27 August 2003 Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html ----------------------------------------------------------------------- [Federal Register: August 27, 2003 (Volume 68, Number 166)] [Notices] [Page 51558-51559] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr27au03-43] ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE National Institute of Standards and Technology [Docket No. 030711167-3167-01] Notice of Request for Submissions of Information Security Practices by Public and Private Sector Organizations AGENCY: National Institute of Standards and Technology (NIST), Commerce. ACTION: Notice. ----------------------------------------------------------------------- SUMMARY: NIST invites public and private organizations to submit their information security practices for inclusion in its Computer Security Resource Center. The NIST Computer Security Resource Center (CSRC) Web site, located at http://csrc.nist.gov, houses security specific guidance and tools that are shared widely in support of improving security programs and fostering good security practice. Selected information security practices will be posted on the Federal Agency Security Practices (FASP) section of the CSRC Web page (http://csrc.nist.gov/fasp ). FASP includes a variety of agency security practices, which have been successfully used by the submitters in implementing their information security programs. With the recognition that protection of the Nation's critical infrastructure is dependent upon effective information security solutions and to minimize vulnerabilities associated with a variety of threats, the broader sharing of such practices will enhance the overall security of the nation. Today's federal networks and systems are highly interconnected and interdependent with non-federal systems. Access to information security [[Page 51559]] practices in the public and private sector can be applied to enhance the overall performance of Federal information security programs. DATES: Request period is open-ended. Submissions can be offered at any time. ADDRESSES: Written submissions may be sent to Computer Security Division, ATTN: Information Security Practices, Mail Stop 8930, 100 Bureau Drive, Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic submissions should be sent to: infosecpractices@nist.gov. Materials accepted by NIST will be posted to its CSRC Web site at http://csrc.nist.gov/pcig. FOR FURTHER INFORMATION CONTACT: Ms. Joan Hash, (301) 975-3357, National Institute of Standards and Technology, Attn: Computer Security Division, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899- 8930, e-mail: joan.hash@nist.gov. SUPPLEMENTARY INFORMATION: Under section 5131 of the Information Technology Management Reform Act of 1996 and sections 302-3 of the Federal Information Security Management Act of 2002 (FISMA) (Pub. L. 107-347), the Secretary of Commerce is authorized to approve standards and guidelines for Federal information systems and to make standards compulsory and binding for Federal agencies as necessary to improve the efficiency or security of Federal information systems. NIST is authorized to develop standards, guidelines, and associated methods and techniques for information systems, other than national security systems, to provide for adequate information security for agency operations and assets. The FISMA requires each Federal agency to develop, document, and implement an agency-wide information security program that will provide information security for the information and information systems supporting the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The FISMA specifically tasked NIST to evaluate public and private sector security practices. This is done to improve the level of Federal security programs and to learn from public and private sector best practices. NIST invites public and private organizations to submit their information security practices for inclusion in its Computer Security Resource Center. The NIST CSRC Web site, located at http://csrc.nist.gov specific guidance and tools that are shared widely in support of improving security programs and fostering good security practice. Selected information security practices will be posted on the FASP section of the CSRC Web page (http://csrc.nist.gov/fasp). FASP includes a variety of agency security practices, which have been successfully used by the submitters in implementing their information security programs. With the recognition that protection of the Nation's critical infrastructure is dependent upon effective information security solutions and to minimize vulnerabilities associated with a variety of threats, the broader sharing of such practices will enhance the overall security of the nation. Today's Federal networks and systems are highly interconnected and interdependent with non-Federal systems. Access to information security practices in the public and private sector can be applied to enhance the overall performance of Federal information security programs. Submitters must indicate the source of the information security practices, such as an official organization Web site, or they may submit their information security practices accompanied by a management official's approval. Submitters may request that NIST sanitize the submission to mask the source of the material. NIST will review submissions for consistency with generally accepted security practices prior to posting. These practices may be found at http://csrc.nist.gov/publications/. Submissions must include a point of contact. NIST reserves the right to accept, post and remove submissions at its discretion. By submitting material, the submitter agrees that NIST may publicly disseminate such material, regardless of copyright. Submitters agree to inform NIST if the status of the submission changes (updated, discontinued, etc.). The preferred method of transmittal of the submissions is via e-mail to infosecpractices@nist.gov. Policies and procedures may be submitted to NIST in any area of information security including, but not limited to: Accreditation, audit trails, authorization of processing, budget planning and justification, certification, contingency planning, data integrity, disaster planning, documentation, hardware and system maintenance, identification and authentication, incident handling and response, life cycle, network security, personnel security, physical and environmental protection, production input/output controls, security policy, program management, review of security controls, risk management, security awareness training, and education (to include specific course and awareness materials), and security planning. Dated: August 21, 2003. Hratch G. Semerjian, Acting Deputy Director. [FR Doc. 03-21948 Filed 8-26-03; 8:45 am]