accreditation signed by the DAA, and remains in effect for the specified period of time (varies according to applicable policies). A system processing classified or sensitive unclassified information should be accredited prior to operation or testing with live data unless a written waiver is granted by the DAA. In some cases (e.g., when dealing with new technology, during a transition phase, or when additional time is needed for more rigorous testing), the DAA may grant an interim approval to operate for a specified period of time. At the end of the specified time period, the DAA must make the final accreditation decision.

Certification is conducted in support of the accreditation process. It is the comprehensive analysis of both the technical and nontechnical security features and other safeguards of a system to establish the extent to which a particular system meets the security requirements for its mission and operational environment. A complete system certification must consider factors dealing with the system in its unique environment, such as its proposed security mode of operation, specific users, applications, data sensitivity, system configuration, site/facility location, and interconnections with other systems. Certification should be done by personnel who are technically competent to assess the system's ability to meet the security requirements according to an acceptable methodology. The resulting documentation of the certification activities is provided to the DAA to support the accreditation decision. Many security activities support certification, such as risk analysis, security test and evaluation, and various types of evaluations.

Ideally, certification and accreditation procedures encompass the entire life cycle of the system, with the DAA involved from the inception of the system to ensure that the accreditation goals are clearly defined. A successful certification effort implies that system security attributes were measured and tested against the threats of the intended operational scenarios. Additionally, certification and accreditation are continuing and dynamic processes; the security state of the system needs to be tracked and assessed through changes to the system and its operational environment. Likewise, the management decision to accept the changing system for continued operation is an ongoing decision process.

Standards for certification and accreditation services provide definitions and procedures for the testing and accreditation of computer systems in so far as their conformance with security standards is concerned.

3.10.3.1.1 Standards. Table 3.10-6 presents standards for certification and accreditation.

TABLE 3.10-6 Certification and accreditation standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | The DOD Trusted Computer System Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated (Approved)
GPC | NIST | Guideline for Computer Security Certification and Accreditation | FIPS PUB 102:1983 | Informational (Approved)
IPC | CCEB | Common Criteria for Information Technology Security Evaluation (CC) Version 1.0 | CC Version 1.0: 1996 | Emerging (Draft)
GPC | DOD | DOD Information Technology Security Certification and Accreditation Process | DITSCAP: 1996 | Informational (Draft)

3.10.3.1.2 Alternative specifications. No other consortia or de facto specifications are available.

3.10.3.1.3 Standards deficiencies. Because of its age, FIPS PUB 102 does not include services for the certification and accreditation of all modern security concepts.

Certification and accreditation evaluation criteria that address current information technology, such as distributed computing and networking, are needed. As new criteria such as the Common Criteria emerge, revision of existing certification and accreditation guidelines may be required.

3.10.3.1.4 Portability caveats. There are no portability problems related to the existing specifications.

3.10.3.1.5 Related standards. NCSC-TG-029, "Introduction to Certification and Accreditation," January 1994, discusses basic concepts related to certification and accreditation and is the first of a series of guidelines in the "Rainbow Series" supporting the Trusted Computer System Evaluation Criteria (TCSEC) standard.

3.10.3.1.6 Recommendations. The mandated standard is recommended.

Procurements that require that an AIS be certified and/or accredited must reference DOD Directive 5200.28 and applicable designated approving authority guidance. DOD Directive 5200.28, "Security Requirements for Automated Information Systems (AISs)," requires certification and accreditation of AISs. FIPS PUB 102, "Guideline for Computer Security Certification and Accreditation," provides Federal guidelines for certification and accreditation; because of its age, it does not cover the certification and accreditation of all modern security concepts. DOD 5200.28-STD provides criteria to assess the security assurances of trusted systems against specific classes. DCID 1/16 provides security requirements for systems processing intelligence information.

The DISA CISS and NSA are each developing documents that will standardize the certification and accreditation process within DOD. Each document is in draft form; final documents are expected to be issued in 1997. The NSA document, "Certification and Accreditation Process Handbook for Certifiers," will be published as a "Rainbow" series document supporting the TCSEC standard. This NSA handbook focuses on certification and accreditation of standalone systems. The DISA CISS document, "DOD Information Technology Security Certification and Accreditation Process" (DITSCAP), will be published as a DOD publication. The DITSCAP focuses on certification and accreditation in conjunction with the programmatic aspects of the DII.

3.10.3.2 Security risk management. (This BSA appears in part 2, part 7, part 9, and part 10.) Security risk management supports accreditation through a risk analysis of an information system and its operational environment, and through the steps taken to manage the risks identified.

3.10.3.2.1 Standards. Table 3.10-7 presents standards for security risk management.

TABLE 3.10-7 Security risk management standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | The DOD Trusted Computer System Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated (Approved)
GPC | NIST | Guideline for the Analysis of Local Area Network Security | FIPS PUB 191:1994 | Informational (Approved)
GPC | NIST | Guideline for Automated Data Processing Risk Analysis | FIPS PUB 65:1979 | Informational (Approved)
GPC | NIST | Guidelines for Automatic Data Processing Physical Security and Risk Management | FIPS PUB 31:1974 | Informational (Approved)

3.10.3.2.2 Alternative specifications. There are no alternative specifications.

3.10.3.2.3 Standards deficiencies. Because of its age, FIPS PUB 31 does not include information about modern security concepts.

3.10.3.2.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.3.2.5 Related standards. The following standards are related to the TCSEC standard:

a. CSC-STD-003-85 25 June 1985, Computer Security Requirements - Guidance for Applying the Department of Defense Trusted Computer Security Evaluation Criteria in Specific Environments

b. CSC-STD-004-85, 25 June 1985, Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements - Guidance for Applying the Department of Defense Trusted Computer Security Evaluation Criteria in Specific Environments

3.10.3.2.6 Recommendations. The mandated standard is recommended. Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," provides guidance on effective security risk management of federal information systems. NIST Special Publication 800-12, "An Introduction to Computer Security: The NIST Handbook" provides additional guidance on risk management. DOD Directive 5200.28 requires a risk analysis of an information system be conducted in its operational environment to support accreditation of the information system. System implementors should perform the risk analysis in accordance with CSC-STD-003-85 and CSC-STD-004-85 to determine the appropriate DOD-5200.28-STD class.

3.10.3.3 Security management. (This BSA appears in part 7, part 8, part 9, and part 10.) Security management is a particular instance of information system management. Security management provides supporting services that contribute to the protection of information and resources in open systems in accordance with information domain and information security policies. The basic elements that must be managed are users, security policies, information, information processing systems that support one or more security policies, and the security functions that support the security mechanisms (automated, physical, personnel, or procedural) used to implement security services. For each of these elements, the managed objects that constitute them must be identified and maintained. For example, users must be known and registered, security policies must be represented and maintained and information objects must be identified and maintained. Security policies, security services and security mechanisms are the first classes of managed objects.

3.10.3.3.1 Standards. Table 3.10-8 presents standards for security management.

TABLE 3.10-8 Security management standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | The DOD Trusted Computer System Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated (Approved)
GPC | DOD | Trusted Network Interpretation | NCSC-TG-005, Version 1: 1987 | Mandated (Approved)
GPC | DOD | Trusted Database Management System Interpretation of the Trusted Computer System Evaluation Criteria | NCSC-TG-021, Version 1: 1991 | Mandated (Approved)
CPC | OSF | Distributed Computing Environment (DCE) Security Services | DCE 1.1 Security Services: 1994 | Mandated (Approved)
IPC | ITU-T | The Directory: Procedures for Distributed Operation (X-ref: ISO 9594-4) | X.518: 1993 | Informational (Approved)
CPC | OSF | Distributed Computing Environment (DCE) Rev. 1.2.2 | DCE Rev. 1.2.2:1996 | Informational (Approved)
IPC | ISO/IEC | OSI Common Management Information Services (CMIS) Definition, with Amendment 4: Access Control | 9595:1991/AM4:1992 | Informational (Approved)
IPC | ISO/IEC | Information Technology - Open Systems Interconnection - Common Management Information Protocol (CMIP) - Part 1: Specification (includes amendments 1 and 2 of ISO/IEC 9596-1:1990) | 9596-1:1991 | Informational (Approved)
CPC | NMF | OMNIPoint 1 (adopts ISO Profile Sets 11183-X, 12059-X, and 12060-X; includes ISO/IEC 10164-X) | OMNIPoint 1:1993 | Informational (Approved)
IPC | ISO/IEC | OSI Systems Management, Part 7: Security Alarm Reporting Function (same as ITU-T X.736) | 10164-7:1992 | Informational (Approved)
IPC | ISO/IEC | OSI Systems Management, Part 8: Security Audit Trail Function (same as ITU-T X.740) | 10164-8:1993 | Informational (Approved)
IPC | ISO/IEC | OSI Systems Management, Part 9: Objects and Attributes for Access Control | 10164-9:1995 | Informational (Approved)
IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational (Approved)
GPC | NIST | Government Network Management Profile (GNMP) | FIPS PUB 179-1:1995 | Informational (Approved)
NPC | IEEE | POSIX Part 2: Shell and Utilities - Amendment n: Protection and Control Utilities, Draft 15 | P1003.2c: 1995 | Emerging (Draft)
NPC | IEEE | POSIX, Part 1: System API - Amendment n: Protection, Audit, and Control Interfaces (C Language), Draft 15 | P1003.1e: 1995 | Emerging (Draft)
CPC | OMG | Common Object Request Broker Architecture (CORBA) Security | OMG 95-12-1: 1995 | Emerging (Draft)
CPC | IETF | Domain Name System (DNS) Security Extensions | RFC 2065:1997 | Emerging (Draft)
GPC | NIST | Government Network Management Profile (GNMP) | FIPS PUB 179:1992 | Informational (Superseded)
NPC | IEEE | Standard for Interoperable LAN Security - Part D: Security Management | 802.10d | Informational (Formative)
IPC | ISO/IEC | Management Plan for Security | JTC1/SC21 SD-7 | Informational (Draft)

3.10.3.3.2 Alternative specifications. There are no alternative specifications.

3.10.3.3.3 Standards deficiencies. Deficiencies exist in standardization of security policy rule representation; key management, including generation, distribution, and accounting; audit information formats; exchange of security management information; and remote security management.

The DGSA principle of decision and enforcement separation requires that the functions determining how to enforce a security policy and the actual enforcement of the policy be implemented independently. That is, the enforcement mechanisms do not need any knowledge of security policy. Standards are needed for object class definitions for classes of managed objects and for methods of representing security policy.

The DGSA calls for a separation mechanism, such as a separation kernel, to mediate all calls to security-critical functions to ensure that strict isolation is maintained. Standardization of object class definitions for management of critical functions used within the separation kernel is needed.

The present ISO/IEC 10164-7 "Security Alarm Reporting Function," and 10164-8, "Security Audit Trail Function," standards were designed with network security in mind. Little work has been done, either in standards groups or in products, on how to use these standards for general system management (e.g., computer systems and software).

FIPS PUB 179-1 supersedes FIPS PUB 179. The present GNMP specifications require ISO CMIS/CMIP to communicate management information and ISO OSI networking protocols. Plans are for the GNMP eventually to provide a capability to integrate the present GNMP with SNMP. One reason for this goal is the widespread use of SNMP.

No Ada bindings exist for any of the ISO or consortia system management specifications.

The IEEE POSIX Security Working Group (formerly P1003.6) is defining security extensions to the base POSIX interface standard (ISO 9945-1), to include support for audit, privilege, discretionary and mandatory access control, and information labels. These have been redesignated IEEE P1003.1e and IEEE P1003.2c. The draft standards are still incomplete, and the specifications may change.

The POSIX/UNIX permission bits are inadequate for fine-grained control over exactly which users can perform specified actions to particular files.

In the IETF, efforts to develop an acceptable security standard for SNMPv2 have been on hold since September 1995 when the IETF SNMP Working Group failed to agree on the proposals submitted. Since then, two sets of proposals for providing SNMPv2 security have emerged. The first set of proposed specifications, the User-based Security Model (USEC), also referred to as SNMPv2u, consists of two documents: RFC 1909, "An Administrative Infrastructure for SNMPv2" and RFC 1910, "The User-based Security Model for SNMPv2." Both RFCs were issued 28 February 1996 and are classified by the IETF as experimental RFCs. The other proposal is known as SNMPv2*, which its proponents claim is heavily based on USEC. Neither USEC nor SNMPv2* has been approved for a standards track by IETF.

3.10.3.3.4 Portability caveats. The structure of certain traditional UNIX directories, such as the familiar "/tmp," "/usr/spool," and "/usr/spool/mail" directories must be expressly managed to accommodate the P1003.1e and P1003.2c security standards. This is because these are directories to which all users have access and to which many programs write. A change in the way programs write to directories has the potential for causing software portability and systems administrator portability problems.

The traditional UNIX permission bits that have been carried into POSIX are inadequate for defining exactly which user can perform specific actions on specific files. Eliminating the permission bits in favor of Access Control Lists could make the secure POSIX systems incompatible with non-POSIX compliant systems and many applications.

OSF DCE Version 1.1's authentication service is based on Kerberos Version 5 (RFC 1510), but is not totally compatible with RFC 1510. DCE 1.2.2 adds testing and official support for Kerberos Version 5.

3.10.3.3.5 Related standards. ISO/IEC 9945-1 as profiled by FIPS PUB 151-2 is related to IEEE P1003.1e and IEEE P1003.2c.

3.10.3.3.6 Recommendations. The mandated standards are recommended.

All IEEE P1003.1e and IEEE P1003.2c security systems should incorporate Access Control Lists as an optional feature in addition to permission bits (not "in place of" permission bits). The incompatibilities between the two access control methods (permission bits and access control lists) are not resolvable. The best method for resolving the overall problem seems to be to incorporate Access Control Lists as an optional feature on top of permission bits. The permission bits would represent the lowest common denominator of security, showing the maximum amount of openness possible in a system. Organizations needing only the lowest level of security could continue to use the familiar permission bits and the associated "chmod" command. Use of access control lists will require a change in security policy such that access is granted if and only if the permission bits grant it and the access control list also permits it.
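The decision rule recommended above (permission bits must grant, and an ACL, when present, must also permit, so an ACL can only narrow what the bits allow) is shown here as an added example; it is not code from this guidance, from IEEE P1003.1e, or from any operating system. The ACL layout (a dictionary keyed by "user:<name>", "group:<name>" and "other"), the sample file and the sample subjects are assumptions constructed for the illustration. For comparison, the POSIX.1e draft later tied ACL evaluation to the mode bits through a mask entry rather than a plain conjunction; the example follows the rule stated on this page.

```python
"""Access decision combining POSIX permission bits with an optional ACL.

Illustrative example; not code from the ITSG, IEEE P1003.1e or any OS.
Policy modelled: with no ACL the owner/group/other mode bits decide on
their own; with an ACL, access is granted only if the mode bits grant
it AND the ACL permits it. An ACL therefore never widens access.
The ACL form used here is an assumption made for this example.
"""
from dataclasses import dataclass
from typing import Optional

R, W, X = 4, 2, 1          # permission values, as in the mode bits


@dataclass
class Subject:
    uid: str
    groups: frozenset = frozenset()


@dataclass
class FileMeta:
    owner: str
    group: str
    mode: int                          # e.g. 0o640
    acl: Optional[dict] = None         # None means "no ACL, bits only"


def bits_permit(meta: FileMeta, subj: Subject, want: int) -> bool:
    """Classic POSIX class selection: owner class for the owner, else
    group class if the subject is in the file's group, else the other
    class. Exactly one class is consulted."""
    if subj.uid == meta.owner:
        cls = (meta.mode >> 6) & 7
    elif meta.group in subj.groups:
        cls = (meta.mode >> 3) & 7
    else:
        cls = meta.mode & 7
    return cls & want == want


def acl_permit(acl: dict, subj: Subject, want: int) -> bool:
    """ACL evaluation (assumed form): a named user entry is decisive;
    otherwise the union of all matching group entries applies;
    otherwise the "other" entry (default: nothing)."""
    user_key = "user:" + subj.uid
    if user_key in acl:
        return acl[user_key] & want == want
    granted, matched = 0, False
    for g in subj.groups:
        entry = acl.get("group:" + g)
        if entry is not None:
            matched, granted = True, granted | entry
    if matched:
        return granted & want == want
    return acl.get("other", 0) & want == want


def access(meta: FileMeta, subj: Subject, want: int) -> bool:
    """Recommended policy: the bits must grant; if an ACL exists it must
    also permit. The ACL is purely restrictive."""
    if not bits_permit(meta, subj, want):
        return False
    if meta.acl is None:
        return True
    return acl_permit(meta.acl, subj, want)


# Constructed sample: a report owned by alice, group dev, mode 0o640,
# whose ACL tries to let bob write and limits the dev group to read.
REPORT = FileMeta(owner="alice", group="dev", mode=0o640,
                  acl={"user:bob": R | W, "group:dev": R, "other": 0})
REPORT_NO_ACL = FileMeta(owner="alice", group="dev", mode=0o640)

ALICE = Subject("alice", frozenset({"dev"}))
BOB = Subject("bob", frozenset({"ops"}))
CAROL = Subject("carol", frozenset({"dev"}))


def demo() -> dict:
    """The decisions a reviewer would check first, returned for reuse."""
    return {
        "alice_read": access(REPORT, ALICE, R),           # bits 6, ACL dev=R
        "alice_write": access(REPORT, ALICE, W),          # bits grant W, ACL denies
        "bob_read": access(REPORT, BOB, R),               # other bits 0: ACL cannot widen
        "carol_read": access(REPORT, CAROL, R),           # group bits 4, ACL dev=R
        "alice_write_no_acl": access(REPORT_NO_ACL, ALICE, W),  # bits alone decide
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'granted' if ok else 'denied'}")
```

The "bob_read" case is the one to note: the ACL grants bob read and write, but the file's "other" bits are 0, so under this policy bob is denied. That is exactly the property the recommendation asks for (the bits remain the lowest common denominator), and it is why a later ACL design had to introduce a mask entry to make named entries useful.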

3.10.3.4 Security association and key management. (This BSA appears in part 7, part 9, and part 10.) A security association is the totality of communication and security mechanisms and functions (e.g., communications protocols, security protocols, doctrinal mechanisms, security-critical mechanisms and functions) that securely binds together two security contexts in different end systems or relay systems supporting the same information domain. A security association is an application association that includes additional support from security functions and mechanisms. Key management provides procedures for handling cryptographic keying material to be used in symmetric or asymmetric cryptographic mechanisms. It includes key generation, key distribution, key storage, key archiving, and key deletion.

3.10.3.4.1 Standards. Table 3.10-9 presents standards for security association and key management.

TABLE 3.10-9 Security association and key management standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | NSA | Key Exchange Algorithm | R21-TECH-23-94: 1994 | Mandated (Approved)
GPC | NSA | Secure Data Network System (SDNS) Key Management Protocol (KMP) | SDN.903, Version 3.2: 1989 | Mandated (Approved)
GPC | NIST | Key Management Using ANSI X9.17 | FIPS PUB 171:1992 | Informational (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 1: Overview, Models, and Notation | 11586-1:1994 | Informational (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 2: Security Exchange Service Element Definition | 11586-2:1994 | Informational (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 3: Security Exchange Service Element Protocol Specification | 11586-3:1994 | Informational (Approved)
IPC | ISO | Banking Key Management (wholesale) | 8732:1988 | Informational (Approved)
NPC | ANSI | Financial Institution Key Management (wholesale) | X9.17-1991 | Informational (Approved)
NPC | IEEE | Standard for Interoperable LAN Security - Part C: Key Management Protocol (KMP) | 802.10c | Emerging (Draft)
IPC | ISO/IEC | OSI Security Frameworks for Open Systems, Part 8: Key Management | 10181-8 | Informational (Draft)
CPC | IETF | Internet Security Association and Key Management Protocol (ISAKMP) | draft-ietf-ipsec-isakmp-07.txt, .ps, 21 February 1997 | Informational (Draft)
CPC | IETF | The Photuris Session Key Management Protocol | draft-simpson-photuris-11.txt, 13 June 1996 | Informational (Draft)
CPC | IETF | Simple Key Management for Internet Protocols (SKIP) | draft-ietf-ipsec-skip-07.txt, August 1996 | Informational (Draft)
CPC | IETF | The Oakley Key Determination Protocol | draft-ietf-ipsec-oakley-01.txt, 5/10/96 | Informational (Draft)
NPC | IEEE | Standard for Public-Key Cryptography | P1363 | Informational (Formative)

3.10.3.4.2 Alternative specifications. There are no alternative specifications.

3.10.3.4.3 Standards deficiencies. There is a lack of guidance for establishing a Public Key Infrastructure (PKI) to automatically manage public keys through the use of public key certificates. In April 1994, NIST, in conjunction with seven other federal agencies, completed a study on automated management of public keys and associated public key certificates on a nationwide basis. Based on the recommendations of the study, GSA is establishing a PKI pilot project to provide public key certificate services for participating government agencies.

3.10.3.4.4 Portability caveats. Portability problems related to the existing specifications are unknown.

3.10.3.4.5 Related standards. There are no related standards.

3.10.3.4.6 Recommendations. The mandated standards are recommended. In FORTEZZA applications, the NSA-developed Key Exchange Algorithm, R21-TECH-23-94, must be used.

IEEE P1363, Standard for Public-Key Cryptography, is under development, with the first version expected to be ready for balloting in 1997.

The IETF's IP Security Protocol (IPSEC) Working Group (WG) is developing an Internet Key Management Protocol (IKMP) that will be specified as an application layer protocol independent of the lower layer security protocol. The IKMP will be based on ISAKMP/Oakley work begun in the Internet Draft documents for ISAKMP and the Oakley Key Determination Protocol.
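The exchange pattern the ISAKMP/Oakley work is built around (a cheap cookie exchange so that the responder commits no state or computation until the initiator proves it can receive replies at its claimed address, then a Diffie-Hellman key determination, then derivation of keying material from the shared secret and both parties' nonces) is sketched here as an added example. It is not text from this guidance and not the wire format of the ISAKMP or Oakley Internet Drafts. Assumptions: a toy Diffie-Hellman group (the prime 2**127-1 is far too small for real use and is used only so the example runs quickly; a standardized MODP group is required in practice), cookies formed by hashing the two addresses with a local secret and a timestamp, and keying material derived with HMAC-SHA-1 keyed by the nonces. Authentication of the exchange (a signature or pre-shared-key check over the Diffie-Hellman values, without which it is open to an active man in the middle) is deliberately left out and marked where it would go.

```python
"""Security-association setup in the spirit of ISAKMP/Oakley:
cookie exchange, Diffie-Hellman key determination, key derivation.

Added illustration; not the ITSG's text and not the ISAKMP/Oakley
wire format. Toy group, assumed cookie construction, assumed PRF;
the exchange is NOT authenticated (see the comment in run_exchange).
"""
import hashlib
import hmac
import os
import secrets

P = 2 ** 127 - 1   # TOY prime for demonstration only; use a standardized MODP group
G = 5              # TOY generator


def make_cookie(local_secret: bytes, src: str, dst: str, stamp: str) -> bytes:
    """Anti-clogging cookie: cheap to recompute and unforgeable without
    the local secret, so the issuer can verify it while keeping no state."""
    h = hashlib.sha1(local_secret + src.encode() + dst.encode() + stamp.encode())
    return h.digest()[:8]


class Party:
    def __init__(self, addr: str, stamp: str):
        self.addr = addr
        self.stamp = stamp
        self.secret = os.urandom(16)            # never leaves this party
        self.x = secrets.randbelow(P - 3) + 2   # private DH exponent in [2, P-2]
        self.nonce = os.urandom(16)

    def cookie_for(self, peer_addr: str) -> bytes:
        return make_cookie(self.secret, self.addr, peer_addr, self.stamp)

    def public(self) -> int:
        return pow(G, self.x, P)

    def shared(self, peer_pub: int) -> int:
        # Reject degenerate public values that would force a trivial secret.
        if not 1 < peer_pub < P - 1:
            raise ValueError("bad peer public value")
        return pow(peer_pub, self.x, P)


def derive_skeyid(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Keying material: a PRF keyed with both nonces over g^xy, so that
    neither side alone controls the result."""
    gxy = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hmac.new(nonce_i + nonce_r, gxy, hashlib.sha1).digest()


def responder_cookie_ok(resp: Party, init_addr: str, msg3: dict) -> bool:
    """Stateless check: recompute the cookie and compare in constant time."""
    return hmac.compare_digest(msg3["cky_r"], resp.cookie_for(init_addr))


def run_exchange(init: Party, resp: Party) -> dict:
    """Four messages; the responder does no expensive work until the
    initiator has echoed the responder's cookie."""
    # 1. I -> R: CKY-I
    cky_i = init.cookie_for(resp.addr)
    # 2. R -> I: CKY-I, CKY-R   (responder keeps no state yet)
    cky_r = resp.cookie_for(init.addr)
    # 3. I -> R: CKY-I, CKY-R, g^xi, Ni
    msg3 = {"cky_i": cky_i, "cky_r": cky_r, "pub": init.public(), "nonce": init.nonce}
    if not responder_cookie_ok(resp, init.addr, msg3):
        raise ValueError("cookie mismatch: message dropped")
    resp_shared = resp.shared(msg3["pub"])      # responder now commits state
    # 4. R -> I: CKY-I, CKY-R, g^xr, Nr
    msg4 = {"cky_i": cky_i, "cky_r": cky_r, "pub": resp.public(), "nonce": resp.nonce}
    init_shared = init.shared(msg4["pub"])
    # OMITTED: each side must authenticate the other's g^x and nonce
    # (signature or pre-shared key) before using the keys below.
    return {
        "skeyid_i": derive_skeyid(init_shared, init.nonce, msg4["nonce"]),
        "skeyid_r": derive_skeyid(resp_shared, msg3["nonce"], resp.nonce),
        "cky_i": cky_i,
        "cky_r": cky_r,
    }


if __name__ == "__main__":
    i = Party("10.0.0.1", "19970407T000000Z")   # constructed sample endpoints
    r = Party("10.0.0.2", "19970407T000000Z")
    out = run_exchange(i, r)
    print("keying material agrees:", out["skeyid_i"] == out["skeyid_r"])
```

The cookie check before the responder's first modular exponentiation is the point of the first two messages: an attacker flooding message 3 with forged source addresses never receives message 2 and so cannot supply a valid CKY-R, and the responder spends only one hash per forged packet.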

3.10.3.5 Security audit. (This BSA appears in part 7, part 9, part 10, and part 11.) Security auditing is a review or examination of records and activities to test controls, ensure compliance with policies and procedures, detect breaches in security, and indicate changes in operation (paraphrased from ISO 7498-2).

3.10.3.5.1 Standards. Table 3.10-10 presents standards for security audit.

TABLE 3.10-10 Security audit standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | The DOD Trusted Computer System Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated (Approved)
CPC | NMF | OMNIPoint 1 (adopts ISO Profile Sets 11183-X, 12059-X, and 12060-X; includes ISO/IEC 10164-X) | OMNIPoint 1:1993 | Informational (Approved)
IPC | ISO/IEC | OSI Systems Management, Part 8: Security Audit Trail Function (same as ITU-T X.740) | 10164-8:1993 | Informational (Approved)
CPC | X/Open | Security Interface Specification: Auditing and Authentication | S020: 1990 | Informational (Approved)
IPC | CCEB | Common Criteria for Information Technology Security Evaluation (CC) Version 1.0 | CC Version 1.0: 1996 | Emerging (Draft)
IPC | ISO/IEC | OSI Security Frameworks for Open Systems, Part 7: Security Audit Framework | 10181-7 | Informational (Draft)
IPC | ISO/IEC | OSI Distributed Transaction Processing (DTP) - Draft Amendments to Parts 1-3: Transaction Processing Security | WDAMs (SC21 N6232) to ISO 10026-1,2,3: 1994 | Informational (Draft)

3.10.3.5.2 Alternative specifications. There are no alternative specifications.

3.10.3.5.3 Standards deficiencies. ISO Transaction Processing Security work (WDAMs to ISO 10026-1,2,3) is in the early stages. Its content is not defined, and it cannot be used for procurement. ISO 10164-8 does not define a security audit, or explain how to perform one. It does not define implementation aspects, occasions where the use of the security audit trail function is appropriate, or the services necessary for the establishment and normal or abnormal release of a management association.

There is a need for a standard for programming interfaces to support development of portable tools for audit trail analysis and configuration.

3.10.3.5.4 Portability caveats. Work on the proposed amendments to ISO 10026 has ceased. This is a high portability risk area.

3.10.3.5.5 Related standards. The following guidelines support the TCSEC standard:

a. NCSC-TG-005, Version 1, July 1987, Trusted Network Interpretation

b. NCSC-TG-011, Version 1, 1 August 1990, Trusted Network Interpretation Environments Guideline - Guidance for Applying the Trusted Network Interpretation

c. NCSC-TG-001, Version 2, June 1988, A Guide to Understanding Audit in Trusted Systems

3.10.3.5.6 Recommendations. The mandated standard is recommended.

3.10.3.6 Security alarm reporting. (This BSA appears in part 7, part 9, part 10, and part 11.) Security alarm reporting is the capability to receive notifications of security-related events, alerts of any misoperations in security services and mechanisms, alerts of attacks on system security, and information as to the perceived severity of any misoperation, attack, or breach of security.

3.10.3.6.1 Standards. Table 3.10-11 presents standards for security alarm reporting.

TABLE 3.10-11 Security alarm reporting standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
CPC | NMF | OMNIPoint 1 (adopts ISO Profile Sets 11183-X, 12059-X, and 12060-X; includes ISO/IEC 10164-X) | OMNIPoint 1:1993 | Informational (Approved)
IPC | ISO/IEC | OSI Systems Management, Part 7: Security Alarm Reporting Function (same as ITU-T X.736) | 10164-7:1992 | Informational (Approved)
GPC | NIST | Government Network Management Profile (GNMP) | FIPS PUB 179-1:1995 | Informational (Approved)
GPC | NIST | Government Network Management Profile (GNMP) | FIPS PUB 179:1992 | Informational (Superseded)

3.10.3.6.2 Alternative specifications. There are no alternative specifications.

3.10.3.6.3 Standards deficiencies. FIPS PUB 179-1 supersedes FIPS PUB 179. ISO 10164-7 does not define implementation aspects, specify the manner in which management is accomplished by the user of the Security Alarm Reporting Function (SARF), define interactions that result in the use of the SARF, or specify the services necessary for the establishment and normal and abnormal release of a management association.

3.10.3.6.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.3.6.5 Related standards. There are no related standards.

3.10.3.6.6 Recommendations. There are no recommended standards for security alarm reporting.

3.10.4 Authentication. Authentication and identification objectives ensure that processes, systems, and personnel are uniquely identified and authenticated. The granularity of identification must be sufficient to determine the access rights of those processes, systems, and personnel. The authentication process must provide an acceptable level of assurance as to the professed identity of the processes, systems, and personnel.

3.10.4.1 Personal authentication. (This BSA appears in part 2, part 3, part 9, and part 10.) Personal authentication supports the accountability objective of being able to trace all security relevant events to individual users. In addition to supporting unique identification, standards are provided to authenticate the claimed identity.

3.10.4.1.1 Standards. Table 3.10-12 presents standards for personal authentication.

TABLE 3.10-12 Personal authentication standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
CPC | OSF | Distributed Computing Environment (DCE) Security Services | DCE 1.1 Security Services: 1994 | Mandated (Approved)
GPC | NIST | Password Usage | FIPS PUB 112: 1985 | Mandated (Approved)
CPC | OSF | Distributed Computing Environment (DCE) Rev. 1.2.2 | DCE Rev. 1.2.2:1996 | Informational (Approved)
GPC | NIST | Guidelines on Evaluation of Techniques for Automated Personal Identification | FIPS PUB 48:1977 | Informational (Approved)
IPC | ISO/IEC | Information Technology - Open Systems Interconnection - The Directory: Authentication Framework, edition 2 (same as ITU-T X.509:1993) | 9594-8.2:1993 | Informational (Approved)
GPC | NIST | Guideline for Use of Advanced Authentication Technology Alternatives | FIPS PUB 190:1994 | Informational (Approved)
CPC | IETF | A One-Time Password System | RFC 1938: 1996 | Emerging (Draft)
IPC | CCEB | Common Criteria for Information Technology Security Evaluation (CC) Version 1.0 | CC Version 1.0: 1996 | Emerging (Draft)
CPC | IETF | The Kerberos Network Authentication Service (V5) | RFC 1510:1993 | Informational (Draft)

3.10.4.1.2 Alternative specifications. There are no alternative specifications.

3.10.4.1.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.4.1.4 Portability caveats. OSF DCE Version 1.1's authentication service is based on Kerberos Version 5 (RFC 1510), but is not totally compatible with RFC 1510. DCE 1.2.2 adds testing and official support for Kerberos Version 5.

3.10.4.1.5 Related standards. The following standards are related to personal authentication standards (particularly TCSEC):

a. DOD 5200.28-STD, DOD Trusted Computer System Evaluation Criteria

b. NCSC-TG-017, Version 1, "A Guide to Understanding Identification and Authentication in Trusted Systems"

c. CSC-STD-002-85, "Password Management Guideline"

d. NCSC-WA-002-85, "Personal Computer Security Considerations"

e. ITU-T X.509 (1993) (same as ISO 9594-8), The Directory: Authentication Framework

3.10.4.1.6 Recommendations. The mandated standards are recommended.
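Of the personal authentication standards listed above, the one-time password scheme of RFC 1938 is the one whose mechanism a practitioner most needs to see end to end, because its security rests on the server storing nothing secret. The following is an added example, not code from this guidance or from the RFC: it implements the hash chain (the seed and passphrase are hashed with MD5 and the digest is XOR-folded to 64 bits, then that value is fold-hashed N times) and the verifier, which stores only the last accepted value and its sequence number and accepts a candidate if one more fold-hash of it equals the stored value. The RFC's six-word and hexadecimal encodings of the 64-bit value, and the byte-ordering rules that go with them, are not reproduced, so no RFC test vectors are claimed or asserted; the seed, passphrase, user name and chain length are constructed sample values.

```python
"""One-time passwords in the manner of RFC 1938 ("otp-md5"), with the
server-side verification step.

Added illustration, not code from the ITSG or the RFC. The chain and
the verifier are implemented; the RFC's word/hex encodings are not,
so the 64-bit values here are compared as raw bytes.
"""
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """MD5, then XOR the two 8-byte halves: the 64-bit OTP value."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(seed: str, passphrase: str, n: int) -> bytes:
    """The n-th one-time password: fold_md5 applied n times to the value
    derived from seed (1-16 alphanumerics, stored lowercase) and the
    user's long-term passphrase."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        value = fold_md5(value)
    return value


class OtpServer:
    """Keeps per-user (seed, sequence, last accepted OTP) only. No secret
    is stored, so a copy of this table yields no usable passwords."""

    def __init__(self):
        self.users = {}   # user -> [seed, seq, last_otp]

    def enroll(self, user: str, seed: str, passphrase: str, count: int = 100):
        # In practice the user computes otp(seed, passphrase, count) on a
        # trusted host and hands only the result to the server.
        self.users[user] = [seed.lower(), count, otp(seed, passphrase, count)]

    def challenge(self, user: str) -> str:
        seed, seq, _ = self.users[user]
        return f"otp-md5 {seq - 1} {seed}"   # answer with OTP number seq-1

    def verify(self, user: str, candidate: bytes) -> bool:
        seed, seq, last = self.users[user]
        if seq <= 1:
            return False   # chain exhausted: re-enroll with a new seed
        if not hmac.compare_digest(fold_md5(candidate), last):
            return False
        # The accepted value becomes the new reference, so a replay of it
        # no longer hashes to the stored value.
        self.users[user] = [seed, seq - 1, candidate]
        return True


def parse_challenge(chal: str) -> tuple:
    algo, seq, seed = chal.split()
    if algo != "otp-md5":
        raise ValueError("unsupported OTP algorithm: " + algo)
    return int(seq), seed


def login(server: OtpServer, user: str, passphrase: str) -> bool:
    """Client side: read the challenge and compute only the requested OTP.
    The passphrase never crosses the network."""
    seq, seed = parse_challenge(server.challenge(user))
    return server.verify(user, otp(seed, passphrase, seq))


if __name__ == "__main__":
    srv = OtpServer()                                   # constructed sample
    srv.enroll("alice", "Ke1234", "correct horse battery", count=100)
    print(srv.challenge("alice"))                       # otp-md5 99 ke1234
    print("first login:", login(srv, "alice", "correct horse battery"))
    print("wrong passphrase:", login(srv, "alice", "wrong"))
```

Two properties are worth checking by hand: a captured password is useless once accepted (the verifier now holds it and expects its preimage), and a password from further down the chain cannot be used to skip ahead, since one fold-hash of it does not equal the stored value. The remaining risk, as with any scheme of this type, is an attacker who intercepts the challenge and the response before the legitimate client's response reaches the server; the RFC's sequence-number discipline limits but does not remove that race.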

3.10.4.2 Network authentication. (This BSA appears in part 7 and part 10.) Network authentication services establish the validity of a claimed identity (peer-entity) or origin (data) (paraphrased from ISO 7498-2).

3.10.4.2.1 Standards. Table 3.10-13 presents standards for network authentication.

TABLE 3.10-13 Network authentication standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | Information Technology - Defense Standardized Profiles AMHXn(D) - Message Handling Systems - Message Security Protocol (MSP) Parts 1-5 | MIL-STD-2045-18500: 1993 | Mandated (Approved)
IPC | ITU-T | The Directory: Authentication Framework (X-ref: ISO 9594-8) | X.509, Version 3: 1993 | Mandated (Approved)
GPC | DOD | Trusted Network Interpretation | NCSC-TG-005, Version 1: 1987 | Mandated (Approved)
GPC | NIST | Digital Signature Standard (DSS) | FIPS PUB 186:1994 | Mandated (Approved)
GPC | NIST | Secure Hash Standard (SHS) | FIPS PUB 180-1:1995 | Mandated (Approved)
GPC | NSA | Secure Data Network System (SDNS) Security Protocol 3 (SP3) | SDN.301, Revision 1.5: 1989 | Mandated (Approved)
GPC | DOD | FORTEZZA Interface Control Document | FORTEZZA ICD Rev P1.5: 1994 | Mandated (Approved)
GPC | DOD | FORTEZZA Plus Interface Control Document | FORTEZZA Plus ICD Rel 3.0: 1995 | Mandated (Approved)
NPC | IEEE | Standard for Interoperable LAN Security - Part B: Secure Data Exchange (SDE) | 802.10b:1992 | Legacy (Approved)
GPC | NSA | Message Security Protocol (MSP) | SDN.701, Rev. 3.0: 1994 | Legacy (Approved)
GPC | NSA | Message Security Protocol (MSP) | SDN.701, v. 4.0, Rev. A: 1997 | Emerging (Approved)
IPC | ISO | Information Processing Systems - Open Systems Interconnection - Service Definition for the Association Control Service Element (ACSE), Revised Edition | 8649:1992 (incorporates AM 1 and 2) | Informational (Approved)
IPC | ISO | Information Processing Systems - Open Systems Interconnection - Protocol Specification for the ACSE, Revised Edition | 8650:1992 (incorporates AM 1) | Informational (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 1: Overview, Models, and Notation | 11586-1:1994 | Informational (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 2: Security Exchange Service Element Definition | 11586-2:1994 | Informational (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 3: Security Exchange Service Element Protocol Specification | 11586-3:1994 | Informational (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 4: Protecting Transfer Syntax Specification | 11586-4:1994 | Informational (Approved)
IPC | ISO | Transport Layer Security Protocol (TLSP) (includes Amendment 1) | 10736:1994 | Informational (Approved)
IPC | ISO | Network Layer Security Protocol (NLSP) | 11577:1994 | Informational (Approved)
IPC | ISO/IEC | OSI Security Frameworks for Open Systems - Part 2: Authentication Framework | 10181-2:1996 | Informational (Approved)
GPC | NIST | Government Network Management Profile (GNMP) | FIPS PUB 179-1:1995 | Informational (Approved)
GPC | NSA | Secure Data Network System (SDNS) Security Protocol 4 (SP4) | SDN.401, Rev. 1.3:1989 | Informational (Approved)
GPC | NSA | Message Security Protocol (MSP) with MIME | SDN.704, Rev. 1.4: 1996 | Informational (Approved)
CPC | IETF | Privacy Enhancement for Internet Electronic Mail | RFC 1421-1424:1993 | Informational (Draft)
CPC | IETF | The Secure Sockets Layer (SSL) Protocol Version 3.0 | draft-ietf-tls-ssl-version3-00.txt, 18 November 1996 | Emerging (Draft)
CPC | IETF | S/MIME Message Specification: PKCS Security Services for MIME | draft-dusse-mime-msg-spec-00.txt, September 1996 | Informational (Draft)
IPC | ISO | OSI File Transfer, Access and Management (FTAM) - Parts 1-4: Amendment 4: Enhancement to FTAM Security Services | 8571-1,2,3,4:1988/WDAM4:1993 | Informational (Draft)
GPC | NSA | Use of X.509 Certificates | SDN.706, Rev. 2.0: 1997 | Informational (Draft)
GPC | NSA | X.509 Certificates and Certificate Revocation List Profiles and Certificate Path Processing Rules for the Multilevel Information Systems Security Initiative (MISSI) | SDN.706, Rev. 1.1: 1996 | Informational (Draft)
GPC | NIST | Government Network Management Profile (GNMP) | FIPS PUB 179:1992 | Informational (Superseded)
GPC | NIST | Secure Hash Standard (SHS) | FIPS PUB 180:1993 | Informational (Superseded)

3.10.4.2.2 Alternative specifications. There are no alternative specifications.

3.10.4.2.3 Standards deficiencies. FIPS PUB 179-1 supersedes FIPS PUB 179. Procurements requiring authentication in FTAM cannot specify a standard at this time. The ISO FTAM security effort is in its early stages. Current proprietary FTAM security is based on passwords for authentication. ISO TP security work is in the early stages. Its content is not defined, and it cannot be used in a procurement.

3.10.4.2.4 Portability caveats. Proposed security enhancements to FTAM (WDAM4 to ISO 8571) have ceased. This is a high portability risk area.

3.10.4.2.5 Related standards. NCSC-TG-011, Version 1, 1 August 1990, Trusted Network Interpretation Environments Guideline - Guideline for Applying the Trusted Network Interpretation, supports NCSC-TG-005.

3.10.4.2.6 Recommendations. The mandated standards are recommended.

MIL-STD-2045-18500 describes the security provided by MSP. It should be used for DOD message systems that are required to exchange classified and sensitive but unclassified information. It is based on Version 3.0 of the MSP documented in SDN.701, "Secure Data Network System (SDNS) Message Security Protocol," Revision 1.5, 1 August 1989. MSP is under revision to Version 4.0 to accommodate, in part, Allied requirements. This DOD Standardized Profile (DSP) standard will be replaced by a portion of the U.S. Supplement to Allied Communications Publication (ACP) 123 or ACP 120, Common Security Protocol, when the revision to MSP is complete.

SP3 provides connectionless security services and is the basis for ISO 11577. SP3 is designed to be used at the top of layer 3.

DSS is intended to specify general security requirements for generating digital signatures. Conformance to this standard does not assure that a particular implementation is secure. The responsible authority in each Government agency or department shall assure that an overall implementation provides an acceptable level of security. DSS can be used in electronic mail, electronic funds transfer, electronic data interchange, software distribution, data storage, and other applications that require data integrity assurance and data origin authentication. It uses the Secure Hash Algorithm (SHA) specified in FIPS PUB 180-1, which supersedes FIPS PUB 180. NIST is developing a validation program to test implementations for conformance to DSS.

The following two documents should be consulted for systems required to interface with the Defense Message System (DMS):

a. FORTEZZA Interface Control Document, Rev. 1.5, 22 December 1994

b. FORTEZZA Plus Interface Control Document, Release 3.0, 1 June 1995

SDN.701, Rev.3.0, is used with DMS, Phase 1. It is for use with legacy systems only.

IEEE 802.10b is for use with legacy LANs only.

3.10.4.3 Entity authentication. (This BSA appears in part 8, part 9, part 10, and part 11.) Entity authentication standards address data, processes, systems, and enterprises.

3.10.4.3.1 Standards. Table 3.10-14 presents standards for entity authentication.

TABLE 3.10-14 Entity authentication standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated (Approved)
CPC | OSF | Distributed Computing Environment (DCE) Security Services | DCE 1.1 Security Services: 1994 | Mandated (Approved)
GPC | NIST | Computer Data Authentication | FIPS PUB 113:1985 | Informational (Approved)
GPC | NIST | Entity Authentication Using Public Key Cryptography | FIPS PUB 196:1996 | Emerging (Approved)
CPC | OSF | Distributed Computing Environment (DCE) Rev. 1.2.2 | DCE Rev. 1.2.2:1996 | Informational (Approved)
IPC | ISO | Financial Transactions - Retail Banking Security Requirements for Message Authentication | 9807 | Informational (Approved)
IPC | ISO | Entity Authentication Mechanisms - Part 1: General Model | 9798-1:1991 | Informational (Approved)
IPC | ISO | Entity Authentication Mechanisms - Part 3: Entity Authentication Using a Public Key Algorithm | 9798-3:1993 | Informational (Approved)
GPC | NIST | Guideline for Use of Advanced Authentication Technology Alternatives | FIPS PUB 190:1994 | Informational (Approved)
IPC | ISO | Entity Authentication - Part 2: Mechanisms Using Symmetric Encipherment Algorithms | 9798-2:1994 | Informational (Approved)
IPC | ISO | Entity Authentication - Part 4: Mechanisms Using a Cryptographic Check Function | 9798-4:1995 | Informational (Approved)
CPC | X/Open | Security Interface Specification: Auditing and Authentication | S020: 1990 | Informational (Approved)
IPC | CCEB | Common Criteria for Information Technology Security Evaluation, (CC) Version 1.0 | CC Version 1.0: 1996 | Emerging (Draft)
CPC | IETF | The Kerberos Network Authentication Service (V5) | RFC 1510:1993 | Informational (Draft)
IPC | ISO | Entity Authentication Mechanisms, Part 5: Entity Authentication Using Zero Knowledge Techniques | 9798-5:1993 | Informational (Draft)

3.10.4.3.2 Alternative specifications. There are no alternative specifications.

3.10.4.3.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.4.3.4 Portability caveats. OSF DCE Version 1.1's authentication service is based on Kerberos Version 5 (RFC 1510), but is not totally compatible with RFC 1510. DCE 1.2.2 adds testing and official support for Kerberos Version 5.

3.10.4.3.5 Related standards. The following standards are related to entity authentication:

a. DOD NCSC-TG-017, Version 1, September 1991, Guide to Understanding Identification and Authentication in Trusted Systems.

b. FIPS PUB 196, 11 October 1996.

FIPS PUB 196 becomes effective 6 April 1996. It is based on ISO/IEC 9798-3:1993 and specifies two challenge-response protocols by which entities in a computer system may authenticate their identities to one another. FIPS PUB 196 is for use in public key based challenge-response and authentication systems at the application layer within computer and digital telecommunications systems.
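As an added illustration that is not part of the ITSG or of FIPS PUB 196 itself, the following Go sketch shows the unilateral challenge-response mechanism FIPS PUB 196 takes from ISO/IEC 9798-3, signing with DSA (FIPS PUB 186) over SHA-1 (FIPS PUB 180-1); the Token layout, the identifiers and the function names are this example's own assumptions, not the FIPS 196 token encoding.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"math/big"
)

// nonceLen fixes the length of R_A and R_B so that R_A || R_B || B cannot be
// re-split ambiguously before hashing.
const nonceLen = 16

// Token is the claimant's reply in the unilateral mechanism of ISO/IEC 9798-3
// as profiled by FIPS PUB 196: the signed data is R_A || R_B || B (this layout
// is the example's own, hypothetical encoding).
type Token struct {
	RA, RB []byte   // claimant's random number, verifier's challenge
	IDB    string   // identifier of the verifier the token is meant for
	R, S   *big.Int // DSA signature (FIPS 186) over SHA-1 (FIPS 180-1)
}

// Claimant (A) proves possession of its DSA private key.
type Claimant struct{ priv dsa.PrivateKey }

// Verifier (B) remembers each challenge until used, so a token is accepted once.
type Verifier struct {
	id      string
	pending map[string]bool
}

func NewClaimant() (*Claimant, error) {
	c := &Claimant{}
	// 1024/160-bit parameters are the FIPS 186 (1994) sizes; generated here only to stay self-contained.
	if err := dsa.GenerateParameters(&c.priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, err
	}
	if err := dsa.GenerateKey(&c.priv, rand.Reader); err != nil {
		return nil, err
	}
	return c, nil
}

func (c *Claimant) PublicKey() *dsa.PublicKey { return &c.priv.PublicKey }

func NewVerifier(id string) *Verifier {
	return &Verifier{id: id, pending: make(map[string]bool)}
}

// signedDigest computes SHA-1(R_A || R_B || B), the value DSA signs.
func signedDigest(ra, rb []byte, idB string) []byte {
	h := sha1.New()
	h.Write(ra)
	h.Write(rb)
	h.Write([]byte(idB))
	return h.Sum(nil)
}

// Challenge is step 1: B sends a fresh random R_B to A.
func (v *Verifier) Challenge() ([]byte, error) {
	rb := make([]byte, nonceLen)
	if _, err := rand.Read(rb); err != nil {
		return nil, err
	}
	v.pending[string(rb)] = true
	return rb, nil
}

// Respond is step 2: A adds its own R_A, binds B's identifier, and signs.
func (c *Claimant) Respond(rb []byte, idB string) (*Token, error) {
	ra := make([]byte, nonceLen)
	if _, err := rand.Read(ra); err != nil {
		return nil, err
	}
	r, s, err := dsa.Sign(rand.Reader, &c.priv, signedDigest(ra, rb, idB))
	if err != nil {
		return nil, err
	}
	return &Token{RA: ra, RB: rb, IDB: idB, R: r, S: s}, nil
}

// Verify is step 3: B checks that R_B is its own outstanding challenge, that
// the token was meant for B, and only then the signature under A's key.
func (v *Verifier) Verify(tok *Token, pub *dsa.PublicKey) error {
	if !v.pending[string(tok.RB)] {
		return errors.New("challenge unknown or already used")
	}
	delete(v.pending, string(tok.RB)) // single use, whatever the outcome
	if tok.IDB != v.id {
		return errors.New("token addressed to a different verifier")
	}
	if len(tok.RA) != nonceLen || tok.R == nil || tok.S == nil {
		return errors.New("malformed token")
	}
	if !dsa.Verify(pub, signedDigest(tok.RA, tok.RB, tok.IDB), tok.R, tok.S) {
		return errors.New("signature does not verify")
	}
	return nil
}
```

Binding B's identifier into the signed data is what stops a token obtained from A being replayed to a third verifier, and consuming the challenge before checking the signature is what stops the same token being presented twice.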

3.10.4.3.6 Recommendations. The mandated standards are recommended.

3.10.5 Access control. Access control is the prevention of unauthorized use of a resource including its use in an unauthorized manner. The following areas present standards which ensure that information and resources are accessed only by authorized processes, systems, and personnel, and are used only for their intended purposes.

3.10.5.1 System access control. (This BSA appears in part 4, part 9, part 10, and part 11.) System access control standards provide high-level guidance on access control frameworks and implementation.

3.10.5.1.1 Standards. Table 3.10-15 presents standards for system access control.

TABLE 3.10-15 System access control standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated (Approved)
CPC | OSF | Distributed Computing Environment (DCE) Security Services | DCE 1.1 Security Services: 1994 | Mandated (Approved)
CPC | OSF | Distributed Computing Environment (DCE) Rev. 1.2.2 | DCE Rev. 1.2.2:1996 | Informational (Approved)
IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational (Approved)
IPC | ISO/IEC | OSI Common Management Information Services (CMIS) Definition, with Amendment 4: Access Control | 9595:1991/ AM4:1992 | Informational (Approved)
IPC | ISO/IEC | OSI Systems Management, Part 9: Objects and Attributes for Access Control | 10164-9:1995 | Informational (Approved)
IPC | CCEB | Common Criteria for Information Technology Security Evaluation, (CC) Version 1.0 | CC Version 1.0: 1996 | Emerging (Draft)
IPC | ISO/IEC | OSI Security Frameworks in Open Systems, Part 3: Access Control | 10181-3 | Informational (Draft)

3.10.5.1.2 Alternative specifications. There are no alternative specifications.

3.10.5.1.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.5.1.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.5.1.5 Related standards. The following guidelines support the TCSEC standard:

a. NCSC-TG-003, Version 1, September 1987, A Guide to Understanding Discretionary Access Control in Trusted Systems

b. NCSC-TG-028, Version 1, May 1992, Assessing Controlled Access Protection

c. NCSC-TG-020-A, August 1989, Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System

3.10.5.1.6 Recommendations. The mandated standards are recommended.

3.10.5.2 Network access control. (This BSA appears in part 7, part 9, and part 10.) Access control is the prevention of unauthorized use of a resource, including its use in an unauthorized manner.

3.10.5.2.1 Standards. Table 3.10-16 presents standards for network access control.

TABLE 3.10-16 Network access control standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | Information Technology - Defense Standardized Profiles AMHXn(D)- Message Handling Systems - Message Security Protocol (MSP) Parts 1-5 | MIL-STD-2045-18500: 1993 | Mandated (Approved)
GPC | NSA | Secure Data Network System (SDNS) Security Protocol 3 (SP3) | SDN.301, Revision 1.5: 1989 | Mandated (Approved)
NPC | IEEE | Standard for Interoperable LAN Security - Part B: Secure Data Exchange (SDE) | 802.10b:1992 | Legacy (Approved)
IPC | ISO/IEC | OSI Common Management Information Services (CMIS) Definition, with Amendment 4: Access Control | 9595:1991/ AM4:1992 | Informational (Approved)
IPC | ISO | Transport Layer Security Protocol (TLSP) (Includes Amendment 1) | 10736:1994 | Informational (Approved)
IPC | ISO | Network Layer Security Protocol (NLSP) | 11577:1994 | Informational (Approved)
GPC | NIST | Government Network Management Profile (GNMP) | FIPS PUB 179-1:1995 | Informational (Approved)
GPC | NIST | Guidelines for Security of Computer Applications | FIPS PUB 83:1980 | Informational (Approved)
GPC | NSA | Secure Data Network System (SDNS) Security Protocol 4 (SP4) | SDN.401, Rev. 1.3:1989 | Informational (Approved)
GPC | NSA | Message Security Protocol (MSP) | SDN.701, v. 4.0, Rev. A: 1997 | Emerging (Approved)
GPC | NSA | Message Security Protocol (MSP) | SDN.701, Rev. 3.0: 1994 | Legacy (Approved)
GPC | NIST | Government Network Management Profile (GNMP) | FIPS PUB 179:1992 | Informational (Superseded)
IPC | ISO/IEC | Information Technology - Open Systems Interconnection - The Directory - Parts 1-4 DAM1: Access Control | 9594-1,2,3,4:1990/ DAM1 | Informational (Draft)
IPC | ISO/IEC | Information Technology - Open Systems Interconnection - The Directory - Part 8: Authentication Framework, DAM1: Access Control | 9594-8:1990/ DAM1 | Informational (Draft)
IPC | ISO | OSI File Transfer, Access and Management (FTAM) - Parts 1-4: Amendment 4: Enhancement to FTAM Security Services | 8571-1,2,3,4:1988/ WDAM4:1993 | Informational (Draft)

3.10.5.2.2 Alternative specifications. There are no alternative specifications.

3.10.5.2.3 Standards deficiencies. Deficiencies in the existing standards are unknown. FIPS PUB 179-1 supersedes FIPS PUB 179.

3.10.5.2.4 Portability caveats. Proposed security enhancements to FTAM (WDAM4 to ISO 8571) have ceased. This is a high portability risk area because no standards exist.

3.10.5.2.5 Related standards. NCSC-TG-005, Version 1, July 1987, Trusted Network Interpretation, and NCSC-TG-011, Version 1, August 1990, Trusted Networks Interpretation Environments Guideline - Guideline for Applying the Trusted Network Interpretation, support DOD 5200.28-STD.

3.10.5.2.6 Recommendations. The mandated standards are recommended.

MIL-STD-2045-18500 describes the security provided by MSP. It should be used for DOD message systems that are required to exchange classified and sensitive but unclassified information. It is based on Version 3.0 of the MSP documented in SDN.701, "Secure Data Network System (SDNS) Message Security Protocol," Revision 1.5, 1 August 1989. MSP is under revision to Version 4.0 to accommodate, in part, Allied requirements. This DOD Standardized Profile (DSP) standard will be replaced by a portion of the U.S. Supplement to ACP 123 or ACP 120, Common Security Protocol, when the revision to MSP is complete.

SDN.701, Rev.3.0, is used with DMS, Phase 1. It is for use with legacy systems only.

SP3 provides connectionless security services and is the basis for ISO 11577. SP3 is designed to be used at the top of layer 3.

Work on the File Transfer, Access, and Management (FTAM) security enhancements (WDAM4 to ISO 8571) has been suspended. Procurements requiring access control for FTAM and transaction processing should not use these standards.

IEEE 802.10b is for use with legacy LANs only.

3.10.6 Confidentiality. Confidentiality objectives ensure the protection of the system's varied information and resources from unauthorized access. This section provides open systems standards guidance as well as the specifics of cryptography and traffic flow confidentiality.

3.10.6.1 Systems confidentiality. (This BSA appears in part 5 and part 10.) These standards provide the high-level framework with which to view the security service of confidentiality in systems.

3.10.6.1.1 Standards. Table 3.10-17 presents standards for systems confidentiality.

TABLE 3.10-17 Systems confidentiality standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated (Approved)
IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational (Approved)
GPC | NIST | Computer Security Guidelines for Implementing the Privacy Act of 1974 | FIPS PUB 41:1975 | Informational (Approved)
IPC | CCEB | Common Criteria for Information Technology Security Evaluation, (CC) Version 1.0 | CC Version 1.0: 1996 | Emerging (Draft)
IPC | ISO/IEC | OSI Security Frameworks in Open Systems, Part 5: Confidentiality | 10181-5 | Informational (Draft)

3.10.6.1.2 Alternative specifications. There are no alternative specifications.

3.10.6.1.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.6.1.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.6.1.5 Related standards. DOD 5200.1-R, "Information Security Program Regulation," June 1986, establishes DOD policy for security classification, declassification, and marking of DOD information. It also contains DOD policy for safeguarding of classified information, including accountability, storage, transmission, and destruction of the information. DDS-2600-6243-92, Compartmented Mode Workstation Evaluation Criteria, Version 1 (final), defines minimum security requirements for workstations to be accredited in the Compartmented Mode under the policy set forth in DCID 1/16. Public Law (PL) 93-579, Privacy Act of 1974, and PL 100-235, Computer Security Act of 1987, contain confidentiality requirements. FIPS PUB 41 provides guidance for conformance with PL 93-579.

3.10.6.1.6 Recommendations. The mandated standard is recommended. The DGSA, Volume 6 of the TAFIM, provides security principles and target security capabilities to guide system security architects in creating specific security architectures consistent with the DGSA. The DGSA should be used by system security architects to develop logical and specific security architectures.

3.10.6.2 Registration of cryptographic techniques. (This BSA appears in part 9 and part 10.) These standards provide procedures for the registration of cryptographic algorithms in a standard format with a registration authority. The need for these registration services is determined by the security architecture of the system in question. These are not implementable specifications and no conformance test is required.

3.10.6.2.1 Standards. Table 3.10-18 presents standards for registration of cryptographic techniques.

TABLE 3.10-18 Registration of cryptographic techniques standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
IPC | ISO | Procedures for the Registration of Cryptographic Algorithms | 9979:1991 | Informational (Approved)

3.10.6.2.2 Alternative specifications. No other consortia or de facto specifications are available.

3.10.6.2.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.6.2.4 Portability caveats. Portability problems related to the existing specifications are unknown.

3.10.6.2.5 Related standards. No standards are related to registration of cryptographic techniques.

3.10.6.2.6 Recommendations. Procurements requiring that all cryptographic algorithms offered are registered with a registration authority in a standard format should specify conformance with ISO 9979. The NIST document, NISTIR 5308, "General Procedures for Registering Computer Security Objects," December 1993, describes the object-independent procedures for operating the Computer Security Objects Register (CSOR) established by NIST. Initially, the only family of objects registered in the CSOR is network security labels; however, plans include adding cryptographic algorithm modes of operation to the CSOR.

3.10.6.3 Data encryption security. (This BSA appears in part 5, part 7, part 10, and part 11.) Encryption is the cryptographic transformation of data to produce cipher text. Standards for data encryption security services describe services such as definitions/algorithms, modes of operation, and guidelines for use for those systems that require their data to be encrypted using data encryption security services. None of these standards are for systems processing classified information.

3.10.6.3.1 Standards. Table 3.10-19 presents standards for data encryption security.

TABLE 3.10-19 Data encryption security standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | NIST | Escrowed Encryption Standard (EES) | FIPS PUB 185: 1994 | Mandated (Approved)
GPC | NIST | Data Encryption Standard (DES) (related to ANSI X3.92-1981/R1987/R1993) | FIPS PUB 46-2:1993 (Reaffirmed until 1998) | Informational (Approved)
GPC | NIST | Guidelines for Implementing and Using the NBS Data Encryption Standard | FIPS PUB 74:1981 | Informational (Approved)
GPC | NIST | Data Encryption Standard (DES) Modes of Operation (related to ANSI X3.106-1983) | FIPS PUB 81:1980 | Informational (Approved)
GPC | NIST | Security Requirements for Cryptographic Modules | FIPS PUB 140-1:1994 | Informational (Approved)
IPC | ISO | Modes of Operation for a 64-Bit Block Cipher Algorithm (Related to ANSI X3.106) | 8372:1987 | Informational (Approved)
NPC | ANSI | Data Encryption Algorithm | X3.92-1981 (R1993) | Informational (Approved)
NPC | ANSI | Digital Encryption Algorithm - Modes of Operation | X3.106-1983 (R1990) | Informational (Approved)
GPC | NIST | Advanced Encryption Standard | FIPS PUB JJJ | Informational (Formative)

3.10.6.3.2 Alternative specifications. The only other available specifications are proprietary, for example, RSA.

3.10.6.3.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.6.3.4 Portability caveats. DES applications are not interoperable with non-DES systems. Portability problems related to EES are unknown. The U.S. controls export of cryptographic technologies, products, and related technologies as munitions. On October 1, 1996, a new federal policy was announced allowing U.S. vendors to export products using up to 56-bit encryption, provided the vendors sign an agreement to make their 56-bit encryption technologies key-recovery-compliant within 24 months.

3.10.6.3.5 Related standards. FIPS PUB 113, Computer Data Authentication, is related to DES security mechanisms and their standards.

3.10.6.3.6 Recommendations. The mandated standard is recommended. FIPS PUB 185, EES, supports lawful authorized access to the keys required to decipher enciphered information for systems requiring strong encryption protection of sensitive but unclassified information. EES provides stronger protection than DES against unauthorized access. Devices conforming to EES may be used when replacing Type II and Type III (DES) encryption devices owned by the Government. Implementations requiring use of EES should require conformance with FIPS PUB 140-1.

On 2 January 1997, NIST announced plans to develop a FIPS, Advanced Encryption Standard, incorporating an advanced encryption algorithm to replace DES (FIPS PUB 46-2).

3.10.6.4 Traffic flow confidentiality. (This BSA appears in part 7 and part 10.) Traffic flow confidentiality is a service to protect against unauthorized traffic analysis (ISO 7498-2) by concealing presence, absence, amount, direction, and frequency of traffic.

3.10.6.4.1 Standards. Table 3.10-20 presents standards for traffic flow confidentiality.

TABLE 3.10-20 Traffic flow confidentiality standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | NSA | Secure Data Network System (SDNS) Security Protocol 3 (SP3) | SDN.301, Revision 1.5: 1989 | Informational (Approved)
IPC | ISO | Network Layer Security Protocol (NLSP) | 11577:1994 | Informational (Approved)
IPC | ISO | OSI Distributed Transaction Processing (DTP) - Draft Amendments to Parts 1 to 3: Transaction Processing Security | WDAMs (SC21 N 5232 to ISO 10026-1,2,3) 1991 | Informational (Draft)

3.10.6.4.2 Alternative specifications. There are no alternative specifications.

3.10.6.4.3 Standards deficiencies. There are no mandated standards for traffic flow confidentiality.

3.10.6.4.4 Portability caveats. Work on proposed amendments to ISO 10026 has ceased. This is a high portability risk area, because no standards exist.

3.10.6.4.5 Related standards. There are no related standards.

3.10.6.4.6 Recommendations. No standards are recommended.

SP3 is the basis for ISO 11577.

3.10.7 Integrity. Integrity includes systems integrity, data integrity techniques, and network integrity.

3.10.7.1 Systems integrity. (This BSA appears in part 4 and part 10.) Systems integrity objectives ensure the integrity of information and resources by providing a level of protection in response to the threats of unauthorized modification, manipulation, and destruction which is commensurate with the importance and priority of the content. These standards provide the high-level framework with which to view the security service of integrity in open systems.

3.10.7.1.1 Standards. Table 3.10-21 presents standards for systems integrity.

TABLE 3.10-21 Systems integrity standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated (Approved)
GPC | DOD | Trusted Database Management System Interpretation of the Trusted Computer Systems Evaluation Criteria | NCSC-TG-021, Version 1: 1991 | Mandated (Approved)
IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational (Approved)
IPC | CCEB | Common Criteria for Information Technology Security Evaluation, (CC) Version 1.0 | CC Version 1.0: 1996 | Emerging (Draft)
IPC | ISO/IEC | OSI Security Frameworks in Open Systems, Part 6: Integrity (same as ITU-TS X.815) | 10181-6 | Informational (Draft)
IPC | ITU-T | Security Frameworks in Open Systems: Integrity Framework (same as ISO 10181-6) | X.815: 1993 | Informational (Draft)

3.10.7.1.2 Alternative specifications. There are no alternative specifications.

3.10.7.1.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.7.1.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.7.1.5 Related standards. The following NSA documents supplement the information on integrity found in the TCSEC:

a. C Technical Report 79-91, September 1991, "Integrity in Automated Information Systems."

b. C Technical Report 111-91, October 1991, "Integrity-Oriented Control Objectives: Proposed Revisions to the Trusted Computer System Evaluation (TCSEC), DOD 5200.28-STD."

3.10.7.1.6 Recommendations. The mandated standards are recommended.

3.10.7.2 Data integrity techniques. (This BSA appears in part 4 and part 10.) Data integrity techniques provide services that allow the integrity of data exchanged between communicating applications to be confirmed by means of a cryptographic check function using a block cipher algorithm, by electronic signature, by electronic hashing, or by encryption.
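As an added example that is not from the ITSG or from any of the standards it lists, the cryptographic check function named above, implemented in Go as the FIPS PUB 113 Data Authentication Algorithm (a DES CBC-MAC, the same construction ISO 9797 describes as algorithm 1 with zero-bit padding); the function names, the key and the error value are this example's own assumptions.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
)

const (
	blockSize = des.BlockSize // 64-bit blocks
	dacLen    = 4             // FIPS 113: leftmost 32 bits of the final block
)

// ErrEmptyMessage rejects zero-length input (an assumption of this example):
// with zero-bit padding an empty message would be indistinguishable from a
// block of zero bytes.
var ErrEmptyMessage = errors.New("dac: empty message")

// DataAuthCode computes the FIPS PUB 113 Data Authentication Code: DES in
// CBC mode with an all-zero IV over the zero-padded message, keeping the
// leftmost 32 bits of the last ciphertext block. Because the padding carries
// no length, two messages that pad to the same blocks share a code, so the
// receiver must also know the agreed message length; this is the known limit
// of a raw CBC-MAC and the reason later designs (CMAC, HMAC) bind the length.
func DataAuthCode(key, msg []byte) ([]byte, error) {
	if len(msg) == 0 {
		return nil, ErrEmptyMessage
	}
	block, err := des.NewCipher(key) // rejects anything but an 8-byte key
	if err != nil {
		return nil, err
	}
	// Padding method 1: append zero bits up to a multiple of the block size.
	padded := make([]byte, (len(msg)+blockSize-1)/blockSize*blockSize)
	copy(padded, msg)
	iv := make([]byte, blockSize) // FIPS 113 fixes the IV at zero
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	last := out[len(out)-blockSize:]
	return append([]byte(nil), last[:dacLen]...), nil
}

// VerifyDAC recomputes the code and compares it in constant time, so the
// receiver's timing does not reveal how many leading bytes matched.
func VerifyDAC(key, msg, dac []byte) (bool, error) {
	want, err := DataAuthCode(key, msg)
	if err != nil {
		return false, err
	}
	return len(dac) == dacLen && subtle.ConstantTimeCompare(want, dac) == 1, nil
}
```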

3.10.7.2.1 Standards. Table 3.10-22 presents standards for data integrity techniques.

TABLE 3.10-22 Data integrity techniques standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | NIST | Secure Hash Standard (SHS) | FIPS PUB 180-1:1995 | Mandated (Approved)
GPC | NIST | Digital Signature Standard (DSS) | FIPS PUB 186:1994 | Mandated (Approved)
IPC | ISO | Data Cryptographic Techniques - Data Integrity Mechanism Using a Cryptographic Check Function Employing a Block Cipher Algorithm | 9797:1989 | Informational (Approved)
CPC | IETF | IP Authentication Header (AH) | RFC 1826: 1995 | Emerging (Draft)
CPC | IETF | IP Encapsulating Security Payload (ESP) | RFC 1827: 1995 | Emerging (Draft)
CPC | IETF | Domain Name System (DNS) Security Extensions | RFC 2065:1997 | Emerging (Draft)
GPC | NIST | Secure Hash Standard (SHS) | FIPS PUB 180:1993 | Informational (Superseded)

3.10.7.2.2 Alternative specifications. Alternative de facto specifications include RSA and MD-5.

3.10.7.2.3 Standards deficiencies. Deficiencies in the existing specifications are unknown.

3.10.7.2.4 Portability caveats. Portability problems with the existing specifications are unknown.

3.10.7.2.5 Related standards. There are no related standards.

3.10.7.2.6 Recommendations. The mandated standards are recommended.

FIPS PUB 180-1, which supersedes FIPS PUB 180, specifies a Secure Hash Algorithm (SHA-1) which can be used to generate a message digest. The SHA-1 is required for use with the Digital Signature Algorithm (DSA) as specified in FIPS PUB 186 and whenever an SHA is required in federal applications.

3.10.7.3 Network integrity. (This BSA appears in part 7 and part 10.) Network integrity ensures that data is not altered or destroyed in an unauthorized manner when transmitted across a network.

3.10.7.3.1 Standards. Table 3.10-23 presents standards for network integrity.

TABLE 3.10-23 Network integrity standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | DOD | Information Technology - Defense Standardized Profiles AMHXn(D)- Message Handling Systems - Message Security Protocol (MSP) Parts 1-5 | MIL-STD-2045-18500: 1993 | Mandated (Approved)
GPC | NSA | Secure Data Network System (SDNS) Security Protocol 3 (SP3) | SDN.301, Revision 1.5: 1989 | Mandated (Approved)
NPC | IEEE | Standard for Interoperable LAN Security - Part B: Secure Data Exchange (SDE) | 802.10b:1992 | Legacy (Approved)
IPC | ISO | Transport Layer Security Protocol (TLSP) (Includes Amendment 1) | 10736:1994 | Informational (Approved)
IPC | ISO | Network Layer Security Protocol (NLSP) | 11577:1994 | Informational (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 1: Overview, Models, and Notation | 11586-1:1994 | Informational (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 4: Protecting Transfer Syntax Specification | 11586-4:1994 | Informational (Approved)
GPC | NSA | Secure Data Network System (SDNS) Security Protocol 4 (SP4) | SDN.401, Rev. 1.3:1989 | Informational (Approved)
GPC | NSA | Message Security Protocol (MSP) | SDN.701, v. 4.0, Rev. A: 1997 | Emerging (Approved)

3.10.7.3.2 Alternative specifications. There are no alternative specifications.

3.10.7.3.3 Standards deficiencies. No deficiencies have been identified in the existing standards.

3.10.7.3.4 Portability caveats. Portability problems related to the existing specifications are unknown.

3.10.7.3.5 Related standards. ITU-T X.500 (1993) (same as ISO 9594-1), Information Technology - Open Systems Interconnection - The Directory - Overview of Concepts, Models and Services, is a related standard.

3.10.7.3.6 Recommendations. The mandated standards are recommended.

MIL-STD-2045-18500 describes the security provided by MSP. It should be used for DOD message systems that are required to exchange classified and sensitive but unclassified information. It is based on Version 3.0 of the MSP documented in SDN.701, "Secure Data Network System (SDNS) Message Security Protocol," Revision 1.5, 1 August 1989. MSP is under revision to Version 4.0 to accommodate, in part, Allied requirements. This DSP standard will be replaced by a portion of the U.S. Supplement to ACP 123 or ACP 120, Common Security Protocol, when the revision to MSP is complete.

SP3 provides connectionless security services and is the basis for ISO 11577. SP3 is designed to be used at the top of layer 3.

SP4 is the basis for ISO 10736.

IEEE 802.10b is for use with legacy LANs only.

3.10.8 Non-repudiation. Non-repudiation base service areas include systems non-repudiation, electronic signature, and electronic hashing. Non-repudiation services ensure that senders and recipients cannot deny the origin or delivery of data. Non-repudiation mechanisms can be used to validate the source of software packages or to verify that hardware is unchanged from its manufactured state.

3.10.8.1 Systems non-repudiation. (This BSA appears in part 5, part 7, part 10, and part 11.) These standards provide the security services for non-repudiation in systems.

3.10.8.1.1 Standards. Table 3.10-24 presents standards for systems non-repudiation.

TABLE 3.10-24 Systems non-repudiation standards

Standard Type | Sponsor | Standard | Standard Reference | DoD Status (Lifecycle)
GPC | NIST | Digital Signature Standard (DSS) | FIPS PUB 186:1994 | Mandated (Approved)
GPC | DOD | Information Technology - Defense Standardized Profiles AMHXn(D)- Message Handling Systems - Message Security Protocol (MSP) Parts 1-5 | MIL-STD-2045-18500: 1993 | Mandated (Approved)
GPC | NSA | Message Security Protocol (MSP) | SDN.701, Rev. 3.0: 1994 | Legacy (Approved)
GPC | NSA | Message Security Protocol (MSP) | SDN.701, v. 4.0, Rev. A: 1997 | Emerging (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 1: Overview, Models, and Notation | 11586-1:1994 | Informational (Approved)
IPC | ISO | Generic Upper Layer Security (GULS) - Part 4: Protecting Transfer Syntax Specification | 11586-4:1994 | Informational (Approved)
IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational (Approved)
CPC | IETF | IP Authentication Header (AH) | RFC 1826: 1995 | Emerging (Draft)
CPC | OMG | Common Object Request Broker Architecture (CORBA) Security | OMG 95-12-1: 1995 | Emerging (Draft)
CPC | IETF | S/MIME Message Specification: PKCS Security Services for MIME | draft-dussc-mime-msg-spec-00.txt, September 1996 | Informational (Draft)
IPC | ISO/IEC | OSI Security Frameworks in Open Systems, Part 4: Non-Repudiation (same as ITU-TS X.813) | 10181-4 | Informational (Draft)
IPC | ISO | Non-Repudiation Mechanisms Part 1: General Model | 13888-1:1992 (SC27 N868 (Project 1.27.06.01)) | Informational (Draft)
IPC | ISO | Non-Repudiation Mechanisms Part 2: Using Symmetric Encipherment Algorithms | 13888-2:1994 (SC27 N864 (Project 1.27.06.02)) | Informational (Draft)
IPC | ISO | Non-Repudiation Mechanisms Part 3: Using Asymmetric Techniques | 13888-3:1992 (SC27 N869 (Project 1.27.06.03)) | Informational (Draft)
IPC | ISO | OSI Distributed Transaction Processing (DTP) - Draft Amendments to Parts 1 to 3: Transaction Processing Security | WDAMs (SC21 N 5232 to ISO 10026-1,2,3) 1991 | Informational (Draft)

3.10.8.1.2 Alternative specifications. There are no alternative specifications.

3.10.8.1.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.8.1.4 Portability caveats. Portability problems in the existing standards are unknown.

3.10.8.1.5 Related standards. FIPS PUB 180-1, Secure Hash Standard, must be used with FIPS PUB 186. FIPS PUB 180-1 provides the Secure Hash Algorithm used in generating and verifying electronic signatures.

3.10.8.1.6 Recommendations. The mandated standards are recommended for non-repudiation.

MIL-STD-2045-18500 describes the security provided by MSP. It should be used for DOD message systems that are required to exchange classified and sensitive but unclassified information. It is based on Version 3.0 of the MSP documented in SDN.701, "Secure Data Network System (SDNS) Message Security Protocol," Revision 1.5, 1 August 1989. MSP is under revision to Version 4.0 to accommodate, in part, Allied requirements. This DSP standard will be replaced by a portion of the U.S. Supplement to ACP 123 or ACP 120, Common Security Protocol, when the revision to MSP is complete.

MSP provides for signed receipts. S/MIME, an Internet Draft specification, does not provide for signed receipts.

3.10.8.2 Electronic signature. (This BSA appears in part 5, part 7, and part 10.) Electronic signature is the process that operates on a message to ensure message source authenticity and integrity, and source non-repudiation. Electronic signatures are composed so that the identity of a signatory and integrity of the data can be verified.

3.10.8.2.1 Standards. Table 3.10-25 presents standards for electronic signature.

TABLE 3.10-25 Electronic signature standards

| Standard Type | Sponsor | Standard | Standard Reference | Status (DoD) | Lifecycle |
|---|---|---|---|---|---|
| GPC | NIST | Digital Signature Standard (DSS) | FIPS PUB 186:1994 | Mandated | Approved |
| IPC | ISO | Digital Signature Scheme Giving Message Recovery | 9796:1991 | Informational | Approved |
| CPC | IETF | Privacy Enhancement for Internet Electronic Mail | RFC 1421-1424:1993 | Informational | Draft |
| IPC | ISO | Digital Signature with Appendix - Part 1: General | SC27/WG2 N294 (Project 1.27.08.01) | Informational | Formative |
| IPC | ISO | Digital Signature with Appendix - Part 2: Identity-Based Mechanisms | SC27/WG2 N295 (Project 1.27.08.02) | Informational | Formative |
| IPC | ISO | Digital Signature with Appendix - Part 3: Certificate-Based Mechanisms | SC27/WG2 N296 (Project 1.27.08.03) | Informational | Formative |

3.10.8.2.2 Alternative specifications. Rivest-Shamir-Adleman (RSA) Public Key Algorithm RC-5 was developed and published in 1994. It is proprietary, but RSA Data Security is working to have it included in numerous Internet standards. At present, RC-5 is not recommended for DOD use because it is proprietary.

3.10.8.2.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.8.2.4 Portability caveats. DSS applications are not interoperable with non-DSS systems.

3.10.8.2.5 Related standards. FIPS PUB 180-1, Secure Hash Standard, must be used with FIPS PUB 186. FIPS PUB 180-1 provides the Secure Hash Algorithm used in generating and verifying electronic signatures.

3.10.8.2.6 Recommendations. The mandated standard is recommended. FIPS PUB 186 is implemented in the FORTEZZA cryptographic card, a PC card (formerly called a Personal Computer Memory Card International Association (PCMCIA) standard card) that can be integrated into personal computers and workstations to provide security in commercial applications. FORTEZZA is being used in the Defense Message System. FIPS PUB 186 is the government-wide key cryptographic signature system.

3.10.8.3 Electronic hashing. (This BSA appears in part 5, part 7, part 8, and part 10.) Electronic hashing services compute a condensed representation (message digest) of a message or a data file, often used for data integrity checking.

3.10.8.3.1 Standards. Table 3.10-26 presents standards for electronic hashing.

TABLE 3.10-26 Electronic hashing standards

| Standard Type | Sponsor | Standard | Standard Reference | Status (DoD) | Lifecycle |
|---|---|---|---|---|---|
| GPC | NIST | Secure Hash Standard (SHS) | FIPS PUB 180-1:1995 | Mandated | Approved |
| IPC | ISO | Hash Functions, Part 1: General Model | 10118-1:1994 | Informational | Approved |
| IPC | ISO | Hash Functions, Part 2: Hash Functions Using an N-Bit Block Cipher Algorithm | 10118-2:1994 | Informational | Approved |
| GPC | NIST | Secure Hash Standard (SHS) | FIPS PUB 180:1993 | Informational | Superseded |
| IPC | ISO | Hash Functions, Part 3: Dedicated Hash Functions | WD 10118-3, JTC1/SC27 N883 (Project 1.27.09.03) | Informational | Draft |
| IPC | ISO | Hash Functions, Part 4: Hash Functions Using Modular Arithmetic | WD 10118-4, JTC1/SC27 N884 (Project 1.27.09.04) | Informational | Draft |

3.10.8.3.2 Alternative specifications. There are no alternative specifications.

3.10.8.3.3 Standards deficiencies. Deficiencies in the existing specifications are unknown.

3.10.8.3.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.8.3.5 Related standards. FIPS PUB 180-1 supersedes FIPS PUB 180 and is required for use with FIPS PUB 186, Digital Signature Standard.

3.10.8.3.6 Recommendations. The mandated standard is recommended. FIPS PUB 180-1 specifies SHA, which can be used to generate a message digest. SHA is required for use with the DSA as specified in FIPS PUB 186 and whenever an SHA is required for federal applications.
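As an added illustration of how the electronic signature (3.10.8.2) and electronic hashing (3.10.8.3) services fit together, the following educational Python program computes a FIPS 186 DSA signature over a FIPS 180-1 SHA-1 digest and shows verification succeeding on the original message and failing on an altered one. It is written for this page and is not the text of either FIPS publication nor any product's code; parameter sizes follow the original FIPS 186 minimum (512-bit p, 160-bit q), and the sample message is constructed.

```python
"""Educational DSA (FIPS 186) over SHA-1 (FIPS 180-1), standard library only.
Added for this page; not the text of either FIPS publication or any product."""
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test after trial division by a few small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # definitely composite
    return True

def generate_parameters(L: int = 512, N: int = 160):
    """Domain parameters (p, q, g): q | p-1, |p| = L bits, |q| = N bits."""
    while True:
        q = secrets.randbits(N) | (1 << (N - 1)) | 1   # odd, exactly N bits
        if is_probable_prime(q):
            break
    while True:
        X = secrets.randbits(L) | (1 << (L - 1))
        p = X - (X % (2 * q)) + 1                     # p = 1 (mod 2q)
        if p.bit_length() == L and is_probable_prime(p):
            break
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)                   # order-q subgroup generator
        if g > 1:
            return p, q, g
        h += 1

def generate_keypair(p: int, q: int, g: int):
    """Private key x in [1, q-1]; public key y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def sha1_int(message: bytes) -> int:
    """FIPS 180-1 SHA-1 digest of the message as a 160-bit integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sign(message: bytes, p: int, q: int, g: int, x: int):
    """DSA signature (r, s) over the SHA-1 digest of the message."""
    e = sha1_int(message)
    while True:
        k = secrets.randbelow(q - 1) + 1              # fresh per-message secret
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (e + x * r)) % q
        if r != 0 and s != 0:                         # FIPS 186: retry on zero
            return r, s

def verify(message: bytes, signature, p: int, q: int, g: int, y: int) -> bool:
    """Recompute v from the public key; the signature is valid iff v == r."""
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    e = sha1_int(message)
    w = pow(s, -1, q)
    u1, u2 = (e * w) % q, (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r

def demo():
    """Sign a constructed message; verification must fail once it is altered."""
    p, q, g = generate_parameters()
    x, y = generate_keypair(p, q, g)
    message = b"Constructed sample message for the signature example"
    signature = sign(message, p, q, g, x)
    genuine = verify(message, signature, p, q, g, y)
    altered = verify(message + b".", signature, p, q, g, y)
    return genuine, altered                           # (True, False)
```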

3.10.9 Systems availability. System availability objectives ensure service availability consistent with the operational importance of the information or valued assets.

3.10.9.1 Detection and notification. (This BSA appears in part 2, part 9, and part 10.) Detection and notification objectives ensure that a secure system has the capability to recognize that it is under attack, may potentially enter a non-available state, has been compromised, or has failed in a potentially compromising manner. Guidance in this area focuses on reporting detected security-critical conditions to the proper authorities and implementing predetermined corrective actions.

3.10.9.1.1 Standards. Table 3.10-27 presents standards for detection and notification.

TABLE 3.10-27 Detection and notification standards

| Standard Type | Sponsor | Standard | Standard Reference | Status (DoD) | Lifecycle |
|---|---|---|---|---|---|
| GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated | Approved |
| IPC | CCEB | Common Criteria for Information Technology Security Evaluation (CC), Version 1.0 | CC Version 1.0: 1996 | Emerging | Draft |

3.10.9.1.2 Alternative specifications. There are no alternative specifications.

3.10.9.1.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.9.1.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.9.1.5 Related standards. NSA's C-Technical Report-001, Computer Viruses: Prevention, Detection, and Treatment, and NIST SP 800-5, A Guide to the Selection of Anti-Virus Tools and Techniques, provide guidance on computer viruses. The following specifications support the TCSEC standard:

a. NCSC-TG-005, Version 1, July 1987, Trusted Network Interpretation

b. NCSC-TG-015, Version 1, October 1989, A Guide to Understanding Trusted Facility Management

c. NCSC-TG-016, Version 1, October 1992, Guidelines for Writing Trusted Facility Manuals

3.10.9.1.6 Recommendations. The mandated standard is recommended.

3.10.9.2 Security recovery. (This BSA appears in part 2, part 9, and part 10.) Recovery guidance defines provisions to allow system personnel or processes with the proper authorizations to repair or eliminate the cause of security relevant failures, isolate compromised portions of the system, and revalidate proper operations prior to returning the system to a fully operational secure state.

3.10.9.2.1 Standards. Table 3.10-28 presents standards for security recovery.

TABLE 3.10-28 Security recovery standards

| Standard Type | Sponsor | Standard | Standard Reference | Status (DoD) | Lifecycle |
|---|---|---|---|---|---|
| GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated | Approved |
| IPC | CCEB | Common Criteria for Information Technology Security Evaluation (CC), Version 1.0 | CC Version 1.0: 1996 | Emerging | Draft |

3.10.9.2.2 Alternative specifications. There are no alternative specifications.

3.10.9.2.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.9.2.4 Portability caveats. Portability problems in the existing standards are unknown.

3.10.9.2.5 Related standards. The following specifications are related to the TCSEC standard:

a. NCSC-TG-005, Version 1, July 1987, Trusted Network Interpretation

b. NCSC-TG-022, Version 1, December 1991, A Guide to Understanding Trusted Recovery in Trusted Systems

c. NCSC-TG-015, Version 1, October 1989, A Guide to Understanding Trusted Facility Management

d. NCSC-TG-016, Version 1, October 1992, Guidelines for Writing Trusted Facility Manuals

3.10.9.2.6 Recommendations. The mandated standard is recommended.

3.10.10 Security labeling. A security label is data bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. Security labeling includes security labeling for the following major service areas: user interface, data management, data interchange, graphics, network (data communications), system, and distributed computing.

3.10.10.1 User interface security labeling. (This BSA appears in part 3 and part 10.) User interface security labeling provides a human readable representation of the internal security labels associated with data management, data interchange, graphics, data communications, system, and distributed computing services.

3.10.10.1.1 Standards. Table 3.10-29 presents standards for user interface security labeling.

TABLE 3.10-29 User interface security labeling standards

| Standard Type | Sponsor | Standard | Standard Reference | Status (DoD) | Lifecycle |
|---|---|---|---|---|---|
| GPC | DOD | Human-Computer Interface (HCI) Style Guide | TAFIM Volume 8, Version 3.0: 1996 | Mandated | Approved |
| GPC | DOD | Compartmented Mode Workstation (CMW) Evaluation Criteria | DDS-2600-6243-92 | Adopted | Approved |
| GPC | DOD | CMW Labeling: Encoding Format | DDS-2600-6216-91 | Informational | Approved |
| GPC | DOD | CMW Labeling: Source Code and User Interface Guidelines, Revision 1 | DDS-2600-6243-91 | Informational | Approved |
| GPC | DOD | Defense Intelligence Agency Standard User Interface Style Guide for Compartmented Mode Workstations | DIA Style Guide: 1983 | Informational | Approved |

3.10.10.1.2 Alternative specifications. There are no alternative specifications.

3.10.10.1.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.10.1.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.10.1.5 Related standards. DOD 5200.28-STD is a related standard. DOD 5200.1-R, "Information Security Program Regulation," June 1986, establishes DOD policy for security classification, declassification, and marking of DOD information. It also contains DOD policy for safeguarding of classified information, including accountability, storage, transmission, and destruction of the information.

Security-related interface requirements for workstations operating in System High or Compartmented Mode are discussed in DDS-2600-6243-91 and the DIA Style Guide, which provide the basis for the security portion of the HCI Style Guide (TAFIM Volume 8).

3.10.10.1.6 Recommendations. Appendix A of the TAFIM, Volume 8, DOD HCI Style Guide, outlines security presentation guidelines for workstations and is recommended.

3.10.10.2 Data management security labeling. (This BSA appears in part 4 and part 10.) Data management security labeling provides a security service for ensuring that data includes labeling information in support of mandatory access control security services, marking security services, handling security services, aggregation security services, sanitization security services, and release security services. Security labeling services produce and maintain the integrity of the security label and its binding to the data with which it is associated.

3.10.10.2.1 Standards. Table 3.10-30 presents standards for data management security labeling.

TABLE 3.10-30 Data management security labeling standards

| Standard Type | Sponsor | Standard | Standard Reference | Status (DoD) | Lifecycle |
|---|---|---|---|---|---|
| GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated | Approved |
| GPC | DOD | CMW Labeling: Encoding Format | DDS-2600-6216-91 | Informational | Approved |
| GPC | DOD | CMW Labeling: Source Code and User Interface Guidelines, Revision 1 | DDS-2600-6243-91 | Informational | Approved |
| GPC | DOD | Compartmented Mode Workstation (CMW) Evaluation Criteria | DDS-2600-6243-92 | Informational | Approved |

3.10.10.2.2 Alternative specifications. There are no alternative standards.

3.10.10.2.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.10.2.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.10.2.5 Related standards. Data management security labeling should be compatible with MIL-STD-2045-48501, Common Security Label, for any system with a communications interface.

DOD 5200.1-R, "Information Security Program Regulation," June 1986, establishes DOD policy for security classification, declassification, and marking of DOD information. It also contains DOD policy for safeguarding of classified information, including accountability, storage, transmission, and destruction of the information.

3.10.10.2.6 Recommendations. The mandated standard is recommended. Data management security labeling should be based on the operating system security label standards. Data management security labeling should employ binding of strength equal to or greater than that of the operating system. Compatible security labeling standards include the ability to perform a one-for-one mapping or translation between security labeling standards.

3.10.10.3 Data interchange security labeling. (This BSA appears in part 5 and part 10.) Data interchange security labeling provides a security service to define the format and correctly parse a security label into the security attributes used by other security services.

3.10.10.3.1 Standards. Table 3.10-31 presents standards for data interchange security labeling.

TABLE 3.10-31 Data interchange security labeling standards

| Standard Type | Sponsor | Standard | Standard Reference | Status (DoD) | Lifecycle |
|---|---|---|---|---|---|
| GPC | DOD | Common Security Label (CSL) | MIL-STD-2045-48501: 1995 | Mandated | Approved |
| GPC | DOD | CMW Labeling: Encoding Format | DDS-2600-6216-91 | Informational | Approved |
| GPC | DOD | CMW Labeling: Source Code and User Interface Guidelines, Revision 1 | DDS-2600-6243-91 | Informational | Approved |
| GPC | DOD | Compartmented Mode Workstation (CMW) Evaluation Criteria | DDS-2600-6243-92 | Informational | Approved |
| GPC | NIST | Standard Security Label (SSL) for Information Transfer | FIPS PUB 188:1994 | Informational | Approved |
| IPC | ITU-T | Message Handling Systems: Message Transfer System: Abstract Service Definition and Procedures | X.411: 1992 | Informational | Approved |
| CPC | TSIG | Trusted Security Information Exchange for Restricted Environments | TSIX (RE) 1.1 | Emerging | Draft |

3.10.10.3.2 Alternative specifications. There are no alternative specifications.

3.10.10.3.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.10.3.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.10.3.5 Related standards. DOD 5200.28-STD is a related standard.

DOD 5200.1-R, "Information Security Program Regulation," June 1986, establishes DOD policy for security classification, declassification, and marking of DOD information. It also contains DOD policy for safeguarding of classified information, including accountability, storage, transmission, and destruction of the information.

3.10.10.3.6 Recommendations. The mandated standard is recommended. TSIG TSIX(RE) 1.1 includes options compatible with MIL-STD-2045-48501.

3.10.10.4 Graphics security labeling. (This BSA appears in part 6 and part 10.) Graphics security labeling provides a security service for ensuring that graphical data includes labeling information in support of mandatory access control security services, marking security services, handling security services, aggregation security services, sanitization security services, and release security services. Security labeling services produce and maintain the integrity of the security label and its binding to the data with which it is associated.

3.10.10.4.1 Standards. Table 3.10-32 presents standards for graphics security labeling.

TABLE 3.10-32 Graphics security labeling standards

| Standard Type | Sponsor | Standard | Standard Reference | Status (DoD) | Lifecycle |
|---|---|---|---|---|---|
| GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated | Approved |
| GPC | DOD | CMW Labeling: Encoding Format | DDS-2600-6216-91 | Informational | Approved |
| GPC | DOD | CMW Labeling: Source Code and User Interface Guidelines, Revision 1 | DDS-2600-6243-91 | Informational | Approved |
| GPC | DOD | Compartmented Mode Workstation (CMW) Evaluation Criteria | DDS-2600-6243-92 | Informational | Approved |

3.10.10.4.2 Alternative specifications. There are no alternative specifications.

3.10.10.4.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.10.4.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.10.4.5 Related standards. Graphics security labeling should be compatible with MIL-STD-2045-48501, Common Security Label, for any system with a communications interface.

DOD 5200.1-R, "Information Security Program Regulation," June 1986, establishes DOD policy for security classification, declassification, and marking of DOD information. It also contains DOD policy for safeguarding of classified information, including accountability, storage, transmission, and destruction of the information.

3.10.10.4.6 Recommendations. The mandated standard is recommended. Graphics security labeling should be based on the operating system security label standards. Graphics security labeling should employ binding of strength equal to or greater than that of the operating system. Compatible security labeling standards include the ability to perform a one-for-one mapping or translation between security labeling standards.
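The labeling properties called for in 3.10.10.1 through 3.10.10.4 (a human-readable rendering of an internal label, parsing a label into attributes for other services, a dominance check supporting mandatory access control and release, and a one-for-one translation between two labeling standards) are shown together in the following added Python example. It is constructed for this page: the level and compartment vocabularies and both encodings are hypothetical and are not the CMW, DIA or FIPS 188 formats.

```python
"""Added example: security labels for MAC and release decisions, with a
one-for-one translation between two hypothetical label encodings."""
from dataclasses import dataclass

# Hierarchical levels ranked low to high (hypothetical vocabulary).
LEVEL_RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    """Internal (operating system) security label: level plus compartments."""
    level: str
    compartments: frozenset

    def dominates(self, other: "Label") -> bool:
        """MAC dominance: level is at least as high AND compartments are a superset."""
        return (LEVEL_RANK[self.level] >= LEVEL_RANK[other.level]
                and self.compartments >= other.compartments)

    def human_readable(self) -> str:
        """User-interface rendering such as 'SECRET//ALPHA/BRAVO' (constructed form)."""
        comps = "/".join(sorted(self.compartments))
        return f"{self.level}//{comps}" if comps else self.level

# Hypothetical "data management" encoding: short codes, 'LEVEL:COMP,COMP'.
LEVEL_CODES = {"UNCLASSIFIED": "U", "CONFIDENTIAL": "C", "SECRET": "S", "TOP SECRET": "TS"}
COMPARTMENT_CODES = {"ALPHA": "01", "BRAVO": "02", "CHARLIE": "03"}

def is_one_for_one(table: dict) -> bool:
    """Translation is only safe when no two names share a code (a bijection)."""
    return len(set(table.values())) == len(table)

def encode(label: Label) -> str:
    """Internal label -> data management encoding, e.g. 'S:01,02'."""
    codes = ",".join(sorted(COMPARTMENT_CODES[c] for c in label.compartments))
    return f"{LEVEL_CODES[label.level]}:{codes}"

def decode(text: str) -> Label:
    """Data management encoding -> internal label. Unknown codes are rejected
    rather than dropped, so no security attribute is lost in translation."""
    if not (is_one_for_one(LEVEL_CODES) and is_one_for_one(COMPARTMENT_CODES)):
        raise ValueError("translation tables are not one-for-one")
    level_code, _, comp_field = text.partition(":")
    level_names = {code: name for name, code in LEVEL_CODES.items()}
    comp_names = {code: name for name, code in COMPARTMENT_CODES.items()}
    if level_code not in level_names:
        raise ValueError(f"unknown level code {level_code!r}")
    names = set()
    for code in filter(None, comp_field.split(",")):
        if code not in comp_names:
            raise ValueError(f"unknown compartment code {code!r}")
        names.add(comp_names[code])
    return Label(level_names[level_code], frozenset(names))

def may_release(data: Label, receiver: Label) -> bool:
    """Release service: data may flow only to a receiver whose label dominates it."""
    return receiver.dominates(data)

def demo():
    """Constructed labels: a high level alone does not grant a compartment."""
    data = Label("SECRET", frozenset({"ALPHA"}))
    analyst = Label("TOP SECRET", frozenset({"ALPHA", "BRAVO"}))
    clerk = Label("TOP SECRET", frozenset())
    round_trip = decode(encode(data)) == data         # one-for-one translation holds
    return (data.human_readable(), may_release(data, analyst),
            may_release(data, clerk), round_trip)     # ('SECRET//ALPHA', True, False, True)
```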

3.10.10.5 Data communications security labeling. (This BSA appears in part 7 and part 10.) Data communications security labeling encompasses the application of security labeling, which is used as the basis for mandatory access control security services and release security services.

3.10.10.5.1 Standards. Table 3.10-33 presents standards for data communications security labeling.

TABLE 3.10-33 Data communications security labeling standards

| Standard Type | Sponsor | Standard | Standard Reference | Status (DoD) | Lifecycle |
|---|---|---|---|---|---|
| GPC | DOD | Common Security Label (CSL) | MIL-STD-2045-48501: 1995 | Mandated | Approved |
| IPC | ISO | Transport Layer Security Protocol (TLSP) (Includes Amendment 1) | 10736:1994 | Informational | Approved |
| IPC | ISO | Network Layer Security Protocol (NLSP) | 11577:1994 | Informational | Approved |
| IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational | Approved |
| GPC | DOD | CMW Labeling: Encoding Format | DDS-2600-6216-91 | Informational | Approved |
| GPC | DOD | CMW Labeling: Source Code and User Interface Guidelines, Revision 1 | DDS-2600-6243-91 | Informational | Approved |
| GPC | DOD | Compartmented Mode Workstation (CMW) Evaluation Criteria | DDS-2600-6243-92 | Informational | Approved |
| GPC | NIST | Standard Security Label (SSL) for Information Transfer | FIPS PUB 188:1994 | Informational | Approved |
| CPC | IETF | DoD Security Options for the Internet Protocol | RFC 1108:1991 | Legacy | Draft |
| CPC | IETF | Revised Internet Protocol Security Options (RIPSO) | RFC 1038:1988 | Informational | Draft |
| CPC | TSIG | Trusted Security Information Exchange for Restricted Environments | TSIX (RE) 1.1 | Emerging | Draft |
| NPC | IEEE | Standard for Interoperable LAN Security - Part G: Standard for Security Labeling within Secure Data Exchange | 802.10g/D7 | Emerging | Draft |

3.10.10.5.2 Alternative specifications. There are no alternative specifications.

3.10.10.5.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.10.5.4 Portability caveats. Portability problems related to the existing standards are unknown.

3.10.10.5.5 Related standards. DOD 5200.28-STD is a related standard. DOD 5200.1-R, "Information Security Program Regulation," June 1986, establishes DOD policy for security classification, declassification, and marking of DOD information. It also contains DOD policy for safeguarding of classified information, including accountability, storage, transmission, and destruction of the information.

3.10.10.5.6 Recommendations. The mandated standard is recommended and should be used for new acquisitions. MIL-STD-2045-48501 supports the exchange of security attributes, for example, sensitivity labels. It provides a means to label and protect data as it passes through communications systems and implements FIPS PUB 188 for the DOD environment. MIL-STD-2045-48501 and FIPS PUB 188 apply only to layers 3 and 4. TSIG TSIX(RE) 1.1, "Trusted Systems Interoperability Group, Trusted Security Information Exchange for Restricted Environments," includes options compatible with MIL-STD-2045-48501.

IEEE 802.10g is consistent with the SSL and the CSL.

RFC 1108 makes RFC 1038 obsolete. RFC 1108 should be used for legacy systems only. RFC 1038 is not recommended.

3.10.10.6 Operating system security labeling. (This BSA appears in part 8 and part 10.) Operating system security labeling provides a security labeling service in support of end system processing. This service is required to support similar or shared services for all other MSAs having security labels. This service includes any translation services needed to support other MSAs, achieve host system independence, or protect host identity.

3.10.10.6.1 Standards. Table 3.10-34 presents standards for operating system security labeling.

TABLE 3.10-34 Operating system security labeling standards

| Standard Type | Sponsor | Standard | Standard Reference | Status (DoD) | Lifecycle |
|---|---|---|---|---|---|
| GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated | Approved |
| GPC | DOD | CMW Labeling: Encoding Format | DDS-2600-6216-91 | Informational | Approved |
| GPC | DOD | CMW Labeling: Source Code and User Interface Guidelines, Revision 1 | DDS-2600-6243-91 | Informational | Approved |
| GPC | DOD | Compartmented Mode Workstation (CMW) Evaluation Criteria | DDS-2600-6243-92 | Informational | Approved |
| NPC | IEEE | Standard for Interoperable LAN Security - Part G: Standard for Security Labeling within Secure Data Exchange | 802.10g/D7 | Emerging | Draft |

3.10.10.6.2 Alternative specifications. There are no alternative specifications.

3.10.10.6.3 Standards deficiencies. Deficiencies in the existing standards are unknown.

3.10.10.6.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.10.6.5 Related standards. DOD 5200.1-R, "Information Security Program Regulation," June 1986, establishes DOD policy for security classification, declassification, and marking of DOD information. It also contains DOD policy for safeguarding of classified information, including accountability, storage, transmission, and destruction of the information.

3.10.10.6.6 Recommendations. The mandated standard is recommended.

3.10.10.7 Distributed computing security labeling. (This BSA appears both in part 10 and part 11.) Distributed computing security labeling provides a security labeling service to support mandatory access controls within a distributed environment.

3.10.10.7.1 Standards. Table 3.10-35 presents standards for distributed computing security labeling.

TABLE 3.10-35 Distributed computing security labeling standards

| Standard Type | Sponsor | Standard | Standard Reference | Status (DoD) | Lifecycle |
|---|---|---|---|---|---|
| GPC | DOD | The DOD Trusted Computer Systems Evaluation Criteria | DOD 5200.28-STD: 1985 | Mandated | Approved |
| GPC | DOD | Trusted Database Management System Interpretation of the Trusted Computer Systems Evaluation Criteria | NCSC-TG-021, Version 1: 1991 | Mandated | Approved |
| GPC | DOD | Compartmented Mode Workstation (CMW) Evaluation Criteria | DDS-2600-6243-92 | Informational | Approved |
| GPC | DOD | CMW Labeling: Source Code and User Interface Guidelines, Revision 1 | DDS-2600-6243-91 | Informational | Approved |
| GPC | DOD | CMW Labeling: Encoding Format | DDS-2600-6216-91 | Informational | Approved |
| IPC | ISO | OSI Basic Reference Model, Part 2: Security Architecture (same as CCITT X.800:1991) | 7498-2:1989 | Informational | Approved |

3.10.10.7.2 Alternative specifications. There are no alternative specifications.

3.10.10.7.3 Standards deficiencies. The subjects and objects requiring security labeling in a distributed computing environment have not been standardized or identified in any standardized framework.

3.10.10.7.4 Portability caveats. Portability problems with the existing standards are unknown.

3.10.10.7.5 Related standards. DOD 5200.1-R, "Information Security Program Regulation," June 1986, establishes DOD policy for security classification, declassification, and marking of DOD information. It also contains DOD policy for safeguarding of classified information, including accountability, storage, transmission, and destruction of the information.

3.10.10.7.6 Recommendations. The mandated standards are recommended.

The DGSA (TAFIM Volume 6) provides general architectural guidance for information domains which can exist in a distributed environment. The properties of information domains share some similarities with security labels in a distributed environment.