Assessing Security Requirements for Controlled Unclassified Information (NIST Special Publication 800-171A)
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. This publication provides federal and nonfederal organizations with assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The assessment procedures are flexible and can be customized to the needs of the organizations and the assessors conducting the assessments. Security assessments can be conducted as self-assessments; independent, third-party assessments; or government-sponsored assessments, and can be applied with various degrees of rigor, based on customer-defined depth and coverage attributes. The findings and evidence produced during the security assessments can facilitate risk-based decisions by organizations related to the CUI requirements.
Cloud Computing Service Metrics Description (NIST Special Publication 500-307)
With cloud computing in the mainstream, there is a preponderance of cloud-based services in the market, and the choices for consumers increase daily. However, comparing the service offerings between cloud service providers is not a straightforward exercise. As part of the decision-making framework for moving to the cloud, having data on measurable capabilities (for example, quality of service, availability and reliability) gives the cloud service customer the tools and opportunity to make informed choices and to gain an understanding of the service being delivered. A metric provides knowledge about characteristics of a cloud property through both its definition (e.g., expression, unit, rules) and the values resulting from the measurement of the property. This document proposes concepts and a model to represent cloud service metrics. This model represents the information needed to understand a targeted cloud property and which constraints should be applied during measurement.
Forensic Latent Fingerprint Preprocessing Assessment (NISTIR 8215)
This report provides a brief introduction to fingerprint preprocessing, a discussion of the experimental design, structure, and contents of the latent fingerprint image database, and details of proposed preprocessing efficacy metrics.
Juliet 1.3 Test Suite: Changes From 1.2 (NIST Technical Note 1995)
The Juliet test suite is a systematic set of thousands of small test programs in C/C++ and Java exhibiting over 100 classes of errors, such as buffer overflow, OS injection, hardcoded password, absolute path traversal, NULL pointer de-reference, uncaught exception, deadlock, and missing release of resource. These test programs should be helpful in determining capabilities of software assurance tools, particularly static analyzers, in Unix, Microsoft Windows, and other environments. Juliet was developed by the National Security Agency's Center for Assured Software and first released in December 2010. It has been enhanced twice since then. Version 1.2 was released in May 2013 with a total of 86,864 test cases. Released in October 2017, version 1.3 fixes about two dozen systematic problems in version 1.2 and adds tests for pre- and post-increment and -decrement operators. This technical note details the changes from version 1.2 to 1.3. This note also lists the systematic problems that we know remain in Juliet 1.3.
Nail to Nail Fingerprint Challenge: Prize Analysis (NISTIR 8210)
In September 2017, the Intelligence Advanced Research Projects Activity held a fingerprint data collection as part of the Nail to Nail Fingerprint Challenge. Participating Challengers deployed devices designed to collect an image of the full nail-to-nail surface area of a fingerprint (equivalent to a rolled fingerprint) from an unacclimated user without assistance from a trained device operator. Images captured from these devices were searched against a set of traditionally captured, operator-assisted rolled fingerprints. Thousands of latent fingerprints were also searched against the images.
NIST Special Database 300: Uncompressed Plain and Rolled Images from Fingerprint Cards (NIST Technical Note 1993)
A new collection of legacy inked rolled and plain fingerprint card scans is being released to the public. The cards were scanned at three resolutions in the 8-bit grayscale colorspace. The data is available as lossless images for free.
Quick Start Guide for Populating Mobile Test Devices (NIST Special Publication 800-202)
This guide provides procedures for documenting and populating various data elements typically found within the contents of a mobile device (e.g., mobile phone, tablet). The guide discusses techniques and considerations for preparing the internal memory of a mobile device for use in testing a mobile forensic tool.
Platform Firmware Resiliency Guidelines (NIST Special Publication 800-193)
This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks. The platform is a collection of fundamental hardware and firmware components needed to boot and operate a system. A successful attack on platform firmware could render a system inoperable, perhaps permanently, or require reprogramming by the original manufacturer, resulting in significant disruptions to users. The technical guidelines in this document promote resiliency in the platform by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and recovering from attacks rapidly and securely. Implementers, including Original Equipment Manufacturers (OEMs) and component/device suppliers, can use these guidelines to build stronger security mechanisms into platforms. System administrators, security professionals, and users can use this document to guide procurement strategies and priorities for future systems.
Security Recommendations for Server-based Hypervisor Platforms (NIST Special Publication 800-125rev1)
The hypervisor platform is a collection of software modules that provides virtualization of hardware resources (such as CPU, memory, network and storage) and thus enables multiple computing stacks (made of an operating system (OS) and application programs), called Virtual Machines (VMs), to be run on a single physical host. In addition, it may have the functionality to define a network within the single physical host (called a virtual network) to enable communication among the VMs resident on that host as well as with physical and virtual machines outside the host. With all this functionality, the hypervisor has the responsibility to mediate access to physical resources, provide run-time isolation among resident VMs, and enable a virtual network that provides security-preserving communication flow among the VMs and between the VMs and the external network. The architecture of a hypervisor can be classified in different ways. The security recommendations in this document relate to ensuring the secure execution of baseline functions of the hypervisor and are therefore agnostic to the hypervisor architecture. Further, the recommendations are in the context of a hypervisor deployed for server virtualization and not for other use cases such as embedded systems and desktops. Recommendations for secure configuration of a virtual network are dealt with in a separate NIST document (Special Publication 800-125B).
'Software Science' Revisited: Rationalizing Halstead's System Using Dimensionless Units (NIST Technical Note 1990)
The set of software metrics introduced by Maurice H. Halstead in the 1970s has seen much scrutiny and not infrequent criticism. This article takes a fresh look at these metrics using quantity calculus (the algebra of units) and a new approach to dimensionless units. In this way, it is possible to assign units to the major Halstead metrics in a manner that is logically consistent. However, Halstead's repurposing of counts of software attributes as counts of unobservable mental events leads to a less plausible, more confusing set of metrics for coding effort than for software attributes.