80 FR 48295 - Government Use of Standards for Security and Conformance Requirements for Cryptographic Algorithm and Cryptographic Module Testing and Validation Programs

DEPARTMENT OF COMMERCE
National Institute of Standards and Technology

[Federal Register Volume 80, Number 155 (Wednesday, August 12, 2015)]
[Notices]
[Pages 48295-48296]
From the Federal Register Online [www.thefederalregister.org]
[FR Doc No: 2015-19743]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 150706577-5577-01]
RIN 0693-XC051


Government Use of Standards for Security and Conformance 
Requirements for Cryptographic Algorithm and Cryptographic Module 
Testing and Validation Programs

AGENCY: National Institute of Standards and Technology (NIST), 
Commerce.

ACTION: Notice; Request for information.

-----------------------------------------------------------------------

SUMMARY: NIST is seeking public comment on the potential use of certain 
International Organization for Standardization/International 
Electrotechnical Commission (ISO/IEC) standards for cryptographic 
algorithm and cryptographic module testing, conformance, and validation 
activities, currently specified by Federal Information Processing 
Standard (FIPS) 140-2. The National Technology Transfer and Advancement 
Act (NTTAA) directs federal agencies to adopt voluntary consensus 
standards wherever possible. The responses to this request for 
information will be used to plan possible changes to the FIPS or in a 
decision to use all or part of the ISO/IEC standards for testing, 
conformance and validation of cryptographic algorithms and modules.

DATES: Comments on the potential use of ISO/IEC 19790:2014 must be 
received no later than 5 p.m., EST on September 28, 2015.

ADDRESSES: Written comments concerning the potential use of ISO/IEC 
19790:2014 should be sent to: Information Technology Laboratory, ATTN 
Use of ISO/IEC 19790, Mail Stop 7730, National Institute of Standards 
and Technology, 100 Bureau Drive, Gaithersburg, MD 20899.
    Electronic comments should be sent to: UseOfISO@nist.gov.

FOR FURTHER INFORMATION CONTACT: Ms. Diane Honeycutt, telephone (301) 
975-8443, MS 8930, National Institute of Standards and Technology, 
Gaithersburg, MD 20899 or via email at DHoneycutt@nist.gov.

SUPPLEMENTARY INFORMATION: The National Technology Transfer and 
Advancement Act (NTTAA), Public Law 104-113, directs federal agencies 
with respect to their use of and participation in the development of 
voluntary consensus standards. The NTTAA's objective is for federal 
agencies to adopt voluntary consensus standards, wherever possible, in 
lieu of creating proprietary, non-consensus standards. As the 
implementation of commercial cryptography, which is used to protect 
U.S. non-national security information and information systems, is now 
commoditized and built, marketed and used globally, NIST is seeking 
comments on using the ISO/IEC 19790:2014 Security Requirements for 
Cryptographic Modules standard as the U.S. Federal Standard for 
cryptographic modules (http://www.iso.org/iso/catalogue_detail.htm?csnumber=59142).
    The standards for cryptographic module testing, conformance, and 
validation activities are currently specified by Federal Information 
Processing Standard (FIPS) 140-2. This standard is used to ensure 
encryption technologies used by the U.S. Government meet minimally 
acceptable requirements and can demonstrate an acceptable level of 
conformance to the Standard that is commensurate with the risk the U.S. 
Government finds acceptable when using encryption technologies to 
protect U.S. Government information and information systems.
    NIST is interested in the commercial and market effects to U.S. 
industry and the potential changes to visibility in cryptographic 
modules' conformance to standards, as well as the ISO/IEC 19790:2014 
standard's ability to meet requirements for the U.S. Government. NIST is 
also interested in comments on the possible uses of ISO/IEC 19790:2014 
that range from use of only selected sections, continuing with a FIPS 
requirement that cites a baseline version of the ISO/IEC 19790:2014, 
and/or full use of the ISO/IEC standard. NIST is also interested in 
feedback on the impacts of a potential U.S. Government requirement for 
use and conformance using a standard with a fee-based model where 
organizations must purchase copies of the ISO/IEC 19790:2014.
    NIST is particularly interested in comments from commercial 
implementers of cryptography, testing and conformance organizations, 
users of cryptography, and organizations who currently require or cite 
FIPS 140-2 as a normative reference, on the benefits versus risks in 
using ISO/IEC 19790:2014 rather than FIPS 140-2 from perspectives of 
technology, implementations, risks and impacts to commercial IT 
markets. NIST requests comments on the following questions regarding 
the use of ISO/IEC 19790:2014, but comments on other cryptographic test 
and conformance issues will also be considered.
    (1) Have your customers or users asked for either ISO/IEC 
19790:2014 or FIPS 140-2 validations in cryptographic products?
    (2) Have the markets you serve asked for either validation and have 
you noticed any changes in what the markets you serve are asking for?
    (3) Do you think the ISO/IEC 19790:2014 standard specifies tests 
and provides evidence of conformance for cryptographic algorithms and 
modules better, equally or less as compared to FIPS 140-2 and in what 
areas?
    (4) Is there a difference in risk that you perceive would be 
mitigated or accepted in use of one standard versus the other?
    (5) Are the requirements in ISO/IEC 19790:2014 specific enough for 
your organization to develop a cryptographic module that can 
demonstrate conformance to this standard?
    (6) Would the U.S. Government citation of an ISO standard that has 
a fee for access to the standard inhibit your use or implementation of 
this standard?
    (7) Do either FIPS 140-2 or ISO/IEC 19790:2014 have a gap area that 
is not required for implementation, test or validation that presents an 
unacceptable risk to users of cryptographic modules?
    The responses to this request for information will be used to plan 
possible changes to the FIPS or in a decision to use all or part of 
ISO/IEC 19790:2014 for testing, conformance and validation of 
cryptographic algorithms and modules. In any decision made, it is the 
intention of NIST to continue specifying requirements for cryptography 
and cryptographic mechanisms 
used by the U.S. Government and a program for commercial products to 
demonstrate conformance to those requirements. It is also the intention 
of NIST to continue to specify the cryptographic modules, modes and key 
management schemes that are acceptable for use by the U.S. Government 
to protect its information and information systems regardless of any 
test, conformance or validation standards decision.

    Authority: Federal Information Processing Standards Publications 
(FIPS PUBS) are issued by the National Institute of Standards and 
Technology after approval by the Secretary of Commerce, pursuant to 
Section 5131 of the Information Technology Management Reform Act of 
1996 (Pub. L. 104-106), and the Federal Information Security 
Management Act of 2002 (Pub. L. 107-347).

Kevin Kimball,
Chief of Staff.
[FR Doc. 2015-19743 Filed 8-11-15; 8:45 am]
 BILLING CODE 3510-13-P



                                                                             Federal Register / Vol. 80, No. 155 / Wednesday, August 12, 2015 / Notices                                           48295

                                                  regarding the reimbursement of                          and validation of cryptographic                       the possible uses of ISO/IEC 19790:2014
                                                  antidumping duties prior to liquidation                 algorithms and modules.                               that range from use of only selected
                                                  of the relevant entries during this                     DATES: Comments on the potential use                  sections, continuing with a FIPS
                                                  review period. Failure to comply with                   of ISO/IEC 19790:2014 must be received                requirement that cites a baseline version
                                                  this requirement could result in the                    no later than 5 p.m., EST on September                of the ISO/IEC 19790:2014, and/or full
                                                  Department’s presumption that                           28, 2015.                                             use of the ISO/IEC standard. NIST is
                                                  reimbursement of antidumping duties                     ADDRESSES: Written comments                           also interested in feedback on the
                                                  occurred and the subsequent assessment                  concerning the potential use of ISO/IEC               impacts of a potential U.S. Government
                                                  of double antidumping duties.                           19790:2014 should be sent to:                         requirement for use and conformance
                                                    We are issuing and publishing these                   Information Technology Laboratory,                    using a standard with a fee-based model
                                                  results in accordance with sections                     ATTN Use of ISO/IEC 19790, Mail Stop                  where organizations must purchase
                                                  751(a)(1) and 777(i)(1) of the Act and 19               7730, National Institute of Standards                 copies of the ISO/IEC 19790:2014.
                                                  CFR 351.213 and 351.221(b)(4).                          and Technology, 100 Bureau Drive,                        NIST is particularly interested in
                                                    Dated: July 30, 2015.                                 Gaithersburg, MD 20899.                               comments from commercial
                                                  Ronald K. Lorentzen,                                       Electronic comments should be sent                 implementers of cryptography, testing
                                                                                                          to: UseOfISO@nist.gov.                                and conformance organizations, users of
                                                  Acting Assistant Secretary for Enforcement
                                                  and Compliance.                                         FOR FURTHER INFORMATION CONTACT: Ms.
                                                                                                                                                                cryptography, and organizations who
                                                                                                          Diane Honeycutt, telephone (301) 975–                 currently require or cite FIPS 140–2 as
                                                  Appendix                                                                                                      a normative reference, on the benefits
                                                                                                          8443, MS 8930, National Institute of
                                                  List of Topics Discussed in the Preliminary             Standards and Technology,                             versus risks in using ISO/IEC
                                                  Results Decision Memorandum                             Gaithersburg, MD 20899 or via email at                19790:2014 rather than FIPS 140–2 from
                                                  Summary                                                 DHoneycutt@nist.gov.                                  perspectives of technology,
                                                  Background                                                                                                    implementations, risks and impacts to
                                                                                                          SUPPLEMENTARY INFORMATION: The
                                                  Partial Rescission                                                                                            commercial IT markets. NIST requests
                                                                                                          National Technology Transfer and
                                                  Scope of the Order                                                                                            comments on the following questions
                                                  Discussion of the Methodology                           Advancement Act (NTTAA), Public Law
                                                                                                                                                                regarding the use of ISO/IEC
                                                    Non-Market Economy Status                             104–113, directs federal agencies with
                                                                                                                                                                19790:2014, but comments on other
                                                    PRC-Wide Entity                                       respect to their use of and participation
                                                                                                                                                                cryptographic test and conformance
                                                  Recommendation                                          in the development of voluntary
                                                                                                                                                                issues will also be considered.
                                                  [FR Doc. 2015–19359 Filed 8–11–15; 8:45 am]             consensus standards. The NTTAA’s                         (1) Have your customers or users
                                                  BILLING CODE 3510–DS–P                                  objective is for federal agencies to adopt            asked for either ISO/IEC 19790:2014 or
                                                                                                          voluntary consensus standards,                        FIPS 140–2 validations in cryptographic
                                                                                                          wherever possible, in lieu of creating                products?
                                                  DEPARTMENT OF COMMERCE                                  proprietary, non-consensus standards.                    (2) Have the markets you serve asked
                                                                                                          As the implementation of commercial                   for either validation and have you
                                                  National Institute of Standards and                     cryptography, which is used to protect                noticed any changes in what the
                                                  Technology                                              U.S. non-national security information                markets you serve are asking for?
                                                  [Docket No. 150706577–5577–01]                          and information systems, is now                          (3) Do you think the ISO/IEC
                                                                                                          commoditized and built, marketed and                  19790:2014 standard specifies tests and
                                                  RIN 0693–XC051                                          used globally, NIST is seeking                        provides evidence of conformance for
                                                                                                          comments on using the ISO/IEC                         cryptographic algorithms and modules
                                                  Government Use of Standards for                         19790:2014 Security Requirements for
                                                  Security and Conformance                                                                                      better, equally or less as compared to
                                                                                                          Cryptographic Modules standard as the                 FIPS 140–2 and in what areas?
                                                  Requirements for Cryptographic                          U.S. Federal Standard for cryptographic
                                                  Algorithm and Cryptographic Module                                                                               (4) Is there a difference in risk that
                                                                                                          modules (http://www.iso.org/iso/                      you perceive would be mitigated or
                                                  Testing and Validation Programs                         catalogue_detail.htm?csnumber=59142).                 accepted in use of one standard versus
                                                  AGENCY: National Institute of Standards                    The standards for cryptographic                    the other?
                                                  and Technology (NIST), Commerce.                        module testing, conformance, and                         (5) Are the requirements in ISO/IEC
                                                  ACTION: Notice; Request for information.                validation activities are currently                   19790:2014 specific enough for your
                                                                                                          specified by Federal Information                      organization to develop a cryptographic
                                                  SUMMARY:   NIST is seeking public                       Processing Standard (FIPS) 140–2. This                module that can demonstrate
                                                  comment on the potential use of certain                 standard is used to ensure encryption                 conformance to this standard?
                                                  International Organization for                          technologies used by the U.S.                            (6) Would the U.S. Government
                                                  Standardization/International                           Government meet minimally acceptable                  citation of an ISO standard that has a fee
                                                  Electrotechnical Commission (ISO/IEC)                   requirements and can demonstrate an                   for access to the standard inhibit your
                                                  standards for cryptographic algorithm                   acceptable level of conformance to the                use or implementation of this standard?
                                                  and cryptographic module testing,                       Standard that is commensurate with the                   (7) Do either FIPS 140–2 or ISO/IEC
                                                  conformance, and validation activities,                 risk the U.S. Government finds                        19790:2014 have a gap area that is not
                                                  currently specified by Federal                          acceptable when using encryption                      required for implementation, test or
                                                  Information Processing Standard (FIPS)                  technologies to protect U.S. Government               validation that presents an unacceptable
                                                  140–2. The National Technology                          information and information systems.                  risk to users of cryptographic modules?
mstockstill on DSK4VPTVN1PROD with NOTICES




                                                  Transfer and Advancement Act                               NIST is interested in the commercial                  The responses to this request for
                                                  (NTTAA) directs federal agencies to                     and market effects to U.S. industry and               information will be used to plan
                                                  adopt voluntary consensus standards                     the potential changes to visibility in                possible changes to the FIPS or in a
                                                  wherever possible. The responses to this                cryptographic modules conformance to                  decision to use all or part of ISO/IEC
                                                  request for information will be used to                 standards, as well as the ISO/IEC                     19790:2014 for testing, conformance and
                                                  plan possible changes to the FIPS or in                 19790:2014 standards ability to meet                  validation of cryptographic algorithms
                                                  a decision to use all or part of the ISO/               requirements for the U.S. Government.                 and modules. In any decision made, it
                                                  IEC standards for testing, conformance                  NIST is also interested in comments on                is the intention of NIST to continue


                                             VerDate Sep<11>2014   18:16 Aug 11, 2015   Jkt 235001   PO 00000   Frm 00009   Fmt 4703   Sfmt 4703   E:\FR\FM\12AUN1.SGM   12AUN1


                                                  48296                      Federal Register / Vol. 80, No. 155 / Wednesday, August 12, 2015 / Notices

                                                  specifying requirements for                             sequences received by 5:00 p.m. Pacific                    are intended to mimic
                                                  cryptography and cryptographic                          Time September 30, 2015 will be                       2. Source of the sequence(s)
                                                  mechanisms used by the U.S.                             considered for inclusion in this                      3. Proposed use scenario for the control(s)
                                                                                                          evaluation. Sequences submitted after                 4. Physical form of nucleic acids submitted
                                                  Government and a program for
                                                                                                                                                                     (if any)
                                                  commercial products to demonstrate                      this date may be considered in further                5. Intellectual property rights status
                                                  conformance to those requirements. It is                evaluations.
                                                  also the intention of NIST to continue                  ADDRESSES: Inquiries regarding ERCC
                                                                                                                                                                  To submit files or for further
                                                  to specify the cryptographic modules,                   participation and/or sequence                         questions on sequence submission
                                                  modes and key management schemes                        submissions should be sent by email to                please contact ERCCsequences@nist.gov.
                                                  that are acceptable for use by the U.S.                 ERCCsequences@nist.gov. See                             Authority: 15 U.S.C. 272(b) and (c).
                                                  Government to protect its information                   SUPPLEMENTARY INFORMATION for file
                                                                                                                                                                Kevin Kimball,
                                                  and information systems regardless of                   formats and other information about
                                                  any test, conformance or validation                                                                           Chief of Staff.
                                                                                                          sequence submission.
                                                  standards decision.                                                                                           [FR Doc. 2015–19742 Filed 8–11–15; 8:45 am]
                                                                                                          FOR FURTHER INFORMATION CONTACT:
                                                                                                                                                                BILLING CODE 3510–13–P
                                                     Authority: Federal Information Processing            Sarah Munro, Jerod Parsons, or Marc
                                                  Standards Publications (FIPS PUBS) are                  Salit by email at ERCCsequences@
                                                  issued by the National Institute of Standards           nist.gov.
                                                  and Technology after approval by the                                                                          DEPARTMENT OF COMMERCE
                                                                                                          SUPPLEMENTARY INFORMATION: NIST is
                                                  Secretary of Commerce, pursuant to Section
                                                  5131 of the Information Technology                      reconvening the External RNA Controls                 National Oceanic and Atmospheric
                                                  Management Reform Act of 1996 (Pub. L.                  Consortium (ERCC) to develop external                 Administration
                                                  104–106), and the Federal Information                   RNA controls for gene expression                      RIN 0648–XE071
                                                  Security Management Act of 2002 (Pub. L.                assays. This group has already
                                                  107–347).                                               established a set of 96 RNA control                   Taking and Importing Marine
                                                  Kevin Kimball,                                          sequences, commonly referred to as the                Mammals: Taking Marine Mammals
                                                                                                          ERCC controls, which is maintained as                 Incidental to Navy Operations of
                                                  Chief of Staff.
                                                                                                          NIST Standard Reference Material 2374.                Surveillance Towed Array Sensor
                                                  [FR Doc. 2015–19743 Filed 8–11–15; 8:45 am]
                                                                                                          Participation in the ERCC is open to all.             System Low Frequency Active Sonar
                                                  BILLING CODE 3510–13–P
Document Created: 2016-09-27 22:26:24
Document Modified: 2016-09-27 22:26:24
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice; Request for information.
Dates: Comments on the potential use of ISO/IEC 19790:2014 must be received no later than 5 p.m., EST on September 28, 2015.
Contact: Ms. Diane Honeycutt, telephone (301) 975-8443, MS 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899 or via email at [email protected]
FR Citation: 80 FR 48295
RIN Number: 0693-XC05