The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive


Key Management Using ANSI X9.17

US Department of Commerce
Added 2002-07-26

Security Requirements for Cryptographic Modules

US Department of Commerce

The selective application of technological and related procedural safeguards is an important responsibility of every Federal organization in providing adequate security in its computer and telecommunications systems.  This publication provides a standard to be used by Federal organizations when these organizations specify that cryptographic-based security systems are to be used to provide protection for sensitive or valuable data.  Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module.  This standard specifies the security requirements that are to be satisfied by a cryptographic module.  The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments.  The security requirements cover areas related to the secure design and implementation of a cryptographic module.  These areas include basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.  This revision supersedes FIPS 140 in its entirety.

Added 2002-07-26

Computer Data Authentication

US Department of Commerce
Added 2002-07-26

Password Usage

US Department of Commerce

The document specifies basic security criteria for two different uses of passwords in an ADP system: (1) personal identity authentication and (2) data access authorization.  It establishes the basic criteria for the design, implementation and use of a password system in those systems where passwords are used.  It identifies fundamental ADP management functions pertaining to passwords and specifies some user actions required to satisfy these functions.  In addition, it specifies several technical features which may be implemented in an ADP system in order to support a password system.  An implementation schedule is established for compliance with the Standard.  Numerous guidelines are provided in the Appendices for managers and users seeking to comply with the Standard.

Added 2002-07-26

Guideline for Computer Security Certification and Accreditation

US Department of Commerce

This Guideline is intended for use by ADP managers and technical staff in establishing and carrying out a program and a technical process for computer security certification and accreditation of sensitive computer applications.  It identifies and describes the steps involved in performing computer security certification and accreditation; it identifies and discusses important issues in managing a computer security certification and accreditation program; it identifies and discusses the principal functional roles needed within an organization to carry out such a program; and it contains sample outlines of an Application Certification Plan and a Security Evaluation Report as well as a sample Accreditation Statement and sensitivity classification scheme.  A discussion of recertification and reaccreditation and their relation to change control is also included.  The Guideline also relates certification and accreditation to risk analysis, EDP audit, validation, verification and testing (VV&T), and the system life cycle.  A comprehensive list of references is included.

Added 2002-07-26

Guidelines for ADP Contingency Planning

US Department of Commerce
Added 2002-07-26


DES Modes of Operation

US Department of Commerce
Added 2002-07-26


Guidelines for Security of Computer Applications

US Department of Commerce
Added 2002-07-26

Guidelines on Evaluation of Techniques for Automated Personal Identification

US Department of Commerce

This publication provides a guideline to be used by Federal organizations in the selection and evaluation of techniques for automatically verifying the identity of individuals seeking access to computer systems and networks via terminals, where controlled accessibility is required for security purposes.  The guideline describes various techniques for verifying identity and provides a set of criteria for the evaluation of automated identification systems embodying these techniques.

Added 2002-07-26

Data Encryption Standard (DES)

US Department of Commerce
Added 2002-07-26

Computer Security Guidelines for Implementing the Privacy Act of 1974

US Department of Commerce

This publication provides guidelines for use by Federal ADP organizations in implementing the computer security safeguards necessary for compliance with Public Law 93-579, the Privacy Act of 1974.  A wide variety of technical and related procedural safeguards are described.  These fall into three broad categories: physical security, information management practices, and computer system/network security controls.  As each organization processing personal data has unique characteristics, specific organizations should draw upon the material provided in order to select a well-balanced combination of safeguards which meets their particular requirements.

Added 2002-07-26

Issue Review

NSTAC
Added 2002-07-26