Computer Systems Laboratory Bulletin
                               February 1991

               
                    COMPUTER SECURITY ROLES OF NIST AND NSA

The passage of the Computer Security Act of 1987 and the recent issuance of
the "National Policy for the Security of National Security Telecommunications
and Information Systems," a classified Presidential directive, has clarified
the division of responsibilities between the National Institute of Standards
and Technology (NIST) and the National Security Agency (NSA).  This CSL
Bulletin provides federal agencies with an explanation of the roles of NIST
and NSA in computer security and gives points of contact for agency computer
security and information resources management personnel.  

DIVISION OF RESPONSIBILITIES BETWEEN NIST AND NSA

NIST Responsibilities

The Computer Security Act of 1987 assigned NIST the responsibility for the
development and promulgation of cost-effective computer security standards and
guidelines for the federal unclassified systems community.  NIST's Computer
Systems Laboratory (CSL) is also responsible for the development of standards
and guidelines for federal computer systems including computer-related
telecommunications systems.  The term unclassified information as used in this
document excludes information covered by 10 U.S.C. Section 2315, the Warner
Amendment.

NSA Responsibilities

NSA and its National Computer Security Center (NCSC) have responsibility for
the security of systems and telecommunications involving classified and Warner
Amendment systems, collectively known as "national security systems."  The
President has designated the Director of NSA as the National Manager for
computer security for national security systems.  

      "National security systems" are those telecommunications and information
      systems operated by the U.S. Government, its contractors, or agents,
      that contain classified information or, as set forth in 10 U.S.C.
      Section 2315, that involves intelligence activities, involves
      cryptologic activities related to national security, involves command
      and control of military forces, involves equipment that is an integral
      part of a weapon or weapons systems, or involves equipment that is
      critical to the direct fulfillment of military or intelligence missions,
      excluding equipment or services used for routine administrative and
      business applications.  

NSA's responsibilities in this area are specified in the classified
Presidential directive issued in July 1990.  

AGENCY COMPUTER SECURITY ASSISTANCE

Unclassified Systems - NIST

CSL's Computer Security Division is available to assist federal departments
and agencies with all facets of computer security.  These include, but are not
limited to, security planning, risk management, contingency planning, security
awareness and training, network security, encryption, personal authentication
technologies, smart card applications, and virus detection and prevention. 
Detailed technical assistance can be provided to agencies on a cost-
reimbursable basis.  In accordance with the Computer Security Act of 1987,
NIST draws upon the technical expertise of NSA as appropriate, for example in
the area of classified threat assessment.  All inquiries should be directed
to:

      Chief, Computer Security Division 
      Building 225, Room A216
      Computer Systems Laboratory
      National Institute of Standards and Technology
      Gaithersburg, MD  20899
      Telephone (301) 975-2934 or FTS 879-2934

NIST has established and chairs the Federal Computer Security Program Managers
Forum which meets regularly to coordinate issues of interest to computer
security program managers in the federal unclassified security community.  The
forum provides a structured format for sharing information and expertise among
agencies at the computer security program manager level.  For further
information regarding the forum, please contact:

      Chairman, Federal Computer Security Program Managers Forum
      Building 225, Room B154
      Computer Systems Laboratory
      National Institute of Standards and Technology
      Gaithersburg, MD  20899
      Telephone (301) 975-3240 or FTS 879-3240
      
NIST publishes a list of all currently available Federal Information
Processing Standards (FIPS), guidelines, and related publications on computer
security.  For a complimentary copy of NIST Publication List 91, Computer
Security Publications, or to be placed on the mailing list for CSL Bulletins,
you may contact:

      CSL Publications
      Building 225, Room B151
      National Institute of Standards and Technology  
      Gaithersburg, MD  20899
      Telephone (301) 975-2821 or FTS 879-2821

National Security Systems - NSA

The National Security Agency, through the National Computer Security Center,
assists federal departments and agencies with information security
(communications and computer security) in issues related to national security
systems.  A full range of services, including risk assessment, security
planning, operations security, and identification of security measures, is
offered by NSA for national security systems.  Also, NSA publishes the
Information Systems Security Products and Services Catalog, which contains the
Evaluated Products List.  This list includes security products that NSA has
evaluated, those systems that are currently undergoing evaluation, and the
current status of such evaluations.  This catalog serves as a valuable
reference source for both classified and unclassified computer security
programs.  

Upon request of federal agencies and their contractors, NSA conducts
assessments of the vulnerabilities of information systems to hostile
exploitation/disruption and provides recommendations on Information Systems
Security (INFOSEC) countermeasures that are needed to eliminate or reduce
these vulnerabilities.  In allocating available resources, NSA assigns
priority to assessments of national security systems as defined in the
classified Presidential directive.  However, requests for assessments of
unclassified systems not covered by the national policy will be given
consideration by NSA.  Inquiries regarding assessments for unclassified
systems should be initially directed to NIST.  

For further information on NSA and NCSC, contact:

      Director
      National Security Agency
      Attn:  National Computer Security Center
      Airport Square #11
      Fort George G. Meade, MD  20755-6000

The National Security Telecommunications and Information Systems Security
Committee (NSTISSC), established by Presidential directive, provides a policy-
setting structure for the national security systems community.  Agencies are
represented on the NSTISSC as either members or observers, as determined by
the Presidential directive.  Additionally, the NSTISSC has two subcommittees: 
the Subcommittee on Information Systems Security (SISS) and the Subcommittee
on Telecommunications Security (STS). 
For further information regarding the NSTISSC and its subcommittees, you may
contact:

      Director 
      National Security Agency
      Attn:  NSTISSC Secretariat 
      Operations Building #3, Room COW89
      Fort George G. Meade, MD  20755-6000



Acronyms

FIPS        Federal Information Processing Standard
NCSC        National Computer Security Center (NSA)
CSL         Computer Systems Laboratory (NIST)
NIST        National Institute of Standards and Technology
NSA         National Security Agency
NSTISSC     National Security Telecommunications and Information
              Systems Security Committee
SISS        Subcommittee on Information Systems Security
STS         Subcommittee on Telecommunications Security