2008 Annual Report
National Institute of Standards and Technology
U.S. Department of Commerce

# Table of Contents

Welcome 1
Division Organization 2
The Computer Security Division Responds to the Federal Information Security Management Act of 2002 3
Security Management and Assistance Group (SMA) 4
FISMA Implementation Project 4
Publications 6
Outreach and Awareness 8
Health Information Technology 13
Security Testing and Metrics Group (STM) 14
Validation Programs and Laboratory Accreditation 14
Security Technology Group (ST) 19
Cryptographic Standards Toolkit 19
Quantum Computing 21
Authentication 22
Security Aspects of Electronic Voting 22
Systems and Network Security Group (SNS) 23
Identity Management Systems 23
Biometric Standards and Conformity Assessment Activities 30
Research in Emerging Technologies 34
Technical Security Metrics 33
Automated Vulnerability Management and Measurement 40
Infrastructure Services, Protocols, and Applications 42
CSD's Role in National and International IT Security Standards Processes 46
Systems and Network Security Technical Guidelines 49
Honors and Awards 52
Computer Security Division Publications - FY 2008 53
Ways to Engage Our Division and NIST 55
Acknowledgements 56

# Welcome

The Computer Security Division (CSD), a component of NIST's Information Technology Laboratory (ITL), provides standards and technology to protect information systems against threats to the confidentiality, integrity, and availability of information and services. During Fiscal Year 2008 (FY2008), CSD successfully responded to numerous challenges and opportunities in fulfilling its mission. CSD carried out a diverse research agenda and participated in many national priority initiatives, leading to the development and implementation of high-quality, cost-effective security and privacy mechanisms that improved information security across the federal government and throughout the national and international information security community.

In FY2008, CSD continued to develop standards, metrics, tests, and validation programs to promote, measure, and validate the security in information systems and services. Recognizing the potential benefits of more automation in technical security operations, CSD hosted the Information Security Automation Program (ISAP), which formalizes and advances efforts to enable the automation and standardization of technical security operations, including automated vulnerability management and policy compliance evaluations. The CSD also continued to work closely with federal agencies to improve their understanding and implementation of the Federal Information Security Management Act (FISMA) to protect their information and information systems. CSD supported a major intelligence community and national security community initiative to build a unified framework for information security across the federal government. This initiative is expected to result in greater standardization and more consistent and cost-effective security for all federal information systems.

As technology advances and security requirements evolve, CSD critically evaluates existing standards, guidelines, and technologies to ensure that they adequately reflect the current state of the art. In FY2008, CSD issued revisions of The Keyed-Hash Message Authentication Code, Federal Information Processing Standard (FIPS) 198-1, and Secure Hash Standard, FIPS 180-3, as well as a draft for public comment of the RSA Strong Primes - Digital Signature Standard, FIPS 186-3. The CSD also initiated an international competition for a next generation Secure Hash Algorithm (SHA-3).

During FY2008 CSD explored opportunities to apply its security research to national priorities and internal NIST initiatives. The CSD has played an active role in implementation planning for the Comprehensive National Cyber Security Initiative to protect our country's critical infrastructure. CSD continued to expand its support for two key national initiatives, electronic voting and health information technology, by researching the security requirements of those areas and applying the results of that research, along with current technologies, to advance the stated goals of those initiatives. CSD also worked closely with the ITL management team to integrate security projects into ITL's research programs. These programs, which include Cyber Security, Pervasive Information Technologies, Identity Management, and Trustworthy Software, are designed to organize and build ITL core competencies in the most efficient manner, and to maximize the use of ITL resources to address emerging information technology challenges.

These are just some of the highlights of the CSD program during FY2008. You may obtain more information about CSD's program at http://csrc.nist.gov or by contacting any of the CSD experts noted in this report. If interested in participating in any CSD challenges - whether current or future - please contact any of the listed CSD experts.

William Curtis Barker
Chief Cybersecurity Advisor

# Division Organization

William Curtis Barker, Chief Cybersecurity Advisor
Donna Dodson, Deputy Chief Cybersecurity Advisor

Matthew Scholl, Security Management & Assistance
Donna Dodson, Security Testing & Metrics (Acting)
William Burr, Security Technology
David Ferraiolo, Systems and Network Security

# The Computer Security Division Responds to the Federal Information Security Management Act of 2002

The E-Government Act [Public Law 107-347], passed by the 107th Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA), included duties and responsibilities for the Computer Security Division (CSD) in Section 303 "National Institute of Standards and Technology." In 2008, CSD addressed its assignments through the following projects and activities:

- Develop NIST guides for securing non-national security agency information systems - Issued eighteen NIST Special Publications (SP) covering management, operational and technical security guidance. In conjunction with the Government of Canada's Communications Security Establishment, CSD leads the Cryptographic Module Validation Program (CMVP). The Common Criteria Evaluation and Validation Scheme (CCEVS) and CMVP facilitate security testing of IT products usable by the federal government.
- Define minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category - Issued revision 2 of SP 800-53, Recommended Security Controls for Federal Information Systems, in December 2007.
- Identify methods for assessing effectiveness of security requirements - Issued SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, in June 2008.
- Establish performance measures for agency information security policies and practices - Issued revision 1 of SP 800-55, Performance Measurement Guide for Information Security, in July 2008.
- Provide assistance to agencies and private sector - Conducted ongoing, substantial reimbursable and non-reimbursable assistance support, including many outreach efforts such as the Federal Information Systems Security Educators' Association (FISSEA), the Federal Computer Security Program Managers' Forum (FCSM Forum), the Small Business Corner, and the Program Review for Information Security Management Assistance (PRISMA).
- Evaluate security policies and technologies from the private sector and national security systems for potential federal agency use - Hosted a growing repository of federal agency security practices, public/private security practices, and security configuration checklists for IT products. Collaborated with the Office of the Director of National Intelligence and the Department of Defense to transform the certification and accreditation process for information systems into a common framework for information security across the federal government.
- Solicit recommendations of the Information Security and Privacy Advisory Board on draft standards and guidelines - Solicited recommendations of the Board regularly at quarterly meetings.
- Provide outreach, workshops, and briefings - Conducted ongoing awareness briefings and outreach to CSD's customer community and beyond to ensure comprehension of guidance and awareness of planned and future activities. CSD also held workshops to identify areas that the customer community wishes to be addressed, and to scope guidelines in a collaborative and open format.
- Satisfy annual NIST reporting requirement - Produced an annual report as a NIST Interagency Report (IR). The 2003-2007 Annual Reports are available via our Computer Security Resource Center (CSRC) website or upon request.

# Security Management and Assistance Group (SMA)

Strategic Goal: The Security Management and Assistance Group provides leadership, expertise, outreach, standards and guidelines in order to assist the federal IT community in protecting its information and information systems, which allows our federal customers to use these critical assets in accomplishing their missions.

## Overview

Information security is an integral element of sound management. Information and information systems are critical assets that support the mission of an organization. Protecting them can be as important as protecting other organizational resources, such as money, physical assets, or employees. However, including security considerations in the management of information and computers does not completely eliminate the possibility that these assets will be harmed.

Ultimately, responsibility for the success of an organization lies with its senior management. They establish the organization's computer security program and its overall program goals, objectives, and priorities in order to support the mission of the organization. They are also responsible for ensuring that required resources are applied to the program.

Collaboration with a number of entities is critical for success. Federally, we collaborate with the United States Office of Management and Budget (OMB), the United States Government Accountability Office (GAO), the National Security Agency (NSA), the Chief Information Officers (CIO) Council, and all Executive Branch agencies. We also work closely with a number of information technology organizations and standards bodies, as well as public and private organizations.

Major initiatives in this area include:

- the FISMA Implementation Project;
- Extended outreach initiatives to federal and nonfederal agencies;
- Information security training, awareness and education;
- Outreach to small and medium business;
- Standards development; and
- Producing and updating NIST Special Publications (SP) on security management topics.

Key to the success of this area is our ability to interact with a broad constituency - federal and nonfederal - in order to ensure that our program is consistent with national objectives related to or impacted by information security.

## Federal Information Security Management Act (FISMA) Implementation Project

The Computer Security Division (CSD) continued to develop the security standards and guidelines required by federal legislation. Phase I of the FISMA Implementation Project included the development of the following publications:

- Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems;
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems;
- NIST Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
- NIST SP 800-39, Managing Risk from Information Systems: An Organizational Perspective (Targeted Completion February 2009);
- NIST SP 800-53, Recommended Security Controls for Federal Information Systems;
- NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems;
- NIST SP 800-59, Guideline for Identifying an Information System as a National Security System; and
- NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories.

The security standards and guidelines developed in Phase I will assist federal agencies in:

- Implementing the individual steps in the NIST Risk Management Framework as part of a well-defined and disciplined system development life cycle process;
- Demonstrating compliance to specific requirements contained within the legislation; and
- Establishing a level of security due diligence across the federal government.

In addition to the above publications, the division collaborated with the Manufacturing Engineering Laboratory in developing a draft guide to industrial control system security, NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and Other Control System Configurations Such as Programmable Logic Controllers (PLC).

Phase II of the FISMA Implementation Project, discussed in more detail in the next section of this annual report, focuses on several new initiatives to support the development of a program for credentialing public and private sector organizations to provide security assessment services for federal agencies.

In FY2008, the SMA group completed the following key publications:

- Initial public draft of a major revision to NIST SP 800-37, Guide for Security Authorization of Federal Information Systems, working in cooperation with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS), to develop a common process to authorize federal information systems for operation;
- Second public draft of NIST SP 800-39, which is the flagship document in the series of FISMA-related publications that provides a structured, yet flexible approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations;
- Revision of NIST SP 800-53, Recommended Security Controls for Federal Information Systems, working with NIST's Intelligent Systems Division (Manufacturing Engineering Laboratory), in collaboration with the Department of Homeland Security and organizations within the federal government that own, operate, and maintain industrial control systems, to incorporate in NIST SP 800-53 guidance on appropriate safeguards and countermeasures for federal industrial control systems;
- Final publication of NIST SP 800-53A, which provides a new, streamlined, and flexible approach for developing security assessment plans containing assessment procedures to determine the effectiveness of security controls deployed in federal information systems. Also completed with NIST SP 800-53A was an initial public draft of web-based assessment cases, which were developed by an interagency team to provide security assessors with online, worked examples identifying specific assessor action steps to accomplish for each of the assessment procedures in SP 800-53A;
- Revision of NIST SP 800-60, which updates the information types used by agencies to develop information system impact levels to help determine the criticality and sensitivity of federal information systems.

http://csrc.nist.gov/sec-cert

Contact: Dr. Ron Ross, (301) 975-5390, [email protected]

## Organizational Credentialing Program

Phase II of the FISMA Implementation Project is focusing on building a common understanding and capability for FISMA security control implementation and assessment in supporting development of a program for credentialing public and private sector organizations to provide security assessment services of information systems for federal agencies. These security services involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems, including the assessment of the information technology products and services used in security control implementation. The security assessment services will determine the extent to which the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

This phase of the FISMA Implementation Project includes the following initiatives:

(1) Training Initiative: for development of training courses, Quick Start Guides (QSG's), and Frequently Asked Questions (FAQ's) to establish a common understanding of the NIST standards and guidelines supporting each of the steps in the NIST Risk Management Framework;

(2) Support Tools Initiative: for identifying common programs, reference materials, checklists, technical guides, tools and techniques supporting implementation and assessment of SP 800-53 security controls;

(3) Product and Services Assurance Initiative: for defining minimum criteria and guidelines for suppliers in specifying security functions and assurances (to include evidence of test results from SCAP tools and configuration checklists, etc. where applicable) of products and services used in implementing SP 800-53 security controls;

(4) Organizational Credentialing Initiative: drawing upon material from the above initiatives and NIST standards and guidelines, define minimum capability and proficiency criteria for credentialing public and private sector organizations providing security assessment services for federal agencies; and

(5) Harmonization Initiative: for identifying common relationships and the mappings of FISMA standards, guidelines and requirements with: (i) ISO 27000 (International Organization for Standardization) series information security management standards; and (ii) ISO 9000 and 17000 series quality management, and laboratory testing, inspection and accreditation standards. This harmonization is important for minimizing duplication of effort for organizations that must demonstrate compliance to both FISMA and ISO requirements.

In FY2008, the CSD completed the initial public draft of NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems, which provides an initial set of requirements security assessment providers should satisfy to demonstrate the capability to conduct information system security control assessments in accordance with NIST standards and guidelines. The division also completed a set of Quick Start Guides (QSG's) and Frequently Asked Questions (FAQ's) to establish a common understanding of the NIST standards and guidelines supporting the categorization of systems step (i.e., first step) of the NIST Risk Management Framework.

http://csrc.nist.gov/sec-cert

Contacts: Mr. Arnold Johnson, (301) 975-3247, [email protected]; Ms. Pat Toth, (301) 975-5140, [email protected]

## Publications

### Glossary of Key Information Security Terms

Over the years, the Computer Security Division (CSD) has produced many information security guidance documents with definitions of key terms used. The definition for any given term was not standardized; therefore, there were multiple definitions for a given term. In 2004, the CSD identified a need to increase consistency in definitions for key information security terms in our documents.

The first step was a review of NIST publications (NIST Interagency Reports, Special Publications, and Federal Information Processing Standards) to determine how key information security terms were defined in each document. This review was completed in 2005 and resulted in a listing of each term and all definitions for each term. Several rounds of internal and external reviews were completed, and comments and suggestions were incorporated into the document. The document was published in April 2006 as NISTIR 7298, Glossary of Key Information Security Terms.

In 2007, CSD initiated an update to the Glossary to reflect new terms and any different definitions used in our publications, as well as to incorporate information assurance terms from the Committee on National Security Systems Instruction No 4009 (CNSSI-4009). The glossary update was well underway when CSD was notified that CNSSI-4009 was being updated. NIST obtained a position on the CNSSI-4009 Glossary Working Group and has been working on that project since early 2008.

An updated NIST glossary is expected to be released in FY2009 and will include the updated CNSSI-4009.

Contact: Mr. Richard Kissel, (301) 975-5017, [email protected]

### Guide for Mapping Types of Information and Information Systems to Security Categories

In August 2008, NIST issued SP 800-60 Revision 1, Volume I, Guide for Mapping Types of Information and Information Systems to Security Categories, and Volume 2, Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. SP 800-60, the companion guide to FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, was developed to assist federal agencies in categorizing information and information systems by facilitating provision of appropriate levels of information security according to a range of levels of impact or consequences that might result from the compromise of a security objective.

This revision of SP 800-60 further clarifies the system security categorization process; discusses the impact of security categorization results on other enterprise-wide activities such as capital planning, enterprise architecture, and disaster recovery planning; and provides recommendations and rationale for mission-based and management and support information types.

Contacts: Mr. Kevin Stine, (301) 975-4483, [email protected]; Mr. Richard Kissel, (301) 975-5017, [email protected]

### Guide to NIST Computer Security Documents

Can't find the NIST CSD document you're looking for? Are you not sure which CSD documents you should be looking for?

Currently, there are over 300 NIST information security documents. This number includes Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, Information Technology Laboratory (ITL) Bulletins, and NIST Interagency Reports (NIST IRs). These documents are typically listed by publication type and number, or by month and year in the case of the ITL Bulletins. This can make finding a document difficult if the number or date is not known.

In order to make NIST information security documents more accessible, especially to those just entering the information security field or to those with needs for specific documents, CSD developed the Guide to NIST Information Security Documents. Publications are listed by type and number, and the guide presents three ways to search for documents: by topic cluster (general subject matters or topic areas used in information security), by family (the seventeen minimum security control family names in SP 800-53), and by legal requirement.

This guide is currently updated through the end of August of FY2008, and will be undergoing future updates to make access to CSD publications easier for our customers.

Contact: Ms. Pauline Bowen, (301) 975-2938, [email protected]

### Revision of the Guide to Information Technology Security Role-Based Training Requirements

In FY2007, CSD initiated an update to SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, for public review and comment. Originally published in April 1998, SP 800-16 contains a training methodology that federal departments and agencies, as well as private sector and academic institutions, can use to develop role-based information security training material.

During FY2008 we made significant changes to the document. We began meeting with stakeholders of other federally focused information security training and workforce development initiatives. The goal is to create a multi-agency task force to reduce the potential for confusion among our constituents by 1) developing a diagram that shows the interactions and relationships between the various initiatives, and 2) agreeing on a common training "standard" that can be used by various federal communities that currently own or manage the training and workforce development initiatives. SP 800-16, Rev. 1 is expected to be that common training "standard." We expect the update of SP 800-16 to be completed during FY2009.

Contacts: Mr. Mark Wilson, (301) 975-3870, [email protected]; Ms. Pauline Bowen, (301) 975-2938, [email protected]

### Performance Measures for Information Security

The requirement to measure information security performance is driven by regulatory, financial, and organizational reasons. A number of existing laws, rules, and regulations, such as the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), and the Federal Information Security Management Act (FISMA), cite information performance measurement in general and information security measurement in particular as a requirement. Agencies are also using performance measures as management tools in their internal improvement efforts and linking implementation of their programs to agency-level strategic planning efforts.

In July 2008, NIST released SP 800-55, Revision 1, Performance Measurement Guide for Information Security. The document is a guide to assist in the development, selection, and implementation of measures to be used at the information system and program levels. These measures can help indicate the effectiveness of security controls applied to information systems and supporting information security programs.

Contacts: Ms. Marianne Swanson, (301) 975-3293, [email protected]; Mr. Kevin Stine, (301) 975-4483, [email protected]

### Security Considerations in the System Development Life Cycle

Consideration of security in the System Development Life Cycle (SDLC) is essential to implementing and integrating a comprehensive risk management strategy for all information systems. To be most effective, information security must be integrated into the SDLC from system inception. Early integration of security in the SDLC enables agencies to maximize return on investment in their security programs, through:

- Early identification and mitigation of security vulnerabilities and misconfigurations, resulting in lower cost of security control implementation and vulnerability mitigation;
- Awareness of potential engineering challenges caused by mandatory security controls;
- Identification of shared security services and reuse of security strategies and tools to reduce development cost and schedule while improving security posture through proven methods and techniques; and
- Facilitating informed executive decision making through comprehensive risk management in a timely manner.

In October 2008, NIST issued SP 800-64, Revision 2, Security Considerations in the System Development Life Cycle. This publication addresses the FISMA direction to develop guidelines recommending security integration into the agency's established SDLC, and is intended to assist agencies in integrating essential information technology (IT) security steps into their established IT SDLC, resulting in more cost effective, risk appropriate security control identification, development, and testing.

Contacts: Mr. Richard Kissel, (301) 975-5017, [email protected]; Mr. Kevin Stine, (301) 975-4483, [email protected]

## Outreach and Awareness

### Computer Security Resource Center

The Computer Security Resource Center (CSRC) is the Computer Security Division's Web site. CSRC is one of the four most visited Web sites at NIST. We use the CSRC to encourage broad sharing of information security tools and practices, to provide a resource for information security standards and guidelines, and to identify and link key security Web resources to support the industry. The CSRC is an integral component of all of the work that we conduct and produce. It is our repository for everyone, public or private sector, wanting access to our documents and other information security-related information. CSRC serves as a vital link to all our internal and external customers.

During FY2008, CSRC had more than 87.8 million requests, which included the additional traffic coming from the National Vulnerability Database (NVD) that became operational in late FY2005. Of the total 87.8 million requests, the CSRC received 38.2 million requests, while the NVD website received 49.6 million requests.

The CSRC website is the primary source for gaining access to NIST computer security publications. Every draft document released for public comment or final document published through the Division has been posted to the CSRC website. Based on the web site's statistics, the five most requested CSD publications for FY2008 were:

(1) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems
(2) Federal Information Processing Standard (FIPS) 197, Advanced Encryption Standard
(3) SP 800-48, Guide to Securing Legacy IEEE 802.11 Wireless Networks
(4) FIPS 140-2, Security Requirements for Cryptographic Modules
(5) SP 800-53 Revision 1 and Revision 2, Recommended Security Controls for Federal Information Systems

[Figure: Total Number of Website Requests: CSRC & NVD, by Fiscal Year, 2002 through 2008]

During FY2008, the CSRC Web site was continuously updated with new information on all project pages along with the posting of new and updated publications. The new and improved CSRC Web site standardizes the CSRC Web pages and menus, and is easier to navigate. Some of the major highlights of the expanded CSRC website during FY2008 were:

- Creation of web pages for the 2008 Federal Information Systems Security Educators' Association (FISSEA) Conference;
- Improved Publications section that included the addition of the Archived Publications section for withdrawn FIPS and SPs (superseded);
- Cryptographic Module Validation Program (CMVP) and Cryptographic Algorithm Validation Program (CAVP) project;
- National Vulnerability Database (NVD) website - updated the Federal Desktop Core Configuration (FDCC) and Security Content Automation Protocol (SCAP) portion of website; and
- Addition of assessment cases for the FISMA project, to name a few of the major highlights.

In addition to the CSRC website, CSD maintains a publications announcement mailing list. This is a free email list that notifies subscribers about publications that have been released to the general public and that have been posted to the CSRC website. This email list is a valuable tool for the more than 7,600 subscribers who include federal government employees, private sector, educational institutions and individuals with a personal interest in IT security. This email list reaches people all over the world. Email is sent to the list only when the Computer Security Division releases a publication (Draft, FIPS PUB, Special Publication and NIST IR). Emails are only sent out by the list administrator - Pat O'Reilly (NIST, CSD). Individuals who are interested in learning more about this list or subscribing to this list should visit this webpage on CSRC for more information:

http://csrc.nist.gov/publications/subscribe.html