27 June 2001
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html

-------------------------------------------------------------------------

[Federal Register: June 27, 2001 (Volume 66, Number 124)]
[Notices]               
[Page 34154-34155]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr27jn01-48]                         

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 980911236-0314-03]
RIN 0693-ZA22

 
Announcing Approval of Federal Information Processing Standard 
(FIPS) 140-2, Security Requirements for Cryptographic Modules

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Commerce approves FIPS 140-2, Security 
Requirements for Cryptographic Modules, which supersedes FIPS Standard 
140-1, and makes it compulsory and binding on Federal agencies for the 
protection of sensitive, unclassified information, FIPS 140-1, which 
was first published in 1994, specified that it would be reviewed within 
five years. FIPS 140-2 is the result of the review and replaces FIPS 
140-1.

DATE: This standard is effective November 25, 2001.

FOR FURTHER INFORMATION CONTACT: Mr. Ray Snouffer, (301) 975-4436, 
National Institute of Standards and Technology, 100 Bureau Drive, STOP 
8930, Gaithersburg, MD 20899-8930.
    A copy of FIPS 140-2 is available electronically from the NIST 
website at:
http://csrc.nist.gov/cryptval/>

SUPPLEMENTARY INFORMATION: FIPS 140-1, Security Requirements for 
Cryptographic Modules, first issued in 1994, identified requirements 
for four security levels for cryptographic modules to provide for a 
wide spectrum of data sensitivity (e.g., low value administrative data, 
million dollar funds transfers, and life protecting data), and a 
diversity of application environments. Over 140 modules have been 
tested by accredited private-sector laboratories and validated to-date 
as conforming to this standard. The standard provided that it be 
reviewed within five years to consider its continued usefulness and to 
determine whether new or revised requirements should be added.

[[Page 34155]]

    A notice was published in the Federal Register (63 FR 56910) on 
October 23, 1998, soliciting public comments on reaffirming FIPS 140-1. 
The comments supported reaffirming FIPS 140-1 with technical 
modifications to address advances in technology since FIPS 140-1 was 
issued. A notice was published in the Federal Register (64 FR 62654) on 
November 17, 1999, soliciting public comments on proposed FIPS 140-2, a 
revision of FIPS 140-1 making such technical modifications. The 
comments received (available at http://csrc.nist.gov/cryptval/) 
supported the issuance of proposed FIPS 140-2 with technical and 
editorial changes. None of them opposed the proposed revision of FIPS 
140-1.
    The Secretary of Commerce, after making appropriate revisions to 
proposed FIPS 140-2, approves it, and makes it compulsory and binding 
on Federal agencies for the protection of sensitive, unclassified 
information.

    Authority: Under Section 5131 of the Information Technology 
Management Reform Act of 1996 and the Computer Security Act of 1987, 
the Secretary of Commerce is authorized to approve standards and 
guidelines for the cost effective security and privacy of sensitive 
information processed by federal computer systems.

    E.O. 12866: This notice has been determined to be significant for 
the purposes of E.O. 12866.

    Dated: June 21, 2001.
Karen H. Brown,
Acting Director, NIST.
[FR Doc. 01-16186 Filed 6-26-01; 8:45 am]
BILLING CODE 3510-CN-M

----------------------------------------------------------------------

[Federal Register: June 27, 2001 (Volume 66, Number 124)]
[Notices]               
[Page 34155]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr27jn01-49]                         

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

 
Cryptographic Key Management Workshop

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice of public workshop.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) 
announces a workshop to discuss the development of Cryptographic Key 
Management guidance for Federal Government applications. The workshop 
will be held to review and discuss draft documentation that will be 
available prior to the workshop.

DATES: The Key Management Workshop will be held on November 1-2, 2001, 
from 9 a.m. to 5 p.m.

ADDRESSES: The Key Management workshop will be held in the 
Administration Building (Bldg. 101), Lecture Room A, National Institute 
of Standards and Technology, Gaithersburg, MD.

FOR FURTHER INFORMATION CONTACT: Further information may be obtained 
from the Key Management web site at <A HREF="http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.nist.gov/kms">http://www.nist.gov/kms</A> or by 
contacting Elaine Barker, National Institute of Standards and 
Technology, Building 100 Bureau Drive, Stop 8930, Gaithersburg, MD 
20899-8930; telephone 301-975-2911; Fax 301-948-1233, or email 
<A HREF="mailto:[email protected]">[email protected]</A>.

SUPPLEMENTARY INFORMATION: Electronic Commerce needs well-established 
cryptographic schemes that can provide such services as data integrity 
and confidentiality. Symmetric encryption schemes such as Triple DES, 
as defined in FIPS 46-3, and the Advanced Encryption Standard (AES) 
make attractive choices for the provision of these services. Systems 
using symmetric techniques are efficient, and their security 
requirements are well understood. Furthermore, these schemes have been 
or will be standardized to facilitate interoperability between systems. 
However, the implementation of such schemes requires the establishment 
of a shared secret key in advance. As the size of a key management 
system or the number of entities using a system grows, the need for key 
establishment can lead to a key management problem.
    In 1997, NIST announced plans to develop a public key-based key 
management standard and solicited comments from the public. In February 
of 2000, a public workshop was held to examine key establishment 
techniques that are currently available and to discuss the approach to 
the development of a Key Management Standard for Federal Government 
use. The workshop attendees suggested (1) the development of a 
``framework'' document that discusses the documents to be developed and 
their proposed content, (2) the identification of key establishment 
schemes, and (3) the development of key management guidance.
    Following the workshop, the framework document was prepared and 
made available for review on the Key Management web page (<A HREF="http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.nist.gov/kms">http://
www.nist.gov/kms</A>). A key establishment scheme definition document and a 
key management guidance document are currently under development. 
Initial drafts of these documents will be made available on the Key 
Management web page at least one month prior to the workshop and will 
be the subjects under discussion during that workshop.
    For planning purposes, advance registration is encouraged. To 
register, please fax your name, address, telephone, fax and e-mail 
address to 301-926-2733 (Attn: Key Management Workshop) by October 19, 
2000. Registration questions should be addressed to Vickie Harris on 
301-975-2034. Registration will also be available at the door, space 
permitting. The workshop will be open to the public and is free of 
charge.

    Authority: This work is being initiated pursuant to NIST's 
responsibilities under the Computer Security Act of 1987, the 
Information Technology Management Reform Act of 1996, Executive 
Order 13011, and OMB Circular A-130.

    Dated: June 21, 2001.
Karen H. Brown,
Acting Director, NIST.
[FR Doc. 01-16187 Filed 6-26-01; 8:45 am]
BILLING CODE 3510-CN-M