AGENCY:

National Institute of Standards and Technology, Commerce.

ACTION:

Notice.

SUMMARY:

The National Institute of Standards and Technology (NIST) operates a number of Information Technology Security Validation Programs. Under these programs, vendors use independent private sector, accredited testing laboratories to have their products tested. The goal of the Information Technology Security Validation Programs is to promote the use of validated products and provide Federal agencies and other users with a security metric to use in procuring software and equipment. The results of the independent testing performed by accredited laboratories provide this metric. NIST validates the test results and issues validation certificates. NIST also posts and maintains the validated products lists on the Computer Security Division Web site. The Information Technology Security Validation Programs currently do not charge a fee for their services, but demand for these services as increased over 1800% since 1996 in some cases. This growth has resulted in significantly increased expense to NIST for program management and associated functions. NIST issues this notice to adopt a fee schedule for some of the Information Technology Security Validation Programs, with fees being set individually for each program. The fees will allow NIST to continue and expand the Information Technology Security Validation Programs.

DATES:

This notice is effective July 18, 2002.

FOR FURTHER INFORMATION CONTACT:

Ray Snouffer, Computer Security Division, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930, telephone (301) 975-4436, e-mail: ray.snouffer@nist.gov.

SUPPLEMENTARY INFORMATION:

Federal agencies, industry, and the public now rely on a number of measures for the protection of information and communications used in electronic commerce, critical infrastructure and other application areas. Though these measures are used to provide security, weaknesses such as poor design can render the product insecure and place highly sensitive information at risk. Adequate testing and validation against established standards is essential to provide security assurance. NIST operates a number of established Information Technology Security Validation Programs. Under these programs, vendors use independent private sector, accredited testing laboratories to have their products tested. The goal of the Information Technology Security Validation Programs is to promote the use of validated products and provide Federal agencies and other users with a security metric to use in procuring software and equipment. The results of the independent testing performed by accredited laboratories provide this metric. Federal agencies, industry, and the public can choose products from the Validated Products List and have increased confidence that the products meet their claimed levels of performance and security.

NIST validates the test results and issues validation certificates. NIST also posts and maintains the validated products lists on the Computer Security Division web site. Since the IT standards, security specifications, and NIST security recommendations, which underlie the testing programs must be flexible enough to adapt to advancements and innovations in science and technology, NIST continually performs reviews and updates. This process is based on technological and economical changes, which require research and interpretation of the standards.

The Information Technology Security Validation Programs currently do not charge a fee for their services, but demand for these services as increased over 1800% since 1996 in some cases. This growth has resulted in significantly increased expense to NIST for program management and associated functions. NIST proposes to adopt a fee schedule for some of the Information Technology Security Validation Programs with fees being set individually for each program. The fees will allow NIST to continue and expand the Information Technology Security Validation Programs. Fees will be subjected to an annual cost-analysis to determine if the fees need adjustment.

The first Information Technology Security Validation Program to charge a fee will be the Cryptographic Module Validation Program (CMVP). Each of the Rating Levels (1-4) will have a different fee. Every Validation report will be charged a “baseline” fee. Baseline fees will accompany each validation report submitted to NIST. Validation reports will not be reviewed until such time as NIST receives payment of the baseline fee from the vendor. Validation reports that necessitate extended evaluation and collaboration with the certifying laboratory will be charged an additional “extended” fee. The baseline and extended fees for each Rating Level will be:

The levels specified above are commensurate with the security testing levels applied by the Cryptographic Module Testing laboratories in determining compliance with FIPS 140-2. A government and industry working group composed of both users and vendors developed FIPS 140-2. The working group identified eleven areas of security requirements with four increasing levels of security for cryptographic modules. The security levels allow for a wide spectrum of data sensitivity (e.g., low value administrative data, million dollar funds transfers, and health data), and a diversity of application environments (e.g., a guarded facility, an office, and a completely unprotected location). Each security level offers an increase in security over the preceding level.

Authority: NIST's activities to protect Federal sensitive (unclassified) systems are undertaken pursuant to specific responsibilities assigned to NIST in section 5131 of the Information Technology Start Printed Page 41400Management Reform Act of 1996 (Pub. L. 104-106), the Computer Security Act of 1987 (Pub. L. 100-235), and Appendix III to Office of Management and Budget Circular A-130. NIST's authority to perform work for others and charge fees for those services is found at 15 U.S.C. 273 and 275a.

Classification: Because notice and comment are not required under 5 U.S.C. 553 or any other law, for matters relating to agency management or personnel or to public property, loans, grants, benefits, or contracts, a regulatory flexibility analysis (5 U.S.C. 601 et seq.) is not required and has not been prepared.

Executive Order 12866: This notice has been determined to be not significant for the purposes of Executive Order 12866.