27 June 2001 Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html ------------------------------------------------------------------------- [Federal Register: June 27, 2001 (Volume 66, Number 124)] [Notices] [Page 34154-34155] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr27jn01-48] ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE National Institute of Standards and Technology [Docket No. 980911236-0314-03] RIN 0693-ZA22 Announcing Approval of Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules AGENCY: National Institute of Standards and Technology (NIST), Commerce. ACTION: Notice. ----------------------------------------------------------------------- SUMMARY: The Secretary of Commerce approves FIPS 140-2, Security Requirements for Cryptographic Modules, which supersedes FIPS Standard 140-1, and makes it compulsory and binding on Federal agencies for the protection of sensitive, unclassified information, FIPS 140-1, which was first published in 1994, specified that it would be reviewed within five years. FIPS 140-2 is the result of the review and replaces FIPS 140-1. DATE: This standard is effective November 25, 2001. FOR FURTHER INFORMATION CONTACT: Mr. Ray Snouffer, (301) 975-4436, National Institute of Standards and Technology, 100 Bureau Drive, STOP 8930, Gaithersburg, MD 20899-8930. A copy of FIPS 140-2 is available electronically from the NIST website at: http://csrc.nist.gov/cryptval/> SUPPLEMENTARY INFORMATION: FIPS 140-1, Security Requirements for Cryptographic Modules, first issued in 1994, identified requirements for four security levels for cryptographic modules to provide for a wide spectrum of data sensitivity (e.g., low value administrative data, million dollar funds transfers, and life protecting data), and a diversity of application environments. Over 140 modules have been tested by accredited private-sector laboratories and validated to-date as conforming to this standard. The standard provided that it be reviewed within five years to consider its continued usefulness and to determine whether new or revised requirements should be added. [[Page 34155]] A notice was published in the Federal Register (63 FR 56910) on October 23, 1998, soliciting public comments on reaffirming FIPS 140-1. The comments supported reaffirming FIPS 140-1 with technical modifications to address advances in technology since FIPS 140-1 was issued. A notice was published in the Federal Register (64 FR 62654) on November 17, 1999, soliciting public comments on proposed FIPS 140-2, a revision of FIPS 140-1 making such technical modifications. The comments received (available at http://csrc.nist.gov/cryptval/) supported the issuance of proposed FIPS 140-2 with technical and editorial changes. None of them opposed the proposed revision of FIPS 140-1. The Secretary of Commerce, after making appropriate revisions to proposed FIPS 140-2, approves it, and makes it compulsory and binding on Federal agencies for the protection of sensitive, unclassified information. Authority: Under Section 5131 of the Information Technology Management Reform Act of 1996 and the Computer Security Act of 1987, the Secretary of Commerce is authorized to approve standards and guidelines for the cost effective security and privacy of sensitive information processed by federal computer systems. E.O. 12866: This notice has been determined to be significant for the purposes of E.O. 12866. Dated: June 21, 2001. Karen H. Brown, Acting Director, NIST. [FR Doc. 01-16186 Filed 6-26-01; 8:45 am] BILLING CODE 3510-CN-M ---------------------------------------------------------------------- [Federal Register: June 27, 2001 (Volume 66, Number 124)] [Notices] [Page 34155] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr27jn01-49] ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE National Institute of Standards and Technology Cryptographic Key Management Workshop AGENCY: National Institute of Standards and Technology (NIST), Commerce. ACTION: Notice of public workshop. ----------------------------------------------------------------------- SUMMARY: The National Institute of Standards and Technology (NIST) announces a workshop to discuss the development of Cryptographic Key Management guidance for Federal Government applications. The workshop will be held to review and discuss draft documentation that will be available prior to the workshop. DATES: The Key Management Workshop will be held on November 1-2, 2001, from 9 a.m. to 5 p.m. ADDRESSES: The Key Management workshop will be held in the Administration Building (Bldg. 101), Lecture Room A, National Institute of Standards and Technology, Gaithersburg, MD. FOR FURTHER INFORMATION CONTACT: Further information may be obtained from the Key Management web site at <A HREF="http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.nist.gov/kms">http://www.nist.gov/kms</A> or by contacting Elaine Barker, National Institute of Standards and Technology, Building 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930; telephone 301-975-2911; Fax 301-948-1233, or email <A HREF="mailto:[email protected]">[email protected]</A>. SUPPLEMENTARY INFORMATION: Electronic Commerce needs well-established cryptographic schemes that can provide such services as data integrity and confidentiality. Symmetric encryption schemes such as Triple DES, as defined in FIPS 46-3, and the Advanced Encryption Standard (AES) make attractive choices for the provision of these services. Systems using symmetric techniques are efficient, and their security requirements are well understood. Furthermore, these schemes have been or will be standardized to facilitate interoperability between systems. However, the implementation of such schemes requires the establishment of a shared secret key in advance. As the size of a key management system or the number of entities using a system grows, the need for key establishment can lead to a key management problem. In 1997, NIST announced plans to develop a public key-based key management standard and solicited comments from the public. In February of 2000, a public workshop was held to examine key establishment techniques that are currently available and to discuss the approach to the development of a Key Management Standard for Federal Government use. The workshop attendees suggested (1) the development of a ``framework'' document that discusses the documents to be developed and their proposed content, (2) the identification of key establishment schemes, and (3) the development of key management guidance. Following the workshop, the framework document was prepared and made available for review on the Key Management web page (<A HREF="http://frwebgate.access.gpo.gov/cgi-bin/leaving.cgi?from=leavingFR.html&log=linklog&to=http://www.nist.gov/kms">http:// www.nist.gov/kms</A>). A key establishment scheme definition document and a key management guidance document are currently under development. Initial drafts of these documents will be made available on the Key Management web page at least one month prior to the workshop and will be the subjects under discussion during that workshop. For planning purposes, advance registration is encouraged. To register, please fax your name, address, telephone, fax and e-mail address to 301-926-2733 (Attn: Key Management Workshop) by October 19, 2000. Registration questions should be addressed to Vickie Harris on 301-975-2034. Registration will also be available at the door, space permitting. The workshop will be open to the public and is free of charge. Authority: This work is being initiated pursuant to NIST's responsibilities under the Computer Security Act of 1987, the Information Technology Management Reform Act of 1996, Executive Order 13011, and OMB Circular A-130. Dated: June 21, 2001. Karen H. Brown, Acting Director, NIST. [FR Doc. 01-16187 Filed 6-26-01; 8:45 am] BILLING CODE 3510-CN-M