[Federal Register Volume 59, Number 171 (Tuesday, September 6, 1994)]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-21891]



-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 920535-4194]
RIN 0693-AA99

 

Approval of Federal Information Processing Standards Publication 
188, Standard Security Label for Information Transfer

AGENCY: National Institute of Standards and Technology (NIST),
Commerce.

ACTION: The purpose of this notice is to announce that the Secretary of
Commerce has approved a new standard, which will be published as FIPS 
Publication 188, Standard Security Label for Information Transfer.

-----------------------------------------------------------------------

SUMMARY: On August 21, 1992 and January 28, 1994, notices were
published in the Federal Register (57 FR 37948 and 59 FR 4031, 
respectively) that a Federal Information Processing Standard for 
Standard Security Label for the Government Open Systems Interconnection 
Profile was being proposed for Federal use.
    The written comments submitted by interested parties and other 
material available to the Department relevant to this standard were 
reviewed by NIST. On the basis of this review, NIST recommended that 
the Secretary approve the standard as a Federal Information Processing 
Standards Publication, and prepared a detailed justification document 
for the Secretary's review in support of that recommendation.
    The detailed justification document which was presented to the 
Secretary is part of the public record and is available for inspection 
and copying in the Department's Central Reference and Records 
Inspection Facility, Room 6020, Herbert C. Hoover Building, 14th Street 
between Pennsylvania and Constitution Avenues NW., Washington, DC 
20230.
    This FIPS contains two sections: (1) An announcement section, which 
provides information concerning the applicability, implementation, and 
maintenance of the standard; and (2) a specifications section which 
deals with the technical requirements of the standard. Only the 
announcement section of the standard is provided in this notice.

EFFECTIVE DATE: This standard is effective March 1, 1995.

ADDRESSES: Interested parties may purchase copies of this standard,
including the technical specifications section, from the National 
Technical Information Service (NTIS). Specific ordering information 
from NTIS for this standard is set out in the Where to Obtain Copies 
Section of the announcement section of the standard.

FOR FURTHER INFORMATION CONTACT: Mr. Noel Nazario, (301) 975-2837,
National Institute of Standards and Technology, Gaithersburg, MD 20899.

    Dated: August 30, 1994.
Samuel Kramer,
Associate Director.

Federal Information Processing Standard Publication 188

(date)

Announcing A

Standard Security Label for Information Transfer

    Federal Information Processing Standards Publications (FIPS 
PUBS) are issued by the National Institute of Standards and 
Technology (NIST) after approval by the Secretary of Commerce 
pursuant to Section 111(d) of the Federal Property and 
Administrative Services Act of 1949 as amended by the Computer 
Security Act of 1987, Public Law 100-235.
    Name of Standard: Standard Security Label for Information 
Transfer.
    Category of Standard: Computer Security, Security Labels.
    Explanation: Security labels convey information used by protocol 
entities to determine how to handle data communicated between open 
systems. Information on a security label can be used to control 
access, specify protective measures, and determine additional 
handling restrictions required by a communications security policy.
    This standard defines a security label syntax for information 
exchanged over data networks and provides label encodings for use at 
the Application and Network Layers. The syntactic constructs defined 
in this standard are intended to be used along with semantics 
provided by the authority establishing the security policy for the 
protection of the information exchanged. A separate NIST document, 
referenced in an informative appendix, defines a Computer Security 
Objects Register (CSOR) that serves as repository for label 
semantics. The CSOR assigns a unique identifier to each set of 
interpretation and handling rules. This enables the communicating 
parties to agree on the semantics for the interpretation of the 
labels. The separation of the label syntax from its semantics 
enables a few basic label structures to support multiple security 
policies.
    The label presented here defines security tags that may be 
combined into tag sets to carry security-related information. Five 
basic security tag types allow security information to be 
represented as bit maps, attribute enumerations, attribute range 
selections, hierarchical security levels, or as user-defined data. 
Because of inherent differences in layer functionality, the security 
label defined in this document is expressed both as an abstract 
label syntax specification for the OSI Application Layer and an 
encoding optimized for use at the Network Layer.
    Approving Authority: Secretary of Commerce.
    Maintenance Agency: Computer Systems Laboratory, National 
Institute of Standards and Technology.
    Cross Index:
    Federal Information Resources Management Regulations, subpart 
201-20.303, Standards, and subpart 201-39.1002, Federal Standards.
    General Procedures for Registering Computer Security Objects, 
NISTIR 5308, December 1993.
    Security Labels for Open Systems--An Invitational Workshop, 
NISTIR 4362, June 1990.
    Standard Security Label for GOSIP--An Invitational Workshop, 
NISTIR 4614, June 1991.
    Scope: This standard defines syntactic constructs for conveying 
security label information when Government sensitive but 
unclassified data is exchanged over computer networks. The syntactic 
constructs defined in this standard are intended to be used along 
with semantics provided by the authority establishing security 
policy for the protection of the information exchanged. NIST has 
established a Computer Security Objects Register (CSOR) that will 
serve as repository for label semantics. Informative Appendix A of 
this standard provides further details on the CSOR.
    This standard does not discuss the physical labeling of 
information or storage media and information displayed on a computer 
screen or other peripherals. Labeling of information stored in 
internal memory and storage media (e.g. hard disks, compact disks, 
magnetic tapes, etc.) is also outside of the scope of this standard. 
The protection of data in transit and their associated labels along 
with the binding between the data and the labels is the 
responsibility of the communications protocols involved in the 
transfer and therefore not discussed here. Compliance with this 
standard does not provide assurance of the suitability of an 
implementation for the protection of data according to specific 
security policies. That assessment must be made through the 
appropriate evaluation and certification processes.
    Applicability: This standard applies to U.S. Government 
communications systems required by agency security policy to label 
sensitive but unclassified data when exchanged over data networks. 
Although this standard is intended for use on systems handling 
unclassified information, it could be adopted by the appropriate 
authorities for use on systems handling classified information.
    Complying implementations shall be capable of transmitting, 
receiving, and obtaining information from security labels based on 
the specifications in this document.
    Specifications: Federal Information Processing Standard (FIPS 
188) Standard Security Label for Information Transfer (affixed).
    Implementation Schedule: This standard becomes effective 1 March 
1995.
    Waiver Procedure: Under certain exceptional circumstances, the 
heads of Federal departments and agencies may approve waivers to 
Federal Information Processing Standards (FIPS). The head of such 
agency may redelegate such authority only to a senior official 
designated pursuant to section 3506(b) of Title 44, United States 
Code. Waiver shall be granted only when:
    a. Compliance with a standard would adversely affect the 
accomplishment of the mission of an operator of a Federal computer 
system; or
    b. Compliance with a standard would cause a major adverse 
financial impact on the operator which is not offset by Government-
wide savings.
    Agency heads may act upon a written waiver request containing 
the information detailed above. Agency heads may also act without a 
written waiver request when they determine that conditions for 
meeting the standard cannot be met. Agency heads may approve waivers 
only by a written decision which explains the basis on which the 
agency head made the required finding(s). A copy of each decision, 
with procurement sensitive or classified portions clearly 
identified, shall be sent to: National Institute of Standards and 
Technology; ATTN: FIPS Waiver Decisions, Technology Building, Room 
B-154, Gaithersburg, MD 20899.
    In addition, notice of each waiver granted and each delegation 
of authority to approve waivers shall be sent promptly to the 
Committee on Government Operations of the House of Representatives 
and the Committee on Government Affairs of the Senate and shall be 
published promptly in the Federal Register.
    When the determination on a waiver applies to the procurement of 
equipment and/or services, a notice of the waiver determination must 
be published in the Commerce Business Daily as a part of the notice 
of solicitation for offers of an acquisition or, if the waiver 
determination is made after that notice is published, by amendment 
to such notice.
    A copy of the waiver, any supporting documents, the document 
approving the waiver and any accompanying documents, with such 
deletions as the agency is authorized and decides to make under 
United States Code Section 552(b), shall be part of the procurement 
documentation and retained by the agency.
    Where to Obtain Copies: Copies of this publication are for sale 
by the National Technical Information Service, U.S. Department of 
Commerce, Springfield, VA 22161. When ordering, refer to Federal 
Information Processing Standards Publication 188 (FIPSPUB 188), and 
identify the title. When microfiche is desired, this should be 
specified. Prices are published by NTIS in current catalogs and 
other issuances. Payment may be made by check, money order, deposit 
account or charged to a credit card accepted by NTIS.

[FR Doc. 94-21891 Filed 9-2-94; 8:45 am]
BILLING CODE 3510-CN-M