Category : Various Text files
Archive   : CSP.ZIP
Filename : LIST91.WP5

COMPUTER SECURITY PUBLICATIONS
LIST 91
Revised April 1991
*********************************************************

NATIONAL COMPUTER SYSTEMS LABORATORY
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
GAITHERSBURG, MARYLAND 20899


The National Computer Systems Laboratory (NCSL) is responsible
for developing standards, providing technical assistance, and
conducting research for computers and related systems. These
activities provide technical support to government and industry
in the effective, safe and economical use of computers. NCSL's
work is mandated under the Brooks Act (P.L. 89-306) and the
Computer Security Act of 1987 (P.L. 100-235). NCSL's activities
also support key goals of the Department of Commerce: to
maintain a U.S. competitive position in international trade; to
improve U.S. productivity; and to improve the management of
government and the delivery of services.

NCSL's major activities are:

o determining requirements for and participating in the
development of national and international voluntary
industry standards for computers and related
telecommunications;

o developing testing methodologies to support the
development and implementation of standards;

o developing guidelines, technology forecasts, and
other products to aid in the effective management and
application of computer and related
telecommunications technology;

o disseminating and exchanging information with
federal, state and local governments, industry,
professional, and research organizations on computer
use and standards needs;

o providing technical support for the development of
government policies in information technology;

o providing direct technical assistance to federal
agencies on a cost-reimbursable basis; and

o carrying out applied research and development, often
in cooperation with other government agencies and
with industry.

COMPUTER SECURITY ACTIVITIES

NCSL's responsibilities were reaffirmed and strengthened by the
enactment of the Computer Security Act of 1987 (P.L. 100-235).
This legislation tasks NCSL to perform research, develop
standards and guidelines, develop validation procedures for
standards, provide assistance to federal agencies and the private
sector, and assist federal agencies with their security planning
and training activities.

Computer security is important to managers and users of
information systems. Security is the tool for achieving
integrity and accuracy of data, confidentiality of information
handled by systems, and the availability of systems, data, and
services. Many different accidental and intentional events can
threaten security. NCSL identifies and develops cost-effective
methods to protect computers and data against all types of
losses. These methods include technical solutions to computer
security problems, as well as sound management practices.


HOW TO ORDER PUBLICATIONS

These publications are available through the Government Printing
Office (GPO) and the National Technical Information Service
(NTIS). The source, price, and order number for each publication
are indicated on the Publication Price List at the end of the
brochure. Orders for publications should include title of
publication, NIST publication number (Spec. Pub. 000, NISTIR 000,
etc.) and GPO or NTIS number. You may order at the price listed;
however, prices are subject to change without notice.

Order forms are included at the end of this brochure. Submit
payment in the form of postal money order, express money order,
or check made out to the Superintendent of Documents for GPO-
stocked documents or to the National Technical Information
Service for NTIS-stocked documents.

Mailing addresses are:

Superintendent of Documents
U.S. Government Printing Office
Washington, DC 20402

National Technical Information Service
5285 Port Royal Road
Springfield, VA 22161

Telephone numbers for information are:

GPO Order Desk (202) 783-3238
NTIS Orders (703) 487-4650


Note: Publications with SN numbers are stocked by GPO.
Publications with PB numbers are stocked by NTIS.

FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATIONS (FIPS PUBS)
---------------------------------------------------------------
Federal Information Processing Standards Publications (FIPS PUBS)
are developed by the National Computer Systems Laboratory (NCSL)
and issued under the provisions of the Federal Property and
Administrative Services Act of 1949, as amended by the Computer
Security Act of 1987 (P.L. 100-235).

FIPS PUBS are sold by the National Technical Information Service
(NTIS), U.S. Department of Commerce. A list of current FIPS
covering all NCSL program areas is available from:

Standards Processing Coordinator (ADP)
National Computer Systems Laboratory
Technology Building, B-64
National Institute of Standards and Technology
Gaithersburg, MD 20899
Telephone: (301) 975-2817

FIPS PUB 31
GUIDELINES FOR ADP PHYSICAL SECURITY AND RISK MANAGEMENT
June 1974

Provides guidance to federal organizations in developing physical
security and risk management programs for their ADP facilities.
Covers security analysis, natural disasters, failure of supporting
utilities, system reliability, procedural measures and controls,
protection of off-site facilities, contingency plans, security
awareness, and security audit. Can be used as a checklist for
planning and evaluating security of computer systems.

FIPS PUB 39
GLOSSARY FOR COMPUTER SYSTEMS SECURITY
February 1974

A reference document containing approximately 170 terms and
definitions pertaining to privacy and computer security.

FIPS PUB 41
COMPUTER SECURITY GUIDELINES FOR IMPLEMENTING THE PRIVACY ACT OF 1974
May 1975

Provides guidance in the selection of technical and related procedural
methods for protecting personal data in automated information systems.
Discusses categories of risks and the related safeguards for physical
security, information management practices, and system controls to
improve system security.

FIPS PUB 46-1
DATA ENCRYPTION STANDARD
January 1988 (Reaffirmed until 1993)
Specifies an algorithm to be implemented in electronic hardware
devices and used for the cryptographic protection of sensitive, but
unclassified, computer data. The algorithm uniquely defines the
mathematical steps required to transform computer data into a
cryptographic cipher and the steps required to transform the cipher
back to its original form. This standard has been adopted as a
voluntary industry standard ANSI X3.92-1981/R1987.

FIPS PUB 48
GUIDELINES ON EVALUATION OF TECHNIQUES FOR AUTOMATED PERSONAL
IDENTIFICATION
April 1977

Discusses the performance of personal identification devices, how to
evaluate them and considerations for their use within the context of
computer systems security.

FIPS PUB 65
GUIDELINE FOR AUTOMATIC DATA PROCESSING RISK ANALYSIS
August 1979

Presents a technique for conducting a risk analysis of an ADP facility
and related assets. Provides guidance on collecting, quantifying, and
analyzing data related to the frequency of occurrence and the damage
caused by adverse events. This guideline describes the
characteristics and attributes of a computer system that must be known
for a risk analysis and gives an example of the risk analysis process.

FIPS PUB 73
GUIDELINES FOR SECURITY OF COMPUTER APPLICATIONS
June 1980

Describes the different security objectives for a computer
application, explains the control measures that can be used, and
identifies the decisions that should be made at each stage in the life
cycle of a sensitive computer application. For use in planning,
developing and operating computer systems which require protection.
Fundamental security controls such as data validation, user identity
verification, authorization, journaling, variance detection, and
encryption are discussed.

FIPS PUB 74
GUIDELINES FOR IMPLEMENTING AND USING THE NBS DATA ENCRYPTION STANDARD
April 1981

Provides guidance for the use of cryptographic techniques when such
techniques are required to protect sensitive or valuable computer
data. For use in conjunction with FIPS PUB 46-1 and FIPS PUB 81.

FIPS PUB 81
DES MODES OF OPERATION
December 1980

Defines four modes of operation for the Data Encryption Standard which
may be used in a wide variety of applications. The modes specify how
data will be encrypted (cryptographically protected) and decrypted
(returned to original form). The modes included in this standard are
the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC)
mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB)
mode.

FIPS PUB 83
GUIDELINE ON USER AUTHENTICATION TECHNIQUES FOR COMPUTER NETWORK
ACCESS CONTROL
September 1980

Provides guidance in the selection and implementation of techniques
for authenticating the users of remote terminals in order to safeguard
against unauthorized access to computers and computer networks.
Describes use of passwords, identification tokens, verification by
means of personal attributes, identification of remote devices, role
of encryption in network access control, and computerized
authorization techniques.

FIPS PUB 87
GUIDELINES FOR ADP CONTINGENCY PLANNING
March 1981

Describes what should be considered when developing a contingency plan
for an ADP facility. Provides a suggested structure and format which
may be used as a starting point from which to design a plan to fit
each specific operation.

FIPS PUB 88
GUIDELINE ON INTEGRITY ASSURANCE AND CONTROL IN DATABASE APPLICATIONS
August 1981

Provides explicit advice on achieving database integrity and security
control. Identifies integrity and security problems and discusses
procedures and methods which have proven effective in addressing these
problems. Provides an explicit, step-by-step procedure for examining
and verifying the accuracy and completeness of a database.

FIPS PUB 94
GUIDELINE ON ELECTRICAL POWER FOR ADP INSTALLATIONS
September 1982

Provides information on factors in the electrical environment that
affect the operation of ADP systems. Describes the fundamentals of
power, grounding, life-safety, static electricity, and lightning
protection requirements, and provides a checklist for evaluating ADP
sites.

FIPS PUB 102
GUIDELINE FOR COMPUTER SECURITY CERTIFICATION AND ACCREDITATION
September 1983

Describes how to establish and carry out a certification and
accreditation program for computer security. Certification consists
of a technical evaluation of a sensitive system to see how well it
meets its security requirements. Accreditation is the official
management authorization for the operation of the system and is based
on the certification process.

FIPS PUB 112
STANDARD ON PASSWORD USAGE
May 1985

This standard defines ten factors to be considered in the design,
implementation, and use of access control systems that are based on
passwords. It specifies minimum security criteria for such systems
and provides guidance for selecting additional security criteria for
password systems which must meet higher security requirements.

FIPS PUB 113
STANDARD ON COMPUTER DATA AUTHENTICATION
May 1985

This standard specifies a Data Authentication Algorithm (DAA) which,
when applied to computer data, automatically and accurately detects
unauthorized modifications, both intentional and accidental. Based on
the Data Encryption Standard (DES), this standard is compatible with
the requirements adopted by the Department of the Treasury and the
banking community to protect electronic fund transfer transactions.

FIPS PUB 139
INTEROPERABILITY AND SECURITY REQUIREMENTS FOR USE OF THE DATA
ENCRYPTION STANDARD IN THE PHYSICAL LAYER OF DATA COMMUNICATIONS
August 1983

This standard facilitates the interoperation of government data
communication facilities, systems, and data that require cryptographic
protection using the Data Encryption Standard (DES) algorithm. The
standard specifies interoperability and security-related requirements
using encryption at the Physical Layer of the ISO Open Systems
Interconnection (OSI) Reference Model (International Standard 7498) in
the telecommunications systems conveying ADP or narrative text
information. (formerly Federal Standard 1026)

FIPS PUB 140
GENERAL SECURITY REQUIREMENTS FOR EQUIPMENT USING THE DATA ENCRYPTION
STANDARD
April 1982

This standard prescribes security requirements for implementation of
the Data Encryption Standard (DES) in telecommunications equipment and
systems used by the departments and agencies of the U.S. Government.
(formerly Federal Standard 1027)

FIPS PUB 141
INTEROPERABILITY AND SECURITY REQUIREMENTS FOR USE OF THE DATA
ENCRYPTION STANDARD WITH CCITT GROUP 3 FACSIMILE EQUIPMENT
April 1985

This standard specifies interoperability and security-related
requirements for use of encryption with International Telegraph and
Telephone Consultative Committee (CCITT), Group 3 type facsimile
equipment conveying Automatic Data Processing (ADP) and/or narrative
text information.
(formerly Federal Standard 1028)

SPECIAL PUBLICATIONS AND OTHER REPORTS
--------------------------------------
These publications present the results of NCSL studies, investigations,
and research on computer security and risk management issues.
Publications are sold by either the Government Printing Office or the
National Technical Information Service, as indicated for each entry on
the Publication Price List at the end of the brochure.

SPECIAL PUBLICATIONS
--------------------

NIST SPEC PUB
500-174
GUIDE FOR SELECTING AUTOMATED RISK ANALYSIS TOOLS*
By Irene E. Gilbert
October 1989

This document recommends a process for selecting automated risk
analysis tools, describing important considerations for developing
selection criteria for acquiring risk analysis software. The report
describes three essential elements that should be present in an
automated risk analysis tool: data collection, analysis, and output
results. It is intended primarily for managers and those responsible
for managing risks in computer and telecommunications systems.

NIST SPEC PUB
500-172
COMPUTER SECURITY TRAINING GUIDELINES
By Mary Anne Todd and Constance Guitian
November 1989

These guidelines provide a framework for determining the training
needs of employees involved with computer systems. They describe the
learning objectives of agency computer security training programs --
what the employee should know and be able to direct or actually
perform -- so that agencies may use the guidance to develop or acquire
training programs that fit the agency environment.

NIST SPEC PUB
500-171
COMPUTER USER'S GUIDE TO THE PROTECTION OF INFORMATION RESOURCES*
By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
December 1989

Computers have changed the way we handle our information resources.
Large amounts of information are stored in one central place with the
ability to be accessed from remote locations. Users have a personal
responsibility for the security of the system and the data stored in
it. This document outlines the user's responsibilities and provides
security and control guidelines to be implemented.

NIST SPEC PUB
500-170
MANAGEMENT GUIDE TO THE PROTECTION OF INFORMATION RESOURCES*
By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
October 1989

This guide introduces information systems security concerns and
outlines the issues that must be addressed by all agency managers in
meeting their responsibilities to protect information systems within
their organizations. It describes essential components of an
effective information resource protection process that applies to a
stand-alone personal computer or to a large data processing facility.

NIST SPEC PUB
500-169
EXECUTIVE GUIDE TO THE PROTECTION OF INFORMATION RESOURCES*
By Cheryl Helsing, Marianne Swanson, and Mary Anne Todd
October 1989

This guide assists executives to address a host of questions regarding
the protection and safety of computer systems and their information
resources. The publication introduces information systems security
concerns, outlines the management issues that must be addressed by
agency policies and programs, and describes essential components of an
effective implementation process.

NIST SPEC PUB
500-168
REPORT OF THE INVITATIONAL WORKSHOP ON DATA INTEGRITY
By Zella G. Ruthberg and William T. Polk
September 1989

This publication contains the proceedings of the second invitational
workshop on computer integrity which took place at NIST on January 25-
27, 1989. The workshop focused on data integrity models, data
quality, integrity controls, and certification of transformation
procedures that preserve data integrity. Results of the first data
integrity workshop held in October 1987, are contained in NIST Special
Publication 500-160.

NIST SPEC PUB
500-166
COMPUTER VIRUSES AND RELATED THREATS: A MANAGEMENT GUIDE*
By John P. Wack and Lisa J. Carnahan
August 1989

This document contains guidance for managing the threats of computer
viruses and related software and unauthorized use. It is geared
towards managers of end-user groups and managers dealing with multi-user
systems, personal computers and networks. The guidance is
general and addresses the vulnerabilities that are most likely to be
exploited.

NIST SPEC PUB
500-160
REPORT OF THE INVITATIONAL WORKSHOP ON INTEGRITY POLICY IN COMPUTER
INFORMATION SYSTEMS (WIPCIS)
Stuart W. Katzke and Zella G. Ruthberg, Editors
January 1989

This report contains the proceedings of the first invitational
workshop on integrity policy. The workshop established a foundation
for further progress in defining a model for information integrity.
The workshop was held in response to the paper by David Clark of
M.I.T. and David Wilson of Ernst & Whinney entitled "A Comparison of
Military and Commercial Data Security Policy."

NBS SPEC PUB
500-158
ACCURACY, INTEGRITY, AND SECURITY IN COMPUTERIZED VOTE-TALLYING
By Roy G. Saltman
August 1988

This study surveys some events concerning computerized vote-tallying
and reviews current problems. The report recommends that accepted
practices of internal control be applied to vote-tallying, including
the use of software for integrity and logical correctness; dedicated
software use and dedicated operation; improved design and
certification of vote-tallying systems that do not use ballots; and
improved pre-election testing and partial manual recounting of
ballots.

NIST SPEC PUB
500-157
SMART CARD TECHNOLOGY: NEW METHODS FOR COMPUTER ACCESS CONTROL
By Martha E. Haykin and Robert B. J. Warner
September 1988

This document describes the basic components of a smart card and
provides background information on the underlying integrated circuit
technologies. The capabilities of a smart card are discussed,
especially its applicability for computer security. The report
describes research being conducted on smart card access control
techniques; other major U.S. and international groups involved in the
development of standards for smart cards and related devices are
listed in the appendix.

NBS SPEC PUB
500-156
MESSAGE AUTHENTICATION CODE (MAC) VALIDATION SYSTEM: REQUIREMENTS AND
PROCEDURES
By Miles Smid, Elaine Barker, David Balenson and Martha Haykin
May 1988

Describes the Message Authentication Code (MAC) Validation System
(MVS) which was developed by NBS to test message authentication
devices for conformance to two data authentication standards
(including FIPS 113). This publication describes the basic design and
configuration of the MVS, and the requirements and administrative
procedures to be followed for requesting validations.

NBS SPEC PUB
500-153
GUIDE TO AUDITING FOR CONTROLS AND SECURITY: A SYSTEM DEVELOPMENT
LIFE CYCLE APPROACH
Editors/Authors: Zella G. Ruthberg, Bonnie Fisher, William E. Perry,
John W. Lainhart IV, James G. Cox, Mark Gillen, and Douglas B. Hunt
April 1988

This guide describes a process for auditing the system development
life cycle (SDLC) of an automated information system (AIS) to ensure
that controls and security are designed and built into the system.
The guide was developed by the Electronic Data Processing (EDP)
Systems Review and Security Work Group of the Computer Security
Project within the President's Council on Integrity and Efficiency
(PCIE), and contains bibliographies and a description of pertinent
laws and regulations.

NBS SPEC PUB
500-137
SECURITY FOR DIAL-UP LINES
By Eugene F. Troy
May 1986

Ways to protect computers from intruders via dial-up telephone lines
are discussed in this guide. Highlighted are hardware devices which
can be fitted to computers or used with their dial-up terminals to
provide communications protection for non-classified computer systems.
Six different types of hardware devices and the ways that they can be
used to protect dial-up computer communications are described. Also
discussed are techniques that can be added to computer operating
systems or incorporated into system management or administrative
procedures.

NBS SPEC PUB
500-134
GUIDE ON SELECTING ADP BACKUP PROCESS ALTERNATIVES
By Irene Isaac
November 1985

Discusses the selection of ADP backup processing support in advance of
events that cause the loss of data processing capability. Emphasis is
placed on management support at all levels of the organization for
planning, funding, and testing of an alternate processing strategy.
The alternative processing methods and criteria for selecting the most
suitable method are presented, and a checklist for evaluating the
suitability of alternatives is provided.

NBS SPEC PUB
500-133
TECHNOLOGY ASSESSMENT: METHODS FOR MEASURING THE LEVEL OF COMPUTER
SECURITY
By William Neugent, John Gilligan, Lance Hoffman, and Zella G.
Ruthberg
October 1985

The document covers methods for measuring the level of computer
security, i.e., technical tools or processes which can be used to help
establish positive indications of security adequacy in computer
applications, systems, and installations. The report addresses
individual techniques and approaches, as well as broader methodologies
which permit the formulation of a composite measure of security that
uses the results of individual techniques and approaches.

NBS SPEC PUB
500-121
GUIDANCE ON PLANNING AND IMPLEMENTING COMPUTER SYSTEMS RELIABILITY
By Lynne S. Rosenthal
January 1985

This report presents guidance to managers and planners on the basic
concepts of computer system reliability and on the implementation of a
management program to improve system reliability. Topics covered
include techniques for quantifying and evaluating data to measure
system reliability, the design of systems for reliability, and
recovery of a computer system after it has failed or produced
erroneous output. An appendix contains references and a list of
selected readings.

NBS SPEC PUB
500-120
SECURITY OF PERSONAL COMPUTER SYSTEMS - A MANAGEMENT GUIDE
By Dennis D. Steinauer
January 1985

This publication provides practical advice on the following issues:
physical and environmental protection; system and data access control;
integrity of software and data; backup and contingency planning;
auditability; and communications protection. References to additional
information, a self-audit checklist, and a guide to security products
for personal computers are included in the appendices.

NBS SPEC PUB
500-109
OVERVIEW OF COMPUTER SECURITY CERTIFICATION AND ACCREDITATION
By Zella G. Ruthberg and William Neugent
April 1984

This publication is a summary of and a guide to FIPS PUB 102,
Guideline to Computer Security Certification and Accreditation. It is
oriented toward the needs of ADP policy managers, information resource
managers, ADP technical managers, and ADP staff in understanding the
certification and accreditation process.

NBS SPEC PUB
500-85
EXECUTIVE GUIDE TO ADP CONTINGENCY PLANNING
By James K. Shaw and Stuart W. Katzke
July 1981

This document provides, in the form of questions and answers, the
background and essential information required to understand the
developmental process for automatic data processing (ADP) contingency
plans. The primary intended audience consists of executives and
managers who depend on ADP resources and services, yet may not be
directly responsible for the daily management or supervision of data
processing activities or facilities.

NBS SPEC PUB
500-67
THE SRI HIERARCHICAL DEVELOPMENT METHODOLOGY (HDM) AND ITS APPLICATION
TO THE DEVELOPMENT OF SECURE SOFTWARE
By Karl N. Levitt, Peter Neumann, and Lawrence Robinson
October 1980

Describes the SRI Hierarchical Development Methodology for designing
large software systems such as operating systems and data management
systems that must meet stringent security requirements.

NBS SPEC PUB
500-61
MAINTENANCE TESTING FOR THE DATA ENCRYPTION STANDARD
By Jason Gait
August 1980

Describes four tests that can be used by manufacturers and users to
check the operation of data encryption devices. These tests are
simple, efficient, and independent of the implementation of the Data
Encryption Standard (FIPS 46).

NBS SPEC PUB
500-57
AUDIT AND EVALUATION OF COMPUTER SECURITY II: SYSTEM VULNERABILITIES
AND CONTROLS
By Zella G. Ruthberg
April 1980

Proceedings of the second NBS/GAO workshop to develop improved
computer security audit procedures. Covers eight sessions: three
sessions on managerial and organizational vulnerabilities and controls
and five technical sessions on terminals and remote peripherals,
communication components, operating systems, applications and non-
integrated data files, and data base management systems.
NBS SPEC PUB
500-54
A KEY NOTARIZATION SYSTEM FOR COMPUTER NETWORKS
By Miles E. Smid
October 1979

Describes a system for key notarization, which can be used with an
encryption device, to improve data security in computer networks. The
key notarization system can be used to communicate securely between
two users, communicate via encrypted mail, protect personal files, and
provide a digital signature capability.

NIST SPEC PUB
800-1
COMPUTER SECURITY IN THE 1980s: SELECTED
BIBLIOGRAPHY
Rein Turn, Compiler, and Lawrence E. Bassham,
Editor
December 1990

This bibliography cites selected books and articles on computer
security published from January 1980 through October 1989. To have
been selected, an article had to be substantial in content and have
been published in professional or technical journals, magazines, or
conference proceedings. Citations are listed under ten categories and
the appendix contains addresses of citations in the bibliography.
OTHER REPORTS
-------------

NBSIR 86-3386
WORK PRIORITY SCHEME FOR EDP AUDIT AND COMPUTER SECURITY REVIEW
By Zella Ruthberg and Bonnie Fisher
August 1986

This publication describes a methodology for prioritizing the work
performed by EDP auditors and computer security reviewers. Developed
at an invitational workshop attended by government and private sector
experts, the work plan enables users to evaluate computer systems for
both EDP audit and security review functions and to develop a
measurement of the risk of the systems. Based on this measure of
risk, the auditor can then determine where to spend review time.

NISTIR 4453
SRI INTERNATIONAL IMPROVING THE SECURITY OF
YOUR UNIX SYSTEM
Edward Roback, NIST Coordinator
August 1990

This publication provides various suggestions for improving the
security of those systems operating under the UNIX operating system.

NISTIR 4451
U.S. DEPARTMENT OF COMMERCE METHODOLOGY FOR
CERTIFYING SENSITIVE COMPUTER APPLICATIONS
Edward Roback, NIST Coordinator
November 1990

This publication describes a standard certification methodology
employed by the U.S. Department of Commerce to ensure that sensitive
applications meet applicable federal policies, regulations, and
standards. The methodology takes the reader through the certification
process step-by-step and describes how audits, internal control
reviews, and risk analyses fit into the certification process.

NISTIR 4409
1989 COMPUTER SECURITY AND PRIVACY PLANS
(CSPP) REVIEW PROJECT: A FIRST-YEAR FEDERAL
RESPONSE TO THE COMPUTER SECURITY ACT OF 1987
(FINAL REPORT)
Dennis M. Gilbert, Report Coordinator
September 1990

This report describes the Computer Security and Privacy Plan review
effort that was conducted in response to the Computer Security Act of
1987 by a joint team from NIST and the National Security Agency (NSA)
in 1989. The report also discusses future directions for implementing
the Act.

NISTIR 4387
U.S. DEPARTMENT OF JUSTICE SIMPLIFIED RISK
ANALYSIS GUIDELINES (SRAG)
Edward Roback, NIST Coordinator
August 1990

This publication contains a risk analysis methodology developed by the
U.S. Department of Justice.

NISTIR 4378
AUTOMATED INFORMATION SYSTEM SECURITY ACCREDITATION GUIDELINES
Edward Roback, NIST Coordinator
August 1990

This report presents guidelines developed by the Federal Aviation
Administration for the preparation of documentation for the security
accreditation of automated information systems.

NISTIR 4362
SECURITY LABELS FOR OPEN SYSTEMS: AN INVITATIONAL WORKSHOP
By Noel Nazario
June 1990

This publication presents the results of a workshop on security labels
held May 30-31, 1990, at NIST. The workshop covered general issues of
labels in "end systems" as well as specific issues of labels in secure
Open System Interconnection (OSI) networks.

NISTIR 4359
DOMESTIC DISASTER RECOVERY PLAN FOR PCs, OIS, AND SMALL VS SYSTEMS
Edward Roback, NIST Coordinator
August 1990

This publication describes a disaster recovery methodology developed
by Advanced Information Management, Inc., under contract to the U.S.
Department of State.

NISTIR 4325
U.S. DEPARTMENT OF ENERGY RISK ASSESSMENT METHODOLOGY
Edward Roback, NIST Coordinator
May 1990

This publication presents a methodology developed by the U.S.
Department of Energy. Volume I of the report includes risk assessment
guideline instructions, a resource table, and a completed sample;
Volume II contains risk assessment worksheets. (NISTIR 4325 contains
both volumes.)

NISTIR 90-4262
SECURE DATA NETWORK SYSTEM (SDNS) KEY MANAGEMENT DOCUMENTS
Charles Dinkel
February 1990

This publication includes four documents dealing with key management
which were developed by the National Security Agency as output from
the SDNS project. The first document profiles the implementation of
SDNS Key Management services in Open Systems. The second document
defines the services provided by the Key Management Application
Service Element (KMASE). The third document gives the specification
of the protocol for services provided by the KMASE. The fourth
document specifies the framework of the SDNS security attribute
negotiation service.

NISTIR 90-4259
SECURE DATA NETWORK SYSTEM (SDNS) ACCESS CONTROL DOCUMENTS
Charles Dinkel
February 1990

This publication contains three documents developed by the National
Security Agency as output from the SDNS project. The first document
describes the principles and functions of the SDNS access control and
authentication security services. The second document gives a
functional description of the SDNS access control system. The third
document details the capabilities and implementation requirements of
the Access Control Information Specification (ACIS).

NISTIR 90-4250
SECURE DATA NETWORK SYSTEM (SDNS) NETWORK, TRANSPORT, AND MESSAGE
SECURITY PROTOCOLS
Charles Dinkel
February 1990

This publication contains four security protocol documents developed
by the National Security Agency as output from the SDNS project.
Areas covered include security at layer 3 of the OSI Model;
cryptographic techniques to protect data at transport connections or
in connectionless-mode transmission; specifications for message
security service and protocol; and directory systems specifications
for message security protocol.

NISTIR 90-4228
PROTOTYPING SP4: A SECURE DATA NETWORK SYSTEM TRANSPORT PROTOCOL
INTEROPERABILITY DEMONSTRATION PROJECT
Charles Dinkel, Noel Nazario, and Robert Rosenthal
January 1990

This report describes the results of work that NCSL completed as part
of its commitment to provide solutions and develop standards for
computer network security. NCSL worked in partnership with the
National Security Agency and industry to demonstrate security at the
Transport layer (layer 4) of the Open Systems Interconnection (OSI)
model.

CSL BULLETINS
-------------
CSL Bulletins are published by NIST's Computer Systems Laboratory.
Each bulletin presents an in-depth discussion of a single topic of
significant interest to the information systems community. To receive
a specific bulletin or to be placed on a mailing list to receive
future bulletins, send your name, organization, and mailing address
to:

CSL Publications
National Institute of Standards and Technology
Technology Building, B151
Gaithersburg, MD 20899
(301) 975-2821 or FTS 879-2821

The following bulletins have been issued to date:

Data Encryption Standard, June 1990*

Guidance to Federal Agencies on the Use of Trusted Systems Technology, July 1990*

Computer Virus Attacks, August 1990*

Bibliography of Computer Security Glossaries, September 1990*

Review of Federal Agency Computer Security and Privacy Plans (CSPP): A Summary Report, October 1990*

Computer Security Roles of NIST and NSA, February 1991*

FIPS 140 - A Standard in Transition, April 1991*

--------------------------------------------------------------------
SUBJECT INDEX
--------------------------------------------------------------------

Contingency Planning
FIPS PUB 87
SPEC PUB 500-85
SPEC PUB 500-134

Database Security
FIPS PUB 88

Data Integrity
SPEC PUB 500-160
SPEC PUB 500-168

Encryption
FIPS PUB 46-1
FIPS PUB 74
FIPS PUB 81
FIPS PUB 113
FIPS PUB 139
FIPS PUB 140
FIPS PUB 141
SPEC PUB 500-54
SPEC PUB 500-61
SPEC PUB 500-156

Evaluation of Computer Security
FIPS PUB 102
SPEC PUB 500-57
SPEC PUB 500-109
SPEC PUB 500-153
NBSIR 86-3386

General Computer Security
FIPS PUB 39
FIPS PUB 73
FIPS PUB 112
SPEC PUB 500-120
SPEC PUB 500-133
SPEC PUB 500-137
SPEC PUB 500-158
SPEC PUB 500-166
SPEC PUB 500-169
SPEC PUB 500-170
SPEC PUB 500-171

Network Security
SPEC PUB 500-54

Physical Security
FIPS PUB 31

Power, Grounding, and Life Safety
FIPS PUB 94

Privacy
FIPS PUB 41

Risk Management
FIPS PUB 31
SPEC PUB 60
SPEC PUB 500-174

Software and Operating Systems
SPEC PUB 500-67
SPEC PUB 500-121
SPEC PUB 500-134

Training Guidelines
SPEC PUB 500-172

User Authentication
FIPS PUB 48
FIPS PUB 83
SPEC PUB 500-157
---------------------------------------------------------------------
PUBLICATION PRICE LIST
---------------------------------------------------------------------

PUBLICATION         ORDERING NUMBER         PRICE

FIPS PUB 31 FIPS PUB 31 $11.95
FIPS PUB 39 FIPS PUB 39 $ 9.95
FIPS PUB 41 FIPS PUB 41 $ 9.95
FIPS PUB 46-1 FIPS PUB 46-1 $ 9.95
FIPS PUB 48 FIPS PUB 48 $ 9.95
FIPS PUB 65 FIPS PUB 65 $ 9.95
FIPS PUB 73 FIPS PUB 73 $11.95
FIPS PUB 74 FIPS PUB 74 $ 9.95
FIPS PUB 81 FIPS PUB 81 $ 9.95
FIPS PUB 83 FIPS PUB 83 $ 9.95
FIPS PUB 87 FIPS PUB 87 $ 9.95
FIPS PUB 88 FIPS PUB 88 $11.95
FIPS PUB 94 FIPS PUB 94 $16.95
FIPS PUB 102 FIPS PUB 102 $11.95
FIPS PUB 112 FIPS PUB 112 $11.95
FIPS PUB 113 FIPS PUB 113 $ 9.95
FIPS PUB 139 FIPS PUB 139 $ .00
FIPS PUB 140 FIPS PUB 140 $ 3.25
FIPS PUB 141 FIPS PUB 141 $ 6.50
SPEC PUB 54 PB 80104698 $11.95
SPEC PUB 57 SN 003-003-02178-4 $ 7.00
SPEC PUB 61 PB 80221211 $ 9.95
SPEC PUB 67 PB 81115537 $13.95
SPEC PUB 85 PB 82165226 $ 9.95
SPEC PUB 109 SN 003-003-02567-4 $ 1.50
SPEC PUB 120 SN 003-003-02627-1 $ 3.00
SPEC PUB 121 SN 003-003-02628-0 $ 2.25
SPEC PUB 133 SN 003-003-02686-7 $ 8.00
SPEC PUB 134 SN 003-003-02701-4 $ 1.75
SPEC PUB 137 PB 86213097 $13.95
SPEC PUB 153 SN 003-003-02856-8 $13.00
SPEC PUB 156 SN 003-003-02860-6 $ 2.75
SPEC PUB 157 SN 003-003-02887-8 $ 2.75
SPEC PUB 158 SN 003-003-02883-5 $ 7.50
SPEC PUB 160 SN 003-003-02904-1 $11.00
SPEC PUB 166 SN 003-003-02955-6 $ 2.50
SPEC PUB 168 SN 003-003-02966-1 $20.00
SPEC PUB 169 SN 003-003-02969-6 $ 1.50
SPEC PUB 170 SN 003-003-02968-8 $ 1.75
SPEC PUB 171 SN 003-003-02970-0 $ 1.00
SPEC PUB 172 SN 003-003-02975-1 $ 2.50
SPEC PUB 174 SN 003-003-02971-8 $ 2.00
SPEC PUB 800-1 SN 003-003-03060-1 $11.00
NBSIR 86-3386 PB 86247897 $11.95
NISTIR 4325 PB 90-244484 $23.00
NISTIR 4359 PB 90-265240 $15.00
NISTIR 4362 PB 90-247446 $30.00
NISTIR 4378 PB 90-264102 $15.00
NISTIR 4387 PB 90-265257 $17.00
NISTIR 4409 PB 91-107504 $23.00
NISTIR 4451 PB 91-120162 $17.00
NISTIR 4453 PB 91-120121 $17.00
NISTIR 90-4228 PB 90-159609 $15.00
NISTIR 90-4250 PB 90-198946 $17.00
NISTIR 90-4259 PB 90-188061 $23.00
NISTIR 90-4262 PB 90-188079 $17.00

FIPS available from NTIS
SN Numbers - Stocked by GPO
PB Numbers - Stocked by NTIS

*Document can be downloaded from this BBS.
