
NIST - FIPS

FIPS PUB 105, WITHDRAWAL OF NINE OBSOLETE GUIDELINES IN THE FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) SERIES - - FIPS 38, 42-1, 45, 5, 65, 67, 7
Ident. Num:
FIPS PUB 105 
  Rev. Num:

FIPS PUB 105, WITHDRAWAL OF NINE OBSOLETE GUIDELINES IN THE FEDERAL INFORMATION PROCESSING STANDARDS (FIPS) SERIES - - FIPS 38, 42-1, 45, 5, 65, 67, 72, AND 105 (31 AUG 1995).
FIPS PUB 140-2, SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES (25 MAY 2001)
Ident. Num:
140-2 
  Rev. Num:

FIPS PUB 140-2, SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES. This Federal Information Processing Standard (140-2) was recently approved by the Secretary of Commerce. It specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks. (Supersedes FIPS PUB 140-1, 1994 January 11)
FIPS PUB 171, KEY MANAGEMENT USING ANSI X9.17 (27 APR 1992)
Ident. Num:
FIPS PUB 171 
  Rev. Num:

FIPS PUB 171, KEY MANAGEMENT USING ANSI X9.17 (27 APR 1992). This standard specifies a particular selection of options for the automated distribution of keying material by the Federal Government when using the protocols of ANSI X9.17. ANSI X9.17 defines procedures for the manual and automated management of keying materials and contains a number of options. Systems which are built to conform to all options of ANSI X9.17 are likely to be complex and expensive. The selected options specified in this standard will allow the development of cost-effective systems which will, in addition, increase the likelihood of interoperability.
FIPS PUB 180-2, SECURE HASH STANDARD (SHS) (AUG 2002)
Ident. Num:
180-2 
  Rev. Num:

FIPS PUB 180-2, SECURE HASH STANDARD (SHS) (AUG 2002). The purpose of this standard is to specify a Secure Hash Algorithm to be used by both the transmitter and intended receiver of a message in computing and verifying a digital signature. This Standard specifies four secure hash algorithms - SHA-1, SHA-256, SHA-384, and SHA-512 - for computing a condensed representation of electronic data (message). When a message of any length < 2^64 bits (for SHA-1 and SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to an algorithm, the result is an output called a message digest. The message digests range in length from 160 to 512 bits, depending on the algorithm. Secure hash algorithms are typically used with other cryptographic algorithms, such as digital signature algorithms and keyed-hash message authentication codes, or in the generation of random numbers (bits). FIPS 180-2 superseded FIPS 180-1 as of February 1, 2003.
FIPS PUB 184, INTEGRATION DEFINITION FOR INFORMATION MODELING (IDEF1X)
Ident. Num:
FIPS PUB 184 
  Rev. Num:

FIPS PUB 184, INTEGRATION DEFINITION FOR INFORMATION MODELING (IDEF1X). This publication announces the adoption of the Integration Definition for Information Modeling (IDEF1X) as a Federal Information Processing Standard (FIPS). This standard is based on the Integration Information Support System (IISS), Volume V - Common Data Model Subsystem, Part 4 - Information Modeling Manual - IDEF1 Extended, 1 (IDEF1X) November 1985. This standard describes the IDEF1X modeling language (semantics and syntax) and associated rules and techniques, for developing a logical model of data. IDEF1X is used to produce a graphical information model which represents the structure and semantics of information within an environment or system. Use of this standard permits the construction of semantic data models which may serve to support the management of data as a resource, the integration of information systems, and the building of computer databases. This standard is the reference authority for use by information modelers required to utilize the IDEF1X modeling technique, implementors in developing tools for implementing this technique, and other computer professionals in understanding the precise syntactic and semantic rules of the standard.
FIPS PUB 185, ESCROWED ENCRYPTION STANDARD (EES) (FEB 1994)
Ident. Num:
185 
  Rev. Num:

FIPS PUB 185, ESCROWED ENCRYPTION STANDARD (EES) (FEB 1994). This Standard specifies use of a symmetric-key encryption (and decryption) algorithm (SKIPJACK) and a Law Enforcement Access Field (LEAF) creation method (one part of a key escrow system) which provides for decryption of encrypted telecommunications when interception of the telecommunications is lawfully authorized. Both the SKIPJACK algorithm and the LEAF creation method are to be implemented in electronic devices (e.g., very large scale integration chips). The devices may be incorporated in security equipment used to encrypt (and decrypt) sensitive unclassified telecommunications data. Decryption of lawfully intercepted telecommunications may be achieved through the acquisition and use of the LEAF, the decryption algorithm and the two escrowed key components.
FIPS PUB 186-2, DIGITAL SIGNATURE STANDARD (DSS) (JAN 2000)
Ident. Num:
186-2 
  Rev. Num:

FIPS PUB 186-2. This standard specifies a suite of algorithms which can be used to generate a digital signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature in proving to a third party that the signature was in fact generated by the signatory. This is known as nonrepudiation since the signatory cannot, at a later time, repudiate the signature.
FIPS PUB 188, STANDARD SECURITY LABEL FOR INFORMATION TRANSFER (SEPT 1994)
Ident. Num:
188 
  Rev. Num:

FIPS PUB 188, STANDARD SECURITY LABEL FOR INFORMATION TRANSFER (SEPT 1994). Information Transfer security labels convey information used by protocol entities to determine how to handle data communicated between open systems. Information on a security label can be used to control access, specify protective measures, and determine handling restrictions required by a communications security policy. This standard defines a security label syntax for information exchanged over data networks and provides encodings of that syntax for use at the Application and Network Layers. The syntactic constructs defined in this standard are intended to be used along with semantics provided by the authority establishing the security policy for the protection of the information exchanged. A separate NIST document, referenced in an informative appendix, defines a Computer Security Objects Register (CSOR) that serves as repository for label semantics.
FIPS PUB 191, SPECIFICATIONS FOR GUIDELINE FOR THE ANALYSIS LOCAL AREA NETWORK (NOV 1994)
Ident. Num:
191 
  Rev. Num:

FIPS PUB 191, SPECIFICATIONS FOR GUIDELINE FOR THE ANALYSIS LOCAL AREA NETWORK (NOV 1994). Local area networks (LANs) have become a major tool to many organizations in meeting data processing and data communication needs. Prior to the use of LANs, most processing and communications were centralized; the information and control of that information were centralized as well. Now LANs logically and physically extend data, processing and communication facilities across the organization. Security services that protect the data, processing and communication facilities must also be distributed throughout the LAN. For example, sending sensitive files that are protected with stringent access controls on one system, over a LAN to another system that has no access control protection, defeats the efforts made on the first system. Users must ensure that their data and the LAN itself are adequately protected. LAN security should be an integral part of the whole LAN, and should be important to all users. Electronic mail (email), a major application provided by most LANs, replaces much of the interoffice and even interorganizational mail that is written on paper and placed in an envelope. This envelope provides some confidentiality between the sender and receiver, and it can even be argued that the integrity of the paper envelope provides the receiver with some degree of assurance that the message was not altered. Using electronic mail does not provide these assurances. Simple transfers on unprotected LANs of inadequately protected electronic mail messages can be captured and read or perhaps even altered. For some LANs, there can be no assurance that the message actually was sent from the named sender. Fortunately, tools such as encryption, digital signatures, and message authentication codes help solve these problems and can help provide some assurance.
Understanding the necessity to provide security on a LAN and how to decide the appropriate security measures needed are major goals of this document. The intended readers of this document include organizational management, LAN administrators, system administrators, security officers, LAN users and others who have a responsibility for protecting information processed, stored or associated with a LAN. The purpose of this document is to help the reader understand the need for LAN security and to provide guidance in determining effective LAN security controls.
FIPS PUB 196, ENTITY AUTHENTICATION USING PUBLIC KEY CRYPTOGRAPHY (FEB 1996)
Ident. Num:
196 
  Rev. Num:

FIPS PUB 196, ENTITY AUTHENTICATION USING PUBLIC KEY CRYPTOGRAPHY (FEB 1996). This standard specifies two challenge-response protocols by which entities in a computer system may authenticate their identities to one another. These may be used during session initiation, and at any other time that entity authentication is necessary. Depending on which protocol is implemented, either one or both entities involved may be authenticated. The defined protocols are derived from an international standard for entity authentication based on public key cryptography, which uses digital signatures and random number challenges. Authentication based on public key cryptography has an advantage over many other authentication schemes because no secret information has to be shared by the entities involved in the exchange. A user (claimant) attempting to authenticate oneself must use a private key to digitally sign a random number challenge issued by the verifying entity. This random number is a time variant parameter which is unique to the authentication exchange. If the verifier can successfully verify the signed response using the claimant's public key, then the claimant has been successfully authenticated.
FIPS PUB 197, ADVANCED ENCRYPTION STANDARD (AES) (NOV 2001)
Ident. Num:
197 
  Rev. Num:

FIPS PUB 197, ADVANCED ENCRYPTION STANDARD (AES) (NOV 2001). The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. The AES algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.
FIPS PUB 198, THE KEYED-HASH MESSAGE AUTHENTICATION CODE (HMAC)
Ident. Num:
FIPS PUB 198 
  Rev. Num:

FIPS PUB 198, THE KEYED-HASH MESSAGE AUTHENTICATION CODE (HMAC). This standard describes a keyed-hash message authentication code (HMAC), a mechanism for message authentication using cryptographic hash functions. HMAC can be used with any iterative Approved cryptographic hash function, in combination with a shared secret key. The cryptographic strength of HMAC depends on the properties of the underlying hash function. The HMAC specification in this standard is a generalization of Internet RFC 2104, HMAC, Keyed-Hashing for Message Authentication, and ANSI X9.71, Keyed Hash Message Authentication Code.
FIPS PUB 199, STANDARDS FOR SECURITY CATEGORIZATION OF FEDERAL INFORMATION AND INFORMATION SYSTEMS (FEB 2004)
Ident. Num:
FIPS PUB 199 
  Rev. Num:

FIPS PUB 199, STANDARDS FOR SECURITY CATEGORIZATION OF FEDERAL INFORMATION AND INFORMATION SYSTEMS (FEB 2004). The E-Government Act of 2002 (Public Law 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), tasked NIST with responsibilities for standards and guidelines, including the development of: • Standards to be used by all federal agencies to categorize all information and information systems collected or maintained by or on behalf of each agency based on the objectives of providing appropriate levels of information security according to a range of risk levels; • Guidelines recommending the types of information and information systems to be included in each category; and • Minimum information security requirements (i.e., management, operational, and technical controls), for information and information systems in each such category. FIPS Publication 199 addresses the first task cited—to develop standards for categorizing information and information systems. Security categorization standards for information and information systems provide a common framework and understanding for expressing security that, for the federal government, promotes: (i) effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities; and (ii) consistent reporting to the Office of Management and Budget (OMB) and Congress on the adequacy and effectiveness of information security policies, procedures, and practices. Subsequent NIST standards and guidelines will address the second and third tasks cited.
FIPS PUB 200, MINIMUM SECURITY REQUIREMENTS FOR FEDERAL INFORMATION AND INFORMATION SYSTEMS (MAR 2006)
Ident. Num:
200 
  Rev. Num:

FIPS PUB 200, MINIMUM SECURITY REQUIREMENTS FOR FEDERAL INFORMATION AND INFORMATION SYSTEMS. FIPS 200 is the second standard that was specified by the Federal Information Security Management Act of 2002 (FISMA). It is an integral part of the risk management framework that NIST has developed to assist federal agencies in providing levels of information security based on levels of risk. FIPS 200 specifies minimum security requirements for federal information and information systems and a risk-based process for selecting the security controls necessary to satisfy the minimum requirements.
FIPS PUB 201-1, PERSONAL IDENTITY VERIFICATION FOR FEDERAL EMPLOYEES AND CONTRACTORS (MAR 2006)
Ident. Num:
201-1 
  Rev. Num:

FIPS PUB 201-1, PERSONAL IDENTITY VERIFICATION FOR FEDERAL EMPLOYEES AND CONTRACTORS (MAR 2006). This standard specifies the architecture and technical requirements for a common identification standard for Federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to Federally controlled government facilities and electronic access to government information systems.
FIPS PUB 31, GUIDELINES FOR AUTOMATIC DATA PROCESSING PHYSICAL SECURITY AND RISK MANAGEMENT (JUNE 1974)
Ident. Num:
31 
  Rev. Num:

FIPS PUB 31, GUIDELINES FOR AUTOMATIC DATA PROCESSING PHYSICAL SECURITY AND RISK MANAGEMENT (JUNE 1974). This publication provides guidelines to be used by Federal organizations in structuring physical security programs for their ADP facilities. It treats security analysis, natural disasters, supporting utilities, system reliability, procedural measures and controls, off-site facilities, contingency plans, security awareness and security audit. It contains statistics and information relevant to physical security of computer data and facilities and references many applicable publications for a more exhaustive treatment of specific subjects.
FIPS PUB 4, CALENDAR DATE (1 NOV 1968)
Ident. Num:
FIPS PUB 4 

FIPS PUB 4, CALENDAR DATE (1 NOV 1968). This standard will be prescribed for the interchange of formatted machine sensible coded data between and among agencies. Use within agency data systems is encouraged when such use contributes to operational benefits, efficiency or economy.
FIPS PUB 41, COMPUTER SECURITY GUIDELINES FOR IMPLEMENTING THE PRIVACY ACT OF 1974
Ident. Num:
FIPS PUB 41 
  Rev. Num:

FIPS PUB 41, COMPUTER SECURITY GUIDELINES FOR IMPLEMENTING THE PRIVACY ACT OF 1974. This publication provides guidelines for use by Federal ADP organizations in implementing the computer security safeguards necessary for compliance with Public Law 93-579, the Privacy Act of 1974.
FIPS PUB 46-3, DATA ENCRYPTION STANDARD (DES) (OCT 1999)
Ident. Num:
46-3 
  Rev. Num:

FIPS PUB 46-3, DATA ENCRYPTION STANDARD (DES) (OCT 1999). The selective application of technological and related procedural safeguards is an important responsibility of every Federal organization in providing adequate security to its electronic data systems. This publication specifies two cryptographic algorithms, the Data Encryption Standard (DES) and the Triple Data Encryption Algorithm (TDEA) which may be used by Federal organizations to protect sensitive data. Protection of data during transmission or while in storage may be necessary to maintain the confidentiality and integrity of the information represented by the data. The algorithms uniquely define the mathematical steps required to transform data into a cryptographic cipher and also to transform the cipher back to the original form. The Data Encryption Standard is being made available for use by Federal agencies within the context of a total security program consisting of physical security procedures, good information management practices, and computer system/network access controls. This revision supersedes FIPS 46-2 in its entirety.
FIPS PUB 94, GUIDELINE ON ELECTRICAL POWER FOR ADP INSTALLATIONS (21 SEP 1983)
FIPS PUB 94, GUIDELINE ON ELECTRICAL POWER FOR ADP INSTALLATIONS (21 SEP 1983).
FIPS PUB 95-2, CODES FOR THE IDENTIFICATION OF FEDERAL AND FEDERALLY ASSISTED ORGANIZATIONS (1999 April 15)
Ident. Num:
FIPS PUB 95-2 

FIPS PUB 95-2, CODES FOR THE IDENTIFICATION OF FEDERAL AND FEDERALLY ASSISTED ORGANIZATIONS (1999 April 15). Purpose: Specifies a four-character identifier for Federal Government Legislative, Judicial and Executive Branch agencies, and for Federal-State, interstate and international organizations that receive budgetary support. Also includes government-sponsored enterprises and some Federally aided organizations. Applicability: Systems requiring the interchange of data among Federal ADP users and internal data systems where such use contributes to operational benefits, efficiency and economy. Solicitation Wording: Interchange of Machine Processable Data. All application programs resulting from this requirement that have been identified as those that will be interchanged, or that will record data that will be interchanged with Federal agencies, State and local governments, industry, and the public must implement FIPS 95-2 if the provisions of FIPS 95-2 apply to the data being interchanged.

