Try the new CSRC.nist.gov and let us know what you think!
(Note: Beta site content may not be complete.)

CSRC News - 2017 & 2016

NIST Releases the Second Draft Special Publication 800-190, Application Container Security Guide
July 13, 2017

NIST announces the second public comment release of Draft Special Publication 800-190, Application Container Security Guide. Application container technologies, also known as containers, are a form of operating system virtualization combined with application software packaging. Draft SP 800-190 explains the security concerns associated with container technologies and makes practical recommendations for addressing those concerns when planning for, implementing, and maintaining containers. Please submit comments to 800-190comments@nist.gov with "Comments on SP 800-190" in the subject line. The comment period closes on August 11, 2017.

Update to Current Use and Deprecation of TDEA
July 11, 2017

The Triple Data Encryption Algorithm (TDEA), also called Triple Data Encryption Standard (or 3DES), is specified in SP 800-67 Revision 1, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. Currently, the 3-key variant of the algorithm is allowed for encryption as specified in SP 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.

It is known that for a 64-bit block cipher like TDEA, a ciphertext collision will likely occur when about 2³² blocks are encrypted with a single key bundle. A collision in ciphertext blocks, once found, reveals information about the corresponding plaintext blocks. Moreover, the amount of data would have to be significantly below 2³² blocks for the probability of a collision to be very small. This security weakness motivated the requirement for the 128-bit block size in the development of the Advanced Encryption Standard (AES). AES is specified in FIPS 197, Advanced Encryption Standard (AES).

A security analysis and practical demonstration of attacks on TDEA in several real-world protocols, done by Karthikeyan Bhargavan and Gaëtan Leurent of Inria (Paris), available at https://sweet32.info/, provide evidence that the collision attack on TDEA represents a serious security vulnerability for many common uses of these protocols — including the HTTPS protocol for secure Internet connections. Moreover, the analysis shows that the security vulnerability remains serious unless more stringent limits are imposed on the amount of data that can be encrypted under a single 3-key bundle than the current data limit recommended by NIST in SP 800-67, Revision 1.

In response, NIST plans to reduce the maximum amount of plaintext allowed to be encrypted under a single TDEA 3-key bundle from 2³² to 2²⁰ (64-bit) blocks. This will be announced in the upcoming draft of SP 800-67 Revision 2, and NIST will seek comments on this reduction in the public review of that document.

In addition, NIST plans to disallow the algorithm for TLS, IPsec and possibly other protocols. TLS is discussed in SP 800-52, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations; draft revision 2 of SP 800-52 will be available for public comment in the near future. IPsec will be discussed in a new draft publication: SP 800-194, Cryptographic Recommendations for the Internet Security Protocol (IPsec) and Internet Key Exchange (IKE), which will also be available for public comment soon.

NIST urges all users of TDEA to migrate to AES as soon as possible.

NIST is developing a draft deprecation timeline for the 3-key variant of TDEA including a sunset date.

NIST requests comments on the current plan described in this announcement, including suggestions for the deprecation timeline.

Comments may be sent to TDEA_Deprecation@NIST.gov by 10/1/2017.

NIST Releases Draft NIST Interagency Report (NISTIR) 8179, Criticality Analysis Process Model
July 10, 2017

NIST is seeking comments on Draft NIST IR 8179, Criticality Analysis Process Model. This publication describes a structured method of prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may present to those goals.

Comments may be submitted here or by sending an email to nistir-8179-comments@nist.gov. NIST is accepting comments through Aug. 18, 2017.

NIST Release Special Publication 800-192, Verification and Test Methods for Access Control Policies/Models
June 28, 2017

In Special Publication 800-192, it reviews methods for the verification for access control models and the testing of model implementations. SP 800-192 defined structures for AC models, and demonstrated the expressions of AC models and safety requirements in a specification language of a model checker. The document showed the use of black box and white box model checkers that verify the integrity, coverage, and confinement of the specified safety requirements against models. In addition, an efficient way of generating test cases for the implementation from a model as well as a method for detecting AC rule faults in real time are discussed.

NIST Release Special Publication 800-12 Revision 1, An Introduction to Information Security
June 23, 2017

NIST is pleased to announce the release of Special Publication 800-12 Revision 1, An Introduction to Information Security. Information security is a constantly growing and evolving science. This revision, while looking visibly different than the original, still follows the direction established when SP 800-12 was initially published. This publication serves as a starting-point for those new to information security as well as those unfamiliar with NIST information security publications and guidelines. The intent of this special publication is to provide a high-level overview of information security principles, introduce related concepts, and also to broadly discuss the security control families defined in NIST SP 800-53, Security and Privacy Controls for Systems and Organizations.

NIST Special Publication 800-63-3, Digital Identity Guidelines, is now final.
June 22, 2017

NIST has finalized Special Publication (SP) 800-63-3: Digital Identity Guidelines (4 parts): SP 800-63-3, and SP 800-63-3 A-C - those links provided below). After more than a year of work and tremendous support from industry stakeholders—contributors submitted 1400+ comments for review, and the web version of the publication drew 74,000+ unique visitors—NIST has released a suite of documents covering digital identity from initial risk assessment to deployment of federated identity solutions. Gone are the days of levels of assurance, replaced by more assurance parts designed to be more flexible. The SP suite has also been reorganized. SP 800-63-3 is the mothership—the starting point for all things digital identity and risk—with SP 800-63A, 800-63B, and 800-63C covering the various components of a digital identity system.

NIST Release NIST Interagency Report (NISTIR) 8011, Automation Support for Security Control Assessments (volume 1 and 2)
June 15, 2017

NIST is pleased to announce the final publication of NIST Interagency Report (NISTIR) 8011, Automation Support for Security Control Assessments, Volumes 1 and 2. This NISTIR represents a joint effort between NIST and the Department of Homeland Security to provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall and the guidance in NIST SPs 800-53 and 800-53A in particular.

NISTIR 8011 will ultimately consist of 13 volumes. Volume 1 introduces the general approach to automating security control assessments, 12 ISCM security capabilities, and terms and concepts common to all 12 capabilities. Volume 2 provides details specific to the hardware asset management security capability.

NIST Release DRAFT Special Publication 800-193, Platform Firmware Resiliency Guidelines
May 30, 2017

NIST announces the public comment release of Draft Special Publication 800-193, Platform Firmware Resiliency Guidelines. The platform is a collection of fundamental hardware and firmware components needed to boot and operate a computer system. This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks. These draft guidelines promote resiliency in the platform by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and secure recovery from attacks. This document is intended to guide implementers, including system manufacturers and and component suppliers, on how to use these mechanisms to build a strong security foundation into platforms.

Email comments to: sp800-193comments@nist.gov
Comments due by: July 14, 2017

SP 800-193 Draft Document (PDF)
Comment Template

NIST Releases Draft Special Publication 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
May 15, 2017

As the world rapidly embraces the Internet of Things, properly securing medical devices has grown challenging for most healthcare delivery organizations (HDOs)........

Please visit the CSRC Drafts Publications page -- To see the full announcement & For more information regarding Draft Special Publication 1800-8 (Links to the draft document, link to where to send comments to, and link to the project page are provided).

Email comments to: hit_nccoe@nist.gov
Deadline to Submit Comments: July 7, 2017

The National Cybersecurity Center of Excellence (NCCoE) announces the Trusted Geolocation in the Cloud Building Block and seeks collaborators.
May 15, 2017

This building block is currently seeking technology vendors and service providers to participate in the development of multiple implementations. The Federal Register Notice for the Trusted Geolocation in the Cloud is published as of May 11, 2017 and will be open for 30 days. In that time the NCCoE hopes to receive feedback on the building block description as well solicit Letters of Interest from parties that wish to collaborate on the implementation. Download the Trusted Geolocation in the Cloud building block description for full details and the previous implementations have been published as NIST Interagency Report 7904. If you have any questions or suggestions, please email the team at trusted-cloud-nccoe@nist.gov.

NIST Releases Draft NIST Interagency Report (NISTIR) 8170, The Cybersecurity Framework: Implementation Guidance for Federal Agencies
May 15, 2017

Draft NISTIR 8170 provides guidance on how the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) can be used in the U.S. Federal Government in conjunction with the current and planned suite of NIST security and privacy risk management publications. The specific guidance was derived from current Cybersecurity Framework use. To provide federal agencies with examples of how the Cybersecurity Framework can augment the current versions of NIST security and privacy risk management publications, this guidance uses common federal information security vocabulary and processes.

NIST will engage with agencies to add content based on agency implementation, refine current guidance and identify additional guidance to provide the information that is most helpful to agencies. Feedback will also help to determine which Cybersecurity Framework concepts are incorporated into future versions of the suite of NIST security and privacy risk management publications. NIST would like feedback that addresses the following questions:

How can agencies use the Cybersecurity Framework, and what are the potential opportunities and challenges?
How does the guidance presented in this draft report benefit federal agency cybersecurity risk management?
How does the draft report help stakeholders to better understand federal agency use of the Cybersecurity Framework?
How does the draft report inform potential updates to the suite of NIST security and privacy risk management publications to promote an integrated approach to risk management?
Which documents among the suite of NIST security and privacy risk management publications should incorporate Cybersecurity Framework concepts, and where?
How can this report be improved to provide better guidance to federal agencies?

Deadline to Submit Comments: June 30, 2017
Email comments to: nistir8170@nist.gov

NIST Publishes a Revised “Guide to Bluetooth Security”: Special Publication (SP) 800-121 Revision 2
May 8, 2017

NIST has released a second revision of NIST SP 800-121, Guide to Bluetooth Security. It provides information on the security capabilities of Bluetooth wireless technologies and makes recommendations for organizations to effectively secure them. Updates in this revision include an introduction to and discussion of Bluetooth 4.1 and 4.2 security mechanisms and recommendations, including Secure Connections for BR/EDR and low energy.

DHS Study on Mobile Device Security
May 8, 2017

The Department of Homeland Security (DHS) has submitted a report to Congress mandated by the Cybersecurity Act of 2015. The report details current and emerging threats to the Federal government’s use of mobile devices and recommends security improvements to the mobile device ecosystem. The "Study on Mobile Device Security" relied on significant input from mobile industry vendors, carriers, service providers and academic researchers. The DHS Science and Technology Directorate (S&T) led the study in coordination with the National Institute of Standards and Technology and its National Cybersecurity Center of Excellence alongside the Department of Defense and General Services Administration.

The study found that the threats to the Federal government’s use of mobile devices--smartphones and tablet computers running mobile operating systems—exist across all elements of the mobile ecosystem. These threats require a security approach that differs substantially from the protections developed for desktop workstations largely because mobile devices are exposed to a distinct set of threats, frequently operate outside of enterprise protections and have evolved independently of desktop architectures.

NIST announces the draft whitepaper “Profiles for the Lightweight Cryptography Standardization Process”.
April 26, 2017

NIST announces the draft whitepaper “Profiles for the Lightweight Cryptography Standardization Process”. This document describes the first two profiles for NIST’s lightweight cryptography project. Profile I provides authenticated encryption with associated data (AEAD) and hashing functionalities for both hardware-oriented and software-oriented constrained environments. Profile II provides AEAD only in hardware-oriented constrained environments.

The final versions of these profiles will be the foundation of submission requirements for the first algorithms in NIST’s lightweight cryptography portfolio.

Comments due by: June 16, 2017
For more details about this Draft Whitepaper, click to the above link to go to the CSRC Drafts Publications page for link to draft along with email address where to send comments.

Recent Cryptanalysis of FF3
April 12, 2017

Two researchers, Betül Durak (Rutgers University) and Serge Vaudenay (Ecole Polytechnique Fédérale de Lausanne), have given NIST early notification of a cryptanalytic attack on the FF3 technique for format-preserving encryption (FPE). The researchers gave a presentation of their work at the ESC 2017 Conference in January, and the details of the attack are expected to be published in the coming year. FF3 is specified and approved in NIST Special Publication 800-38G as a mode of operation of the Advanced Encryption Standard (AES) block cipher algorithm. NIST has concluded that FF3 is no longer suitable as a general-purpose FPE method.

Whether the attack might be practical to execute on any given implementation of FF3 depends on whether the attacker can obtain the ciphertexts (encrypted values) for a sufficient number of chosen plaintexts. The attacker would have to obtain the ciphertexts for a significant fraction of the possible plaintexts, under any single choice for the 8-byte "tweak" input, and also for a similar number of plaintexts under a second, related tweak. The attacker would have to choose most of the plaintexts adaptively, i.e., based on previously obtained information. If the attack succeeded, it would likely recover the encryption of any plaintext under any tweak.

The computational complexity of the attack depends mostly on the size of the domain, i.e., number of possible input data (not including the tweak) that the implementation is designed to encrypt. The size of the domain is denoted by radixⁿ in the FF3 specification. For the choice of attack parameters that minimizes the collection of data (specifically, to radix^11n/12 plaintext-ciphertext pairs), the number of computational steps would be radix^5n/2.

For example, if the confidential data are 9-digit decimal strings, like social security numbers, the number of steps would be approximately 2⁷⁵. Although in this case the level of computation might be prohibitive, FF3 clearly does not achieve the intended 128-bit security level. For any significantly smaller domains of confidential data--including the middle-six digits of credit card numbers, the format that FF3 was designed to encrypt--the level of computation for the attack might be practical for many attackers.

The researchers proposed a straightforward modification to FF3: require two particular bytes of the tweak to be set to zero, which in effect would reduce the size of the tweak from eight bytes to six bytes. Implementations that properly enforce this requirement should not be vulnerable to the attack. Alternative structures/conditions on the tweak might also preclude the attack.

NIST expects to revise Special Publication 800-38G after the details of the attack are published, either to change the FF3 specification, or to withdraw the approval of FF3. Comments on this decision may be submitted to EncryptionModes@nist.gov; a formal period of public comment will also be initiated when the draft revision is released.

NIST Requests Public Comments on Draft Special Publication (SP) 800-190, Application Container Security Guide
April 10, 2017

NIST announces the public comment release of Draft Special Publication (SP) 800-190, Application Container Security Guide. Application container technologies, better known as containers, are a form of operating system virtualization combined with application software packaging. Draft SP 800-190 explains the security benefits and concerns associated with container technologies and makes practical recommendations for addressing the concerns when planning for, implementing, and maintaining containers.

The public comment period closes May 18, 2017.

For a copy of the draft document and a template for submitting comments, visit http://csrc.nist.rip/publications/PubsDrafts.html#SP-800-190

Status of NIST SP 800-53, Revision 5
March 31, 2017

The planned release of NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Systems and Organizations (Initial Public Draft), on March 28 has been delayed. The publication is still undergoing internal review. We hope to be able to release the publication in the very near future. Here are a few highlights from the Notes to Reviewers that will give you a preview of what to expect in Revision 5--

" …This update to NIST Special Publication 800-53 embarks on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of systems, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and IoT devices. Those safeguarding measures include security and privacy controls to protect the critical and essential operations and assets of organizations and the personal privacy of individuals. The ultimate objective is to make the systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.

Revision 5 of this foundational NIST publication represents a one-year effort to develop the next generation security and privacy controls that will be needed to accomplish the above objectives. It includes significant changes to make the controls more consumable by diverse groups including, for example, enterprises conducting mission and business operations; engineering organizations developing systems and systems-of-systems; and industry partners building system components, products, and services. The major changes to the publication include:

Making the security and privacy controls more outcome-based by changing the structure of the controls;
Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for systems and organizations;
Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
Eliminating the term information system and replacing it with the term system so the controls can be applied to any type of system including, for example, general purpose systems, cyber-physical systems, industrial/process control systems, and IoT devices;
Deemphasizing the federal focus of the publication to encourage greater use by nonfederal organizations;
Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
Incorporating new, state of the practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability…"

We will continue to keep you updated on the progress of the internal review and the anticipated release date.

NIST Released NISTIR 8114, Report on Lightweight Cryptography
March 30, 2017

NIST is pleased to announce the release of NISTIR 8114, Report on Lightweight Cryptography. This report provides an overview of lightweight cryptography, summarizes the findings of NIST's lightweight cryptography project, and outlines NIST's plans for the standardization of lightweight algorithms.

FINAL PUBLIC DRAFT Cybersecurity Framework Manufacturing Profile
March 20, 2017

A draft manufacturing implementation of the Cybersecurity Framework, or Profile, has been developed for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices. This Manufacturing "Target" Profile focuses on desired cybersecurity outcomes and can be used to identify opportunities for improving the current cybersecurity posture of a manufacturing system. This Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Manufacturing Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing.

Link to draft document & link to Comment Template Form is provided above (previous paragraph).

Public comment period: March 20, 2017 through April 17, 2017

Research Results on SHA-1 Collisions
February 24, 2017

On Thursday, February 23rd, Google announced that a team of researchers from the CWI Institute in Amsterdam and Google have successfully demonstrated an attack on the SHA-1 hash algorithm by creating two files that hash to the same value.

Their results further emphasize the need to migrate to stronger hash algorithms for digital signatures and other applications that require collision resistance.

NIST deprecated the use of SHA-1 in 2011 and disallowed its use for digital signatures at the end of 2013, based on both the Wang, et. al, attack and the potential for brute-force attack. To ensure that practitioners have secure and efficient hash algorithms to provide long-term security, NIST organized an international competition to select a new hash algorithm standard, SHA-3, which is specified in FIPS 202.

Government and industry have made great strides to migrate from SHA-1 to the stronger hash algorithms in the SHA-2 and SHA-3 families. Those who have not done so yet should migrate as soon as possible.

The work by the CWI-Google team is the culmination of over a decade of research into the SHA-1 algorithm, beginning with the groundbreaking paper by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu in 2005 that described the first cryptanalytic techniques capable of finding collisions with much less work than brute force. Cryptographers around the world continued to improve upon these techniques. The techniques used by this attack were developed by Marc Stevens, one of the members of the joint CWI-Google team.

While all of these researchers have made substantial contributions to the field of cryptography, today we recognize the work by these Google-CWI team members who made the challenging jump from theory to a practical demonstration of an attack:

Marc Stevens (CWI Amsterdam), Elie Bursztein (Google), Pierre Karpman (CWI Amsterdam), Ange Albertini (Google), Yarik Markov (Google), Alex Petit Bianco (Google), Clement Baisse (Google)
The research team has posted additional information at Shattered.io

The National Cybersecurity Center of Excellence (NCCoE) is soliciting comments on NIST Cybersecurity Practice Guide (Draft) SP 1800-7, Situational Awareness for Electric Utilities
February 16, 2017

To improve the security of information and operational technology, including industrial control systems, energy companies need mechanisms to capture, transmit, analyze and store real-time or near-real-time data from these networks and systems. With such mechanisms in place, energy providers can more readily detect and remediate anomalous conditions, investigate the chain of events that led to the anomalies, and share findings with other energy companies. Obtaining real-time and near-real-time data from networks also has the benefit of helping to demonstrate compliance with information security standards.

For more information regarding Draft SP 1800-7 visit either the CSRC Draft Publications page --OR-- Links to the Draft SP 1800-7 document can be found on the NIST NCCoE website
Deadline to submit Comments: April 17, 2017.
Click 1 of the 2 links above to get the Email address to send comments to.

NIST Released Draft Special Publication 800-63-3, Digital Identity Guidelines
January 30, 2017

The NIST/ITL Trusted Identities Group (TIG) is pleased to announce the Public Draft of Special Publication 800-63-3, Digital Identity Guidelines, available in four parts:
SP 800-63-3, Digital Identity Guidelines
SP 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing Requirements
SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management
SP 800-63C, Digital Identity Guidelines: Federation and Assertion

Note that the title of this Special Publication (SP) has changed. SP 800-63-2 title is "Electronic Authentication Guideline".and Draft SP 800-63-3 title is "Digital Identity Guidelines".

For more information regarding this Draft Special Publication, please visit the CSRC Draft Publications page.
Deadline to submit comments is: March 31, 2017.
Links to:
-- all 4 parts of this Draft Special Publication,
-- comment template,
-- email address where to forward comments/questions to, and
-- full details of this Draft Special Publication can be found on the Draft Special Publications page - see link above.

NIST Released Draft Special Publication 800-12 Revision 1, An Introduction to Information Security
January 23, 2017

NIST is pleased to announce the release of Draft Special Publication 800-12 Revision 1, An Introduction to Information Security, and invites public comments. Information security is a constantly growing and evolving science. With that, it is necessary to update the information from the original publication to stay current with information security terms and technology associated with operating systems in today’s complex computing environment. The authors encourage readers to comment on the draft, specifically to address areas where more information would be helpful to individuals looking to gain a better understanding of introductory information security principles. Additionally, suggestions for supplementary sections/topics are welcome to ensure this publication is as complete and thorough as possible. Feedback on this draft will be incorporated into the Revision 1 release, anticipated for Summer 2017.

Email Comments to: sp800-12-draft@nist.gov
Deadline to submit comments: February 22, 2017

NIST Released NIST Interagency Report (NISTIR) 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems
January 6, 2017

NISTIR 8062 introduces the concept of incorporating privacy as an integral attribute in the development of more trustworthy information systems through the application of systems engineering and risk management. In the NIST Internal Report, the authors consider concerns about how information technologies may affect privacy at individual and societal levels, leveraging systems engineering practices and tailoring them for the privacy space. They introduce a set of objectives for privacy engineering and a new model for assessing privacy risks in federal information systems. While this report is meant to be an introduction to the concepts, it includes a roadmap for future guidance on managing privacy risk to help agencies more effectively meet their obligations under various policies, including the Office of Management and Budget’s Circular A-130, which (as of July 2016) includes a new emphasis on the need for federal agencies to manage privacy risk. Agencies will need guidance on repeatable and measurable approaches to bridge the distance between privacy principles and their effective implementation in information systems; working through open and transparent processes, NIST will work with stakeholders to develop this guidance.

Would you Like to Serve on an Advisory Board? NIST invites & requests nominations of individuals for appointment to the Information Security and Privacy Advisory Board (ISPAB)
January 3, 2017

The National Institute of Standards and Technology (NIST) invites and requests nomination of individuals for appointment to nine existing Federal Advisory Committees: Board of Overseers of the Malcolm Baldrige National Quality Award, Judges Panel of the Malcolm Baldrige National Quality Award, Information Security and Privacy Advisory Board, Manufacturing Extension Partnership Advisory Board, National Construction Safety Team Advisory Committee, Advisory Committee on Earthquake Hazards Reduction, National Advisory Committee on Windstorm Impact Reduction, NIST Smart Grid Advisory Committee, and Visiting Committee on Advanced Technology. NIST will consider nominations received in response to this notice for appointment to the Committees, in addition to nominations already received. Registered Federal lobbyists may not serve on NIST Federal Advisory Committees

NIST Released Special Publication (SP) 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
December 23, 2016

NIST SP 800-185 specifies four types of SHA-3-derived functions: cSHAKE, KMAC, TupleHash, and ParallelHash, each defined for a 128- and 256-bit security strength. cSHAKE is a customizable variant of the SHAKE function, as defined in FIPS 202. KMAC (for KECCAK Message Authentication Code) is a pseudorandom function and keyed hash function based on KECCAK. TupleHash is a variable-length hash function designed to hash tuples of input strings without trivial collisions. ParallelHash is a variable-length hash function that can hash very long messages in parallel.

NIST Released Special Publication 800-184, Guide for Cybersecurity Event Recovery
December 22, 2016

NIST Public Affairs Office issued a press release in regard to this SP's release.

Special Publication 800-184, Guide for Cybersecurity Event Recovery, has been approved as final. In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management process es include comprehensive recovery planning. Identifying and prioritizing organization resources helps to guide effective plans and realistic test scenarios. This preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents. Additionally, continually improving recovery planning by learning lessons from past events, including those of other organizations, helps to ensure the continuity of important mission functions. This publication provides tactical and strategic guidance regarding the planning, playbook developing, testing, and improvement of recovery planning. It also provides an example scenario that demonstrates guidance and informative metrics that may be helpful for improving resilience of information systems.

NIST announces the release of Special Publication 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This revision provides key updates to the original publication released in June 2015
December 20, 2016

Special Publication 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations is now available. The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations. The security requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide security protection for such components. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

NIST Requests Comments on a 2nd Draft of Special Publication 800-188, De-Identification of Government Datasets
December 15, 2016

The second draft Special Publication 800-188, De-Identification of Government Datasets is now available for public comment. De-identification removes identifying information from a dataset so that the remaining data cannot be linked with specific individuals. Government agencies can use de-identification to reduce the privacy risk associated with collecting, processing, archiving, distributing or publishing government data. Previously NIST published NISTIR 8053, De-Identification of Personal Information, which provided a survey of de-identification and re-identification techniques. This document provides specific guidance to government agencies that wish to use de-identification.

In developing the draft Privacy Risk Management Framework, NIST sought the perspectives and experiences of de-identification experts both inside and outside the US Government.

Future areas of work will focus on developing metrics and tests for de-identification software, as well as working with industry and academia to make algorithms that incorporate formal privacy guarantees usable for government de-identification activities. Collected input will be used to correct technical errors and expand areas that are unclear.”

NIST announces the release of SP 800-179 Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist
December 12, 2016

Special Publication 800-179 aims to assist IT professionals in securing Apple OS X 10.10 desktop and laptop systems within various environments. It provides detailed information about the security features of OS X 10.10 and security configuration guidelines. The publication recommends and explains tested, secure settings with the objective of simplifying the administrative burden of improving the security of OS X 10.10 systems in three types of environments: Standalone, Managed, and Specialized Security-Limited Functionality.

Additional project resources can be found at the following URL:
https://github.com/usnistgov/applesec

NIST Released Draft Special Publication (SP) 800-187, Guide to LTE Security for public comment
November 21, 2016

NIST invites comments on Draft NIST SP 800-187, Guide to LTE Security. Cellular technology plays an increasingly large role in society as it has become the primary portal to the Internet for a large segment of the population. One of the main drivers making this change possible is the deployment of 4th generation (4G) Long Term Evolution (LTE) cellular technologies. This document serves as a guide to the fundamentals of how LTE networks operate and explores the LTE security architecture. This is followed by an analysis of the threats posed to LTE networks and supporting mitigations. This document introduces high-level LTE concepts and discusses technical LTE security mechanisms in detail. Technical readers are expected to understand fundamental networking concepts and general network security. It is intended to assist those evaluating, adopting, and operating LTE networks, specifically telecommunications engineers, system administrators, cybersecurity practitioners, and security researchers.

Email comments to: LTEsecurity@nist.gov (Subject: "Comments on Draft SP 800-187")
Comments due by: December 22, 2016

NIST Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
November 15, 2016

NIST announces the release of Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

Engineering-based approaches to solutions are essential to managing the growing complexity and interconnectedness of today’s systems—as exemplified by cyber-physical systems, systems-of-systems, and the Internet of Things. Managing the complexity of today’s systems and being able to claim that those systems are trustworthy and secure means that first and foremost, there must be a level of confidence in the feasibility and correctness of the concept, philosophy, and design, regarding the ability of a system to function securely as intended. Failure to address the complexity issue in this manner will continue to leave the Nation susceptible to the consequences of an increasingly pervasive set of disruptions, hazards, and threats with potential for causing serious, severe, or even catastrophic consequences. NIST Special Publication 800-160 attempts to bring greater clarity to the difficult and challenging problems associated with a systems-oriented viewpoint on realizing trustworthy secure systems—and does so through the considerations set forth in a set of standards-based systems engineering processes applied throughout the system life cycle.

NIST Announce the Release of NISTIR 7621 Revision 1, Small Business Information Security: The Fundamentals
November 14, 2016

NIST released NISTIR 7621 Revision 1, Small Business Information Security: The Fundamentals. NIST developed this interagency report as a reference guideline about cybersecurity for small businesses. This document is intended to present the fundamentals of a small business information security program in non-technical language..

NIST Public Affairs Office issued a press release about this NISTIR.

Draft Special Publication 800-181, NICE Cybersecurity Workforce Framework (NCWF) -- National Initiative for Cybersecurity Education (NICE)
November 2, 2016

NIST is pleased to release the draft NICE Cybersecurity Workforce Framework (NCWF) - a reference resource that will allow our nation to more effectively identify, recruit, develop and maintain its cybersecurity talent. The framework provides a common language to categorize and describe cybersecurity work that will help organizations build a strong labor staff to protect systems and data.

The NCWF can be viewed as a cybersecurity workforce dictionary that will allow employers, educators, trainers, and those in the workforce to use consistent terms to describe cybersecurity work. It can serve as a reference resource to help organizations define and share information about the cybersecurity workforce in a detailed, consistent and descriptive way. NCWF was developed by the NIST-led National Initiative for Cybersecurity Education (NICE) with strong leadership from the U.S. Departments of Defense and Homeland Security and is the culmination of many years of collaboration between industry, government and academia.

In addition to helping organizations educate, recruit, train and retain a qualified cybersecurity workforce, the NCWF will serve as a building block for the development of training standards, as well as for individual career planning. Federal agencies will soon be using the NCWF to identify its cybersecurity workforce as called for by the Federal Cybersecurity Workforce Assessment in the Cybersecurity Act of 2015.

Authors of the draft NICE Cybersecurity Workforce Framework (NCWF), NIST SP 800-181, encourage readers to comment on the document, with an eye to ensuring that it applies to all cybersecurity workforce needs. Suggestions for new tasks and KSAs are encouraged so that the document will address all of our cybersecurity workforce needs.

Email comments to: ncwf@nist.gov (Subject: "Draft SP 800-181 Comments - NCWF")
Comments due by: January 6, 2017

Draft SP 800-181 Document (PDF)
Comment Template Form for Draft SP 800-181 (Excel)

Special Publication 800-53 Revision 5 Status Update
October 17, 2016

NIST SP 800-53 Revision 5 Status Update

DRAFT SP 800-121 Revision 2, Guide to Bluetooth Security is now available for Public Comment
October 17, 2016

NIST announces the release of Draft Special Publication 800-121 Revision 2 Guide to Bluetooth Security. This draft is the second revision to NIST SP 800-121, Guide to Bluetooth Security. Updates in this revision include an introduction to and discussion of Bluetooth 4.1, and 4.2 security mechanisms and recommendations, including Secure Connections for BR/EDR and low energy. Please submit comments to 800-121r2comments@nist.gov with "Comments on SP 800-121r2" in the subject line. The comment period closes on December 5, 2016.

NIST Released 2 Special Publications - both Approved as Final - Special Publication 800-178, A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) and
Special Publication 800-150,Guide to Cyber Threat Information Sharing
October 5, 2016

Special Publication 800-178, A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)
Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) are very different attribute based access control (ABAC) standards with similar goals and objectives. An objective of both is to provide a standardized way for expressing and enforcing vastly diverse access control policies on various types of data services. However, the two standards differ with respect to the manner in which access control policies are specified and implemented. This document describes XACML and NGAC, and then compares them with respect to five criteria. The goal of this publication is to help ABAC users and vendors make informed decisions when addressing future data service policy enforcement requirements.
--AND--

Special Publication 800-150, Guide to Cyber Threat Information Sharing
NIST Announces the Release of Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing

SP 800-150 provides guidelines for establishing, participating in, and maintaining cyber threat information sharing relationships. The publication describes the benefits and challenges of sharing, the importance of building trust, the handling of sensitive information, and the automated exchange of cyber threat information. The goal of the publication is to provide guidelines that help improve cybersecurity operations and risk management activities through safe and effective information sharing practices. The guide is intended for computer security incident response teams (CSIRTs), system and network administrators, security staff, privacy officers, technical support staff, chief information security officers (CISOs), chief information officers (CIOs), computer security program managers, and other stakeholders in cyber threat information sharing activities.

NIST Announce the Release of DRAFT NISTIR 8151, Dramatically Reducing Software Vulnerabilities: Report to the White House Office of Science and Technology Policy
October 4, 2016

NIST invites comments on Draft NIST Interagency Report (NISTIR) 8151, Dramatically Reducing Software Vulnerabilities -- Report to the White House Office of Science and Technology Policy. The call for a dramatic reduction in software vulnerability is heard from numerous sources, recently from the February 2016 Federal Cybersecurity Research and Development Strategic Plan. The plan defines goals for reducing vulnerabilities in the near, mid and long term. This report addresses the first mid-term goal.

Email comments to: paul.black@nist.gov (Subject: "Comments on Draft NISTIR 8151")
Comments due by: October 18, 2016

NIST is pleased to announce the release of DRAFT NISTIR 8149, Developing Trust Frameworks to Support Identity Federations
October 3, 2016

DRAFT NISTIR 8149, Developing Trust Frameworks to Support Identity Federations is now available for public comment - (click link above to go to the CSRC Draft Publications page to learn more about this draft & for links to the draft document).
More and more, online service providers are struggling to find secure ways of verifying that their consumers are who they say they are while, at the same time, protecting their users' privacy. Some communities and organizations, that share common user bases and transaction types, are choosing to address these challenges by allowing their users to access multiple services through common login credentials. This approach -- known as federated identity management -- enables users to access multiple online organizations and services through shared authentication processes (instead of authenticating separately to each and every service provider).

This document provides an informational look at trust frameworks and explains what they are, what their components are, and how they relate to the concept of identity federation. In Draft NISTIR 8149, Developing Trust Frameworks to Support Identity Federations, NIST aims to educate communities that are interested in pursuing federated identity management, and provide a resource for them as they create the agreements and other components that will make up their trust frameworks. It includes guidance on determining roles in an identity federation, on what to consider from a legal standpoint, and on understanding the importance of establishing and recognizing conformance. Additionally, this document is intended to standardize the language around identity federation and trust frameworks in order to promote their widespread adoption.

NIST Released Draft NISTIR 8138, Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities
September 30, 2016

DRAFT NISTIR 8138, Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities; aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations including but not limited to information technology systems, industrial control systems or medical devices to assist in the vulnerability management process. The primary goal of the described methodology is to enable automated analysis using metrics such as the Common Vulnerability Scoring System (CVSS). Additional goals include establishing a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitating the sharing of vulnerability information across language barriers.
(A comment Template has been provided for use when submitting comments - Word file)

This is the first draft of several anticipated drafts of a document intended to describe a methodology for characterizing vulnerabilities. It is not intended to be complete at this time and the authors do not expect that this draft reflects the full breadth and depth of the information needed to fully automate the descriptions for vulnerabilities. Reviewers are asked to provide feedback on terminology that is unclear, in conflict with established practice and are encouraged to provide feedback and examples where the current draft falls short in enabling the description of a vulnerability. Future drafts will be produced attempting to incorporate feedback consistent with the purpose of the document and the goal of improving the final version.

Email comments to: nistir8138@nist.gov (Subject: "Comments Draft NISTIR 8138")
Comments due by: October 31, 2016.

NIST Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
September 22, 2016

NIST announces the release of the final draft of Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

Engineering-based approaches to solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today’s systems—as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. Managing the complexity of today’s systems and being able to claim that those systems are trustworthy and secure means that first and foremost, there must be a level of confidence in the feasibility and correctness-in-concept, philosophy, and design, regarding the ability of a system to function securely as intended. Failure to address the complexity issue in this manner will continue to leave the Nation susceptible to the consequences of an increasingly pervasive set of disruptions, hazards, and threats with potential for causing serious, severe, or even catastrophic consequences. NIST Special Publication 800-160 attempts to bring greater clarity to the difficult and challenging problems associated with a systems-oriented viewpoint on realizing trustworthy secure systems—and does so through the considerations set forth in a set of standards-based systems engineering processes applied throughout the system life cycle.

The final public draft of NIST Special Publication 800-160 represents a targeted update to the second public draft published in May 2016. As part of this update, some important long-term design decisions were taken that are reflected in the final draft. To ensure that the publication provides the utmost clarity and focus for our customers, several of the supporting appendices in the second public draft are being recast into their own publication. Special Publication 800-160 will become the flagship publication for the NIST Systems Security Engineering Initiative. The following supporting NIST publications will be developed and published in 2017 and beyond:

Special Publication 800-160A, Systems Security Engineering: Considerations for System Resilience in the Engineering of Trustworthy Secure Systems;
Special Publication 800-160B, Systems Security Engineering: Considerations for Software Assurance in the Engineering of Trustworthy Secure Systems; and
Special Publication 800-160C, Systems Security Engineering: Considerations for Hardware Assurance in the Engineering of Trustworthy Secure Systems.

The interaction of the Risk Management Framework with the life cycle processes in Special Publication 800-160, will be described in future updates to NIST Special Publication 800-37.

In addition to the scoping decisions described above, this update includes:

The incorporation of changes based on the comments received from the sixty-day public review;
The inclusion of additional International Standards in the references and related publications section; and
The inclusion of hyperlinks throughput the document to facilitate customer ease of use and more efficient access to key content.

The public comment period for this publication is September 22 through October 21, 2016.
Comments can be sent to: sec-cert@nist.gov.

Special Publication 800-160 will be finalized and published in December 2016.

NIST is Proud to Announce the Release of Special Publication 800-177, Trustworthy Email
September 16, 2016

Special Publication 800-177, Trustworthy Email; covers and gives recommendations for state of the art email security technologies to detect and prevent phishing and other malicious email messages. Most of these new technologies rely on publishing email infrastructure-related information in DNSSEC, a secure version of the established Domain Name System (DNS). The guide was written for email administrators and for those developing security policies for enterprise’s email infrastructure.

NIST Releases Baldrige Cybersecurity Excellence Builder for Public Comment
September 15, 2016

NIST has released a draft of the Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts. Public comments are requested on the draft document, which blends the best of two globally recognized and widely used NIST resources: the organizational performance evaluation strategies from the Baldrige Performance Excellence Program and the risk management mechanisms of the Cybersecurity Framework.

Comments are due by December 15, 2016.

For further details and links, visit the CSRC Drafts Publications page.

DRAFT [Project Description] Authentication for Law Enforcement Vehicle Systems
September 13, 2016

The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Authentication for Law Enforcement Vehicle Systems.

Please visit the CSRC Drafts page to see the full announcement, along with links to the draft project description document.

Email comments to: lev-nccoe@nist.gov
Comments due by: October 12, 2016.

NIST Released Draft NISTIR 8144, Assessing Threats to Mobile Devices & Infrastructure: the Mobile Threat Catalogue
September 12, 2016

NIST released DRAFT NISTIR 8144, Assessing Threats to Mobile Devices & Infrastructure: the Mobile Threat Catalogue. The Mobile Threat Catalogue outlines a catalogue of threats to mobile devices and associated mobile infrastructure to support development and implementation of mobile security capabilities, best practices, and security solutions to better protect enterprise information technology (IT). Threats are divided into broad categories, primarily focused upon mobile applications and software, the network stack and associated infrastructure, mobile device and software supply chain, and the greater mobile ecosystem. Each threat identified is cataloged alongside explanatory and vulnerability information where possible, and alongside applicable mitigation strategies.

NISTIR 8144 provides background information on mobile information systems and their attack surface is provided to assist readers in understanding threats contained within the Mobile Threat Catalogue. The NISTIR also outlines the structure of the Mobile Threat Catalogue. The Mobile Threat Catalogue is a separate document located at the Computer Security Resource Center (CSRC).

Mobile security engineers and architects can leverage these documents to inform risk assessments, build threat models, enumerate the attack surface of their mobile infrastructure, and identify mitigations for their mobile deployments.

Email comments to: nistir8144@nist.gov (Subject: "Comments on Draft NISTIR 8144")
Comments due by: October 12, 2016

NIST Public Affairs Office also issued a press release on Draft NISTIR 8144.

Draft NISTIR 8144
Mobile Threat Catalogue (Draft) (Excel)

DRAFT White Paper - Cybersecurity Framework Manufacturing Profile
September 7, 2016

A draft manufacturing implementation of the Cybersecurity Framework ("Profile") has been developed to establish a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices. This Manufacturing "Target" Profile focuses on desired cybersecurity outcomes and can be used as a roadmap to identify opportunities for improving the current cybersecurity posture of a manufacturing system. This Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Manufacturing Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing.

Email comments to: csf_manufacturing_profile@nist.gov (Subject: "Draft CSF Manufacturing Profile")
Comments due by: November 4, 2016

Cybersecurity Framework Manufacturing Profile (Draft, PDF)
Comment Template (Excel)

The Information Security and Privacy Advisory Board (ISPAB) Welcomes New Member Patricia Hatter, Vice President and Chief Information Officer, Intel Security Group, Intel
August 26, 2016

See NIST's Public Affairs press release to read this announcement.
The next ISPAB meeting will be October 26, 27 and 28, 2016, at NIST Campus.

NIST Released Draft Special Publication 800-188, De-Identifying Government Datasets
August 25, 2016

NIST Requests Comments on a Draft Special Publication regarding the De-Identification of Government Datasets

De-identification removes identifying information from a dataset so that the remaining data cannot be linked with specific individuals. Government agencies can use de-identification to reduce the privacy risk associated with collecting, processing, archiving, distributing or publishing government data. Previously NIST published NISTIR 8053, De-Identification of Personal Information, which provided a survey of de-identification and re-identification techniques. This document provides specific guidance to government agencies that wish to use de-identification.

In developing the draft Privacy Risk Management Framework, NIST sought the perspectives and experiences of de-identification experts both inside and outside the US Government.

Future areas of work will focus on developing metrics and tests for de-identification software, as well as working with industry and academia to make algorithms that incorporate formal privacy guarantees usable for government de-identification activities.

Email comments to: sp800-188-draft@nist.gov (Subject: "Comments Draft SP 800-188")
Comments due by: September 26, 2016

Link to Draft SP 800-188 (PDF)
Link to Comment Template Form (.docx)

NIST announces the release of Special Publication (SP) 800-175A, Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies, and SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms.
August 23, 2016

These documents are intended to provide guidance to the Federal Government for using cryptography and NIST’s cryptographic standards to protect sensitive, but unclassified digitized information during transmission and while in storage.

Special Publication (SP) 800-175A provides guidance on the determination of requirements for using cryptography. It includes a summary of laws and regulations concerning the protection of the Federal Government’s sensitive information, guidance regarding the conduct of risk assessments to determine what needs to be protected and how best to protect that information, and a discussion of the relevant security-related documents (e.g., various policy and practice documents).

Special Publication (SP) 800-175B discusses the cryptographic methods and services available for the protection of the Federal Government’s sensitive information and provides an overview of NIST’s cryptographic standards (To Review Comments Received on Final Draft SP 800-175B).

NIST Released Special Publication 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
August 16, 2016

Draft Special Publication 800-171, Revision 1, represents a limited update to the original publication released in June 2015. In particular, this update includes:

A clarification of the purpose and applicability statement;
Minor clarifications, additions, and adjustments to selected CUI requirements;
Guidance on the use of system security plans (SSPs) and plans of action and milestones (POAMs) to demonstrate the implementation or planned implementation of CUI requirements by nonfederal organizations;
Guidance on federal agency use of submitted SSPs and POAMs as critical inputs to risk management decisions and decisions on whether or not to pursue agreements or contracts with nonfederal organizations;
Additional definitions and terms for the glossary; and
The implementation of hyperlinks to facilitate ease of use in navigating the document.

Both markup and clean copies of the draft publication are provided to facilitate a more efficient reviewing process. The feedback obtained from this public review will be incorporated into a final publication targeted for release in the Fall 2016.

Draft NIST SP 800-171, Revision 1 (PDF clean)
Draft NIST SP 800-171, Revision 1 (PDF markup)

Public comment period: August 16 through September 16, 2016. Comments can be sent to: sec-cert@nist.gov

NIST Released Draft NISTIR 8114, Report on Lightweight Cryptography
August 11, 2016

Draft NIST Interagency Report (NISTIR) 8114, Report on Lightweight Cryptography is now available for public comment. NIST-approved cryptographic standards were designed to perform well using general-purpose computers. In recent years, there has been increased deployment of small computing devices that have limited resources with which to implement cryptography. When current NIST-approved algorithms can be engineered to fit into the limited resources of constrained environments, their performance may not be acceptable. For these reasons, NIST started a lightweight cryptography project that was tasked with learning more about the issues and developing a strategy for the standardization of lightweight cryptographic algorithms. This report provides an overview of the lightweight cryptography project at NIST, and describes plans for the standardization of lightweight cryptographic algorithms.
Email comments to: lightweight-crypto@nist.gov (Subject: "Comments on Draft NISTIR 8114")
Comments due by: October 31, 2016

NIST Released Special Publication 800-182, 2015 Computer Security Division Annual Report
August 11, 2016

NIST is proud to announce the release of Special Publication 800-182, 2015 Computer Security Division Annual Report. This annual report provides major highlights and accomplishments that the NIST Computer Security Division had achieved during FY 2015 (from October 1, 2014 to September 30, 2015).

NIST Released 5 Publications During Week of August 1-5, 2016:
#1 NISTIR 8080, Usability and Security Considerations for Public Safety Mobile Authentication
#2 SP 800-46 Rev. 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
#3 SP 800-114 Rev. 1, User's Guide to Telework and Bring Your Own Device (BYOD) Security
#4 Draft SP 800-185, SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash; and
#5 Draft NISTIR 8112, Attribute Metadata -- see below for details on all 5 documents
August 5, 2016

| NISTIR 8080 | SP 800-46 Rev. 2 | SP 800-114 Rev. 1 | Draft SP 800-185 | Draft NISTIR 8112 |

Publication #1: NIST Interagency Report (NISTIR) 8080
NIST is pleased to announce the release of NIST Interagency Report (NISTIR) 8080, Usability and Security Considerations for Public Safety Mobile Authentication. In the near future, mobile devices used by first responders will access the forthcoming Nationwide Public Safety Broadband Network (NPSBN) via long term evolution (LTE) technology. Although the NPSBN will offer first responders the ability to access new data and mobile applications in the field, it is important to evaluate the impact of mobile authentication on security and usability. NISTIR 8080 explores mobile authentication technologies for public safety networks. The overarching goal of this work is analyzing which authentication solutions are the most appropriate and usable for first responders using mobile devices in operational scenarios in the field. Although first responders work in a variety of disciplines, this report is focused on the Fire Service, Emergency Medical Services (EMS), and Law Enforcement.

Publication #2 and #3: Special Publication (SP) 800-46 Revision 2 & SP 800-114
NIST announces the release of two Special Publications (SPs) on telework and bring your own device (BYOD) security: SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, and SP 800-114 Revision 1, User's Guide to Telework and Bring Your Own Device (BYOD) Security. Organizations are increasingly threatened, attacked, and breached through compromised telework devices used by their employees, contractors, business partners, and vendors. These publications make recommendations for organizations (in SP 800-46 Revision 2) and users (in SP 800-114 Revision 1) to improve their telework and BYOD security practices.

Publication #4: DRAFT SP 800-185
SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash

DRAFT NIST SP 800-185 specifies four types of SHA-3-derived functions: cSHAKE, KMAC, TupleHash, and ParallelHash, each defined for a 128- and 256-bit security level. cSHAKE is a customizable variant of the SHAKE function, as defined in FIPS 202. KMAC (for KECCAK Message Authentication Code) is a pseudorandom function and keyed hash function based on KECCAK. TupleHash is a variable-length hash function designed to hash tuples of input strings without trivial collisions. ParallelHash is a variable-length hash function that can hash very long messages in parallel.

Email comments to: SP800-185@nist.gov(Subject: "Draft SP 800-185 Comments")
Comments due by: September 30, 2016

Publication #5: DRAFT NISTIR 8112

NIST invites comments on Draft NIST Internal Report (NISTIR) 8112, Attribute Metadata. This report proposes a schema intended to convey information about a subject's attribute(s) to allow for a relying party (RP) to:

Obtain greater understanding of how the attribute and its value were obtained, determined, and vetted;
Have greater confidence in applying appropriate authorization decisions to subjects external to the domain of a protected system or data;
Develop more granular access control policies;
Make more effective authorization decisions; and
Promote federation of attributes.

Please visit the CSRC Draft Publications page to learn more about this draft, plus there are links to get the draft document and comment template form, along with an email address to submit comments or questions.

Deadline to submit comments: September 30, 2016.

Post-Quantum Cryptography: Proposed Requirements and Evaluation Criteria
August 3, 2016

The National Institute of Standards and Technology (NIST) has published a Federal Register Notice (https://federalregister.gov/a/2016-18150) requesting comments on a proposed process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms. Current algorithms are vulnerable to attacks from large-scale quantum computers.

The purpose of the notice is to solicit comments on the draft minimum acceptability requirements, submission requirements, evaluation criteria, and evaluation process of candidate algorithms from the public, the cryptographic community, academic/research communities, manufacturers, voluntary standards organizations, and Federal, state, and local government organizations so that their needs can be considered in the process of developing new public-key cryptography standards.

For the draft requirements and evaluation criteria, visit http://www.nist.gov/pqcrypto.
Comments due: September 16, 2016
Send comments to: pqc-comments@nist.gov

A public listserv for announcements and discussion is also available; see http://csrc.nist.rip/groups/ST/post-quantum-crypto/email_list.html.

NIST Announce the Release of Special Publication 800-183, Network of 'Things'
July 28, 2016

NIST announces the release of Special Publication (SP) 800-183, Networks of ‘Things’. SP 800-183 offers an underlying and foundational understanding of the Internet of Things (IoT) based on the realization that IoT involves sensing, computing, communication, and actuation. The material presented here is generic to all distributed systems that employ IoT technologies (i.e., ‘things’ and networks). By having an understanding as to what IoT represents, building IoT-based systems and researching security and reliability concerns of IoT can be accelerated. SP 800-183 is targeted at computer scientists, IT managers, networking specialists, and networking and cloud computing software engineers who are seeking guidance into how best to leverage this new distributed computing paradigm. It also offers IT and software professionals with a common vocabulary from which discuss this technology.

NIST Public Affairs Office issued a press release of this Special Publication.

NIST Released 2 Draft Special Publications on the Security Content Automation Protocol (SCAP) -- DRAFT Special Publication 800-126 & DRAFT Special Publication 800-126A
July 18, 2016

NIST invites comments on two draft publications on the Security Content Automation Protocol (SCAP). The first is Special Publication 800-126 Revision 3, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. The second is Special Publication (SP) 800-126A, SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3. (Links to the 2 Draft Publications and to the comment template form can be found below).

SP 800-126 Revision 3 and SP 800-126A collectively define the proposed technical specification for SCAP version 1.3, which is based on enhancements and clarifications to the SCAP 1.2 specification. SP 800-126A is a new publication that allows SCAP 1.3 to take advantage of selected minor version updates of SCAP component specifications, as well as designated Open Vulnerability and Assessment Language (OVAL) platform schema versions.

Email comments on both publications to 800-126comments@nist.gov (Subject: "Comments Draft SP 800-126).

Comments are due by August 19, 2016.

* Link to DRAFT SP 800-126 Revision 3
* Link to DRAFT SP 800-126A
* Link to Comment Template (.doc) - can use same comment template to comment on both drafts.

NIST Released Draft Special Publication 800-179, Guide to Securing Apple OS X 10.10 Systems for IT Professionals
June 23, 2016

NIST invites comments on Draft Special Publication 800-179, Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist. This publication assists IT professionals in securing Apple OS X 10.10 desktop and laptop systems within various environments. It provides detailed information about the security features of OS X 10.10 and security configuration guidelines. The publication recommends and explains tested, secure settings with the objective of simplifying the administrative burden of improving the security of OS X 10.10 systems in three types of environments: Standalone, Managed, and Specialized Security-Limited Functionality.

Public comment period ends: August 15, 2016.
Email comments to: 800-179comments@nist.gova (Subject: "Comments on Draft SP 800-179"), preferably using the Comment Template Form (Excel file).

NIST Released Summary of Cybersecurity Framework Workshop 2016
June 9, 2016

NIST published a summary of observations from Cybersecurity Framework Workshop 2016 held at NIST in Gaithersburg, Maryland on 6 and 7 April 2016. The summary highlights areas of agreement between workshop participants and respondents to the most recent request for information (RFI), Views on the Framework for Improving Critical Infrastructure Cybersecurity. The summary also outlines next steps for NIST and recommended actions for Framework stakeholders.

You can view the document here.

NIST Public Affairs Office issued a press release on the summary of the April 2016 Cybersecurity Framework workshop.

Special Publication 800-166, Derived PIV Application and Data Model Test Guidelines
June 7, 2016

NIST announces the release of Special Publication (SP) 800-166, Derived PIV Application and Data Model Test Guidelines. SP 800-166 contains the derived test requirements and test assertions for testing the Derived PIV Application and associated Derived PIV data objects. The tests verify the conformance of these artifacts to the technical specifications of SP 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials. SP 800-157 specifies standards-based, secure, reliable, interoperable Public Key Infrastructure (PKI)-based identity credentials. SP 800-166 is targeted at vendors of Derived PIV Applications, issuers of Derived PIV Credentials, and entities that will conduct conformance tests on these applications and credentials.

NIST Released DRAFT Special Publication 800-184, Guide for Cybersecurity Event Recovery
June 6, 2016

NIST is proud to announce the release of Draft Special Publication 800-184, Guide for Cybersecurity Event Recovery. The purpose of this document is to support federal agencies in a technology-neutral way in improving their cyber event recovery plans, processes, and procedures. This publication provides tactical and strategic guidance regarding the planning, playbook developing, testing, and improvement of recovery planning. It also provides an example scenario that demonstrates guidance and informative metrics that may be helpful for improving resilience of the information systems.

There is a Comment Template Form (Excel file) that can be used to submit comments for Draft SP 800-184.

The public comment period closes on July 11, 2016.
Please email comments to: csf-recover@nist.gov.

NIST Announce Release of NISTIR 8135, Identifying and Categorizing Data Types for Public Safety Mobile Applications: Workshop Report
June 1, 2016

NIST is proud to announce the release of NISTIR 8135, Identifying and Categorizing Data Types for Public Safety Mobile Applications: Workshop Report. This report summarizes the findings of a workshop held by the Association of Public-Safety Communications (APCO), in cooperation with FirstNet and the Department of Commerce held on June 2nd 2015. The workshop's goal was to identify different types of data that will be used by mobile applications on the nation's first National Public Safety Broadband Network. Approximately 50 participants, hailing from fire and emergency medical services (EMS), law enforcement, the telecom industry, federal and local government, and academia provided input to the workshop

NIST Released DRAFT NISTIR 8136, Mobile Application Vetting Services for Public Safety
June 1, 2016

NIST is pleased to announce the release of DRAFT NISTIR 8136, Mobile Application Vetting Services for Public Safety. The creation of the nation's first public safety broadband network (FirstNet) will require the vetting of mobile apps to ensure they meet public safety's cyber security requirements. It will be beneficial for the public safety community to leverage the mobile application vetting services and infrastructures that already exist. The purpose of this document is to be an informal survey of existing mobile application vetting services and the features these services provide. It also relates these features for their applicability to the public safety domain. This document is intended to aid public safety organizations when selecting mobile application vetting services for use in analyzing mobile applications. Comments Due by June 30, 2016

NIST Released Special Publication 800-156, Representation of PIV Chain-of-Trust for Import and Export
May 23, 2016

NIST is pleased to announce the release of Special Publication 800-156, Representation of PIV Chain-of-Trust for Import and Export. The document provides the data representation of a chain-of-trust record for the exchange of records between PIV Card issuers. The exchanged record can be used by an agency to personalize a PIV Card for a transferred employee, or by a service provider to personalize a PIV Card on behalf of client federal agencies. The data representation is based on a common XML schema to facilitate interoperable information sharing and data exchange. The document also provides support for data integrity through digital signatures and confidentiality through encryption of chain-of-trust data in transit and at rest.

NIST announce a public preview of Special Publication 800-63-3: Digital Authentication Guideline
May 11, 2016

NIST is proud to announce a public preview of Special Publication 800-63-3: Digital Authentication Guideline, which is currently in development. This preliminary draft contains new changes based on what we have learned from experts, industry stakeholders, and NSTIC pilots since our last version was published. See a brief synopsis of the SP 800-63-3 development effort. We welcome your substantive feedback on this draft document via our GitHub site. After development is complete, the public draft will be posted on CSRC for a traditional public comment period. As always, thank you for your participation—we look forward to making this document even better with your input!

NIST Released Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
May 4, 2016

NIST announces the release of second draft Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

NIST Public Affairs Office published a press release of this draft (SP 800-160).

The United States has developed incredibly powerful and complex systems—systems that are inexorably linked to the economic and national security interests of the Nation. The complete dependence on those systems for mission and business success in both the public and private sectors, including the critical infrastructure, has left the Nation extremely vulnerable to hostile cyber-attacks and other serious threats. With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and threats to federal, state, and local governments, the military, businesses, industry, and the critical infrastructure, the need for trustworthy secure systems has never been more important.

Engineering-based approaches to solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today’s systems—as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. Managing the complexity of today’s systems and being able to claim that those systems are trustworthy and secure means that first and foremost, there must be a level of confidence in the feasibility and correctness-in-concept, philosophy, and design, regarding the ability of a system to function securely as intended. Failure to address the complexity issue in this manner will continue to leave the Nation susceptible to the consequences of an increasingly pervasive set of disruptions, hazards, and threats with potential for causing serious, severe, or even catastrophic consequences.

NIST Special Publication 800-160 attempts to bring greater clarity to the difficult and challenging problems associated with a systems-oriented viewpoint on realizing trustworthy secure systems—and does so through the considerations set forth in a set of standards-based systems engineering processes applied throughout the life cycle. The public comment period for this publication is May 4 through July 1, 2016. Comments can be sent to: sec-cert@nist.gov.

NIST Released NISTIR 8105, Report on Post-Quantum Cryptography
April 28, 2016

NIST is pleased to announce the release of NIST Interagency Report (NISTIR) 8105, Report on Post-Quantum Cryptography. NIST Public Affairs Office issued a press release in regards to announcing the release of this NISTIR.

This Report shares NIST’s current understanding about the status of quantum computing and post-quantum cryptography, and outlines NIST’s initial plan to move forward in this space. The report also recognizes the challenge of moving to new cryptographic infrastructures and therefore emphasizes the need for agencies to focus on crypto agility.

The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. In recent years, there has been a substantial amount of research on quantum computers. If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.

NIST Released NISTIR 8040, Measuring the Usability and Security of Permuted Passwords on Mobile Platforms
April 27, 2016

NIST has published NIST Interagency Report (NISTIR) 8040, Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. Password entry on mobile devices significantly impacts both usability and security, but there is a lack of usable security research in this area, specifically for complex password entry. This document proposes a measurement method for quantifying the effects on security resulting from optimizing the usability of password entry specifically for constrained input environments, i.e., the mobile touchscreen. A set of Python scripts for the experiments the NIST/ITL research team conducted on entropy loss are made publicly available.

The Information Security and Privacy Advisory Board welcome New Chair
April 26, 2016

A new chair was appointed to the National Institute of Standards and Technology (NIST) Information Security and Privacy Advisory Board (ISPAB).

The new chair is Christopher Boyer, Assistant Vice President for Global Public Policy, AT&T Services Inc., where he is responsible for the company’s strategic policy positions related to cybersecurity, and develop strategic policy positions related to cybersecurity. He will assume the role and responsibilities of the Chair from the current chair on May 1, 2016. Mr. Boyer was appointed as an ISPAB member in June 2012, and his term will end on June 10, 2020.

The ISPAB was originally created by the Computer Security Act of 1987 (P.L. 100- 235) as the Computer System Security and Privacy Advisory Board, and amended by Public Law 107-347, The E-Government Act of 2002, Title III, The Federal Information Security Management Act (FISMA) of 2002. The statutory objectives of the Board include identifying emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy. The next ISPAB meeting will be held on June 15-17, 2016, in Washington, D.C. ISPAB meetings are open to the public. For more information, see http://csrc.nist.rip/groups/SMA/ispab/meetings.html.

NIST Released the final version of NISTIR 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags
April 25, 2016

NIST is pleased to announce the release of NIST Interagency Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. This report provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As defined by the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management (SAM) and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable. The application of this guidance supports reliable, standardized software inventory and discovery methods that help organizations achieve cybersecurity and SAM objectives. Application of SWID tags also supports automation for accurate and timely SAM reporting and continuous monitoring of IT software assets.

NIST requests comments on the second draft of Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing
April 21, 2016

NIST requests comments on the Second Draft of Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing. This draft provides guidelines for establishing, participating in, and maintaining cyber threat information sharing relationships. The publication describes the benefits and challenges of sharing, the importance of building trust, the handling of sensitive information, and the automated exchange of cyber threat information. The goal of the publication is to provide guidelines that help improve cybersecurity operations and risk management activities through safe and effective information sharing practices. The guide is intended for computer security incident response teams (CSIRTs), system and network administrators, security staff, privacy officers, technical support staff, chief information security officers (CISOs), chief information officers (CIOs), computer security program managers, and other stakeholders in cyber threat information sharing activities.

A comment template is available for submitting comments.
The public comment period for the publication closes on May 24, 2016.
Email comments to sp800-150comments@nist.gov .

NIST Released the final version of "Best Practices Guide for Personal Identity Verification (PIV)-enabled Privileged Access"
April 21, 2016

NIST announces the final release of the best practices guide for Personal Identity Verification (PIV)-enabled privileged access. The paper is in response to the Office of Management and Budget (OMB)’s October 2015 Cybersecurity Strategy and Implementation Plan (and included in the Cyber National Action Plan (CNAP), requiring Federal agencies to use PIV credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user authentication and provides best practices for agencies to implement PIV authentication for privileged users.

NIST Releases the Second Draft of SP 800-90C, Recommendation for Random Bit Generator (RBG) Constructions
April 13, 2016

NIST invites comments on the second draft of Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions. This Recommendation specifies constructions for the implementation of RBGs. An RBG may be a deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs consist of DRBG mechanisms, as specified in SP 800-90A, and entropy sources, as specified in SP 800-90B.

On May 2-3, 2016, NIST will host a workshop on Random Number Generation to discuss the SP 800-90 series of documents--specifically, SP 800-90B and SP 800-90C.

Please send comments to rbg_comments@nist.gov (Subject: "Comments on Draft SP 800-90C"), preferably using the comment template provided.
Comments are due by Monday, June 13, 2016 at 5:00PM EDT.

NIST’s SP 800 series publications are available at: http://csrc.nist.rip/publications/PubsSPs.html.

NIST Releases SP 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)
April 13, 2016

Special Publication (SP) 800-85A-4 provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification, and SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.

These include:

Tests for retrieving newly added optional PIV data objects such as the Biometric Information Templates Group Template data object, the Pairing Code Reference Data Container and the Secure Messaging Certificate Signer data object;

Tests for populating these newly added data objects in the PIV Card Application;
Tests to verify the on-card biometric comparison mechanism;
Tests to verify the correct behavior of secure messaging and the virtual contact interface; and
Tests to verify that the PIV Card Application enforces PIN length and format requirements.

NIST’s SP 800 series publications are available at: http://csrc.nist.rip/publications/PubsSPs.html.

NIST Announces Release of Draft NISTIR 8071, LTE Architecture Overview and Security Analysis
April 12, 2016

NIST requests comments on Draft NIST Internal Report (NISTIR) 8071, LTE Architecture Overview and Security Analysis. Cellular technology plays an increasingly large role in society as it has become the primary portal to the Internet for a large segment of the population. One of the main drivers making this change possible is the deployment of 4th generation (4G) Long Term Evolution (LTE) cellular technologies. This document serves as a guide to the fundamentals of how LTE networks operate and explores the LTE security architecture. This is followed by an analysis of the threats posed to LTE networks and supporting mitigations. This document introduces high-level LTE concepts and discusses technical LTE security mechanisms in detail. Technical readers are expected to understand fundamental networking concepts and general network security. It is intended to assist those evaluating, adopting, and operating LTE networks, specifically telecommunications engineers, system administrators, cybersecurity practitioners, and security researchers.

Email comments to: nistir8071@nist.gov (a comment template is available).

Comments due by Wednesday, June 1, 2016.

NIST requests comments on Draft Special Publication (SP) 800-175A, Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies
April 5, 2016

NIST requests comments on Draft Special Publication (SP) 800-175A, Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies. The SP 800-175 publications are intended to be a replacement for SP 800-21, Guideline for Implementing Cryptography in the Federal Government. SP 800-175A provides guidance on the determination of requirements for using cryptography. It includes a summary of the laws and regulations concerning the protection of the Federal government’s sensitive information, guidance regarding the conduct of risk assessments to determine what needs to be protected and how best to protect that information, and a discussion of the relevant security-related documents (e.g., various policy and practice documents). Please provide comments on SP 800-175A by Monday, May 9, 2016. Comments may be sent to SP800-175@nist.gov, with “Comments on SP 800-175A” as the subject.

NIST Released NISTIR 7977, NIST Cryptographic Standards and Guidelines Development Process
March 31, 2016

NIST announces the release of NIST Interagency Report (NISTIR) 7977, Cryptographic Standards and Guidelines Development Process. This document describes the principles, processes and procedures behind our cryptographic standards development efforts. The final version reflects the disposition of public comments received on two earlier versions, and will serve as the basis to guide NIST’s future cryptographic standards and guidelines activities. It will be reviewed and updated every five years, or more frequently if a need arises, to help ensure that NIST fulfills its role and responsibilities for producing robust, effective cryptographic standards and guidelines.

Please see this announcement for additional information. NIST Public Affairs Office also released a press release covering the release of NISTIR 7977.

NIST Released the Second Draft of Special Publication 800-177, Trustworthy Email
March 29, 2016

NIST requests comments on the second draft of Special Publication (SP) 800-177, Trustworthy Email. This draft is a complimentary guide to NIST SP 800-45 Guidelines on Electronic Mail Security and covers protocol security technologies to secure email transactions. This draft guide includes recommendations for the deployment of domain-based authentication protocols for email as well as end-to-end cryptographic protection for email contents. Technologies recommended in support of core Simple Mail Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for authenticating a sending domain (Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain based Message Authentication, Reporting and Conformance (DMARC). Email content security is facilitated through encryption and authentication of message content using S/MIME and/or Transport Layer Security (TLS) with SMTP. This guide is written for the federal agency email administrator, information security specialists and network managers, but contains general recommendations for all enterprise email administrators.

The public comment period April 29th, 2016.
Email comments to SP800-177@nist.gov

NIST Released Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
March 29, 2016

NIST is pleased to announce the release of Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption. This publication specifies and approves the FF1 and FF3 encryption modes of operation of the AES algorithm.

The previously approved encryption modes are not designed for non-binary data such as Social Security numbers (SSNs); in particular, the decimal representation of an encrypted SSN might consist of more than nine digits, so it would not look like an SSN.

By contrast, format-preserving encryption (FPE) methods such as FF1 and FF3 are designed for data that is not necessarily binary. In particular, given any finite set of symbols, like the decimal numerals, a method for FPE transforms data that is formatted as a sequence of the symbols in such a way that the encrypted form of the data has the same format, including the length, as the original data. Thus, an FPE-encrypted SSN would be a sequence of nine decimal digits.

FPE modes facilitate the retrofitting of encryption technology to existing devices or software, where a conventional encryption mode might not be feasible. In particular, database applications may not support changes to the length or format of data fields.

More generally, FPE can support the “sanitization” of databases, i.e., the targeting of encryption to personally identifiable information (PII), such as SSNs. The encrypted SSNs could still serve as an index to facilitate statistical research, perhaps across multiple databases. An important caveat to this application of FPE is that re-identification is sometimes feasible through the analysis of the unencrypted data and other information.

The commercial impetus comes from the payments industry, where FPE methods have already been deployed in merchants’ credit card readers. NIST is also considering for approval a third mode from that industry, the extension/revision of the VAES3 mode, which was named FF2 in the draft SP 800-38G that was released for public comment. This revision of FF2 is listed by the name “DFF” at the modes development page, at http://csrc.nist.rip/groups/ST/toolkit/BCM/modes_development.html.

NIST received patent disclosures that are claimed to apply to FPE modes. Letters of Assurance to NIST regarding the licensing of these patents are available at http://csrc.nist.rip/groups/ST/toolkit/BCM/current_modes.html.

NIST Public Affairs Office issued a press release about SP 800-38G.

NIST Announce the Release of 2 Draft Special Publications:
(1) Special Publication 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security &
(2) Draft Special Publication 800-114 Revision 1, User's Guide to Telework and Bring Your Own Device (BYOD) Security
March 14, 2016

NIST requests public comments on two draft Special Publications (SPs) on telework and BYOD security: Draft SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, and Draft SP 800-114 Revision 1, User's Guide to Telework and Bring Your Own Device (BYOD) Security. Organizations are increasingly threatened, attacked, and breached through compromised telework devices used by their employees, contractors, business partners, and vendors. These publications make recommendations for organizations (in SP 800-46 Revision 2) and users (in SP 800-114 Revision 1) to improve their telework and BYOD security practices.

The public comment period for both publications closes on April 15, 2016.

Send comments on Draft SP 800-46 Revision 2 to 800-46comments@nist.gov with "Comments SP 800-46" in the subject line.
Send comments on Draft SP 800-114 Revision 1 to 800-114comments@nist.gov with "Comments SP 800-114" in the subject line.

Links to Draft SP 800-46 Rev. 2 and Draft SP 800-114 Rev. 1
Links to Draft SP 800-46 Rev. 2	Links to Draft SP 800-114 Rev. 1
SP 800-46 Rev. 2 (PDF)	SP 800-114 Rev. 1 (PDF)
Comment Template SP 800-46 Rev. 2 (Excel)	Comment Template SP 800-114 Rev. 1 (Excel)

NIST Announce the Release of Draft Special Publication 800-154, Guide to Data-Centric System Threat Modeling
March 14, 2016

NIST requests public comments on draft Special Publication (SP) 800-154, Guide to Data-Centric System Threat Modeling. Data-centric system threat modeling is a form of risk assessment that models aspects of the attack and defense sides for selected data within a system. Draft SP 800-154 provides information on the basics of data-centric system threat modeling so that organizations can use it as part of their risk management processes instead of relying solely on conventional "best practice" recommendations.

The public comment period for the publication closes on April 15, 2016.

Send comments on Draft SP 800-154 to 800-154comments@nist.gov with "Comments SP 800-154" in the subject line.

Link to Draft SP 800-154 document (PDF)
Link to Comment Template for Draft SP 800-154 (Excel)

NIST Released Draft SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
March 11, 2016

NIST requests comments on Special Publication 800-175B,Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms. The SP 800-175 publications are intended to be a replacement for SP 800-21, Guideline for Implementing Cryptography in the Federal Government, but with a focus on using the cryptographic offerings currently available, rather than building one’s own implementation. SP 800-175B is intended to provide guidance to the Federal government for using cryptography and NIST’s cryptographic standards to protect sensitive, but unclassified digitized information during transmission and while in storage. The cryptographic methods and services to be used are also discussed. The first document in the series (i.e., SP 800-175A) will be available shortly. Please provide comments on SP 800-175B by Friday, April 29, 2016. Comments may be sent to SP800-175@nist.gov, with “Comments on SP 800-175B” as the subject.

NIST Released SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection
March 7, 2016

NIST announces the release of final version of NIST Special Publication 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection. VMs constitute the primary resource to be protected in a virtualized infrastructure, since they are the compute engines on which business/mission critical applications of the enterprise are run. Further, since VMs are end-nodes of a virtual network, the configuration of virtual network forms an important element in the security of VMs and their hosted applications. The virtual network configuration areas considered for VM protection in this document are – Network Segmentation, Network Path Redundancy, Firewall Deployment Architecture and VM Traffic Monitoring. The configuration options in each of these areas are analyzed for their advantages and disadvantages and security recommendations are provided.

NIST Special Publication 800-53 Revision 5, Pre-Draft Call for Comments
February 23, 2016

Recognizing the importance of maintaining the relevance and currency of Special Publication (SP) 800-53, NIST will update Revision 4 to Revision 5 during calendar year 2016 beginning with this pre-draft request for comments. NIST seeks the input of SP 800-53 customers to ensure Revision 5 will continue to deliver a comprehensive security and privacy control set that addresses current threats, technologies, and environments of operation while remaining functional and usable.

Please respond by April 1st 2016 to the call for comments to sec-cert@nist.gov.

To learn more, please visit the link below.

SP 800-53 Rev. 5 PRE-Draft Call for Comments

Draft Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), Comment Period Has Been Extended
February 19, 2016

The comment period for Draft Special Publication 800-116 Revision 1 has been extended, and now closes at 5:00 EST (US and Canada) on March 1, 2016

NIST Announces the Release of DRAFT Special Publication 800-180, NIST Definition of Microservices, Application Containers and System Virtual Machines
February 18, 2016

NIST requests public comments on DRAFT SP 800-180, NIST Definition of Microservices, Application Containers and System Virtual Machines. This document serves to provide a NIST-standard definition to application containers, microservices which reside in application containers and system virtual machines. Furthermore, this document explains the similarities and differences between a Services Oriented Architecture (SOA) and Microservices as well as the similarities and differences between System Virtual Machines and Application Containers.

Link to Draft SP 800-180 (PDF)
Link to Comment Template (Excel)

The public comment period will close on: March 18, 2016.

Send comments using the this template to sec-cloudcomputing@nist.gov with “Comments SP 800-180” in the subject line.

NIST Announces Release of Draft NISTIR 8103, Advanced Identity Workshop on Applying Measurement Science in the Identity Ecosystem: Summary and Next Steps
February 17, 2016

On January 12-13, 2016 the Applied Cybersecurity Division (ACD) in the National Institute of Standards and Technology’s (NIST) Information Technology Laboratory hosted the “Applying Measurement Science in the Identity Ecosystem” workshop to discuss the application of measurement science to digital identity management. Draft NISTIR 8103 summarizes the concepts and ideas presented at the workshop and serves as a platform to receive feedback on the major themes discussed at that event.

Link to Draft NISTIR 8103 (PDF)
Comment Template to use to submit comments to Draft NISTIR 8103 (Excel)

Comments on NISTIR 8103 should be emailed to NSTICworkshop@nist.gov.
The comment period closes on March 31st, 2016.

NIST Announces Release of DRAFT NISTIR 8063, Internet of Things (IoT) Trustworthiness
February 16, 2016

NIST requests public comments on DRAFT NISTIR 8063, Primitives and Elements of Internet of Things (IoT) Trustworthiness. This report describes research on creating a vocabulary, namely primitives and elements, for composing IOT. This report presents five primitives and six elements that form a design catalogue that can support trustworthiness. We envision their application to use cases, ontologies, formalisms, and other methods to specific IOT projects. These primitives apply well to systems with large amounts of data, scalability concerns, heterogeneity concerns, temporal concerns, and elements of unknown pedigree with possible nefarious intent. These primitives form the basic building blocks for a Network of ‘Things’ (NoT), including the Internet of Things (IoT). We see this as early research and earnestly seek feedback on the merits, utility, and feasibility of such a vocabulary.

The public comment period will close on: March 17, 2016.

Send comments and/or questions to iot@nist.gov with “Comments NISTIR 8063” in the subject line.

NIST announces release of Draft Special Publication (SP) 800-166, Derived PIV Application and Data Model Test Guidelines for public comment
February 8, 2016

Draft SP 800-166 contains the derived test requirements and test assertions for testing the Derived PIV Application and associated Derived PIV data objects. The tests verify the conformance of these artifacts to the technical specifications of SP 800-157. SP 800-157 specifies standards-based, secure, reliable, interoperable Public Key Infrastructure (PKI)-based identity credentials. Draft SP 800-166 is targeted at vendors of Derived PIV Applications, issuers of Derived PIV Credentials, and entities that will conduct conformance tests on these applications and credentials.

The public comment period closes on: March 14, 2016.
Send comments to piv_derived@nist.gov with “Comments on Draft SP 800-166” in the subject line.

The links for the Draft document and the comment template are given below:
Draft SP 800-166 - – Draft Document
Comment Template – - Excel file

A NIST Draft Whitepaper titled "Best Practices for Privileged User PIV Authentication" is available for public comment.
February 5, 2016

This draft white paper is a best practices guide. The paper is in response to the Cybersecurity Strategy and Implementation Plan (CSIP), published by the Office of Management and Budget (OMB) on October 30, 2015, requiring Federal agencies to use Personal Identity Verification (PIV) credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user and provides best practices for agencies to implementing PIV authentication for privileged users.

The public comment period closes on: March 4, 2016.
Send comments to csip-pivforprivilege@nist.gov with “Comments on PIV Credential for privileged use” in the subject line.

Best Practices for Privileged User PIV Authentication
Comment Template (Excel)

NIST Announce the Release of DRAFT NISTIR 8105, Report on Post-Quantum Cryptography for Public Comment
February 3, 2016

NIST requests public comments on DRAFT NISTIR 8105, Report on Post-Quantum Cryptography. In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. This Internal Report shares the National Institute of Standards and Technology (NIST)’s current understanding about the status of quantum computing and post-quantum cryptography, and outlines NIST’s initial plan to move forward in this space. The report also recognizes the challenge of moving to new cryptographic infrastructures and therefore emphasizes the need for agencies to focus on crypto agility.

The public comment period will close on: March 9, 2016.
Send questions to NISTIR8105-comments@nist.gov with “Comments NISTIR 8105” in the subject line.

NIST Released DRAFT NISTIR 8011, Automation Support for Security Control Assessments -
Volume 1: Overview
Volume 2: Hardware Asset Management -
now available for public comment.
February 2, 2016

The National Institute of Standards and Technology (NIST) is pleased to announce the initial public draft release of NIST Internal Report (NISTIR) 8011, Automation Support for Security Control Assessments, Volumes 1 and 2. This NISTIR represents a joint effort between NIST and the Department of Homeland Security to provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall and the guidance in NIST SPs 800-53 and 800-53A in particular.

NISTIR 8011 will ultimately consist of 13 volumes. Volume 1 introduces the general approach to automating security control assessments, 12 ISCM security capabilities, and terms and concepts common to all 12 capabilities. Volume 2 provides details specific to the hardware asset management security capability. The remaining 11 ISCM security capability volumes will provide details specific to each capability but will be organized in a very similar way to Volume 2.

Link to Volume 1: Overview
Link to Volume 2: Hardware Asset Management

-OR- you can get to this draft with 2 volumes from the CSRC Draft Publications page.

Public comment period is open through March 18, 2016. Please submit public comments to sec-cert@nist.gov. Comments are accepted in any desired format.

Special Publication 800-57, Part 1 Revision 4 has been approved as final.
January 28, 2016

NIST announces the completion of Special Publication (SP) 800-57, Part 1 Rev. 4, Recommendation for Key Management, Part 1: General. This Recommendation provides general cryptographic key management guidance. The proper management of cryptographic keys is essential to the effective use of cryptography for security. Public comments received during the review of this document are provided here.

NIST Released NISTIR 7511 Revision 4, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements
January 28, 2016

NIST announces the final release of NISTIR 7511 Revision 4, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements. This document defines the test requirements that products must satisfy in order to be awarded an SCAP 1.2 validation. A list of changes is provided in the Summary of Changes section of the document

DRAFT SP 800-90 Series: Random Bit Generators
Recommendation for the Entropy Sources Used for Random Bit Generation
January 27, 2016

NIST announces the second draft of Special Publication (SP) 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation. This Recommendation specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of entropy sources. These entropy sources are intended to be combined with Deterministic Random Bit Generator mechanisms that are specified in SP 800-90A to construct Random Bit Generators, as specified in SP 800-90C. NIST is planning to host a workshop on Random Number Generation to discuss the SP 800-90 series, specifically, SP 800-90B and SP 800-90C. More information about the workshop is available at: http://www.nist.gov/itl/csd/ct/rbg_workshop2016.cfm.

The specific areas where comments are solicited on SP 800-90B are:

Post-processing functions (Section 3.2.2): We provided a list of approved post-processing functions. Is the selection of the functions appropriate?
Entropy assessment (Section 3.1.5): While estimating the entropy for entropy sources using a conditioning component, the values of n and q are multiplied by the constant 0.85. Is the selection of this constant reasonable?
Multiple noise sources: The Recommendation only allows using multiple noise sources if the noise sources are independent. Should the use of dependent noise sources also be allowed, and if so, how can we calculate an entropy assessment in this case?
Health Tests: What actions should be taken when health tests raise an alarm? The minimum allowed value of a type I error for health testing is selected as 2-50. Is this selection reasonable?

NIST Public Affairs Office published a news release regarding the second Draft SP 800-90B.

NIST requests comments on the revised (second) Draft SP 800-90B by 5:00PM EST on May 9, 2016. Please submit comments on Draft SP 800-90B using the comments template form (Excel Spreadsheet) to rbg_comments@nist.gov with “Comments on Draft SP 800-90B” in the subject line.

NIST Released NIST Interagency Report (NISTIR) 8055, Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research
January 22, 2016

NIST announces the final release of NIST Interagency Report (NISTIR) 8055, Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research. This report documents proof of concept research performed by NIST to determine how DPCs could be used to PIV-enable mobile devices and provide multi-factor authentication for an organization's mobile device users. This report captures DPC requirements, proposes an architecture that supports these requirements, and describe how this architecture could be implemented and operated.

Influence the Future of Cybersecurity Education—Join the NICE Working Group
January 21, 2016
Addressing the nation’s rapidly increasing need for cybersecurity employees, the National Initiative for Cybersecurity Education (NICE) is seeking members from the public and private sectors and academia to join its new working group and encourages interested individuals to participate in a kickoff teleconference the afternoon of January 27, 2016.

See the press release and NICE Working Group page for more details.

NIST, Computer Security Resource Center

CSRC News - 2017 & 2016

See news archive for previous years (2015-2011).