[Federal Register Volume 67, Number 117 (Tuesday, June 18, 2002)]
[Notices]
[Pages 41399-41400]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-15278]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket No. 020503109-2109-01]
RIN 0693-AB51


Establishment of Information Technology Security Validation 
Programs Fees

AGENCY: National Institute of Standards and Technology, Commerce.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) 
operates a number of Information Technology Security Validation 
Programs. Under these programs, vendors use independent private sector, 
accredited testing laboratories to have their products tested. The goal 
of the Information Technology Security Validation Programs is to 
promote the use of validated products and provide Federal agencies and 
other users with a security metric to use in procuring software and 
equipment. The results of the independent testing performed by 
accredited laboratories provide this metric. NIST validates the test 
results and issues validation certificates. NIST also posts and 
maintains the validated products lists on the Computer Security 
Division Web site. The Information Technology Security Validation 
Programs currently do not charge a fee for their services, but demand 
for these services as increased over 1800% since 1996 in some cases. 
This growth has resulted in significantly increased expense to NIST for 
program management and associated functions. NIST issues this notice to 
adopt a fee schedule for some of the Information Technology Security 
Validation Programs, with fees being set individually for each program. 
The fees will allow NIST to continue and expand the Information 
Technology Security Validation Programs.

DATES: This notice is effective July 18, 2002.

FOR FURTHER INFORMATION CONTACT: Ray Snouffer, Computer Security 
Division, National Institute of Standards and Technology, 100 Bureau 
Drive, Stop 8930, Gaithersburg, MD 20899-8930, telephone (301) 975-
4436, e-mail: [email protected].

SUPPLEMENTARY INFORMATION: Federal agencies, industry, and the public 
now rely on a number of measures for the protection of information and 
communications used in electronic commerce, critical infrastructure and 
other application areas. Though these measures are used to provide 
security, weaknesses such as poor design can render the product 
insecure and place highly sensitive information at risk. Adequate 
testing and validation against established standards is essential to 
provide security assurance. NIST operates a number of established 
Information Technology Security Validation Programs. Under these 
programs, vendors use independent private sector, accredited testing 
laboratories to have their products tested. The goal of the Information 
Technology Security Validation Programs is to promote the use of 
validated products and provide Federal agencies and other users with a 
security metric to use in procuring software and equipment. The results 
of the independent testing performed by accredited laboratories provide 
this metric. Federal agencies, industry, and the public can choose 
products from the Validated Products List and have increased confidence 
that the products meet their claimed levels of performance and 
security.
    NIST validates the test results and issues validation certificates. 
NIST also posts and maintains the validated products lists on the 
Computer Security Division web site. Since the IT standards, security 
specifications, and NIST security recommendations, which underlie the 
testing programs must be flexible enough to adapt to advancements and 
innovations in science and technology, NIST continually performs 
reviews and updates. This process is based on technological and 
economical changes, which require research and interpretation of the 
standards.
    The Information Technology Security Validation Programs currently 
do not charge a fee for their services, but demand for these services 
as increased over 1800% since 1996 in some cases. This growth has 
resulted in significantly increased expense to NIST for program 
management and associated functions. NIST proposes to adopt a fee 
schedule for some of the Information Technology Security Validation 
Programs with fees being set individually for each program. The fees 
will allow NIST to continue and expand the Information Technology 
Security Validation Programs. Fees will be subjected to an annual cost-
analysis to determine if the fees need adjustment.
    The first Information Technology Security Validation Program to 
charge a fee will be the Cryptographic Module Validation Program 
(CMVP). Each of the Rating Levels (1-4) will have a different fee. 
Every Validation report will be charged a ``baseline'' fee. Baseline 
fees will accompany each validation report submitted to NIST. 
Validation reports will not be reviewed until such time as NIST 
receives payment of the baseline fee from the vendor. Validation 
reports that necessitate extended evaluation and collaboration with the 
certifying laboratory will be charged an additional ``extended'' fee. 
The baseline and extended fees for each Rating Level will be:

 
------------------------------------------------------------------------
                                                                  Total
                   Level                    Baseline  Extended  possible
                                               fee       fee       fee
------------------------------------------------------------------------
1.........................................     $2750     $1250     $4000
2.........................................      3750      1750      5500
3.........................................      5250      2500      7750
4.........................................      7250      3500    10750
------------------------------------------------------------------------
 All fees are given in US dollars.

    The levels specified above are commensurate with the security 
testing levels applied by the Cryptographic Module Testing laboratories 
in determining compliance with FIPS 140-2. A government and industry 
working group composed of both users and vendors developed FIPS 140-2. 
The working group identified eleven areas of security requirements with 
four increasing levels of security for cryptographic modules. The 
security levels allow for a wide spectrum of data sensitivity (e.g., 
low value administrative data, million dollar funds transfers, and 
health data), and a diversity of application environments (e.g., a 
guarded facility, an office, and a completely unprotected location). 
Each security level offers an increase in security over the preceding 
level.

    Authority: NIST's activities to protect Federal sensitive 
(unclassified) systems are undertaken pursuant to specific 
responsibilities assigned to NIST in section 5131 of the Information 
Technology

[[Page 41400]]

Management Reform Act of 1996 (Pub. L. 104-106), the Computer 
Security Act of 1987 (Pub. L. 100-235), and Appendix III to Office 
of Management and Budget Circular A-130. NIST's authority to perform 
work for others and charge fees for those services is found at 15 
U.S.C. 273 and 275a.

    Classification: Because notice and comment are not required under 5 
U.S.C. 553 or any other law, for matters relating to agency management 
or personnel or to public property, loans, grants, benefits, or 
contracts, a regulatory flexibility analysis (5 U.S.C. 601 et seq.) is 
not required and has not been prepared.
    Executive Order 12866: This notice has been determined to be not 
significant for the purposes of Executive Order 12866.

    Dated: June 12, 2002.
Karen H. Brown,
Deputy Director.
[FR Doc. 02-15278 Filed 6-17-02; 8:45 am]
BILLING CODE 3510-13-P