National Institute of Standards and Tech Karen Scarfone Murugiah Souppaya
This document is a guide to the basic technical aspects of conducting information security assessments. It presents technical testing and examination methods and techniques that an organization might use as part of an assessment, and offers insights to assessors on their execution and the potential impact they may have on systems and networks. For an assessment to be successful and have a positive impact on the security posture of a system (and ultimately the entire organization), elements beyond the execution of testing and examination must support the technical process. Suggestions for...
The mission of the National Institute of Standards and Technology (NIST) is to promote U.S. innovation and industrial competitiveness. One of NIST's core competencies is the development and use of standards. During late 2007, Technology Services (TS) canvassed other NIST Operating Units (OUs) to answer the question: How well is NIST doing in this area? The OUs were specifically asked about instances where NIST has played an active role in the development or implementation of documentary standards that: (1) have been broadly adopted, or (2) have produced, or are expected to produce,...
National Institute of Standards and Tech William C. Barker Hildegard Ferraiolo
The Homeland Security Presidential Directive HSPD-12 called for new standards to be adopted governing the interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems. The Personal Identity Verification (PIV) for Federal Employees and Contractors, (Federal Information Processing Standard 201 (FIPS 201)) was developed to establish standards for identity credentials. This document, Special Publication 800-87 (SP 800-87), provides the organizational codes necessary to establish the PIV Federal Agency Smart Credential Number (PIV...
This publication discusses the fundamental technologies and features of SSL VPNs. It describes SSL and how it fits within the context of layered network security. It presents a phased approach to SSL VPN planning and implementation that can help in achieving successful SSL VPN deployments. It also compares the SSL VPN technology with IPsec VPNs and other VPN solutions. This information is particularly valuable for helping organizations to determine how best to deploy SSL VPNs within their specific network environments.
National Institute of Standards and Tech Wayne A. Jansen Theodore Winograd
The purpose of this document is to provide an overview of active content and mobile code technologies in use today and offer insights for making informed IT security decisions on their application and treatment. The discussion gives details about the threats, technology risks, and safeguards for end user systems, such as desktops and laptops. Although various end user applications, such as email clients, can involve active content, Web browsers remain the primary vehicle for delivery and are underscored in the discussion. The tenets presented for Web browsers apply equally well to other end...
National Institute of Standards and Tech Elaine Barker Don Johnson
This Recommendation specifies key establishment schemes using discrete logarithm cryptography, based on standards developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.42 (Agreement of Symmetric Keys Using Discrete Logarithm Cryptography) and ANS X9.63 (Key Agreement and Key Transport Using Elliptic Curve Cryptography).
Priya D. Lavappa National Institute of Standards and Tech
This paper describes the steps in the software development process, knowledge of which is useful to organize and structure software development projects. Structuring a software development project from inception provides a clear path to completion. This set of guidelines provides a software development team with a progression of steps to conceive code, test, revise, and publish software applications that will best satisfy clients' software needs. Following these steps will clarify the respective roles for a software development team, show how their tasks fit together in a time schedule, and...
This report describes the certification of the rheological properties of Standard Reference Material® (SRM) 2490, a non-Newtonian fluid consisting of polyisobutylene dissolved in 2,6,10,14-tetramethylpentadecane.
Higher order or "definitive" methods have been in use at NIST for several decades to establish certified values for electrolytes and other trace elements in clinical Standard Reference Materials (SRMs). Although some of these methods have been described in various NIST 260 series documents, there has not been, until now, a single information resource providing comprehensive descriptions of the methods in a format which facilitates systematic updates for new methods, performance improvements to existing methods and removal of methods which are considered obsolete. This manual attempts to...
The Office of Law Enforcement Standards (OLES) of the National Institute of Standards and Technology (NIST) furnishes technical support to the National Institute of Justice (NIJ) program to strengthen law enforcement and criminal justice in the United States. OLES's function is to develop standards and conduct research that will assist law enforcement and criminal justice agencies in the selection and procurement of quality equipment.