NIST requests public comments on the release of Draft Special Publication 800-191, The NIST Definition of Fog Computing. Managing the data generated by Internet of Things (IoT) sensors is one of the biggest challenges faced when deploying an IoT system.  Traditional cloud-based IoT systems are challenged by the large scale, heterogeneity, and high latency witnessed in some cloud ecosystem. One solution is to decentralize applications, management, and data analytics into the network itself using a distributed and federated compute model.  This approach has become known as fog computing.  This document presents a formal definition of fog and mist computing and how they relate to cloud-based computing models for IoT.  This document further characterizes important properties and aspects of fog computing, including service models, deployment strategies, and provides a baseline of what fog computing is, and how it may be used.

Email comments to: sp800-191@nist.gov (Subject: "Comments on Draft SP 800-191")
Comments due by: September 21, 2017

As we push computers to "the edge" building an increasingly complex world of interconnected information systems and devices, security and privacy continue to dominate the national dialog. There is an urgent need to further strengthen the underlying systems, component products, and services that we depend on in every sector of the critical infrastructure--ensuring those systems, components, and services are sufficiently trustworthy and provide the necessary resilience to support the economic and national security interests of the United States.

This update to NIST Special Publication 800-53 (Revision 5) responds to the need by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices. Those safeguarding measures include security and privacy controls to protect the critical and essential operations and assets of organizations and the personal privacy of individuals. The ultimate objective is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable.

Revision 5 of this foundational NIST publication represents a one-year effort to develop the next generation security and privacy controls that will be needed to accomplish the above objectives. It includes changes to make the controls more consumable by diverse groups including, for example, enterprises conducting mission and business operations; engineering organizations developing systems and systems-of-systems; and industry partners building system components, products, and services. The major changes to the publication include:

• Making the security and privacy controls more outcome-based by changing the structure of the controls;
• Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
• Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
• Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
• Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
• Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability.

Your feedback on this draft publication is important to us. We appreciate each contribution from our reviewers. The very insightful comments from the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our customers. Comments can be submitted to sec-cert@nist.gov. NIST anticipates producing the final draft of this publication in October 2017 and publishing the final version not later than December 29, 2017.

Email comments to: sec-cert@nist.gov (Subject: "Comments on Draft SP 800-53 Rev. 5")
Comments due by: September 12, 2017

NIST announces the public comment release of SP 800-56A Rev. 3 and SP 800-56C Rev. 1. SP 800-56A specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman (DH) and Menezes-Qu-Vanstone(MQV) key establishment schemes. Revision 3 approves the use of specific safe-prime groups of domain parameters for finite field DH and MQV schemes and requires the use of specific commonly used elliptic curves. In addition, all methods used for key derivation have been moved to SP 800-56C.

Email comments to: SP800-56a_comments@nist.gov (Subject: "Comments on Draft SP 800-56A Rev. 3")
Comments due by: November 6, 2017

NIST announces the public comment release of SP 800-56C Rev. 1 and SP 800-56A Rev. 3. SP 800-56C has been revised to include all key derivation methods currently included in SP 800-56A and SP 800-56B, Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography, in addition to the two-step key-derivation procedure currently specified in SP 800-56C. Note the change of title for SP 800-56C that reflects the inclusion of the additional key-derivation methods. SP 800-56C Revision 1 also includes the use of KMAC128 and KMAC256 as key-derivation primitives for the one-step key-derivation method.

Email comments to: 800-56C_Comments@nist.gov (Subject: "Comments on SP 800-56C Rev. 1")
Comments due by: November 6, 2017

NIST requests public comments on the release of Draft Special Publication 800-70 Revision 4, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. Using security configuration checklists to verify the configuration of information technology (IT) products and identify unauthorized configuration changes can minimize product attack surfaces, reduce vulnerabilities, and lessen the impact of successful attacks. To facilitate development of checklists and to make checklists more organized and usable, NIST established the National Checklist Program (NCP). This publication explains how to use the NCP to find and retrieve checklists, and it also describes the policies, procedures, and general requirements for participation in the NCP. 

Email comments to: checklists@nist.gov (Subject: "Comments on SP 800-70")
Comments due by: August 30, 2017

NIST requests comments on the release of Draft NISTIR 8176, Security Assurance Requirements for Linux Application Container Deployments.

Application Containers are slowly finding adoption in enterprise IT infrastructures. To address security concerns associated with deployment of application container platforms, NIST Special Publication 800-190 (2nd Draft), Application Container Security Guide, identified security threats to the components of the platform hosting the containers and related artifacts involved in building, storing and using container images. It has also proposed countermeasures for the following components: Hardware, Host OS, Container Runtime, Image, Registry and Orchestrator.

To implement the countermeasures one or more security solutions are needed. To assess the effectiveness of the security solutions implemented based on these recommendations, it is necessary to analyze them and outline the security assurance requirements they must satisfy to meet their intended objectives. This is the contribution of Draft NISTIR 8176. The focus is on application containers on Linux platforms.

The security solutions for which security assurance requirements have been derived cover the following areas:

1. Hardware-based root of trust providing integrity for boot process, 
2. Configuration options using host OS kernel features and kernel loadable modules, 
3. Protection measures for building and storing container images, and
4. Configuration options in Orchestrator tools used for rolling out a production infrastructure involving multiple containers and multiple hosts.

The public comment period closed on August 25, 2017
Questions? Send email to : NISTIR8176@nist.gov

This draft is intended to supersede SP 800-67 Revision 1, which limits the TDEA block cipher to apply the cryptographic protection (e.g., encrypt) to 2³² 64-bit blocks under one key bundle. The draft SP 800-67 Revision 2 further lowers this limit to 2²⁰ 64-bit data blocks per key bundle, following the announcement by NIST to update its guidance on the current use of TDEA.

Email comments to: sp800-67comments@nist.gov (Subject: "Comments on Draft SP 800-67 Revision 2")
Comments due by: October 2, 2017

NIST announces the second public comment release of Draft Special Publication 800-190, Application Container Security Guide. Application container technologies, better known as containers, are a form of operating system virtualization combined with application software packaging. Draft (2nd) SP 800-190 explains the security benefits and concerns associated with container technologies and makes practical recommendations for addressing the concerns when planning for, implementing, and maintaining containers.

The public comment period closed on August 11, 2017
Questions? Send email to : 800-190comments@nist.gov

NIST is seeking comments on NIST IR 8179, Criticality Analysis Process Model.  This publication describes a structured method of  prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss may present to those goals.

The public comment period closed on August 18, 2017
Questions? Send email to : nistir-8179-comments@nist.gov

NIST announces the public comment release of Draft Special Publication 800-193, Platform Firmware Resiliency Guidelines. The platform is a collection of fundamental hardware and firmware components needed to boot and operate a computer system. This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks.  These draft guidelines promote resiliency in the platform by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and secure recovery from attacks. This document is intended to guide implementers, including system manufacturers and and component suppliers, on how to use these mechanisms to build a strong security foundation into platforms.

The public comment period closed on July 14, 2017
Questions? Send email to : sp800-193comments@nist.gov

[Updated 6/27/17: A spreadsheet is now available that maps SP 800-53 Rev. 4 controls to subcategories of the Cybersecurity Framework (v1.0).]

Draft NISTIR 8170 provides guidance on how the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) can be used in the U.S. Federal Government in conjunction with the current and planned suite of NIST security and privacy risk management publications. The specific guidance was derived from current Cybersecurity Framework use. To provide federal agencies with examples of how the Cybersecurity Framework can augment the current versions of NIST security and privacy risk management publications, this guidance uses common federal information security vocabulary and processes. 

NIST will engage with agencies to add content based on agency implementation, refine current guidance and identify additional guidance to provide the information that is most helpful to agencies. Feedback will also help to determine which Cybersecurity Framework concepts are incorporated into future versions of the suite of NIST security and privacy risk management publications. NIST would like feedback that addresses the following questions:

• How can agencies use the Cybersecurity Framework, and what are the potential opportunities and challenges?
• How does the guidance presented in this draft report benefit federal agency cybersecurity risk management?
• How does the draft report help stakeholders to better understand federal agency use of the Cybersecurity Framework?
• How does the draft report inform potential updates to the suite of NIST security and privacy risk management publications to promote an integrated approach to risk management?  
• Which documents among the suite of NIST security and privacy risk management publications should incorporate Cybersecurity Framework concepts, and where?
• How can this report be improved to provide better guidance to federal agencies?

The public comment period closed on June 30, 2017
Questions? Send email to : nistir8170@nist.gov

As the world rapidly embraces the Internet of Things, properly securing medical devices has grown challenging for most healthcare delivery organizations (HDOs).

That's because medical devices, such as infusion pumps, have evolved from standalone instruments that interacted only with the patient and a medical provider into devices that now connect wirelessly to a variety of systems, networks, and other platforms to enhance patient care, as part of the broader Internet of Medical Things (IoMT).

As a result, cybersecurity risks have risen. Wireless infusion pump ecosystems, which include the pump, the network, and the data stored in and on a pump, face a range of potential threats, such as unauthorized access to protected health information (PHI), changes to prescribed drug doses, and interference with a pump's intended function.

In collaboration with the healthcare community and manufacturers, the NCCoE developed cybersecurity guidance, draft NIST Special Publication 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, which uses standards-based, commercially available technologies and industry best practices to help HDOs strengthen the security of wireless infusion pumps within healthcare facilities. The draft guide is now open for public comment.  

The public comment period closed on July 7, 2017
Questions? Send email to : hit_nccoe@nist.gov

The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Securing Property Management Systems.

Hospitality organizations rely on Property Management Systems (PMS) for daily tasks, planning, and record keeping. As the operations hub, the PMS interfaces with several services and components within a hotel's IT system, such as Point-of-Sale (POS) systems, door locks, Wi-Fi networks, and other guest service applications. Adding to the complexity of the network, external business partners' components and services are also typically connected to the PMS, such as on-premise spas or restaurants, online travel agents, and customer relationship management partners or applications (on-premise or cloud-based). The numerous connections to and users of the PMS could provide a broader surface for attack by malicious actors. Improve the security of the PMS can help protect the business from network intrusions that might lead to data breaches and fraud. 

Based on industry research and in collaboration with hospitality industry stakeholders, the NCCoE is proposing a solution to better secure the PMS and its connections within a hotel's IT system that implements layers of security: point-to-point encryption, data tokenization, multifactor authentication for remote and partner access, network and user behavior analytics, and business-only usage restrictions.

Building on this collaboration with the hospitality business community and vendors of cybersecurity solutions, the NCCoE will explore methods to strengthen the security of the PMS and its connections and will develop an example implementation composed of open-source and commercially available components. This project will produce a NIST Cybersecurity Practice Guide--a publically available description of the solution and practical steps needed to effectively secure the PMS and its many connections within the hotel IT system.

The public comment period closed on May 31, 2017
Questions? Send email to : hospitality-nccoe@nist.gov

[Updated 6/27/17: Public comments on Profiles I and II are available below.]

NIST announces the draft whitepaper, Profiles for the Lightweight Cryptography Standardization Process. This document describes the first two profiles for NIST's lightweight cryptography project:

• Profile I provides authenticated encryption with associated data (AEAD) and hashing functionalities for both hardware- and software-oriented constrained environments.
• Profile II provides AEAD only in hardware-oriented constrained environments.

The final versions of these profiles will be the foundation of submission requirements for the first algorithms in NIST's lightweight cryptography portfolio.

The public comment period closed on June 16, 2017
Questions? Send email to : lightweight-crypto@nist.gov

A draft manufacturing implementation of the Cybersecurity Framework, or Profile, has been developed for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices. This Manufacturing "Target" Profile focuses on desired cybersecurity outcomes and can be used to identify opportunities for improving the current cybersecurity posture of a manufacturing system. This Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Manufacturing Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing.

The public comment period closed on April 17, 2017
Questions? Send email to : csf_manufacturing_profile@nist.gov

The National Cybersecurity Center of Excellence (NCCoE) is soliciting comments on NIST Cybersecurity Practice Guide (Draft) SP 1800-7, Situational Awareness for Electric Utilities. To improve the security of information and operational technology, including industrial control systems, energy companies need mechanisms to capture, transmit, analyze and store real-time or near-real-time data from these networks and systems. With such mechanisms in place, energy providers can more readily detect and remediate anomalous conditions, investigate the chain of events that led to the anomalies, and share findings with other energy companies. Obtaining real-time and near-real-time data from networks also has the benefit of helping to demonstrate compliance with information security standards.

Read the two-page fact sheet or download the revised Situational Awareness Project Description for more information on the project.

The public comment period closed on April 17, 2017
Questions? Send email to : energy_nccoe@nist.gov

NIST invites comments on Draft NISTIR 8139, Identifying Uniformity with Entropy and Divergence. 

Entropy models are frequently utilized in tests identifying either qualities of randomness or randomness uniformity of formal and/or observed distributions. The NIST Special Publications SP 800-22 and SP 800-90 (A, B, & C) discuss tests and methods leveraging both Shannon and min entropies. Shannon and min entropies represent two particular cases of Renyi entropy, which is a more general one-parameter entropy model. Renyi entropy insightfully unifies Hartley, Shannon, collision, and min entropies and belongs to the class of one-parameter entropy models, such as entropies named after Havrda-Charvat-Daroczy, Tsallis, Abe, and Kaniadakis. Renyi entropy along with the other members of the one parameter entropy models class can be in turn viewed as a case of the Sharma-Mittal entropy, which is a bi-parametric generalized entropy model. This NISTIR focuses on using Renyi and Tsallis entropy and divergence models to analyze similarities and differences between probability distributions of interest. The report introduces extensions for the traditional uniformity identification and measurement techniques that were proposed in the NIST SP 800-22 and SP 800-90 (A, B, & C). 
 

The public comment period closed on March 9, 2017
Questions? Send email to : Comments-IR-8139@nist.gov

On January 10, 2017, NIST released proposed updates to the Cybersecurity Framework. This draft Version 1.1 of the Cybersecurity Framework seeks to clarify, refine, and enhance the Framework, making it easier to use.  Updates were derived from feedback NIST received since the publication of Cybersecurity Framework Version 1.0, including responses to a December 2015 Request for Information (RFI), Views on the Framework for Improving Critical Infrastructure Cybersecurity, and discourse at Cybersecurity Framework Workshop 2016.  More information can be found at the Cybersecurity Framework site.

See the "Note to Reviewers on the Update and Next Steps" on pp. ii-iii for additional review guidance.

The public comment period closed on April 10, 2017
Questions? Send email to : cyberframework@nist.gov

De-identification removes identifying information from a dataset so that the remaining data cannot be linked with specific individuals. Government agencies can use de-identification to reduce the privacy risk associated with collecting, processing, archiving, distributing or publishing government data. Previously NIST published NISTIR 8053, De-Identification of Personal Information, which provided a survey of de-identification and re-identification techniques. This document provides specific guidance to government agencies that wish to use de-identification.

In developing the draft Privacy Risk Management Framework, NIST sought the perspectives and experiences of de-identification  experts both inside and outside the US Government.

Future areas of work will focus on developing metrics and tests for de-identification software, as well as working with industry and academia to make algorithms that incorporate formal privacy guarantees usable for government de-identification activities. Collected input will be used to correct technical errors and expand areas that are unclear.

The public comment period closed on December 31, 2016
Questions? Send email to : sp800-188-draft@nist.gov

NIST invites comments on Draft NIST SP 800-187, Guide to LTE Security. Cellular technology plays an increasingly large role in society as it has become the primary portal to the Internet for a large segment of the population. One of the main drivers making this change possible is the deployment of 4th generation (4G) Long Term Evolution (LTE) cellular technologies. This document serves as a guide to the fundamentals of how LTE networks operate and explores the LTE security architecture. This is followed by an analysis of the threats posed to LTE networks and supporting mitigations. This document introduces high-level LTE concepts and discusses technical LTE security mechanisms in detail. Technical readers are expected to understand fundamental networking concepts and general network security. It is intended to assist those evaluating, adopting, and operating LTE networks, specifically telecommunications engineers, system administrators, cybersecurity practitioners, and security researchers.

The public comment period closed on December 22, 2016
Questions? Send email to : LTEsecurity@nist.gov

NIST announces the release of draft Special Publication 1800-6, Domain Name Systems-Based Electronic Mail Security. NIST welcomes your comments and feedback (see links below for clinks to all supporting documentation for this draft).

Both public and private sector business operations are heavily reliant on email exchanges, leading to concerns about email security and the use of email as an attack vector. Organizations are motivated by the need to protect the integrity of transactions containing financial and other proprietary information, and to protect the privacy of employees and clients. Cryptographic functions are usually employed to perform services such as authentication of the source of an email message, assurance that the message has not been altered by an unauthorized party, and to ensure message confidentiality. Most organizations rely on mail servers to provide security at an enterprise level in order to provide scalability and uniformity. However, many server-based email security mechanisms are vulnerable to attacks involving faked or fraudulent digital certificates, otherwise invalid certificates, and failure to actually invoke a security process as a result of connection to (or through) a fraudulent server. Even if there are protections in place, some attacks have been able to subvert email communication by attacking the underlying support protocols such as Domain Name Systems (DNS). Attackers can spoof DNS responses to redirect email servers and alter email delivery. DNS Security Extensions (DNSSEC) was developed to prevent this. DNSSEC protects against unauthorized modifications to network management information and host IP addresses. DNSSEC can also be used to provide an alternative publication and trust infrastructure for service certificates using the DNS-based Authentication of Named Entities (DANE) resource records.

SP 1800-6 describes several demonstrated security platforms using DNS, DNSSEC, and DANE for trustworthy email exchanges across organizational boundaries. The security platforms described provide reliable authentication of mail servers, digital signature and encryption of email, and reliable binding of cryptographic key certificates to sources and servers. The example solutions and architectures presented are based upon standards-based open-source and commercially available products.

The public comment period closed on December 19, 2016
Questions? Send email to : dns-email-nccoe@nist.gov

More and more, online service providers are struggling to find secure ways of verifying that their consumers are who they say they are while, at the same time, protecting their users' privacy. Some communities and organizations, that share common user bases and transaction types, are choosing to address these challenges by allowing their users to access multiple services through common login credentials. This approach -- known as federated identity management -- enables users to access multiple online organizations and services through shared authentication processes (instead of authenticating separately to each and every service provider).

This document provides an informational look at trust frameworks and explains what they are, what their components are, and how they relate to the concept of identity federation. In Draft NISTIR 8149, Developing Trust Frameworks to Support Identity Federations, NIST aims to educate communities that are interested in pursuing federated identity management, and provide a resource for them as they create the agreements and other components that will make up their trust frameworks. It includes guidance on determining roles in an identity federation, on what to consider from a legal standpoint, and on understanding the importance of establishing and recognizing conformance. Additionally, this document is intended to standardize the language around identity federation and trust frameworks in order to promote their widespread adoption.

Submitting Comments:

Commenters are STRONGLY encouraged to publicly collaborate with the NIST team, and with other participants, via the NISTIR 8149 GitHub pages.

OR, for those of you who prefer, we have provided a PDF version of NISTIR 8149 and traditional comment matrix for your use.

All comments, regardless of how they are provided to NIST, will be made public as a GitHub "issue".

The public comment period closed on November 1, 2016
Questions? Send email to : trustframeworks@nist.gov

NISTIR 8138 aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations including but not limited to information technology systems, industrial control systems or medical devices to assist in the vulnerability management process. The primary goal of the described methodology is to enable automated analysis using metrics such as the Common Vulnerability Scoring System (CVSS). Additional goals include establishing a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitating the sharing of vulnerability information across language barriers.

This is the first draft of several anticipated drafts of a document intended to describe a methodology for characterizing vulnerabilities. It is not intended to be complete at this time and the authors do not expect that this draft reflects the full breadth and depth of the information needed to fully automate the descriptions for vulnerabilities. Reviewers are asked to provide feedback on terminology that is unclear, in conflict with established practice and are encouraged to provide feedback and examples where the current draft falls short in enabling the description of a vulnerability. Future drafts will be produced attempting to incorporate feedback consistent with the purpose of the document and the goal of improving the final version.

The public comment period closed on October 31, 2016
Questions? Send email to : nistir8138@nist.gov

[10/11/16 - The comment period has been extended to 11/10 (from 10/12).]

The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Authentication for Law Enforcement Vehicle Systems.

Law enforcement vehicles often serve as mobile offices for officers. In-vehicle laptop(s) or other computer systems are used to access a wide range of software applications and databases hosted and operated by federal, state, and local agencies, with each typically requiring a different username and password. The operational environment presents unique security challenges, as officers must frequently leave the vehicle unattended, perhaps on short notice, and must be able to gain access to systems quickly, possibly while the vehicle is in motion. These needs discourage the use of screen locks and traditional single sign on solutions.

In collaboration with stakeholders, the NCCoE aims to demonstrate an integrated set of authentication mechanisms, improving system security, usability and safety. By integrating simplified identity and authentication technologies, based on proximity, biometrics, tokens, or other similar technologies, with readily available integrated reduced-sign-on (RSO) tools, law enforcement organizations can enhance mission effectiveness, improve officer safety, and, through more consistently applied security controls, reduce risk to sensitive back-end databases and systems. This project will also explore additional capabilities, such as proximity authentication, derived Personal Identity Verification (PIV) credentials, integration with FirstNet, and integration with vehicle drive-away protection and Computer Assisted Dispatch systems to indicate whether the officer is in the vehicle or not.

The public comment period closed on November 10, 2016
Questions? Send email to : lev-nccoe@nist.gov

The Mobile Threat Catalogue outlines a catalogue of threats to mobile devices and associated mobile infrastructure to support development and implementation of mobile security capabilities, best practices, and security solutions to better protect enterprise information technology (IT). Threats are divided into broad categories, primarily focused upon mobile applications and software, the network stack and associated infrastructure, mobile device and software supply chain, and the greater mobile ecosystem. Each threat identified is catalogued alongside explanatory and vulnerability information where possible, and alongside applicable mitigation strategies.

Draft NISTIR 8144 provides background information on mobile information systems and their attack surface is provided to assist readers in understanding threats contained within the Mobile Threat Catalogue (see link below). The NISTIR also outlines the structure of the Mobile Threat Catalogue.

Mobile security engineers and architects can leverage these documents to inform risk assessments, build threat models, enumerate the attack surface of their mobile infrastructure, and identify mitigations for their mobile deployments.

The public comment period closed on October 12, 2016
Questions? Send email to : nistir8144@nist.gov

NIST invites comments on Draft NIST Internal Report (NISTIR) 8112, Attribute Metadata. This report proposes a schema intended to convey information about a subject's attribute(s) to allow for a relying party (RP) to:

• Obtain greater understanding of how the attribute and its value were obtained, determined, and vetted;
• Have greater confidence in applying appropriate authorization decisions to subjects external to the domain of a protected system or data;
• Develop more granular access control policies;
• Make more effective authorization decisions; and
• Promote federation of attributes.

The schema can be used by relying parties to enrich access control policies, as well as during runtime evaluation of an individual's ability to access protected resources. We opted to publish this document as a NISTIR in an effort to treat it as an implementers' draft, an approach common in the development lifecycle of many private sector standards and specifications. This allows the developer and policy community, in both the public and private sectors, to apply some or all of the metadata in this NISTIR on a volunteer basis, and provide us with practical feedback gained through implementation experience. As such, we will be maintaining the public issues page beyond the initial 60-day period to continually receive input and iteratively improve the document in anticipation of a second revision.

Submitting Comments

Commenters are STRONGLY encouraged to publicly collaborate with the team and other participants via the GitHub pages for NISTIR 8112. We have posted details on how to submit comments on GitHub. Additionally, we are providing a PDF for offline reading, as well as a traditional comment matrix for those that prefer this approach. 

All comments, regardless of how they are provided to NIST, will be made public as a GitHub "issue."

The public comment period closed on September 30, 2016
Questions? Send email to : nsticworkshop@nist.gov

NIST invites comments on two draft publications on the Security Content Automation Protocol (SCAP). The first is Special Publication (SP) 800-126 Revision 3, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. The second is SP 800-126A, SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3.

SP 800-126 Revision 3 and SP 800-126A collectively define the proposed technical specification for SCAP version 1.3, which is based on enhancements and clarifications to the SCAP 1.2 specification. SP 800-126A is a new publication that allows SCAP 1.3 to take advantage of selected minor version updates of SCAP component specifications, as well as designated Open Vulnerability and Assessment Language (OVAL) platform schema versions.

The public comment period closed on August 19, 2016
Questions? Send email to : 800-126comments@nist.gov

NIST invites comments on two draft publications on the Security Content Automation Protocol (SCAP). The first is Special Publication (SP) 800-126 Revision 3, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. The second is SP 800-126A, SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3.

SP 800-126 Revision 3 and SP 800-126A collectively define the proposed technical specification for SCAP version 1.3, which is based on enhancements and clarifications to the SCAP 1.2 specification. SP 800-126A is a new publication that allows SCAP 1.3 to take advantage of selected minor version updates of SCAP component specifications, as well as designated Open Vulnerability and Assessment Language (OVAL) platform schema versions.

The public comment period closed on August 19, 2016
Questions? Send email to : 800-126comments@nist.gov

The National Cybersecurity Center of Excellence (NCCoE) is seeking comments from industry on the challenges of identification, authentication, and authorization for devices in the Internet of Things (IoT) space; specifically requirements for authentication and authorization of autonomous non-person entities (NPE) found in smart home devices. Areas of interest include the following:

• models for the lifecycle of IoT and/or smart home devices;
• threat vectors and attack surfaces of smart home devices throughout their lifecycle;
• using commercially available technology, methods for the identification, authentication, and authorization of smart home devices including:
  • core requirements in addressing these three capabilities;
  • implementation challenges;
  • potential security weaknesses or gaps;
  • mechanisms for NPE-to-NPE, NPE-to-Network, and NPE-to-Cloud authentication;
  • mechanisms for binding device, APIs, and user identity with applicable authentication contexts;
  • privacy risks to individuals raised by improving smart home device identification and authentication;
  • mechanisms that enable improved identification and authentication of smart home devices while maintaining individuals' privacy;
• models for handling encryption on constrained devices; and
• business cases for the identification, authentication, and authorization of smart home devices for which the NCCoE could build a demonstrable solution.

Based upon community feedback on these topics, the NCCoE will consider instantiating a project to engage in building an example solution using commercially available technology.

Comments due: None--comments accepted on an ongoing basis.
Submit comments using the link below.

The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Securing Non-Credit Card, Sensitive Consumer Data.
 
Retailers easily gather sensitive data during typical business activities, such as date of birth, address, phone number, and email address, which can be used by various internal users and external partners to accelerate business operations and revenue. There has been an increase in the value of non-credit card, sensitive consumer data on the black market; however, there are relatively few regulations or standards specific to this topic in the consumer-facing/retail industry in the United States. As seen following high-profile data breaches in the healthcare sector, personally identifiable information (PII) is valued at up to 20 times more than credit card data, with a single credit card number sold at $1 and the average individual's PII sold at $20.
 
This project and its example solution will help secure non-credit card, sensitive consumer data through data masking and tokenization, coupled with fine-grained access control to improve the security of data transmitted and stored during commercial payment transactions, as well as data shared internally within a retail organization and externally with business partners.

The public comment period closed on June 3, 2016
Questions? Send email to : consumer-nccoe@nist.gov

NIST invites comments on the second draft of Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions. This Recommendation specifies constructions for the implementation of RBGs. An RBG may be a deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs consist of DRBG mechanisms, as specified in SP 800-90A, and entropy sources, as specified in SP 800-90B.

On May 2-3, 2016, NIST hosted a workshop on Random Number Generation to discuss the SP 800-90 series of documents--specifically, SP 800-90B and SP 800-90C.

The public comment period closed on June 13, 2016
Questions? Send email to : rbg_comments@nist.gov

NIST requests public comments on draft Special Publication (SP) 800-154, Guide to Data-Centric System Threat Modeling. Data-centric system threat modeling is a form of risk assessment that models aspects of the attack and defense sides for selected data within a system. Draft SP 800-154 provides information on the basics of data-centric system threat modeling so that organizations can use it as part of their risk management processes instead of relying solely on conventional "best practice" recommendations.

The public comment period closed on April 15, 2016
Questions? Send email to : 800-154comments@nist.gov

NIST requests public comments on Draft SP 800-180, NIST Definition of Microservices, Application Containers and System Virtual Machines. This document serves to provide a NIST-standard definition to application containers, microservices which reside in application containers and system virtual machines. Furthermore, this document explains the similarities and differences between a Services Oriented Architecture (SOA) and Microservices as well as the similarities and differences between System Virtual Machines and Application Containers.

The public comment period closed on March 18, 2016
Questions? Send email to : sec-cloudcomputing@nist.gov

NIST announces the second draft of Special Publication (SP) 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation. This Recommendation specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of entropy sources. These entropy sources are intended to be combined with Deterministic Random Bit Generator mechanisms that are specified in SP 800-90A to construct Random Bit Generators, as specified in SP 800-90C. NIST is planning to host a workshop on Random Number Generation to discuss the SP 800-90 series, specifically, SP 800-90B and SP 800-90C. More information about the workshop is available at: http://www.nist.gov/itl/csd/ct/rbg_workshop2016.cfm.

The specific areas where comments are solicited on SP 800-90B are:

• Post-processing functions (Section 3.2.2): We provided a list of approved post-processing functions. Is the selection of the functions appropriate?
• Entropy assessment (Section 3.1.5): While estimating the entropy for entropy sources using a conditioning component, the values of n and q are multiplied by the constant 0.85. Is the selection of this constant reasonable?
• Multiple noise sources: The Recommendation only allows using multiple noise sources if the noise sources are independent. Should the use of dependent noise sources also be allowed, and if so, how can we calculate an entropy assessment in this case?
• Health Tests: What actions should be taken when health tests raise an alarm? The minimum allowed value of a type I error for health testing is selected as 2-50. Is this selection reasonable?

The public comment period closed on May 9, 2016
Questions? Send email to : rbg_comments@nist.gov

NIST announces the release of Draft Special Publication (SP) 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), and requests public comments. It provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in federal facilities. The document also recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to federal government facilities and assets.

Revision 1 updates SP 800-116 to align with FIPS 201-2. High-level changes include:

• Addition of the OCC-AUTH authentication mechanisms introduced in FIPS 201-2.
• In light of the deprecation of the CHUID authentication mechanism in FIPS 201-2 and its expected removal in the next revision of FIPS 201:
  • Removal of the CHUID +VIS authentication mechanism from the list of recommended authentication mechanisms.
  • Addition of a new section (5.3.1) titled "Migrating Away from the Legacy CHUID Authentication Mechanism" to aid in the transition away from the CHUID + VIS authentication mechanism.
  • In coordination with OMB, added text indicating that the use of the CHUID authentication mechanism past September 2019 requires the official that signs an Authorization to Operate (ATO) to indicate acceptance of the risks.
  • Addition of a new appendix titled "Improving Authentication Transaction Times" to aid transiting away from the weak CHUID authentication mechanism to stronger but computationally expensive cryptographic one-factor authentication (PKI-CAK).
• Addition of a new section (5.4) titled "PIV Identifiers" and a summary table with pro and cons to describe the identifiers available on the PIV Card that can map to a PACS's access control list.
• In coordination with the Interagency Security Committee (ISC), replaced the Department of Justice's "Vulnerability Assessment Report of Federal Facilities" document with the ISC's document titled "Risk Management Process for Federal Facilities" to aid deriving the security requirement for facilities.

The public comment period closed on March 1, 2016
Questions? Send email to : piv_comments@nist.gov

This report provides guidance to associate SWID Tags with the CPE specification. The publication is intended as a supplement to NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. NISTIR 8060 shows how SWID tags, as defined by the ISO/IEC 19770-2 standard, support comprehensive software asset management and cybersecurity procedures throughout a software product's deployment lifecycle.

The Common Platform Enumeration (CPE) is a standardized method of naming classes of applications, operating systems, and hardware devices that may be present on computing devices. CPE is one of 11 specifications that are part of the Security Content Automation Protocol (SCAP) Version 1.2. Because CPE names are used extensively in the SCAP and related vulnerability management community use cases (including the National Vulnerability Database, or NVD), SWID tag derived CPE names are useful to associate vulnerability reports with vulnerability reports that reference software products that may be vulnerable. NISTIR 8085 supplies a consistent, automatic procedure for forming CPE names using pertinent SWID tag attribute values.

[Note: The email used for providing public comments is the same as the email used for NISTIR 8060.]

The public comment period closed on January 8, 2016
Questions? Send email to : nistir8060-comments@nist.gov

Mobile devices allow employees to access information resources wherever they are, whenever they need. The constant Internet access available through a mobile device's cellular and Wi-Fi connections has the potential to make business practices more efficient and effective. As mobile technologies mature, employees increasingly want to use mobile devices to access corporate enterprise services, data, and other resources to perform work-related activities. Unfortunately, security controls have not kept pace with the security risks that mobile devices can pose.

If sensitive data is stored on a poorly secured mobile device that is lost or stolen, an attacker may be able to gain unauthorized access to that data. Even worse, a mobile device with remote access to sensitive organizational data could be leveraged by an attacker to gain access to not only that data, but also any other data that the user is allowed to access from that mobile device. The challenge lies in ensuring the confidentiality, integrity, and availability of the information that a mobile device accesses, stores, and processes. Despite the security risks posed by today's mobile devices, enterprises are under pressure to accept them due to several factors, such as anticipated cost savings and employees' demand for more convenience.

Solution

The NIST Cybersecurity Practice Guide, Mobile Device Security: Cloud and Hybrid Builds, demonstrates how commercially available technologies can meet your organization's needs to secure sensitive enterprise data accessed by and/or stored on employees' mobile devices.

In our lab at the National Cybersecurity Center of Excellence (NCCoE), we built an environment based on typical mobile devices and an enterprise email, calendaring, and contact management solution.

We demonstrate how security can be supported throughout the mobile device lifecycle. This includes how to:

• configure a device to be trusted by the organization
• maintain adequate separation between the organization's data and the employee's personal data stored on or accessed from the mobile device
• handle the de-provisioning of a mobile device that should no longer have enterprise access (e.g., device lost or stolen, employee leaves the company.

The public comment period closed on January 8, 2016
Questions? Send email to : mobile-nccoe@nist.gov

NIST's NCCoE program is excited to announce the release of the latest NIST Cybersecurity Practice Guide, "IT Asset Management" for the Financial Services sector. The document is a draft, and NIST welcomes your comments and feedback (see links below for comment form page).

What's the guide about?

Financial institutions deploy a wide array of information technology devices, systems, and applications across a wide geographic area. While these physical assets can be labeled and tracked using bar codes and databases, understanding and controlling the cybersecurity resilience of those systems and applications is a much larger challenge. Not being able to track the location and configuration of networked devices and software can leave an organization vulnerable to security threats. Additionally, many financial organizations include subsidiaries, branches, third-party partners, and contractors as well as temporary workers and guests; tracking and managing hardware and software across these groups adds another layer of complexity.

To address this cybersecurity challenge, NCCoE security engineers developed an example solution that allows an organization to centrally monitor and gain deeper insight into their entire IT asset portfolio with an automated platform. Using open source and commercially available technologies, this example solution addresses questions such as "What operating systems are our laptops running?" and "Which devices are vulnerable to the latest threat?"

The example solution gives companies the ability to track, manage, and report on information assets throughout their entire life cycle. This can ultimately increase cybersecurity resilience by enhancing the visibility of assets, identifying vulnerable assets, enabling faster response to security alerts, revealing which applications are actually being used, and reducing help desk response times.

The public comment period closed on January 8, 2016
Questions? Send email to : financial_nccoe@nist.gov

NIST requests public comments on Draft NIST Cybersecurity Practice Guide 1800-3, Attribute Based Access Control.

Most businesses today use Role Based Access Control (RBAC) to assign access to networks and systems based on job title or defined role. But if an employee changes roles or leaves the company, an administrator must manually change access rights accordingly-perhaps within several systems. As organizations expand and contract, partner with external vendors or systems, and modernize systems, this method of managing user access becomes increasingly difficult and inefficient.

To help address this growing cybersecurity challenge and support the next generation of identity management, security engineers at the National Cybersecurity Center of Excellence (NCCoE) developed a reference design for an Attribute Based Access Control (ABAC) system. ABAC is an advanced method for managing access rights for people and systems connecting to networks and assets, offering greater efficiency, flexibility, scalability, and security. In fact, Gartner recently predicted that "by 2020, 70% of enterprises will use attribute-based access control...as the dominant mechanism to protect critical assets, up from less than 5% today."

This newly available practice guide provides IT and security engineers with critical information they can use to recreate the example solution with the same or similar technologies. Our solution is guided by NIST standards and industry best practices.

The public comment period closed on December 4, 2015
Questions? Send email to : abac-nccoe@nist.gov

The NCCoE has released a draft the latest NIST Cybersecurity Practice Guide 1800-2, Identity and Access Management for Electric Utilities, and invites you to download the draft and provide feedback.

The electric power industry is upgrading older, outdated infrastructure to take advantage of emerging technologies, but this also means greater numbers of technologies, devices, and systems connecting to the grid that need protection from physical and cybersecurity attacks. Additionally, many utilities run identity and access management (IdAM) systems that are decentralized and controlled by numerous departments. Several negative outcomes can result from this: an increased risk of attack and service disruption, an inability to identify potential sources of a problem or attack, and a lack of overall traceability and accountability regarding who has access to both critical and noncritical assets.

To help the energy sector address this cybersecurity challenge, security engineeres at the National Cybersecurity Center of Excellence (NCCoE) developed an example solution that utilities can use to more securely and efficiently manage access to the networked devices and facilities upon which power generation, transmission, and distribution depend. The solution demonstrates a centralized IdAM platform that can provide a comprehensive view of all users within the enterprise across all silos, and the access rights users have been granted, using multiple commercially available products.

Electric utilities can use some or all of the guide to implement a centralized IdAM system using NIST and industry standards, including North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP). Commercial, standards-based products, like the ones we used, are easily available and interoperable with commonly used information technology infrastructure and investments.

The public comment period closed on October 23, 2015
Questions? Send email to : energy_nccoe@nist.gov

NIST announces the public comment period for Draft NIST Cybersecurity Practice Guide SP 1800-1, Securing Electronic Health Records on Mobile Devices.

The use of mobile devices in health care sometimes outpaces the privacy and security protections on those devices. Stolen personal information can have negative financial impacts, but stolen medical information cuts to the very core of personal privacy. Medical identity theft already costs billions of dollars each year, and altered medical information can put a person's health at risk through misdiagnosis, delayed treatment, or incorrect prescriptions.

Cybersecurity experts at the National Cybersecurity Center of Excellence (NCCoE) collaborated with health care industry leaders and technology vendors to develop an example solution to show health care organizations how they can secure electronic health records on mobile devices. The guide provides IT implementers and security engineers with a detailed architecture so that they can recreate the security characteristics of the example solution with the same or similar technologies. Our solution is guided by relevant standards and best practices from NIST and others, including those in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The public comment period closed on September 25, 2015
Questions? Send email to : HIT_NCCoE@nist.gov

NIST announces the public comment release of NIST Internal Report (NIST IR 8058), Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content. SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. Over time, certain stylistic conventions regarding the authoring of SCAP 1.2 content have become best practices. They improve the quality of SCAP content in several ways, such as improving the accuracy and consistency of results, avoiding performance problems, reducing user effort, lowering content maintenance burdens, and enabling content reuse. This document has been created to capture the best practices and encourage their use by SCAP content authors and maintainers.

The public comment period closed on July 1, 2015
Questions? Send email to : NISTIR8058-comments@nist.gov

Draft NISTIR 8050 summarizes the Executive Technical Workshop on Improving Cybersecurity and Consumer Privacy, held in collaboration with Stanford University, which brought together chief technology officers, information officers, and security executives to discuss the challenges their organizations and industries face in implementing advanced cybersecurity and privacy technologies.

The public comment period closed on July 17, 2015
Questions? Send email to : consumer-nccoe@nist.gov

NIST announces the public comment release of NIST Special Publication 800-125A, Security Recommendations for Hypervisor Deployment. Server Virtualization (enabled by Hypervisor) is finding widespread adoption in enterprise data centers both for hosting in-house applications as well as for providing computing resources for cloud services. The hypervisor provides abstraction of all physical resources (such as CPU, Memory, Network and Storage) and thus enables multiple computing stacks (each consisting of an O/S (called Guest O/S), Middleware and a set of Application programs) to be run on a single physical host (referred to virtualized host or hypervisor host).

Since the NIST publication of SP 800-125 (Guide to Security for Full Virtualization Technologies) in January 2011, both the feature set of hypervisors as well as the tools for configuration and administration of virtualized infrastructure spawned by the hypervisor has seen considerable increase. This has generated the need to develop security recommendations for secure deployment of hypervisor platforms. This special publication defines a focused set of twenty-two security recommendations (in terms of architectural choices and configuration settings), intended to ensure secure execution of tasks performed by the hypervisor components under the umbrella of five baseline functions.

The public comment period closed on November 10, 2014.

The public comment period closed on November 10, 2014
Questions? Send email to : mouli@nist.gov

NIST has produced a revised version of NIST Special Publication (SP) 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test new features added to the PIV Data Model in SP 800-73-4 Part 1. This document, after a review and comment period, will be published as NIST SP 800-85B-4.

NOTE: NIST has made a one-time change in the revision number of SP 800-85B (skipping revision numbers 2 and 3) so we can align the current publication revision to SP 800-73-4.

The public comment period closed on September 5, 2014
Questions? Send email to : piv_comments@nist.gov

This document summarizes the research performed by the members of the NIST Cloud Computing Forensic Science Working Group, and aggregates, categorizes and discusses the forensics challenges faced by experts when responding to incidents that have occurred in a cloud-computing ecosystem. The challenges are presented along with the associated literature that references them. The immediate goal of the document is to begin a dialogue on forensic science concerns in cloud computing ecosystems. The long-term goal of this effort is to gain a deeper understanding of those concerns (challenges) and to identify technologies and standards that can mitigate them.

The public comment period closed on August 25, 2014
Questions? Send email to : nistir8006@nist.gov

NIST announces the public comment release of second draft of NIST Interagency Report (NISTIR) 7924, Reference Certificate Policy. The purpose of this document is to identify a set of security controls and practices to support the secure issuance of certificates. It was written in the form of a Certificate Policy (CP), a standard format for defining the expectations and requirements of the relying party community that will trust the certificates issued by its Certificate Authorities (CAs).

NIST released the first draft of this publication in April 2013 and received extensive public comments. This revised draft incorporates changes requested by commenters, many intended to improve the security controls identified in the document, provide additional flexibility for CAs, and clarify ambiguities in the previous release.

The public comment period closed on August 1, 2014
Questions? Send email to : nistir7924-comments@nist.gov

NIST announces the release of Draft Special Publication (SP) 800- 16 Revision 1 (3rd public draft), A Role-Based Model For Federal Information Technology/Cyber Security Training for public comment. SP 800-16 describes information technology / cyber security role-based training for Federal Departments and Agencies and Organizations (Federal Organizations). Its primary focus is to provide a comprehensive, yet flexible, training methodology for the development of training courses or modules for personnel who have been identified as having significant information technology / cyber security responsibilities.

The public comment period closed on April 30, 2014
Questions? Send email to : sp80016-comments@nist.gov

NIST announces public comment release of NISTIR 7981, Mobile, PIV, and Authentication. NIST IR 7981 analysis and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.

The public comment period closed on April 21, 2014
Questions? Send email to : piv_comments@nist.gov

The NIST Cloud Computing Security Working Group (NCC-SWG) issued Draft SP 500-299, NIST Cloud Computing Security Reference Architecture, in May 2013. See the NCC-SWG homepage for additional details.

NIST announces the public comment release of the draft NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices . The guidelines in this document are intended to provide a common baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own Device, BYOD). It focuses on providing three security capabilities- device integrity, isolation, and protected storage- through the use of hardware-based roots of trust.

The intended audience for this document includes mobile Operating System (OS) vendors, device manufacturers, security software vendors, carriers, application software developers and information system security professionals who are responsible for managing the mobile devices in an enterprise environment.

The public comment period closed on December 14, 2012
Questions? Send email to : 800-164comments@nist.gov

NIST announces the public comment release of Draft Special Publication (SP) 800-94 Revision 1, Guide to Intrusion Detection and Prevention Systems (IDPS). This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network behavior analysis (NBA), and host-based. Draft SP 800-94 Revision 1 updates the original SP 800-94, which was released in 2007.

The public comment period closed on August 31, 2012
Questions? Send email to : 800-94comments@nist.gov

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7848, Specification for the Asset Summary Reporting Format 1.0. NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing the data exchange format of summary information relative to one or more metrics. ASR reduces the bandwidth requirement to report information about assets in the aggregate since it allows for reporting aggregates relative to metrics, as opposed to reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and leverages widely adopted, open specifications; it is flexible, and suited for a wide variety of reporting applications.

The public comment period closed on June 6, 2012
Questions? Send email to : asr-comments@nist.gov

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7800, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains. This publication binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.

The public comment period closed on February 17, 2012
Questions? Send email to : fe-comments@nist.gov

NIST announces the public comment release of draft Special Publication (SP) 800-117 Revision 1, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2. The purpose of this document is to provide an overview of SCAP version 1.2. This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP version 1.2 capabilities within their offerings. The intended audience for this document is individuals who have responsibilities for maintaining or verifying the security of systems in operational environments.

The public comment period closed on February 17, 2012
Questions? Send email to : 800-117comments@nist.gov

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7799, Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications. This publication provides the technical specifications for the continuous monitoring (CM) reference model presented in NIST IR 7756. These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain agnostic, which means that they can be used for CM regardless of the data domain that is being monitored.

The public comment period closed on February 17, 2012
Questions? Send email to : fe-comments@nist.gov

NIST announces the second public comment release of Draft NIST Interagency Report (NISTIR) 7756, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture. This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security's CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.

The public comment period closed on February 17, 2012
Questions? Send email to : fe-comments@nist.gov

NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization -either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.

The public comment period closed on January 20, 2012
Questions? Send email to : 800-155comments@nist.gov