Monday, November 23, 2009

Security-relevant Standards Organizations

Organization Description

ABA


The American Bankers Association develops computer standards for financial and banking areas. The ABA is the Secretariat for X9, ANSI's Accredited Standards Committee for Financial Services. Standards developed by this committee focus on encryption and message authentication for financial institutions. The ABA also develops standards for personal identification numbers (PINs) and key management.

ANSI


The American National Standards Institute is the officially designated national standards organization in the United States and is the formal U.S. representative to ISO. ANSI does not develop its own standards, but is the clearinghouse for U.S. and international standards, for example, ASCII code, languages (e.g., C and FORTRAN), and communications protocols. ANSI committees are working on such security concerns as encryption and message authentication.

CBEMA


The Computer and Business Equipment Manufacturers Association develops standards in a variety of areas, including languages, graphics, and database technologies, and submits these standards to ANSI for approval as ANSI standards. CBEMA is the Secretariat for X3, ANSI's Accredited Standards Committee for Information Processing.

CCITT


The Comité Consultatif Internationale Telegraphique et Telephonique (International Telegraph and Telephone Consultative Committee) was established under the United Nations. It is responsible for the X.25 (packet-switched networks) and X.400 (electronic mail) standards and for other international communications standards. CCITT works with ISO on international standards for security.

ECMA


The European Computer Manufacturers Association is an association of approximately 50 European computer manufacturers. Its security groups are involved in developing standards for security in such areas as distributed interactive processing, distributed office applications, and open systems.

EIA


The Electronic Industries Association is a trade organization that has developed standards such as the RS-232 standard for terminals and computer connections.

IEEE


The Institute of Electrical and Electronics Engineers is a professional organization that develops standards and submits them for ANSI approval.
The IEEE 1003.1 standard, announced in 1988, is the official POSIX (Portable Operating System Interface for Computer Environments) standard for application portability in open systems. Along with many other POSIX standards efforts, it was developed in cooperation with the ISO (described below). Although the POSIX interface standard (also known as POSIX-1) is based on the UNIX system model, POSIX specifies how an interface must perform, not how it is implemented, so UNIX need not be the base operating system. POSIX.1 evolved in 1981 from /usr/group, the forerunner of UniForum, the Association of UNIX System Users. The /usr/group standard was an early attempt to specify a standard for a portable mechanism.
The IEEE 1003.1 standard has also been published by NIST (described below) as FIPS PUB 151 and by ISO (also described below) as ISO/IEC 9945-1.

IEEE has a number of committees, some of them security-related. The IEEE 1003.6 Security Extensions Committee grew out of UniForum's Technical Committee's Security Subcommittee. This committee is dedicated to developing standards for making a POSIX-compliant system a trusted system. Security subgroups are at work on security issues such as discretionary access control, mandatory access control, privileges, and audit trails, and standards are expected within the next few years.

IFIP

The International Federation of Information Processing is a multinational federation of professional and technical organizations involved with computer and information processing. It was originally established under the auspices of UNESCO. IFIP has a number of committees. The Technical Committee 11 (TC-11) on Security and Protection in Information Systems does extensive work in disseminating security information internationally and in developing standards.

ISO

The International Standards Organization (Organisation Internationale de Normalisation), founded in 1946, is an international organization composed of a number of national standards organizations. ISO's Open Systems Interconnection (OSI) basic reference model is a standard conceptual model for discussing data communications. ISO and other organizations are working on extending the OSI model to define security-related architectural elements.
Several groups within ISO are developing standards using cryptography as a mechanism for network security. Such standards will provide for data confidentiality, data integrity, peer entity authentication, access control, key distribution, and digital signatures.

MAP/TOP


The Manufacturing Automation Protocol/Technical Office Protocol is a consortium of factory automation users. Sponsored by General Motors (MAP) and Boeing (TOP), MAP/TOP has worked on pieces of ISO standards.

NCSC


The National Computer Security Center publishes the Rainbow Series of computer security standards for trusted systems, chief among them the Orange Book.
The NCSC sponsors the Trusted UNIX Organization (TRUSIX), which consists of a group of vendors, including AT&T, involved in developing trusted UNIX systems. Security standards developed by TRUSIX will be POSIX-compliant.

NIST


The National Institute of Standards and Technology (formerly the National Bureau of Standards) specifies standards for many government-related products and procedures.
FIPS PUBs (Federal Information Processing Standards publications) are written by NIST's National Computer Systems Laboratory (NCSL). FIPS PUBs are required standards for the acquisition of equipment and the processing of information by government agencies and contractors.

GOSIP (the Government Open Systems Interconnect Profile program) is sponsored by NIST with participation by a number of other government agencies. GOSIP specifies a set of data communications protocols based on the OSI model. All government agencies that buy networks must now comply with the GOSIP/OSI standard. In 1988, Version 1 of the GOSIP standard for networks and services was published as FIPS PUB 146. The standard is being revised to address security concerns and other issues.
