The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



Guideline for the Analysis of Local Area Network Security

US Department of Commerce
Added 2002-07-26

Entity Authentication Using Public Key Cryptography

US Department of Commerce
Added 2002-07-26


Standard Security Label for Information Transfer

US Department of Commerce
Added 2002-07-26

Digital Signal Standard (DSS)

US Department of Commerce
Added 2002-07-26

Escrowed Encryption Standard (EES)

US Department of Commerce
Added 2002-07-26

Secure Hash Standard

US Department of Commerce
Added 2002-07-26

Automated Password Generator (APG)

US Department of Commerce
Added 2002-07-26

Key Management Using ANSI X9.17

US Department of Commerce
Added 2002-07-26

Security Requirements for Cryptographic Modules

US Department of Commerce

The selective application of technological and related procedural safeguards is an important responsibility of every Federal organization in providing adequate security in its computer and telecommunications systems.  The publication provides a standard to be used by Federal organizations when these organizations specify that cryptographic-based security systems are to be used to provide protection for sensitive or valuable data.  Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module.  This standard specifies the security requirements that are to be satisfied by a cryptographic module.  The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments.  The security requirements cover areas related to the secure design and implementation of a cryptographic module.  These areas include basic design and documentation, module interfaces, authorized roles and services, physical security, software security, operating system security, key management, cryptographic algorithms, electromagnetic interference/electromagnetic compatibility (EMI/EMC), and self-testing.  This revision supersedes FIPS 140 in its entirety.

Added 2002-07-26

Computer Data Authentication

US Department of Commerce
Added 2002-07-26

Password Usage

US Department of Commerce

The document specifies basic security criteria for two different uses of passwords in an ADP system: (1) personal identity authentication and (2) data access authorization.  It establishes the basic criteria for the design, implementation and use of a password system in those systems where passwords are used.  It identifies fundamental ADP management functions pertaining to passwords and specifies some user actions required to satisfy these functions.  In addition, it specifies several technical features which may be implemented in an ADP system in order to support a password system.  An implementation schedule is established for compliance with the Standard.  Numerous guidelines are provided in the Appendices for managers and users seeking to comply with the Standard.

Added 2002-07-26

Guideline for Computer Security Certification and Accreditation

US Department of Commerce

This Guideline is intended for use by ADP managers and technical staff in establishing and carrying out a program and a technical process for computer security certification and accreditation of sensitive computer applications.  It identifies and describes the steps involved in performing computer security certification and accreditation; it identifies and discusses important issues in managing a computer security certification and accreditation; it identifies and discusses the principal functional roles needed within an organization to carry out such a program; and it contains sample outlines of an Application Certification Plan and a Security Evaluation Report as well as a sample Accreditation Statement and sensitivity classification scheme.  A discussion of recertification and reaccreditation and its relation to change control is also included.  The Guideline also relates certification and accreditation to risk analysis, EDP audit, validation, verification and testing (VV&T), and the system life cycle.  A comprehensive list of references is included.

Added 2002-07-26

Guidelines for ADP Contingency Planning

US Department of Commerce
Added 2002-07-26