[Federal Register Volume 59, Number 19 (Friday, January 28, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-1819]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 920535-3305]
RIN 0693-AA99
Second Solicitation of Comments on Proposed Federal Information
Processing Standard for Standard Security Label for the Government Open
Systems Interconnection Profile
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice; request for comments.
-----------------------------------------------------------------------
SUMMARY: The purpose of this notice is to announce the revised proposed
Federal Information Processing Standard (FIPS) for Standard Security
Label for the Government Open Systems Interconnection Profile. This
proposed FIPS was originally announced in the Federal Register (57 FR
37948) on August 21, 1992.
NIST received comments from 28 government and industry
organizations in response to the first notice on the proposed FIPS for
Standard Security Label for the Government Open Systems Interconnection
Profile. While many of the comments supported the proposed standard,
other comments, particularly those received from the Department of
Defense, recommended changes to broaden the scope of the standard and
make it compatible with other government efforts to develop secure
communications processes.
NIST has been working with the Department of Defense and other
organizations to revise the original proposal and to develop a common
standard for security labels that will meet the needs of the interested
parties.
NIST solicits views from the public, manufacturers, and Federal,
State and local government users on this revised proposed standard
prior to submission to the Secretary of Commerce for review and
approval.
The revised proposed standard contains two sections: (1) An
announcement section, which provides information concerning the
applicability, implementation, and maintenance of the standard; and (2)
a specifications section which deals with the technical aspects of the
standard. Only the announcement section of the standard is provided in
this notice. Interested parties may obtain copies of the specifications
section from the Standards Processing Coordinator (ADP), National
Institute of Standards and Technology, Technology Building, room B64,
Gaithersburg, MD 20899, telephone (301) 975-2816.
DATES: Comments on this revised proposed standard must be received on
or before March 29, 1994.
ADDRESSES: Written comments concerning the revised proposed standard
should be sent to: Director, Computer Systems Laboratory, ATTN: Revised
Proposed FIPS for Standard Security Label, Technology Building, room
B154, National Institute of Standards and Technology, Gaithersburg, MD
20899.
Written comments received in response to this notice will be made
part of the public record and will be made available for inspection and
copying in the Central Reference and Records Inspection Facility, room
6020, Herbert C. Hoover Building, 14th Street between Pennsylvania and
Constitution Avenues, NW., Washington, DC 20230.
FOR FURTHER INFORMATION CONTACT:
Mr. Noel Nazario, National Institute of Standards and Technology,
Gaithersburg, MD 20899, telephone (301) 975-2837.
Dated: January 24, 1994.
Samuel Kramer,
Associate Director.
Federal Information Processing Standard Publication XXX
Draft 1993 September 30 Draft
Announcing a Standard Security Label for the Government Open Systems
Interconnection Profile
Federal Information Processing Standards Publications (FIPS PUBS)
are issued by the National Institute of Standards and Technology (NIST)
after approval by the Secretary of Commerce pursuant to section 111(d)
of the Federal Property and Administrative Services Act of 1949 as
amended by the Computer Security Act of 1987, Public Law 100-235.
Name of Standard: Standard Security Label for the Government Open
Systems Interconnection Profile.
Category of Standard: Computer Security, Security Labels
Explanation: This standard specifies the security label for the
U.S. Government Open Systems Interconnection Profile (GOSIP). GOSIP
security labels carry information used by protocol entities to
determine how to handle data communicated between open systems.
Information on a security label can be used to control access, specify
protective measures, and determine additional handling restrictions
required by a communications security policy.
This standard specifies the syntax for the labels and relies on a
Computer Security Objects Register (CSOR) to provide the semantics. The
separation of the label syntax from its semantics enables a common
label format to support multiple security policies and facilitate
cross-domain communications.
Given the inherent differences in layer functionality, the security
label defined in this document is expressed both as an abstract label
syntax specification for the OSI Application Layer and an encoding
optimized for use at the Network Layer. The Application and Network
Layers are the initial targets of GOSIP security.
The label presented here defines security tags that may be combined
into tag sets to carry security-related information. Five basic
security tag types allow security information to be represented as bit
maps, attribute enumerations, attribute range selections, hierarchical
security levels, or as user-defined data.
Approving Authority: Secretary of Commerce.
Maintenance Agency: Computer Systems Laboratory, National Institute
of Standards and Technology.
Cross Index:
Federal Information Resources Management Regulations, subpart
201-20.303, Standards, and subpart 201-39.1002, Federal Standards.
``Procedures for Registering Computer Security Objects'', NISTIR XXXX,
September 1993.
``U.S. Government Open Systems Interconnection Profile'' (GOSIP), FIPS
PUB 146-1, April 1991.
Scope: This standard specifies a security label for GOSIP-compliant
implementations. It includes two label specifications, one suitable for
the OSI Application Layer, and the other for the Network Layer. GOSIP
will call for the use of this standard when optional security protocols
at these layers require the use of security labels.
Applicability: The specified Standard Security Label (SSL) applies
to OSI communications systems handling U.S. Government unclassified but
sensitive data. The SSL shall be used on OSI systems required to label
data as indicated in the security chapter of GOSIP. Although this
standard is intended for use on systems handling unclassified
information, it could be adopted by the appropriate authorities for use
on systems handling classified information.
The SSL may be used by OSI protocols to control access, specify
protective measures, and indicate handling restrictions required by a
network security policy as registered in a Computer Security Objects
Register.
Complying implementations shall be capable of transmitting,
receiving, and obtaining information from security labels based on the
specifications in this document.
Specifications: Federal Information Processing Standard (FIPS xxx)
Standard Security Label for the Government Open Systems Interconnection
Profile (affixed).
Implementation Schedule: This standard becomes effective six months
after publication of a notice in the Federal Register of its approval
by the Secretary of Commerce.
Waiver Procedure: Under certain exceptional circumstances, the
heads of Federal departments and agencies may approve waivers to
Federal Information Processing Standards (FIPS). The head of such
agency may redelegate such authority only to a senior official
designated pursuant to section 3506(b) of title 44, United States Code.
Waiver shall be granted only when:
a. Compliance with a standard would adversely affect the
accomplishment of the mission of an operator of a Federal computer
system; or
b. Compliance with a standard would cause a major adverse financial
impact on the operator which is not offset by Government-wide savings.
Agency heads may act upon a written waiver request containing the
information detailed above. Agency heads may also act without a written
waiver request when they determine that conditions for meeting the
standard cannot be met. Agency heads may approve waivers only by a
written decision which explains the basis on which the agency head made
the required finding(s). A copy of each decision, with procurement
sensitive or classified portions clearly identified, shall be sent to:
National Institute of Standards and Technology; ATTN: FIPS Waiver
Decisions, Technology Building, room B-154, Gaithersburg, MD 20899.
In addition, notice of each waiver granted and each delegation of
authority to approve waivers shall be sent promptly to the Committee on
Government Operations of the House of Representatives and the Committee
on Government Affairs of the Senate and shall be published promptly in
the Federal Register.
When the determination on a waiver applies to the procurement of
equipment and/or services, a notice of the waiver determination must be
published in the Commerce Business Daily as a part of the notice of
solicitation for offers of an acquisition or, if the waiver
determination is made after that notice is published, by amendment of
such notice.
A copy of the waiver, any supporting documents, the document
approving the waiver and any accompanying documents, with such
deletions as the agency is authorized and decides to make under United
States Code section 552(b), shall be part of the procurement
documentation and retained by the agency.
Where to Obtain Copies: Copies of this publication are for sale by
the National Technical Information Service, U.S. Department of
Commerce, Springfield, VA 22161. When ordering, refer to Federal
Information Processing Standards Publication XX (FIPS PUB XX), and
identify the title. When microfiche is desired, this should be
specified. Prices are published by NTIS in current catalogs and other
issuances. Payment may be made by check, money order, deposit account
or charged to a credit card accepted by NTIS.
[FR Doc. 94-1819 Filed 1-27-94; 8:45 am]
BILLING CODE 3510-CN-M