A smart card is a credit-card-sized device containing one or more integrated circuit chips, which perform the functions of a microprocessor, memory, and an input/output interface. Smart cards, and other related devices, may be used to provide an increased level of security in applications requiring controlled access to sensitive information. This publication describes the basic components of a smart card, and the goals and obstacles of smart card application development. Possible roles for smart cards in modern computer security systems and research conducted at the National Bureau of Standards (NBS) in the area of smart card access control systems are discussed. A forecast is made for the characteristics and applications of future smart cards and related devices. An overview of current standards activities for smart cards is given in an appendix.
This handbook is a guide to setting computer security policies and procedures for sites that have systems on the Internet. This guide lists issues and factors that a site must consider when setting their own policies. It makes some recommendations and gives discussions of relevant areas. This guide is only a framework for setting security policies and procedures. In order to have an effective set of policies and procedures, a site will have to make many decisions, gain agreement, and then communicate and implement the policies.
This report describes a security policy for a secure relational database system. This policy is intended to meet the security policy requirement specified in the DoD Trusted Computer System Evaluation Criteria. Because the policy is intended for a relational database management system, it goes beyond policies that the reader may be familiar with for general-purpose systems. However, it also addresses the requirements considered applicable to general-purpose systems and can serve as a useful guide to those who are called upon to produce a policy statement that will satisfy the Criteria. The development of a security policy is the first task of a three-year project to design a multilevel secure database system that will satisfy the criteria for Class A1.
Today's computer systems are vulnerable both to abuse by insiders and to penetration by outsiders, as evidenced by the growing number of incidents reported in the press. To close all security loopholes from today's systems is infeasible, and no combination of technologies can prevent legitimate users from abusing their authority in a system; thus auditing is viewed as the last line of defense. Over the past several years, the computer security community has been developing automated tools to analyze computer system audit data for suspicious user behavior. This paper describes the use of such tools for detecting computer system intrusion and describes further technologies that may be of use for intrusion detection in the future.
This recommended Guideline for Federal agencies identifies and describes the electrical environment for safe, reliable operation of automatic data processing (ADP) systems. The electrical environment in and immediately outside the computer room is considered. The Guideline describes the fundamentals which underlie the power, grounding, and life-safety requirements, and provides a guide and checklist for specifying and preparing ADP sites, and evaluating their suitability.
Intrusion Detection Systems (IDS) attempt to identify unauthorized use, misuse, and abuse of computer systems. In response to the growth in the use and development of IDSs, we have developed a methodology for testing IDSs. The methodology consists of techniques from the field of software testing which we have adapted for the specific purpose of testing IDSs. In this paper, we identify a set of general IDS performance objectives which is the basis for the methodology. We present the details of the methodology, including strategies for test-case selection and specific testing procedures. We include quantitative results from testing experiments on the Network Security Monitor (NSM), an IDS developed at UC Davis. We present an overview of the software platform that we have used to create user-simulation scripts for testing experiments. The platform consists of the UNIX tool 'expect' and enhancements that we have developed, including mechanisms for concurrent scripts and a record-and-replay feature. We also provide background information on intrusions and IDSs to motivate our work.