Computer Security Roles of NIST and NSA
Computer Systems Laboratory Bulletin
February 1991
COMPUTER SECURITY ROLES OF NIST AND NSA
The passage of the Computer Security Act of 1987 and the recent issuance of
the "National Policy for the Security of National Security Telecommunications
and Information Systems," a classified Presidential directive, have clarified
the division of responsibilities between the National Institute of Standards
and Technology (NIST) and the National Security Agency (NSA). This CSL
Bulletin provides federal agencies with an explanation of the roles of NIST
and NSA in computer security and gives points of contact for agency computer
security and information resources management personnel.
DIVISION OF RESPONSIBILITIES BETWEEN NIST AND NSA
NIST Responsibilities
The Computer Security Act of 1987 assigned NIST the responsibility for the
development and promulgation of cost-effective computer security standards and
guidelines for the federal unclassified systems community. NIST's Computer
Systems Laboratory (CSL) is also responsible for the development of standards
and guidelines for federal computer systems including computer-related
telecommunications systems. The term unclassified information as used in this
document excludes information covered by 10 U.S.C. Section 2315, the Warner
Amendment.
NSA Responsibilities
NSA and its National Computer Security Center (NCSC) have responsibility for
the security of systems and telecommunications involving classified and Warner
Amendment systems, collectively known as "national security systems." The
President has designated the Director of NSA as the National Manager for
computer security for national security systems.
"National security systems" are those telecommunications and information
systems operated by the U.S. Government, its contractors, or agents,
that contain classified information or, as set forth in 10 U.S.C.
Section 2315, that involve intelligence activities, involve
cryptologic activities related to national security, involve command
and control of military forces, involve equipment that is an integral
part of a weapon or weapons systems, or involve equipment that is
critical to the direct fulfillment of military or intelligence missions,
excluding equipment or services used for routine administrative and
business applications.
NSA's responsibilities in this area are specified in the classified
Presidential directive issued in July 1990.
AGENCY COMPUTER SECURITY ASSISTANCE
Unclassified Systems - NIST
CSL's Computer Security Division is available to assist federal departments
and agencies with all facets of computer security. These include, but are not
limited to, security planning, risk management, contingency planning, security
awareness and training, network security, encryption, personal authentication
technologies, smart card applications, and virus detection and prevention.
Detailed technical assistance can be provided to agencies on a
cost-reimbursable basis. In accordance with the Computer Security Act of 1987,
NIST draws upon the technical expertise of NSA as appropriate, for example in
the area of classified threat assessment. All inquiries should be directed
to:
Chief, Computer Security Division
Building 225, Room A216
Computer Systems Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899
Telephone (301) 975-2934 or FTS 879-2934
NIST has established and chairs the Federal Computer Security Program Managers
Forum which meets regularly to coordinate issues of interest to computer
security program managers in the federal unclassified security community. The
forum provides a structured format for sharing information and expertise among
agencies at the computer security program manager level. For further
information regarding the forum, please contact:
Chairman, Federal Computer Security Program Managers Forum
Building 225, Room B154
Computer Systems Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899
Telephone (301) 975-3240 or FTS 879-3240
NIST publishes a list of all currently available Federal Information
Processing Standards (FIPS), guidelines, and related publications on computer
security. For a complimentary copy of NIST Publication List 91, Computer
Security Publications, or to be placed on the mailing list for CSL Bulletins,
you may contact:
CSL Publications
Building 225, Room B151
National Institute of Standards and Technology
Gaithersburg, MD 20899
Telephone (301) 975-2821 or FTS 879-2821
National Security Systems - NSA
The National Security Agency, through the National Computer Security Center,
assists federal departments and agencies with information security
(communications and computer security) in issues related to national security
systems. A full range of services, including risk assessment, security
planning, operations security, and identification of security measures, is
offered by NSA for national security systems. Also, NSA publishes the
Information Systems Security Products and Services Catalog, which contains the
Evaluated Products List. This list includes security products that NSA has
evaluated, those systems that are currently undergoing evaluation, and the
current status of such evaluations. This catalog serves as a valuable
reference source for both classified and unclassified computer security
programs.
Upon request of federal agencies and their contractors, NSA conducts
assessments of the vulnerabilities of information systems to hostile
exploitation/disruption and provides recommendations on Information Systems
Security (INFOSEC) countermeasures that are needed to eliminate or reduce
these vulnerabilities. In allocating available resources, NSA assigns
priority to assessments of national security systems as defined in the
classified Presidential directive. However, requests for assessments of
unclassified systems not covered by the national policy will be given
consideration by NSA. Inquiries regarding assessments for unclassified
systems should be initially directed to NIST.
For further information on NSA and NCSC, contact:
Director
National Security Agency
Attn: National Computer Security Center
Airport Square #11
Fort George G. Meade, MD 20755-6000
The National Security Telecommunications and Information Systems Security
Committee (NSTISSC), established by Presidential directive, provides a
policy-setting structure for the national security systems community. Agencies are
represented on the NSTISSC as either members or observers, as determined by
the Presidential directive. Additionally, the NSTISSC has two subcommittees:
the Subcommittee on Information Systems Security (SISS) and the Subcommittee
on Telecommunications Security (STS).
For further information regarding the NSTISSC and its subcommittees, you may
contact:
Director
National Security Agency
Attn: NSTISSC Secretariat
Operations Building #3, Room COW89
Fort George G. Meade, MD 20755-6000
Acronyms
FIPS      Federal Information Processing Standard
NCSC      National Computer Security Center (NSA)
CSL       Computer Systems Laboratory (NIST)
NIST      National Institute of Standards and Technology
NSA       National Security Agency
NSTISSC   National Security Telecommunications and Information
          Systems Security Committee
SISS      Subcommittee on Information Systems Security
STS       Subcommittee on Telecommunications Security