Management Guide to the Protection of Information Resources

National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST) is responsible for developing standards, providing technical assistance, and conducting research for computers and related systems. These activities provide technical support to government and industry in the effective, safe, and economical use of computers. With the passage of the Computer Security Act of 1987 (P.L. 100-235), NIST's activities also include the development of standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems. This guide represents one activity towards the protection and management of sensitive information resources.

Acknowledgments

This guide was written by Cheryl Helsing of Deloitte, Haskins & Sells in conjunction with Marianne Swanson and Mary Anne Todd, National Institute of Standards and Technology.

Executive Summary

Today computers are integral to all aspects of operations within an organization. As Federal agencies are becoming critically dependent upon computer information systems to carry out their missions, the agency executives (policy makers) are recognizing that computers and computer-related problems must be understood and managed, the same as any other resource. They are beginning to understand the importance of setting policies, goals, and standards for protection of data, information, and computer resources, and are committing resources for information security programs. They are also learning that primary responsibility for data security must rest with the managers of the functional areas supported by the data.

All managers who use any type of automated information resource system must become familiar with their agency's policies and procedures for protecting the information which is processed and stored within them. Adequately secure systems deter, prevent, or detect unauthorized disclosure, modification, or use of information. Agency information requires protection from intruders, as well as from employees with authorized computer access privileges who attempt to perform unauthorized actions. Protection is achieved not only by technical, physical and personnel safeguards, but also by clearly articulating and implementing agency policy regarding authorized system use to information users and processing personnel at all levels. This guide is one of three brochures that have been designed for a specific audience. The "Executive Guide to the Protection of Information Resources" and the "Computer User's Guide to the Protection of Information Resources" complete the series.

Table of Contents

Executive Summary
Introduction
    Purpose of Guide
    The Risks
    Responsibilities
Information Systems Development
    Control Decisions
    Security Principles
    Access Decisions
    Systems Development Process
Computer Facility Management
    Physical Security
    Data Security
    Monitoring and Review
Personnel Management
    Personnel Security
    Training
For Additional Information

Introduction

Purpose of this Guide

This guide introduces information systems security concerns and outlines the issues that must be addressed by all agency managers in meeting their responsibilities to protect information systems within their organizations. It describes essential components of an effective information resource protection process that applies to a stand-alone personal computer or to a large data processing facility.

The Risks

Effort is required by every Federal agency to safeguard information resources and to reduce risks to a prudent level. The spread of computing power to individual employees via personal computers, local-area networks, and distributed processing has drastically changed the way we manage and control information resources. Internal controls and control points that were present in the past when we were dealing with manual or batch processes have not been established in many of today's automated systems. Reliance upon inadequately controlled computer systems can have serious consequences, including:

    - Inability or impairment of the agency's ability to perform its mission
    - Inability to provide needed services to the public
    - Waste, loss, misuse, or misappropriation of funds
    - Loss of credibility or embarrassment to an agency

To avoid these consequences, a broad set of information security issues must be effectively and comprehensively addressed.

Responsibilities

All functional managers have a responsibility to implement the policies and goals established by executive management for protection of automated information resources (data, processes, facilities, equipment, personnel, and information). Managers in all areas of an organization are clearly accountable for the protection of any of these resources assigned to them to enable them to perform their duties. They are responsible for developing, administering, monitoring, and enforcing internal controls, including security controls, within their assigned areas of authority. Each manager's specific responsibilities will vary, depending on the role that manager has with regard to computer systems.

Portions of this document provide more detailed information on the respective security responsibilities of managers of computer resources, managers responsible for information systems applications, and the personnel security issues involved. However, all agency management must strive to:

Achieve Cost-Effective Security

The dollars spent for security measures to control or contain losses should never be more than the projected dollar loss if something adverse happened to the information resource. Cost-effective security results when reduction in risk through implementation of safeguards is balanced with costs. The greater the value of information processed, or the more severe the consequences if something happens to it, the greater the need for control measures to protect it.

The person who can best determine the value or importance of data is the functional manager who is responsible for the data. For example, the manager responsible for the agency's budget program is the one who should establish requirements for the protection of the automated data which supports the program. This manager knows better than anyone else in the organization what the impact will be if the data is inaccurate or unavailable. Additionally, this manager usually is the supervisor of most of the users of the data.

It is important that these trade-offs of cost versus risk reduction be explicitly considered, and that management understand the degree of risk remaining after selected controls are implemented.

Assure Operational Continuity

With ever-increasing demands for timely information and greater volumes of information being processed, the threat of information system disruption is a very serious one. In some cases, interruptions of only a few hours are unacceptable. The impact due to inability to process data should be assessed, and actions should be taken to assure availability of those systems considered essential to agency operation. Functional management must identify critical computer applications and develop contingency plans so that the probability of loss of data processing and telecommunications support is minimized.

Maintain Integrity

Integrity of information means you can trust the data and the processes that manipulate it. Not only does this mean that errors and omissions are minimized, but also that the information system is protected from deliberate actions to wrongfully change the data. Information can be said to have integrity when it corresponds to the expectations and assumptions of the users.

Assure Confidentiality

Confidentiality of sensitive data is often, but not always, a requirement of agency systems. Privacy requirements for personal information are dictated by statute, while confidentiality of other agency information is determined by the nature of that information, e.g., information submitted by bidders in procurement actions. The impact of wrongful disclosure must be considered in understanding confidentiality requirements.

Comply with Applicable Laws and Regulations

As risks and vulnerabilities associated with information systems become better understood, the body of law and regulations compelling positive action to protect information resources grows. OMB Circular No. A-130, "Management of Federal Information Resources," and Public Law 100-235, "Computer Security Act of 1987," are two documents whose requirements provide a baseline for an information resource security program.

Information Systems Development

This section describes the protective measures that should be included as part of the design and development of information processing application systems. The functional manager who is responsible for, and will use, the information contained in the system must ensure that security measures have been included and are adequate. This includes applications designed for personal computers as well as large mainframes.

Control Decisions

The official responsible for the agency function served by the automated information system has a critical role in making decisions regarding security and control. In the past, risk was often unconsciously accepted when such individuals assumed the computer facility operators were taking care of security. In fact, there are decisions to be made and security elements to be provided that cannot be delegated to the operator of the system. In many cases, the user or manager develops the application and operates it alone.

The cost of control must be balanced with system efficiency and usability issues. Risk must be evaluated and cost-effective controls selected to provide a prudent level of control while maximizing productivity. Controls are often closely connected with the system function, and cannot be effectively designed without significant understanding of the process being automated.

Security Principles

There are some common security attributes that should be present in any system that processes valuable personal or sensitive information. System designs should include mechanisms to enforce the following security attributes.

Identification and Authentication of Users

Each user of a computer system should have a unique identification on the system, such as an account number or other user identification code. There must also be a means of verifying that the individual claiming that identity (e.g., by typing in that identifying code at a terminal) is really the authorized individual and not an imposter. The most common means of authentication is by a secret password, known only to the authorized user.

Authorization Capability Enforcing the Principle of Least Possible Privilege

Beyond ensuring that only authorized individuals can access the system, it is also necessary to limit the users' access to information and transaction capabilities. Each person should be limited to only the information and transaction authority that is required by their job responsibilities. This concept, known as the principle of least possible privilege, is a long-standing control practice. There should be a way to easily assign each user just the specific access authorities needed.

Individual Accountability

From both a control and legal point of view, it is necessary to maintain records of the activities performed by each computer user. The requirements for automated audit trails should be developed when a system is designed. The information to be recorded depends on what is significant about each particular system. To be able to hold individuals accountable for their actions, there must be a positive means of uniquely identifying each computer user and a routinely maintained record of each user's activities.

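The three principles just described (unique identification with password authentication, authorization limited to explicitly assigned authorities, and an audit trail supporting individual accountability), as an added Python example that is not part of the NIST guide. The user ids, resources, actions, passwords and PBKDF2 work factor are constructed for illustration.

```python
# Added example (not from the NIST guide). User ids, resources, actions,
# passwords and the PBKDF2 work factor below are constructed for illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 100_000   # assumed work factor for the example


@dataclass
class Account:
    user_id: str                 # the unique identification on the system
    salt: bytes
    password_hash: bytes
    # Least possible privilege: only explicitly granted (resource -> actions)
    # pairs are allowed; anything not listed here is denied.
    authorities: dict = field(default_factory=dict)


class AccessControl:
    def __init__(self):
        self._accounts = {}
        self.audit_trail = []    # one record per login or access decision

    def _record(self, user_id, event, resource, action, outcome):
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "event": event,
            "resource": resource, "action": action, "outcome": outcome,
        })

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    def register(self, user_id, password, authorities):
        # Accountability requires that an identification be unique.
        if user_id in self._accounts:
            raise ValueError(f"user id {user_id!r} already exists")
        salt = os.urandom(16)
        self._accounts[user_id] = Account(
            user_id, salt, self._hash(password, salt),
            {res: set(acts) for res, acts in authorities.items()})

    def authenticate(self, user_id, password):
        """Verify that the person claiming user_id knows its secret password."""
        acct = self._accounts.get(user_id)
        if acct is None:
            self._record(user_id, "LOGIN", None, None, "FAIL")
            return False
        ok = hmac.compare_digest(self._hash(password, acct.salt),
                                 acct.password_hash)
        self._record(user_id, "LOGIN", None, None, "OK" if ok else "FAIL")
        return ok

    def authorize(self, user_id, resource, action):
        """Default deny: grant only an authority assigned to this user."""
        acct = self._accounts.get(user_id)
        allowed = (acct is not None
                   and action in acct.authorities.get(resource, set()))
        self._record(user_id, "ACCESS", resource, action,
                     "GRANTED" if allowed else "DENIED")
        return allowed


def build_demo():
    """Constructed agency budget example: a clerk may only view the ledger,
    an analyst may view and update it; neither has any payroll authority."""
    ac = AccessControl()
    ac.register("clerk01", "correct horse", {"budget_ledger": {"view"}})
    ac.register("analyst02", "staple battery",
                {"budget_ledger": {"view", "update"}})
    return ac


if __name__ == "__main__":
    ac = build_demo()
    ac.authenticate("clerk01", "correct horse")           # OK
    ac.authorize("clerk01", "budget_ledger", "update")    # DENIED
    ac.authorize("analyst02", "budget_ledger", "update")  # GRANTED
    for rec in ac.audit_trail:
        print(rec)
```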
Audit Mechanisms

Audit mechanisms detect unusual events and bring them to the attention of management. This commonly occurs by violation reporting or by an immediate warning to the computer system operator. The type of alarm generated depends on the seriousness of the event.

A common technique to detect access attempts by unauthorized individuals is to count attempts. The security monitoring functions of the system can automatically keep track of unsuccessful attempts to gain access and generate an alarm if the attempts reach an unacceptable number.

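An added example, not from the guide, of the attempt-counting technique described above: it reads constructed audit-trail lines (the line format, thresholds and sample entries are assumptions), counts unsuccessful attempts per user and per terminal, and grades the alarm by seriousness.

```python
# Added example (not from the NIST guide). The audit line format, the
# thresholds and the sample entries below are constructed for illustration.
import re
from collections import defaultdict

# Constructed format: "<date> <time> LOGIN <OK|FAIL> user=<id> terminal=<id>"
LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) LOGIN (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) terminal=(?P<term>\S+)$")

FAIL_THRESHOLD = 3       # consecutive failures for one user id -> WARNING
TERMINAL_THRESHOLD = 5   # failures from one terminal, any user id -> ALERT

SAMPLE_LOG = [  # constructed audit-trail excerpt
    "1989-05-12 09:14:03 LOGIN FAIL user=jdoe terminal=T07",
    "1989-05-12 09:14:21 LOGIN FAIL user=jdoe terminal=T07",
    "1989-05-12 09:14:40 LOGIN OK user=jdoe terminal=T07",     # mistyped, then OK
    "1989-05-12 09:20:02 LOGIN FAIL user=msmith terminal=T12",
    "1989-05-12 09:20:15 LOGIN FAIL user=msmith terminal=T12",
    "1989-05-12 09:20:31 LOGIN FAIL user=msmith terminal=T12", # 3rd -> WARNING
    "1989-05-12 09:21:00 LOGIN FAIL user=abrown terminal=T12",
    "1989-05-12 09:21:09 LOGIN FAIL user=clee terminal=T12",   # 5th on T12 -> ALERT
    "this line is not in the expected format",
]


def parse_line(line):
    """Return the fields of one audit line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_alarms(lines, fail_threshold=FAIL_THRESHOLD,
                  terminal_threshold=TERMINAL_THRESHOLD):
    """Return a list of (severity, subject, message) alarms, in log order.

    A successful login resets that user's consecutive-failure count, so a
    person who mistypes twice and then succeeds raises no alarm. The per-
    terminal count is never reset by a success of a different user id, which
    is what distinguishes guessing across accounts from one user's typos."""
    user_fails = defaultdict(int)
    term_fails = defaultdict(int)
    alarms = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            # A record the monitor cannot read is itself an exception item.
            alarms.append(("WARNING", "audit-parser",
                           f"unreadable audit line: {line.strip()!r}"))
            continue
        if rec["result"] == "OK":
            user_fails[rec["user"]] = 0
            continue
        user_fails[rec["user"]] += 1
        term_fails[rec["term"]] += 1
        if user_fails[rec["user"]] == fail_threshold:
            alarms.append(("WARNING", rec["user"],
                           f"{fail_threshold} consecutive failed attempts, "
                           f"last at {rec['time']} on {rec['term']}"))
        if term_fails[rec["term"]] == terminal_threshold:
            alarms.append(("ALERT", rec["term"],
                           f"{terminal_threshold} failed attempts from one "
                           f"terminal across user ids, last at {rec['time']}"))
    return alarms


if __name__ == "__main__":
    for severity, subject, message in detect_alarms(SAMPLE_LOG):
        print(f"{severity:8} {subject:14} {message}")
```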
Performance Assurance

A basic design consideration for any information system should be the ability to verify that the system is functioning as intended. Systems that are developed without such design considerations are often very difficult to independently audit or review, leading to the possibility of unintended results or inaccurate processing.

Recoverability

Because Federal agencies can potentially be heavily dependent on a computer system, an important design consideration is the ability to easily recover from troublesome events, whether minor problems or major disruptions of the system. Systems should be designed to easily recover from minor problems, and to be either transportable to another backup computer system or replaced by manual processes in case of major disruption or loss of the computer facility.

Access Decisions

Once the automated system is ready to use, decisions must be made regarding access to the system and the information it contains. For example, many individuals require the ability to access and view data, but not the ability to change or delete data. Even when computer systems have been designed to provide the ability to narrowly designate access authorities, a knowledgeable and responsible official must actually make those access decisions. The care that is taken in this process is a major determining factor of the level of security and control present in the system. If sensitive data is being transmitted over unprotected lines, it can be intercepted or passive eavesdropping can occur. Where warranted, encrypting the files will make the data unintelligible, and port protection devices will protect the files from unauthorized access.

Systems Development Process

All information systems software should be developed in a controlled and systematic manner according to agency standards. The quality and efficiency of the data processed, and the possible reconfiguration of the system, can all be affected by an inadequate development process. The risk of security exposures and vulnerabilities is greatly reduced when the systems development process is itself controlled.

Computer Facility Management

Functional managers play a critical role in assuring that agency information resources are appropriately safeguarded. This section describes the protective measures that should be incorporated into the ongoing management of information resource processing facilities. As defined in OMB Circular No. A-130, "Management of Federal Information Resources," the term "information technology facility" means an organizationally defined set of personnel, hardware, software, and physical facilities, a primary function of which is the operation of information technology. This section, therefore, applies to any manager who houses a personal computer, mainframe or any other form of office system or automated equipment.

Physical Security

Information cannot be appropriately protected unless the facilities that house the equipment are properly protected from physical threats and hazards. The major areas of concern are described below.

Environmental Conditions

For many types of computer equipment, strict environmental conditions must be maintained. Manufacturer's specifications should be observed for temperature, humidity, and electrical power requirements.

Control of Media

The media upon which information is stored should be carefully controlled. Transportable media such as tapes and cartridges should be kept in secure locations, and accurate records kept of the location and disposition of each. In addition, media from an external source should be subject to a check-in process to ensure it is from an authorized source.

Control of Physical Hazards

Each area should be surveyed for potential physical hazards. Fire and water are two of the most damaging forces with regard to computer systems. Opportunities for loss should be minimized by an effective fire detection and suppression mechanism, and by planning that reduces the danger of leaks or flooding. Other physical controls include reducing the visibility of the equipment and strictly limiting access to the area or equipment.

Contingency Planning

Although risks can be minimized, they cannot be eliminated. When reliance upon a computer facility or application is substantial, some type of contingency plan should be devised to allow critical systems to be recovered following a major disaster, such as a fire. There are a number of alternative approaches that should be evaluated to most cost-effectively meet the agency's need for continuity of service.

Configuration Management

Risk can be introduced through unofficial and unauthorized hardware or software. Another key component of information resource management is ensuring only authorized hardware and software are being utilized. There are several control issues to be addressed.

Maintaining Accurate Records

Records of hardware/software inventories, configurations, and locations should be maintained and kept up-to-date.

Complying with Terms of Software Licenses

Especially with microcomputer software, illegal copying and other uses in conflict with licensing agreements are concerns. The use of software subject to licensing agreements must be monitored to ensure it is used according to the terms of the agreement.

Protecting Against Malicious Software and Hardware

The recent occurrences of destructive computer "viruses" point to the need to ensure that agencies do not allow unauthorized software to be introduced to their computer environments. Unauthorized hardware can also contain hidden vulnerabilities. Management should adopt a strong policy against unauthorized hardware/software, inform personnel about the risks and consequences of unauthorized additions to computer systems, and develop a monitoring process to detect violations of the policy.

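An added example, not from the guide, of a monitoring process covering the three configuration-management issues above: it checks a constructed inventory against an authorized baseline record and reports software that is not authorized, installed copies that no longer match the authorized version, and installations that exceed the licensed seats. Product names, file contents, digests and seat counts are constructed.

```python
# Added example (not from the NIST guide). Product names, file contents,
# digests, machine names and seat counts are constructed for illustration.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthorizedItem:
    name: str
    version: str
    sha256: str            # digest of the approved program file
    licensed_seats: int    # copies the agency is licensed to install


def fingerprint(content: bytes) -> str:
    """SHA-256 digest of a program file; used to tell a modified copy apart
    from the authorized one even when name and version still match."""
    return hashlib.sha256(content).hexdigest()


# Constructed authorized baseline. Digests are computed from constructed
# file contents so the example runs offline.
AUTHORIZED = {
    ("wordproc", "2.1"): AuthorizedItem(
        "wordproc", "2.1", fingerprint(b"wordproc-2.1-release"), 3),
    ("sheet", "1.0"): AuthorizedItem(
        "sheet", "1.0", fingerprint(b"sheet-1.0-release"), 1),
}

# Constructed inventory snapshot: (machine, name, version, digest of installed file)
INVENTORY = [
    ("pc-01", "wordproc", "2.1", fingerprint(b"wordproc-2.1-release")),
    ("pc-02", "wordproc", "2.1", fingerprint(b"wordproc-2.1-release")),
    ("pc-03", "wordproc", "2.1", fingerprint(b"wordproc-2.1-altered")),  # modified copy
    ("pc-01", "sheet", "1.0", fingerprint(b"sheet-1.0-release")),
    ("pc-04", "sheet", "1.0", fingerprint(b"sheet-1.0-release")),        # 2nd copy, 1 seat
    ("pc-05", "game", "0.9", fingerprint(b"program-of-unknown-origin")),  # not authorized
]


def review_inventory(inventory, authorized):
    """Return (finding, subject, message) triples for policy violations."""
    findings = []
    installed = {}   # (name, version) -> number of installed copies
    for machine, name, version, digest in inventory:
        key = (name, version)
        item = authorized.get(key)
        if item is None:
            findings.append(("UNAUTHORIZED", machine,
                             f"{name} {version} is not in the authorized baseline"))
            continue
        if digest != item.sha256:
            findings.append(("MODIFIED", machine,
                             f"{name} {version} does not match the authorized copy"))
        # A modified copy still occupies a licensed seat, so count it too.
        installed[key] = installed.get(key, 0) + 1
    for key, count in installed.items():
        item = authorized[key]
        if count > item.licensed_seats:
            findings.append(("LICENSE", item.name,
                             f"{count} copies installed, {item.licensed_seats} seats licensed"))
    return findings


if __name__ == "__main__":
    for finding, subject, message in review_inventory(INVENTORY, AUTHORIZED):
        print(f"{finding:12} {subject:10} {message}")
```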
Data Security

Management must ensure that appropriate security mechanisms are in place that allow responsible officials to designate access to data according to individual computer users' specific needs. Security mechanisms should be sufficient to implement individual authentication of system users, allow authorization to specific information and transaction authorities, maintain audit trails as specified by the responsible official, and encrypt sensitive files if required by user management.

Monitoring and Review

A final aspect of information resource protection to be considered is the need for ongoing management monitoring and review. To be effective, a security program must be a continuous effort. Ideally, ongoing processes should be adapted to include information protection checkpoints and reviews. Information resource protection should be a key consideration in all major computer system initiatives.

Earlier, the need for system audit trails was discussed. Those audit trails are useful only if management regularly reviews exception items or unusual activities. Irregularities should be researched and action taken when merited. Similarly, all information-related losses and incidents should be investigated.

A positive benefit of an effective monitoring process is an increased understanding of the degree of information-related risk in agency operations. Without an ongoing feedback process, management may unknowingly accept too much risk. Prudent decisions about trade-offs between efficiency and control can only be made with a clear understanding of the degree of inherent risk. Every manager should ask questions and periodically review operations to judge whether changes in the environment have introduced new risk, and to ensure that controls are working effectively.

Personnel Management

Managers must be aware that information security is more a people issue than a technical issue. Personnel are a vital link in the protection of information resources, as information is gathered by people, entered into information resource systems by people, and ultimately used by people. Security issues should be addressed with regard to:

    - People who use computer systems and store information in the course of their normal job responsibilities
    - People who design, program, test, and implement critical or sensitive systems
    - People who operate computer facilities that process critical or sensitive data

Personnel Security

From the point of hire, individuals who will have routine access to sensitive information resources should be subject to special security procedures. More extensive background or reference checks may be appropriate for such positions, and security responsibilities should be explicitly covered in employee orientations. Position descriptions and performance evaluations should also explicitly reference unusual responsibilities affecting the security of information resources.

Individuals in sensitive positions should be subject to job rotation, and work flow should be designed in such a way as to provide as much separation of sensitive functions as possible. Upon decision to terminate or notice of resignation, expedited termination or rotation to less sensitive duties for the remainder of employment is a reasonable precaution.

Any Federal computer user who deliberately performs or attempts to perform unauthorized activity should be subject to disciplinary action, and such disciplinary action must be uniformly applied throughout the agency. Any criminal activity under Federal or state computer crime laws must be reported to law enforcement authorities.

Training

Most information resource security problems involve people. Problems can usually be identified in their earliest stages by people who are attuned to the importance of information protection issues. A strong training program will yield large benefits in prevention and early detection of problems and losses. To be most effective, training should be tailored to the particular audience being addressed, e.g., executives and policy makers; program and functional managers; IRM security and audit; ADP management and operations; end users.

Most employees want to do the right thing, if agency expectations are clearly communicated. Internal policies can be enforced only if staff have been made aware of their individual responsibilities. All personnel who access agency computer systems should be aware of their responsibilities under agency policy, as well as obligations under the law. Disciplinary actions and legal penalties should be communicated.

For Additional Information

National Institute of Standards and Technology
Computer Security Program Office, A-216 Technology
Gaithersburg, MD 20899
(301) 975-5200

For further information on the management of information resources, NIST publishes Federal Information Processing Standards Publications (FIPS PUBS). These publications deal with many aspects of computer security, including password usage, data encryption, ADP risk management and contingency planning, and computer system security certification and accreditation. A list of current publications is available from:

Standards Processing Coordinator (ADP)
National Computer Systems Laboratory
National Institute of Standards and Technology
Technology Building, B-64
Gaithersburg, MD 20899
Phone: (301) 975-2817