[Federal Register Volume 59, Number 171 (Tuesday, September 6, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-21891]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 920535-4194]
RIN 0693-AA99
Approval of Federal Information Processing Standards Publication
188, Standard Security Label for Information Transfer
agency: National Institute of Standards and Technology (NIST),
Commerce.
action: The purpose of this notice is to announce that the Secretary of
Commerce has approved a new standard, which will be published as FIPS
Publication 188, Standard Security Label for Information Transfer.
-----------------------------------------------------------------------
summary: On August 21, 1992 and January 28, 1994, notices were
published in the Federal Register (57 FR 37948 and 59 FR 4031,
respectively) that a Federal Information Processing Standard for
Standard Security Label for the Government Open Systems Interconnection
Profile was being proposed for Federal use.
The written comments submitted by interested parties and other
material available to the Department relevant to this standard were
reviewed by NIST. On the basis of this review, NIST recommended that
the Secretary approve the standard as a Federal Information Processing
Standards Publication, and prepared a detailed justification document
for the Secretary's review in support of that recommendation.
The detailed justification document which was presented to the
Secretary is part of the public record and is available for inspection
and copying in the Department's Central Reference and Records
Inspection Facility, Room 6020, Herbert C. Hoover Building, 14th Street
between Pennsylvania and Constitution Avenues NW., Washington, DC
20230.
This FIPS contains two sections: (1) An announcement section, which
provides information concerning the applicability, implementation, and
maintenance of the standard; and (2) a specifications section which
deals with the technical requirements of the standard. Only the
announcement section of the standard is provided in this notice.
effective date: This standard is effective March 1, 1995.
addresses: Interested parties may purchase copies of this standard,
including the technical specifications section, from the National
Technical Information Service (NTIS). Specific ordering information
from NTIS for this standard is set out in the Where to Obtain Copies
Section of the announcement section of the standard.
For further information contact: Mr. Noel Nazario, (301) 975-2837,
National Institute of Standards and Technology, Gaithersburg, MD 20899.
Dated: August 30, 1994.
Samuel Kramer,
Associate Director.
Federal Information Processing Standard Publication 188
(date)
Announcing A
Standard Security Label for Information Transfer
Federal Information Processing Standards Publications (FIPS
PUBS) are issued by the National Institute of Standards and
Technology (NIST) after approval by the Secretary of Commerce
pursuant to Section 111(d) of the Federal Property and
Administrative Services Act of 1949 as amended by the Computer
Security Act of 1987, Public Law 100-235.
Name of Standard: Standard Security Label for Information
Transfer.
Category of Standard: Computer Security, Security Labels.
Explanation: Security labels convey information used by protocol
entities to determine how to handle data communicated between open
systems. Information on a security label can be used to control
access, specify protective measures, and determine additional
handling restrictions required by a communications security policy.
This standard defines a security label syntax for information
exchanged over data networks and provides label encodings for use at
the Application and Network Layers. The syntactic constructs defined
in this standard are intended to be used along with semantics
provided by the authority establishing the security policy for the
protection of the information exchanged. A separate NIST document,
referenced in an informative appendix, defines a Computer Security
Objects Register (CSOR) that serves as repository for label
semantics. The CSOR assigns a unique identifier to each set of
interpretation and handling rules. This enables the communicating
parties to agree on the semantics for the interpretation of the
labels. The separation of the label syntax from its semantics
enables a few basic label structures to support multiple security
policies.
The label presented here defines security tags that may be
combined into tag sets to carry security-related information. Five
basic security tag types allow security information to be
represented as bit maps, attribute enumerations, attribute range
selections, hierarchical security levels, or as user-defined data.
Because of inherent differences in layer functionality, the security
label defined in this document is expressed both as an abstract
label syntax specification for the OSI Application Layer and an
encoding optimized for use at the Network Layer.
Approving Authority: Secretary of Commerce.
Maintenance Agency: Computer Systems Laboratory, National
Institute of Standards and Technology.
Cross Index:
Federal Information Resources Management Regulations, subpart
201-20.303, Standards, and subpart 201-39.1002, Federal Standards.
General Procedures for Registering Computer Security Objects,
NISTIR 5308, December 1993.
Security Labels for Open Systems--An Invitational Workshop,
NISTIR 4362, June 1990.
Standard Security Label for GOSIP--An Invitational Workshop,
NISTIR 4614, June 1991.
Scope: This standard defines syntactic constructs for conveying
security label information when Government sensitive but
unclassified data is exchanged over computer networks. The syntactic
constructs defined in this standard are intended to be used along
with semantics provided by the authority establishing security
policy for the protection of the information exchanged. NIST has
established a Computer Security Objects Register (CSOR) that will
serve as repository for label semantics. Informative Appendix A of
this standard provides further details on the CSOR.
This standard does not discuss the physical labeling of
information or storage media and information displayed on a computer
screen or other peripherals. Labeling of information stored in
internal memory and storage media (e.g. hard disks, compact disks,
magnetic tapes, etc.) is also outside of the scope of this standard.
The protection of data in transit and their associated labels along
with the binding between the data and the labels is the
responsibility of the communications protocols involved in the
transfer and therefore not discussed here. Compliance with this
standard does not provide assurance of the suitability of an
implementation for the protection of data according to specific
security policies. That assessment must be made through the
appropriate evaluation and certification processes.
Applicability: This standard applies to U.S. Government
communications systems required by agency security policy to label
sensitive but unclassified data when exchanged over data networks.
Although this standard is intended for use on systems handling
unclassified information, it could be adopted by the appropriate
authorities for use on systems handling classified information.
Complying implementations shall be capable of transmitting,
receiving, and obtaining information from security labels based on
the specifications in this document.
Specifications: Federal Information Processing Standard (FIPS
188) Standard Security Label for Information Transfer (affixed).
Implementation Schedule: This standard becomes effective 1 March
1995.
Waiver Procedure: Under certain exceptional circumstances, the
heads of Federal departments and agencies may approve waivers to
Federal Information Processing Standards (FIPS). The head of such
agency may redelegate such authority only to a senior official
designated pursuant to section 3506(b) of Title 44, United States
Code. Waiver shall be granted only when:
a. Compliance with a standard would adversely affect the
accomplishment of the mission of an operator of a Federal computer
system; or
b. Compliance with a standard would cause a major adverse
financial impact on the operator which is not offset by
Government-wide savings.
Agency heads may act upon a written waiver request containing
the information detailed above. Agency heads may also act without a
written waiver request when they determine that conditions for
meeting the standard cannot be met. Agency heads may approve waivers
only by a written decision which explains the basis on which the
agency head made the required finding(s). A copy of each decision,
with procurement sensitive or classified portions clearly
identified, shall be sent to: National Institute of Standards and
Technology; ATTN: FIPS Waiver Decisions, Technology Building, Room
B-154, Gaithersburg, MD 20899.
In addition, notice of each waiver granted and each delegation
of authority to approve waivers shall be sent promptly to the
Committee on Government Operations of the House of Representatives
and the Committee on Government Affairs of the Senate and shall be
published promptly in the Federal Register.
When the determination on a waiver applies to the procurement of
equipment and/or services, a notice of the waiver determination must
be published in the Commerce Business Daily as a part of the notice
of solicitation for offers of an acquisition or, if the waiver
determination is made after that notice is published, by amendment
to such notice.
A copy of the waiver, any supporting documents, the document
approving the waiver and any accompanying documents, with such
deletions as the agency is authorized and decides to make under
United States Code Section 552(b), shall be part of the procurement
documentation and retained by the agency.
Where to Obtain Copies: Copies of this publication are for sale
by the National Technical Information Service, U.S. Department of
Commerce, Springfield, VA 22161. When ordering, refer to Federal
Information Processing Standards Publication 188 (FIPSPUB 188), and
identify the title. When microfiche is desired, this should be
specified. Prices are published by NTIS in current catalogs and
other issuances. Payment may be made by check, money order, deposit
account or charged to a credit card accepted by NTIS.
[FR Doc. 94-21891 Filed 9-2-94; 8:45 am]
BILLING CODE 3510-CN-M