94-1819. Second Solicitation of Comments on Proposed Federal Information Processing Standard for Standard Security Label for the Government Open Systems Interconnection Profile  

  • [Federal Register Volume 59, Number 19 (Friday, January 28, 1994)]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 94-1819]
    
    
    
    
    -----------------------------------------------------------------------
    
    DEPARTMENT OF COMMERCE
    National Institute of Standards and Technology
    [Docket No. 920535-3305]
    RIN 0693-AA99
    
    
    Second Solicitation of Comments on Proposed Federal Information 
    Processing Standard for Standard Security Label for the Government Open 
    Systems Interconnection Profile
    
    AGENCY: National Institute of Standards and Technology (NIST), 
    Commerce.
    
    ACTION: Notice; request for comments.
    
    -----------------------------------------------------------------------
    
    SUMMARY: The purpose of this notice is to announce the revised proposed 
    Federal Information Processing Standard (FIPS) for Standard Security 
    Label for the Government Open Systems Interconnection Profile. This 
    proposed FIPS was originally announced in the Federal Register (57 FR 
    37948) on August 21, 1992.
        NIST received comments from 28 government and industry 
    organizations in response to the first notice on the proposed FIPS for 
    Standard Security Label for the Government Open Systems Interconnection 
    Profile. While many of the comments supported the proposed standard, 
    other comments, particularly those received from the Department of 
    Defense, recommended changes to broaden the scope of the standard and 
    make it compatible with other government efforts to develop secure 
    communications processes.
        NIST has been working with the Department of Defense and other 
    organizations to revise the original proposal and to develop a common 
    standard for security labels that will meet the needs of the interested 
    parties.
        NIST solicits views from the public, manufacturers, and Federal, 
    State and local government users on this revised proposed standard 
    prior to submission to the Secretary of Commerce for review and 
    approval.
        The revised proposed standard contains two sections: (1) An 
    announcement section, which provides information concerning the 
    applicability, implementation, and maintenance of the standard; and (2) 
    a specifications section which deals with the technical aspects of the 
    standard. Only the announcement section of the standard is provided in 
    this notice. Interested parties may obtain copies of the specifications 
    section from the Standards Processing Coordinator (ADP), National 
    Institute of Standards and Technology, Technology Building, room B64, 
    Gaithersburg, MD 20899, telephone (301) 975-2816.
    
    DATES: Comments on this revised proposed standard must be received on 
    or before March 29, 1994.
    
    ADDRESSES: Written comments concerning the revised proposed standard 
    should be sent to: Director, Computer Systems Laboratory, ATTN: Revised 
    Proposed FIPS for Standard Security Label, Technology Building, room 
    B154, National Institute of Standards and Technology, Gaithersburg, MD 
    20899.
        Written comments received in response to this notice will be made 
    part of the public record and will be made available for inspection and 
    copying in the Central Reference and Records Inspection Facility, room 
    6020, Herbert C. Hoover Building, 14th Street between Pennsylvania and 
    Constitution Avenues, NW., Washington, DC 20230.
    
    FOR FURTHER INFORMATION CONTACT:
    Mr. Noel Nazario, National Institute of Standards and Technology, 
    Gaithersburg, MD 20899, telephone (301) 975-2837.
    
        Dated: January 24, 1994.
    Samuel Kramer,
    Associate Director.
    
    Federal Information Processing Standard Publication XXX
    
    Draft 1993 September 30 Draft
    
    Announcing a Standard Security Label for the Government Open Systems 
    Interconnection Profile
    
        Federal Information Processing Standards Publications (FIPS PUBS) 
    are issued by the National Institute of Standards and Technology (NIST) 
    after approval by the Secretary of Commerce pursuant to section 111(d) 
    of the Federal Property and Administrative Services Act of 1949 as 
    amended by the Computer Security Act of 1987, Public Law 100-235.
        Name of Standard: Standard Security Label for the Government Open 
    Systems Interconnection Profile.
        Category of Standard: Computer Security, Security Labels
        Explanation: This standard specifies the security label for the 
    U.S. Government Open Systems Interconnection Profile (GOSIP). GOSIP 
    security labels carry information used by protocol entities to 
    determine how to handle data communicated between open systems. 
    Information on a security label can be used to control access, specify 
    protective measures, and determine additional handling restrictions 
    required by a communications security policy.
        This standard specifies the syntax for the labels and relies on a 
    Computer Security Objects Register (CSOR) to provide the semantics. The 
    separation of the label syntax from its semantics enables a common 
    label format to support multiple security policies and facilitate 
    cross-domain communications.
        Given the inherent differences in layer functionality, the security 
    label defined in this document is expressed both as an abstract label 
    syntax specification for the OSI Application Layer and an encoding 
    optimized for use at the Network Layer. The Application and Network 
    Layers are the initial targets of GOSIP security.
        The label presented here defines security tags that may be combined 
    into tag sets to carry security-related information. Five basic 
    security tag types allow security information to be represented as bit 
    maps, attribute enumerations, attribute range selections, hierarchical 
    security levels, or as user-defined data.
        Approving Authority: Secretary of Commerce.
        Maintenance Agency: Computer Systems Laboratory, National Institute 
    of Standards and Technology.
    
    Cross Index:
    
    Federal Information Resources Management Regulations, subpart 201-
    20.303, Standards, and subpart 201-39.1002, Federal Standards.
    ``Procedures for Registering Computer Security Objects'', NISTIR XXXX, 
    September 1993.
    ``U.S. Government Open Systems Interconnection Profile'' (GOSIP), FIPS 
    PUB 146-1, April 1991.
    
        Scope: This standard specifies a security label for GOSIP-compliant 
    implementations. It includes two label specifications, one suitable for 
    the OSI Application Layer, and the other for the Network Layer. GOSIP 
    will call for the use of this standard when optional security protocols 
    at these layers require the use of security labels.
        Applicability: The specified Standard Security Label (SSL) applies 
    to OSI communications systems handling U.S. Government unclassified but 
    sensitive data. The SSL shall be used on OSI systems required to label 
    data as indicated in the security chapter of GOSIP. Although this 
    standard is intended for use on systems handling unclassified 
    information, it could be adopted by the appropriate authorities for use 
    on systems handling classified information.
        The SSL may be used by OSI protocols to control access, specify 
    protective measures, and indicate handling restrictions required by a 
    network security policy as registered in a Computer Security Objects 
    Register.
        Complying implementations shall be capable of transmitting, 
    receiving, and obtaining information from security labels based on the 
    specifications in this document.
        Specifications: Federal Information Processing Standard (FIPS xxx) 
    Standard Security Label for the Government Open Systems Interconnection 
    Profile (affixed).
        Implementation Schedule: This standard becomes effective six months 
    after publication of a notice in the Federal Register of its approval 
    by the Secretary of Commerce.
        Waiver Procedure: Under certain exceptional circumstances, the 
    heads of Federal departments and agencies may approve waivers to 
    Federal Information Processing Standards (FIPS). The head of such 
    agency may redelegate such authority only to a senior official 
    designated pursuant to section 3506(b) of title 44, United States Code. 
    Waiver shall be granted only when:
        a. Compliance with a standard would adversely affect the 
    accomplishment of the mission of an operator of a Federal computer 
    system; or
        b. Compliance with a standard would cause a major adverse financial 
    impact on the operator which is not offset by Government-wide savings.
        Agency heads may act upon a written waiver request containing the 
    information detailed above. Agency heads may also act without a written 
    waiver request when they determine that conditions for meeting the 
    standard cannot be met. Agency heads may approve waivers only by a 
    written decision which explains the basis on which the agency head made 
    the required finding(s). A copy of each decision, with procurement 
    sensitive or classified portions clearly identified, shall be sent to: 
    National Institute of Standards and Technology; ATTN: FIPS Waiver 
    Decisions, Technology Building, room B-154, Gaithersburg, MD 20899.
        In addition, notice of each waiver granted and each delegation of 
    authority to approve waivers shall be sent promptly to the Committee on 
    Government Operations of the House of Representatives and the Committee 
    on Government Affairs of the Senate and shall be published promptly in 
    the Federal Register.
        When the determination on a waiver applies to the procurement of 
    equipment and/or services, a notice of the waiver determination must be 
    published in the Commerce Business Daily as a part of the notice of 
    solicitation for offers of an acquisition or, if the waiver 
    determination is made after that notice is published, by amendment of 
    such notice.
        A copy of the waiver, any supporting documents, the document 
    approving the waiver and any accompanying documents, with such 
    deletions as the agency is authorized and decides to make under United 
    States Code section 552(b), shall be part of the procurement 
    documentation and retained by the agency.
        Where to Obtain Copies: Copies of this publication are for sale by 
    the National Technical Information Service, U.S. Department of 
    Commerce, Springfield, VA 22161. When ordering, refer to Federal 
    Information Processing Standards Publication XX (FIPS PUB XX), and 
    identify the title. When microfiche is desired, this should be 
    specified. Prices are published by NTIS in current catalogs and other 
    issuances. Payment may be made by check, money order, deposit account 
    or charged to a credit card accepted by NTIS.
    
    [FR Doc. 94-1819 Filed 1-27-94; 8:45 am]
    BILLING CODE 3510-CN-M
    
    
    
