18 June 2002


[Federal Register: June 18, 2002 (Volume 67, Number 117)]
[Notices]
[Page 41399-41400]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr18jn02-37]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 020503109-2109-01]
RIN 0693-AB51


Establishment of Information Technology Security Validation
Programs Fees

AGENCY: National Institute of Standards and Technology, Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST)
operates a number of Information Technology Security Validation
Programs. Under these programs, vendors use independent private sector,
accredited testing laboratories to have their products tested. The goal
of the Information Technology Security Validation Programs is to
promote the use of validated products and provide Federal agencies and
other users with a security metric to use in procuring software and
equipment. The results of the independent testing performed by
accredited laboratories provide this metric. NIST validates the test
results and issues validation certificates. NIST also posts and
maintains the validated products lists on the Computer Security
Division Web site. The Information Technology Security Validation
Programs currently do not charge a fee for their services, but demand
for these services has increased over 1800% since 1996 in some cases.
This growth has resulted in significantly increased expense to NIST for
program management and associated functions. NIST issues this notice to
adopt a fee schedule for some of the Information Technology Security
Validation Programs, with fees being set individually for each program.
The fees will allow NIST to continue and expand the Information
Technology Security Validation Programs.

DATES: This notice is effective July 18, 2002.

FOR FURTHER INFORMATION CONTACT: Ray Snouffer, Computer Security
Division, National Institute of Standards and Technology, 100 Bureau
Drive, Stop 8930, Gaithersburg, MD 20899-8930, telephone
(301) 975-4436, e-mail: ray.snouffer@nist.gov.

SUPPLEMENTARY INFORMATION: Federal agencies, industry, and the public
now rely on a number of measures for the protection of information and
communications used in electronic commerce, critical infrastructure and
other application areas. Though these measures are used to provide
security, weaknesses such as poor design can render the product
insecure and place highly sensitive information at risk. Adequate
testing and validation against established standards is essential to
provide security assurance. NIST operates a number of established
Information Technology Security Validation Programs. Under these
programs, vendors use independent private sector, accredited testing
laboratories to have their products tested. The goal of the Information
Technology Security Validation Programs is to promote the use of
validated products and provide Federal agencies and other users with a
security metric to use in procuring software and equipment. The results
of the independent testing performed by accredited laboratories provide
this metric. Federal agencies, industry, and the public can choose
products from the Validated Products List and have increased confidence
that the products meet their claimed levels of performance and
security.
    NIST validates the test results and issues validation certificates.
NIST also posts and maintains the validated products lists on the
Computer Security Division web site. Since the IT standards, security
specifications, and NIST security recommendations, which underlie the
testing programs, must be flexible enough to adapt to advancements and
innovations in science and technology, NIST continually performs
reviews and updates. This process is based on technological and
economical changes, which require research and interpretation of the
standards.
    The Information Technology Security Validation Programs currently
do not charge a fee for their services, but demand for these services
has increased over 1800% since 1996 in some cases. This growth has
resulted in significantly increased expense to NIST for program
management and associated functions. NIST proposes to adopt a fee
schedule for some of the Information Technology Security Validation
Programs with fees being set individually for each program. The fees
will allow NIST to continue and expand the Information Technology
Security Validation Programs. Fees will be subjected to an annual cost-
analysis to determine if the fees need adjustment.
    The first Information Technology Security Validation Program to
charge a fee will be the Cryptographic Module Validation Program
(CMVP). Each of the Rating Levels (1-4) will have a different fee.
Every Validation report will be charged a ``baseline'' fee. Baseline
fees will accompany each validation report submitted to NIST.
Validation reports will not be reviewed until such time as NIST
receives payment of the baseline fee from the vendor. Validation
reports that necessitate extended evaluation and collaboration with the
certifying laboratory will be charged an additional ``extended'' fee.
The baseline and extended fees for each Rating Level will be:

------------------------------------------------------------------------
                                                                  Total
                   Level                    Baseline  Extended  possible
                                               fee       fee       fee
------------------------------------------------------------------------
1.........................................     $2750     $1250     $4000
2.........................................      3750      1750      5500
3.........................................      5250      2500      7750
4.........................................      7250      3500     10750
------------------------------------------------------------------------
 All fees are given in US dollars.

    The levels specified above are commensurate with the security
testing levels applied by the Cryptographic Module Testing laboratories
in determining compliance with FIPS 140-2. A government and industry
working group composed of both users and vendors developed FIPS 140-2.
The working group identified eleven areas of security requirements with
four increasing levels of security for cryptographic modules. The
security levels allow for a wide spectrum of data sensitivity (e.g.,
low value administrative data, million dollar funds transfers, and
health data), and a diversity of application environments (e.g., a
guarded facility, an office, and a completely unprotected location).
Each security level offers an increase in security over the preceding
level.

    Authority: NIST's activities to protect Federal sensitive
(unclassified) systems are undertaken pursuant to specific
responsibilities assigned to NIST in section 5131 of the Information
Technology Management Reform Act of 1996 (Pub. L. 104-106), the
Computer Security Act of 1987 (Pub. L. 100-235), and Appendix III to
Office of Management and Budget Circular A-130. NIST's authority to
perform work for others and charge fees for those services is found at
15 U.S.C. 273 and 275a.

    Classification: Because notice and comment are not required under 5
U.S.C. 553 or any other law, for matters relating to agency management
or personnel or to public property, loans, grants, benefits, or
contracts, a regulatory flexibility analysis (5 U.S.C. 601 et seq.) is
not required and has not been prepared.
    Executive Order 12866: This notice has been determined to be not
significant for the purposes of Executive Order 12866.

    Dated: June 12, 2002.
Karen H. Brown,
Deputy Director.
[FR Doc. 02-15278 Filed 6-17-02; 8:45 am]
BILLING CODE 3510-13-P