December 1992
CSL Bulletin
Advising users on computer systems technology

USING INFORMATION TECHNOLOGY STANDARDS IN FEDERAL ACQUISITIONS

Information technology (IT) standards are an important part of federal government strategies for managing information resources. Standards help to promote the interoperability of different manufacturers' systems, the portability of applications, and the sharing of ideas, data, and training. But while standards are often accepted in the abstract, it is not always easy for managers and users to put standards to work for their organizations.

The development of standards is just one step in a long process that starts with the identification of requirements and leads to the implementation of standards in off-the-shelf products. Along the way to implementation, it is often necessary to define relationships between standards, to develop profiles of standards, to select options in standards, and to test products for conformance to standards and for interoperability.

The Computer Systems Laboratory (CSL) develops Federal Information Processing Standards (FIPS), profiles, evaluation guides, and tests, and works with vendors and users to support the development and use of standards in off-the-shelf commercial products. This bulletin describes some of CSL's technical activities that help organizations incorporate standards into their information system acquisitions.

Application Portability Profile

Today's push for open systems environments (OSE) reflects users' requirements to preserve their investments in software and to reduce their dependence on a single vendor's products. Standards and consensus-based specifications are the foundation for OSEs. The Application Portability Profile (APP) issued by CSL assists organizations in developing plans for moving toward open systems environments.
A basic framework for open systems, the APP describes federal, national, international and other specifications that can be integrated to accommodate a broad range of information technology needs. The APP includes standards such as GOSIP (Government Open Systems Interconnection Profile) and POSIX (Portable Operating System Interface for Computer Environments), as well as other specifications needed to specify services, interfaces, protocols and data formats for interoperability and portability. Standards and specifications included in the APP are organized into major service areas: operating system services; user interface services; data management services; data interchange services; programming services; graphics services; and network services. Security and system management services are common to all of the service areas.

Organizations can use the APP as a tool to develop their individual profiles for applications such as office document interchange, electronic data interchange, and logistics support. Suggested references which can be incorporated into solicitation documents are provided.

Issued as NIST Special Publication (SP) 500-167, the APP is available from the National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161; telephone (703) 487-4650. The order number is PB90-219866.

In 1993 CSL plans to issue a revised APP to reflect changing user needs, to update specifications, and to add specifications for graphics services, electronic data interchange, and integrated software engineering environments.

User and Evaluation Guides

NIST has issued several acquisition guides for GOSIP (FIPS 146-1), one of the key components of the APP.
GOSIP defines a common set of data communications services, interfaces and protocols that enable systems developed by different vendors to work together. It is based on national and international voluntary industry standards, and on implementation agreements developed by the Open Systems Environments (OSE) Implementors' Workshop. With participation by users and industry, the workshop selects options from the base standards and develops profiles and tests to advance the development of standards-based products. The current version of GOSIP includes protocols for electronic mail; file transfer, access and management; virtual terminal service; the interconnection of several networking technologies; the transfer of Office Document Architecture (ODA) formats; and other protocols and services.

NIST Special Publication 500-192, Government Open Systems Interconnection Profile Users' Guide, Version 2, provides background information on the Open Systems Interconnection (OSI) standards, and discusses general and specific issues related to the use of GOSIP in agency acquisitions. A section of the guide deals with procurement issues and provides specific language that can be used in solicitations. This publication is available from the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone (202) 783-3238. The order number is SN003-003-03119-4.

Users need methods for evaluating and selecting technical products that are procurement candidates. NIST Special Publication 500-182, Guidelines for the Evaluation of Message Handling Systems Implementations, details a generic process that helps users acquire message handling systems. The guide advises how to determine the best message handling system (MHS) for electronic mail requirements, and how to identify potential MHS implementations. The candidate implementations can then be measured against functional and performance factors, and rated.
An example of the evaluation and selection process is presented in this guideline. NIST Special Publication 500-196, Guidelines for the Evaluation of File Transfer, Access and Management Implementations, follows a similar procedure for applications that transfer, access, and manage files using direct peer-to-peer communications. SP 500-182 is available from the National Technical Information Service; the order number is PB90-269598. SP 500-196 is available from the Government Printing Office; the order number is SN003-003-03120-8.

GOSIP and POSIX Revisions

CSL is collaborating with several industry groups to develop a common OSI specification that will consolidate the requirements of major U.S. computer users and provide a single specification to guide the development of OSI products. The planned Industry and Government Open Systems Specification (IGOSS) will enable these computer users to speak with one voice to vendors and to form a large market for OSI products. When the IGOSS is complete, it will replace the current version of GOSIP.

CSL plans to revise FIPS 151-1, POSIX, to adopt international specifications (ISO/IEC 9945-1) with certain modifications for the federal government. POSIX defines a C language interface to an operating system environment and supports the portability of applications software at the source-code level, between computer systems of different vendors. The standard provides the services necessary to create and manage processes, execute programs, define and communicate signals, define and process system clock operations, manage files and directories, and control input-output processing to and from external devices.

Validation of Products

Although the parts that make up a system may be in conformance with standards, there is no assurance that the products will interoperate or that applications software can be moved from one system to another.
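As an added illustration of the source-level portability that FIPS 151-1 (POSIX) is meant to provide, the following C program confines itself to the POSIX.1 process, signal, clock and input-output services listed under GOSIP and POSIX Revisions above: it creates a child process with fork(), passes data back through a pipe, catches SIGCHLD with sigaction(), times the exchange with clock_gettime(), and collects the child's exit status with waitpid(). This is example code written for this edition of the bulletin; it is not a NIST program and not part of NIST-PCTS. The function names (run_child_echo, demo_round_trip_ok, demo_exit_status) are the example's own, and it assumes a C compiler and a POSIX.1 environment that also supplies clock_gettime() (a later POSIX realtime interface, not part of the 1990 base standard). A program limited to these interfaces should compile and behave identically on any conforming implementation, which is exactly the property that conformance testing is meant to give assurance of.

```c
/* posix_portability_demo.c: example added for this edition, not a NIST program.
 * Uses only POSIX.1 process, signal, clock and I/O interfaces (plus
 * clock_gettime(), assumed available). */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Set by the SIGCHLD handler. sig_atomic_t is the only object type POSIX
 * guarantees may safely be written from a signal handler. */
static volatile sig_atomic_t child_exited = 0;

static void on_sigchld(int signo)
{
    (void)signo;
    child_exited = 1;
}

/* Forks a child that writes `msg` into a pipe and exits with `status`.
 * The parent installs a SIGCHLD handler, reads the echoed text into `out`
 * (at most outlen - 1 bytes, NUL-terminated), reaps the child with waitpid()
 * and reports wall-clock time in *elapsed_ms. Returns the child's exit
 * status (0-255), or -1 on any failure. */
int run_child_echo(const char *msg, int status, char *out, size_t outlen,
                   double *elapsed_ms)
{
    int fds[2];
    struct sigaction sa;
    struct timespec start, end;
    pid_t pid;
    int wstatus;
    size_t got = 0;

    if (outlen == 0 || pipe(fds) == -1)
        return -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;      /* restart read() if the signal lands mid-call */
    if (sigaction(SIGCHLD, &sa, NULL) == -1)
        return -1;

    child_exited = 0;
    clock_gettime(CLOCK_MONOTONIC, &start);

    pid = fork();
    if (pid == -1)
        return -1;

    if (pid == 0) {                /* child: write the message, then exit */
        const char *p = msg;
        size_t left = strlen(msg);
        close(fds[0]);
        while (left > 0) {
            ssize_t n = write(fds[1], p, left);
            if (n < 0 && errno == EINTR)
                continue;
            if (n <= 0)
                _exit(127);
            p += n;
            left -= (size_t)n;
        }
        close(fds[1]);
        _exit(status & 0xff);
    }

    close(fds[1]);                 /* parent: read until the child closes the pipe */
    while (got + 1 < outlen) {
        ssize_t n = read(fds[0], out + got, outlen - 1 - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        got += (size_t)n;
    }
    out[got] = '\0';
    close(fds[0]);

    if (waitpid(pid, &wstatus, 0) == -1)
        return -1;
    clock_gettime(CLOCK_MONOTONIC, &end);
    *elapsed_ms = (double)(end.tv_sec - start.tv_sec) * 1000.0
                + (double)(end.tv_nsec - start.tv_nsec) / 1e6;

    return WIFEXITED(wstatus) ? WEXITSTATUS(wstatus) : -1;
}

/* Returns 1 when one round trip yields both the expected text and exit status. */
int demo_round_trip_ok(void)
{
    char buf[64];
    double ms = -1.0;
    int rc = run_child_echo("hello from child", 3, buf, sizeof buf, &ms);
    return rc == 3 && strcmp(buf, "hello from child") == 0 && ms >= 0.0;
}

/* Returns the exit status reported by waitpid() for a child that exits with `status`. */
int demo_exit_status(int status)
{
    char buf[8];
    double ms = 0.0;
    return run_child_echo("x", status, buf, sizeof buf, &ms);
}

int main(void)
{
    char buf[64];
    double ms = 0.0;
    int rc = run_child_echo("hello from child", 3, buf, sizeof buf, &ms);
    printf("child said \"%s\", exit status %d, SIGCHLD seen: %d, %.3f ms\n",
           buf, rc, (int)child_exited, ms);
    return rc == 3 ? 0 : 1;
}
```

Compile with any conforming C compiler (for example `cc posix_portability_demo.c`) and run it; no vendor-specific headers, flags or system calls are involved, which is the point of procuring against FIPS 151-1 rather than against one vendor's operating system.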
Testing for conformance to standards becomes increasingly important as standards become more complex and interrelated. Organizations need an independent, objective means of ascertaining that products conform to standards and interoperate with other products as intended. Tests are an important factor in user acceptance and in the development of dependable products; compliance with standards provides increased assurance that a computer program written for one machine will run on other computers.

CSL has established validation activities for programming languages COBOL, Fortran, Ada, Pascal, C, and MUMPS; POSIX; Database Language SQL; GOSIP; graphics standards; and security standards. CSL's validation activities include developing test methods and procedures, accrediting testing laboratories, and validating products for conformance with standards.

An on-line GOSIP Register Database System includes listings of test suites, test systems, means of testing, conformance testing laboratories, tested products and interoperability testing services. The GOSIP register database may be accessed by either of two methods:

o Over the Internet, connect to address 138.27.7.2 and log on under the user-name jitcl; no password is necessary. You will then be presented with a second login prompt. Log on again under the user-name jitcl; again, no password is necessary.

o Using a modem, dial (602) 538-5233 and log in under the user-name jitcl; no password is necessary. Recommended modem configuration is 8 data bits, 1 stop bit, no parity, and 1200 or 2400 baud.

On-line information is available for the POSIX testing program as well. To access the system, you must be able to send and receive e-mail via the Internet. For most e-mail systems, send a message to posix@nist.gov. When the e-mail system responds with "Subject," you may type anything.
The next line should be a basic command for the e-mail server to send one or more of the following documents:

Register: a register of accredited laboratories and tested implementations.
Policy: general information on NIST's POSIX testing policy.
Required: information on requirements for certificates of validation under FIPS 151-1.

After you issue your send command and a carriage return, the next line should signal the end of the e-mail message as required by your e-mail system. Your e-mail system may respond with EOT for the end of transmission. The mail server program reads the message and sends the requested document to the requester's e-mail address.

The current version of the POSIX Conformance Test Suite is NIST-PCTS:151-1 (Version 1.1) dated 9-28-90, available from the National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161; telephone (703) 487-4650.

Validated Products List

NIST issues a quarterly publication, Validated Products List, that provides information on products that have been validated for conformance to FIPS. Products having a current validation certificate or test report may be offered or delivered by vendors in response to requirements set forth in solicitations by federal agencies. The Validated Products List contains conformance testing information for the following information technology standards:

Programming Languages: COBOL, Fortran, Ada, Pascal, C, and MUMPS
Database Language SQL
Computer Graphics
GOSIP
POSIX
Security

The Validated Products List is available from:

National Technical Information Service
5285 Port Royal Road
Springfield, VA 22161

Individual copies may be ordered from (703) 487-4630. Subscriptions may be ordered from (703) 487-4650.

The entries in the Validated Products List may be accessed on the Internet using the following instructions:

Type: ftp speckle.ncsl.nist.gov (Internet address is 129.6.59.2).
Login as user ftp.
Type your e-mail address as the password.
Type: cd pub/vpl.
Putting Computer Security Requirements into Information Technology Acquisitions

Legislation, policies and regulations require that agencies protect the integrity, availability, and confidentiality of the federal government's automated information, as well as the resources used to enter, store, process, and transmit the information. Computer security should be an integral part of all phases of information resources management (IRM). This means establishing security as a management priority; identifying information resources and determining threats and potential losses; selecting and implementing control measures to reduce potential losses; and auditing and monitoring results. By incorporating computer security considerations into the planning, design and acquisition of systems, agencies can achieve less expensive and better quality security than by adding the needed security controls after a system is operational.

Acquisition involves both computer security and procurement specialists, and each group of specialists brings different expertise and perspectives to the process. Representatives from more than 30 government and industry organizations worked with NIST to develop a guide that summarizes both the computer security and the acquisition aspects of IRM. Issued as NIST Special Publication 800-4, Computer Security Considerations in Federal Procurements, the guide helps procurement initiators, contracting officers, and computer security officials understand the concepts for integrating computer security into agency acquisitions and for selecting needed computer security features, assurances, and procedures. The guide provides specifications and contract language for the following: computer security; control of hardware and software; control of information and data; documentation; legal issues; contract administration, end of task and closeout; computer security training; personnel security; physical security; and computer security features in systems.
Another NIST report, Sample Statements of Work for Federal Computer Security Services, provides tasking language for services such as preparation of risk analyses and security planning documents.

Computer Security Considerations in Federal Procurements (NIST Special Publication 800-4) is available from the Government Printing Office, Washington, DC 20402; telephone (202) 783-3238. The order number is SN 003-003-03147-0; cost is $6.00. Another acquisition guide, Sample Statements of Work for Federal Computer Security Services (NISTIR 4749), is available from the National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161; telephone (703) 487-4650. The order number is PB92-148261.

Files on NIST Bulletin Board

NIST operates a computer security bulletin board that provides information on standards and publications. To reach the bulletin board through a modem and communications software, dial (301) 948-5717 for 2400 baud or less, or (301) 948-5140 for 9600 baud. Data bits: 8 with no parity, or 7 with even parity. Stop bits: 1. To reach the bulletin board through the Internet: telnet cs-bbs.nist.gov (129.6.54.30). The account is "bbs" and the password is "bbs" (lower case is required). Several NIST publications are located in the pub directory.

The Computer Security Bulletin Board System User's Guide (revised 1992) is available from the National Technical Information Service. Reference NISTIR 4933, order number PB93-113553, price $17.50.

The Basic Tool for Standards Implementation

The Federal Information Resources Management Regulation (FIRMR) Parts 201-20 and 201-39, issued by the General Services Administration (GSA), provide the foundation for the implementation of standards by agencies. GSA also issues the Federal ADP and Telecommunications Standards Index, which contains useful information for incorporating standards in solicitation documents.
The Federal ADP and Telecommunications Standards Index is available from the Government Printing Office, Washington, DC 20402; telephone (202) 783-3238.

Agencies should review FIPS individually to determine their applicability to agency acquisitions. In some cases, it is necessary to select alternatives or options from the FIPS. The index provides terminology for use in requirements statements and documents, purchase agreements, solicitations, and offers for acquisition of equipment, services, and software. For a copy of NIST Publications List 58, FIPS Publications, call CSL Publications at (301) 975-2821. All FIPS are available for sale by the National Technical Information Service; telephone (703) 487-4650.

Waivers to Standards

CSL's goal is to create standards that meet real needs and that can be supported by real products; however, it may be necessary from time to time to waive the use of FIPS when compliance would have an adverse impact on the agency. Uniform waiver procedures have been developed to clarify the conditions for granting waivers and to place the authority for waivers with officials best able to make decisions about the impact of standards on agency mission and costs. The waiver procedures were announced in a January 30, 1989 Federal Register notice (Vol. 54, No. 18, p. 4322). The notice included a memorandum disseminated in November 1988 by the Secretary of Commerce to the heads of Executive departments and agencies delegating the authority to waive FIPS.

Summary of Procedures for Waivers to FIPS

Waivers shall be granted only when:

o compliance with a standard would adversely affect the accomplishment of the mission of an operator of a federal computer system; or

o compliance with a standard would cause a major adverse financial impact on the operator which is not offset by government-wide savings.

Agency heads may act upon a written waiver request or without a written request when they determine that conditions for meeting the standard cannot be met.
Agency heads may approve waivers only by a written decision which explains the basis on which the agency head made the required finding. Copies of waiver decisions must be sent to NIST, the Committee on Government Operations of the House of Representatives, and the Committee on Governmental Affairs of the Senate, and published in the Federal Register. A copy of the waiver and supporting documentation must be retained by the agency as part of the procurement documentation. A note of the waiver determination must be published in the Commerce Business Daily when it applies to the procurement of equipment and/or services.

The head of an agency may redelegate the authority to grant waivers only to a senior official designated pursuant to section 3506(b) of Title 44, U.S. Code.