This document provides guidelines for federal organizations’ acquisition and use of security-related information technology (IT) products and services. NIST’s advice is provided in the context of larger recommendations regarding security assurance (see NIST Special Publication 800-23, http://csrc.nist.gov).
This document has been developed by NIST in furtherance of its statutory responsibilities (under the Computer Security Act of 1987 and the Information Technology Management Reform Act of 1996, specifically 15 U.S.C. 278 g-3 (a)(5)). This is not a guideline within the meaning of (15 U.S.C. 278 g-3 (a)(3)).
These guidelines are for use by federal organizations which process sensitive information. They are consistent with the requirements of Office of Management and Budget (OMB) Circular A-130, Appendix III.
This document may be used by nongovernmental organizations on a voluntary basis. It is not subject to copyright.
Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding upon federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, the Director of the OMB, or any other federal official.
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
