NIST releases update to security standards for sensitive data

Rule specifies requirements for computer components providing services for confidentiality and information authentication.

The National Institute of Standards and Technology released on Friday a revised draft of the security standard federal agencies use to test how well their computer systems' cryptographic components hold up against hacking attempts.

NIST announced the new draft of the Federal Information Processing Standard 140-3, "Security Requirements for Cryptographic Modules," which guides agencies in their efforts to protect sensitive data. The standard specifies the security requirements for information systems' cryptographic modules, which provide services for confidentiality, integrity and authentication of information. A computer system's cryptographic modules might enforce password rules, for example, or data encryption requirements.

"FIPS 140-3 adds new security features that reflect recent advances in technology and security methods," said the draft document, which includes requirements for ensuring data protection in software applications and preventing non-invasive attacks that can be performed against a security application without direct physical contact.

"Since information security requirements vary for different applications, organizations should identify their information resources and determine the sensitivity to and the potential impact of losses," the document noted. "Controls should be based on the potential risks."

Agencies can use FIPS to test cryptographic modules included in both hardware and software products against four levels of security, ranging from a minimum set of information assurance requirements to maximum protection that incorporates multifactor authentication. Each product receives a rating that reflects the highest security level it meets.

More than 2,000 modules conform to FIPS 140-1 and FIPS 140-2; the latter mandates that the standard be reviewed within five years to address new and revised requirements, according to a Federal Register notice announcing the latest revision.

The revised draft reflected comments received on the first public draft, posted for public review and comment on July 13, 2007, and from a March 2008 software security workshop. All comments to the Revised Draft FIPS 140-3 must be received on or before March 11, 2010.
