New Updates to Federal Industry Technology Standards and Guidance

Published: July 01, 2015

Tags: Cloud Computing, DOC, Critical Infrastructure Protection, Cybersecurity, Digital Government, DOE, DOJ

So far in 2015, the National Institute of Standards and Technology (NIST) has published almost a dozen documents that will have some impact on the products and services contractors provide to the federal government. Half of these were released during the month of June.

Whether they realize it or not, most contractors providing the government with information technologies and services are familiar with the Information Technology Laboratory (ITL) at NIST. The ITL develops tests, methodologies, reference data, and technical analyses to further develop productive uses of information technology. Its programs concentrate on a broad range of areas, including critical infrastructure technology, networking, security, and advanced information technologies, along with the mathematical, statistical, and computational sciences. This is the organization within NIST that is responsible for creating numerous management, administrative, technical, and physical standards and guidelines for federal information systems. The series of documents that get the most attention from tech vendors address computer systems technology (the Special Publication 500-series) and computer security (the Special Publication 800-series). In addition to reporting on ITL’s research and test methods, both of these series report on collaborative activities with industry, government, and academic groups. Nearly half a dozen new documents were published in June; they are briefly summarized below.

Computer Systems Technology

JPEG 2000 CODEC Certification Guidance for 1000 ppi Fingerprint Friction Ridge Imagery

Published: June 04, 2015

Criminal justice communities throughout the world exchange fingerprint imagery data, and fingerprint technology has continued to evolve and advance. JPEG 2000 was developed as a standard encoder and decoder (CODEC) to improve on the existing image-compression standard’s methodology, delivering better performance (data compression and image quality) and greater flexibility. In 2013, NIST partnered with the Federal Bureau of Investigation to develop guidance for applying JPEG 2000 to compress fingerprint scans captured at 1000 ppi. That guidance was published as NIST Special Publication 500-289, and the FBI’s Advisory Policy Board (APB) adopted the standards in June 2014. The previous document stopped short of providing guidance on testing for compliance, which is where this new guidance comes into play. This document provides the background behind the conformance testing, describes the CODEC pathways to be tested and the metrics used to measure compliance, and provides instructions on how to run the protocol and submit results to NIST for evaluation.

Conformance Testing Methodology Framework for ANSI/NIST-ITL 1-2011 Update: 2013, Data Format for the Interchange of Fingerprint, Facial & Other Biometric Information

Published: June 24, 2015

Conformance testing measures whether an implementation meets the technical requirements of an established standard. No conformance test can be complete enough to cover the full range of mandatory, conditional, and optional characteristics that could be included in American National Standards Institute (ANSI)/NIST-ITL 1-2011 Update: 2013 transactions; that standard addresses data formatting for fingerprint, facial, and other biometric information. However, a conformance test tool that dependably implements a standard conformance testing methodology can increase confidence in the test results. This document discusses three levels of conformance testing (Level 1, Level 2, and Level 3) and provides a syntax for describing conformance test procedures.

Computer Security Series

Guide to Industrial Control Systems (ICS) Security

Published: June 18, 2015

Industrial Control Systems (ICS) are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and the manufacturing of automotive, aerospace, and durable goods. These control systems are vital to the operation of the U.S. critical infrastructures, which are often highly interconnected and mutually dependent. This document provides guidance on how to secure ICS, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other systems performing control functions. The document identifies known threats and vulnerabilities to these systems, provides recommended security countermeasures to mitigate the associated risks, and presents an ICS-tailored security control overlay (based on NIST SP 800-53 Rev. 4).

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Published: June 18, 2015

The purpose of this publication is to provide federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI), which is of increasing importance as agencies rely more and more on external service providers. Ensuring this protection for unclassified federal information in nonfederal information systems and organizations depends on the federal government providing an orderly, structured process for identifying the different types of information that are routinely used by federal agencies. These requirements apply only to components of nonfederal information systems that process, store, or transmit CUI, or that provide security protection for such components.

Recommendation for Random Number Generation Using Deterministic Random Bit Generators

Published: June 24, 2015

In response to public concerns around cryptographic security, NIST has revised its guidance for generating random numbers, a key component of data encryption. This new recommendation includes several notable changes. The most significant is the removal of the Dual_EC_DRBG algorithm, informally referred to as the "Dual Elliptic Curve random number generator," from the list of recommended algorithms. Another change concerns one of the remaining random number algorithms and additional options for its use. Other revisions address reintroducing randomness (reseeding) into the deterministic algorithms.
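To make the "reintroducing randomness" point concrete, here is an added example (not code from the NIST publication, nor from this article) of how a deterministic random bit generator consumes a seed, emits output, and is reseeded. It implements the HMAC_DRBG construction from SP 800-90A over SHA-256, which is one of the generators that remain in the recommendation; the reseed interval, the sample seeds and the helper names (`HmacDrbg`, `demo`) are this example's own choices, not values taken from the document.

```python
import hashlib
import hmac
import os

OUTLEN = hashlib.sha256().digest_size  # 32 bytes of output per HMAC call
MIN_ENTROPY_BYTES = 32                 # 256-bit security strength for SHA-256


class HmacDrbg:
    """HMAC_DRBG (SP 800-90A) instantiated with SHA-256.

    The internal state is (key, value). Output is deterministic from the seed,
    which is why a reseed interval exists: after a bounded number of generate
    calls fresh entropy must be mixed back in.
    """

    def __init__(self, entropy: bytes, nonce: bytes = b"",
                 personalization: bytes = b"", reseed_interval: int = 10_000):
        if len(entropy) < MIN_ENTROPY_BYTES:
            raise ValueError("entropy input too short for the security strength")
        self.key = b"\x00" * OUTLEN
        self.value = b"\x01" * OUTLEN
        self.reseed_interval = reseed_interval
        # seed_material = entropy_input || nonce || personalization_string
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        """HMAC_DRBG_Update: fold provided_data (possibly empty) into (key, value)."""
        self.key = self._hmac(self.value + b"\x00" + provided_data)
        self.value = self._hmac(self.value)
        if not provided_data:
            return
        self.key = self._hmac(self.value + b"\x01" + provided_data)
        self.value = self._hmac(self.value)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        """Reintroduce fresh randomness and reset the reseed counter."""
        if len(entropy) < MIN_ENTROPY_BYTES:
            raise ValueError("entropy input too short for the security strength")
        self._update(entropy + additional_input)
        self.reseed_counter = 1

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        """Produce n_bytes of output; refuse once the reseed interval is exhausted."""
        if self.reseed_counter > self.reseed_interval:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n_bytes:
            self.value = self._hmac(self.value)
            out += self.value
        # Back-track resistance: update the state after every generate call.
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n_bytes]


def demo() -> dict:
    """Constructed seeds, used so the run is reproducible offline.

    Returns facts a caller can check: two instances with the same seed agree,
    a reseed makes them diverge, and a small interval forces a reseed.
    """
    seed = bytes(range(32))            # constructed, NOT a real entropy source
    a = HmacDrbg(seed, nonce=b"nonce")
    b = HmacDrbg(seed, nonce=b"nonce")
    same_before = a.generate(16) == b.generate(16)
    a.reseed(os.urandom(32))           # real entropy only in the demo reseed
    differ_after = a.generate(16) != b.generate(16)

    c = HmacDrbg(seed, reseed_interval=2)
    c.generate(8)
    c.generate(8)
    try:
        c.generate(8)
        forced_reseed = False
    except RuntimeError:
        forced_reseed = True
    return {"same_before": same_before, "differ_after": differ_after,
            "forced_reseed": forced_reseed}


if __name__ == "__main__":
    print(demo())
```

The practical lesson for a vendor is the one the revision stresses: a DRBG is only as good as the entropy fed to it at instantiation and reseed, and an implementation must enforce the reseed interval rather than treat the generator as an unbounded source.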

Takeaway for Vendors

Standards and technology are continually evolving. While these documents make for dry reading, it’s worth noting that the effects of finalizing a single document in the Special Publication (SP) 800-series continue to ripple through federal system requirements, in turn shaping agency buying habits. A competitive edge can be gained or lost based on a vendor’s ability to stay on top of the most current standards and requirements agencies face.