2001 News and Announcements

December:

  • December 14 -- NIST has recently developed the draft NIST Special Publication Security for Telecommuting and Broadband Communications. (NOTE: This Special Publication is now a FINAL Special Publication 800-46 and can be found on CSRC's Special Publications page.) This document is intended to assist those responsible for telecommuting security (users, system administrators, and management) by providing introductory information about broadband communication security and policy, security of home office systems, and considerations for system administrators in the central office. It addresses concepts relating to the selection, deployment, and management of broadband communications for a telecommuting user. We would greatly appreciate receiving any comments you may have! Please provide them directly to Rick Kuhn by January 18, 2002.
  • December 14 -- The draft Guide for Interconnecting Information Systems (NOTE: This draft is now a FINAL Special Publication 800-47 and is available to view/download from the CSRC's Special Publications page) is available for public comment. The document provides guidance for planning, establishing, maintaining, and terminating interconnections between information systems that are owned and operated by different organizations. We seek your comments and suggestions. We especially seek your comments on the steps for planning and establishing an interconnection, based on readers' experiences. Furthermore, we are interested in receiving comments on the memorandum of understanding/agreement development guide contained in the document. Please address your comments to Timothy Grance and Joan Hash by January 18, 2002.
  • December 10 -- In SP 800-38A 2001 ED, Recommendation for Block Cipher Modes of Operation, five modes of operation are specified for use with any FIPS-approved block cipher algorithm, such as the Advanced Encryption Standard (AES) algorithm. Each of the five modes can provide confidentiality for electronic data. Further information on this special publication and the development of modes of operation is available at the modes home page.
  • December 4 -- FIPS 197, Advanced Encryption Standard (AES) (.pdf) became a Federal standard on November 26, 2001 and was announced in a Federal Register Notice (.pdf) and in a press release today. AES was developed to replace the Data Encryption Standard (DES) in a multi-year effort that began in 1997. The AES specifies a cryptographic algorithm that can be used to protect electronic data by encrypting (enciphering) and decrypting (deciphering) information. Details of the development process are available on the AES home page.

November:

  • November 5 -- NIST has worked with SANS to provide an enhanced top 20 vulnerability list (http://www.sans.org/top20.htm). The original list produced by SANS/FBI contained 20 important vulnerability areas with reference to over 140 specific vulnerabilities. The specific vulnerability references were not hyperlinked to associated vulnerability information. We remedied this deficiency by providing a version that links each of the 140 specific vulnerabilities to the associated vulnerability entry in the NIST ICAT Metabase (http://icat.nist.gov).

October:

  • October 9 -- A change notice for FIPS 186-2, Digital Signature Standard (DSS) (.pdf file), has been made available that addresses key sizes and random number generation. This change notice replaces the item that was posted on August 3, 2001, Recommendations Regarding Federal Information Processing Standard (FIPS) 186-2, Digital Signature Standard (DSS).
  • October 8 -- The Second Modes of Operation Workshop was held on August 24, 2001, in Goleta, CA; links to the workshop presentations and to a summary report are available here.
  • October 3 -- A draft of the Guide to Firewall Selection and Policy Recommendations (NOTE: This draft is NOW a FINAL Special Publication 800-41 document and can be viewed/downloaded from the CSRC's Special Publications page) is now available for public comment. This document is intended for technical managers in the firewall and network security areas, but it would also prove useful to those wishing to know more about firewall technology and recommended policies. We are particularly interested in any comments regarding the policy section of the document and the appendix of policy recommendations, e.g., is it understandable, are the policies realistic, should they be modified? Comments and questions are requested by November 10, 2001 and may be addressed to john.wack@nist.gov.
  • October 2 -- NIST has completed the FY01 Critical Infrastructure Grants Program competition. We selected 9 proposals from the 133 submitted and awarded $5M. Additional details can be found on the Grants page.
  • October 2 -- NIST is pleased to announce the Vulnerability and Threat Portal. This resource provides links to government vulnerability and threat resources in addition to security news, most popular vulnerabilities, and vulnerability statistics.

September:

August:

July:

  • July 26 -- The US National Security Agency (NSA), with the cooperation of other government agencies and industry partners, just released several guides to help the Windows 2000 user community secure Windows 2000.
  • July 26 -- NIST's Information Technology Laboratory and Advanced Technology Program, the National Security Agency, the DoD Biometric Management Office, and the General Services Administration's Federal Technology Service, Center for Smart Card Solutions are proud to announce and sponsor the 2001 Biometric Consortium Conference. The conference will be held September 12-14, 2001 in Orlando. (The conference was cancelled.)
  • July 11 -- Announcing proposed changes to FIPS 186-2, Digital Signature Standard (DSS) and request for Comments. NIST is proposing that the Implementation Schedule of FIPS 186-2 be modified to extend the transition period for the acquisition of equipment implementing FIPS 186-2 from July 2001 to December 2002. This will enable agencies to continue to acquire commercial products based on PKCS #1. NIST also proposes that the Applications section of FIPS 186-2 be modified to clarify that implementations of PKCS #1 (version 1.5 or higher) may be used during the transition period. Comments may be sent to FIPS186@nist.gov. The notice appeared in the July 11, 2001, FEDERAL REGISTER, Volume 66, Number 133, page 36254.
  • July 11 -- Call for Nominations of Members on the Computer System Security and Privacy Advisory Board. NIST invites and requests nominations of individuals for appointment to the Computer System Security and Privacy Advisory Board, which are due by August 15, 2001. More information, including membership duties, is available here.
  • July 3 -- OMB Memorandum M-01-24 dated June 22, 2001 and entitled "Reporting Instructions for the Government Information Security Reform Act." These instructions will assist agencies in reporting the results of their annual system and program reviews by agency CIOs and program officials and independent evaluations by the agency Inspectors General.

June:

  • June 21 -- Ever wonder about the risks and threats to the nation's systems, networks and critical infrastructures? The CIA's National Intelligence Officer for Science and Technology recently testified before Congress on such risks from hackers, national governments, hacktivists, industrial spies, organized crime, terrorists, etc. Read the testimony here.
  • June 4 -- NIST is developing Special Publication 800-30, Risk Management Guide (link will take you to Draft publications page) to provide a common, thorough foundation for use in the development of detailed risk management guidance and procedures. Public review is considered an important part of the NIST recommendation process.

    Any comments you have, along with suggestions for improvement, can be sent to gary.stoneburner@nist.gov by August 15, 2001.
  • June 1 -- NIST recently announced the Draft Federal Information Processing Standard (FIPS) 180-2, Secure Hash Standard (SHS), for public review and comment. The comment period expires on August 28, 2001.

May:

  • May 21 -- The American National Standards Institute’s (ANSI) Information Systems Standards Board (ISSB), the National Committee for Information Technology Standards (NCITS), the Data Interchange Standards Association (DISA), the Center for Global Standards Analysis (CGSA), the Cyberspace Policy Institute (CPI) and Info-Structure Security Dialogue (ISSD) are proud to announce the First Standards Coordination Conference.

    This one-day (July 17th, 2001, 9:00 a.m.-5:00 p.m.) conference to be held at the National Institute of Standards & Technology in Gaithersburg, MD will focus on one of the hottest subjects in information standards today -- Computer Security and Personal Authentication Standards. Topics to be covered include encryption and digital signature, personal authentication, and Internet security. A preliminary agenda is available and registration information is available here.
  • May 16 -- NIST Special Publication 800-22, A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications (originally published: October 2000), has been revised.

    This document was revised on: 5-15-2001. There is an Errata sheet for the originally published version. To view the revised SP 800-22 and Errata sheet document
  • May 9 -- Computer Security Expert Assist Team (CSEAT). (UPDATED: Feb. 2004 -- The CSEAT program changed its name to PRISMA (Program Review for Information Security Management).) The CSEAT is a team of computer security experts located in the Computer Security Division of the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST). The CSEAT helps Federal agencies protect their information systems in accordance with directives on critical infrastructure protection and applicable statutes. These directives identify the Federal government as one of the critical infrastructures requiring protection to ensure continued functioning of government, society, and the economy in the face of natural, inadvertent, or purposeful disruptions.

April:

  • April 25 -- The comment period for the draft FIPS for a Keyed-Hash Message Authentication Code (HMAC) closed on April 5th.
  • April 13 -- Critical Infrastructure Protection Grants Program. NIST invites proposals from eligible organizations for funding projects under the Critical Infrastructure Protection Grants Program (CIPGP). In order to provide satisfactory infrastructure security, additional research must be conducted on unique infrastructure security problems. The United States Government has sponsored considerable research in the area of computer security for military and intelligence systems. Some of this research applies to the critical infrastructure problem, but much remains to be done. The new grants program, administered by NIST, will target infrastructure IT security issues applicable to civilian and commercial systems.

March:

  • March 22 -- Nine newly designated Centers for Academic Excellence in Information Assurance Education were announced by the National Security Agency. They join the list of fourteen other universities across the United States who have been awarded this distinction. All of these universities passed vigorous examinations for quality in information assurance education.
  • March 21 -- NIST has completed two draft guidance documents that are available for review:
     
    A) The first, on public key technology (PKI) and the Federal PKI, was developed to assist decision-makers in determining if a PKI is appropriate for their agency, and how PKI services can be deployed most effectively. The document provides a brief overview of issues related to the emerging Federal PKI, and its implementation within government agencies. It also reviews the risks and benefits of various PKI components, and some of the tradeoffs that are possible in the implementation and operation of PKIs within the Federal government (NOTE: This draft has been FINALIZED as Special Publication 800-32, which can be viewed/downloaded on the CSRC's Special Publications page).
    For any questions, e-mail Rick: kuhn@nist.gov.

    B) The second, guidance on active content and mobile code, addresses the security risks of active content technologies and informed IT security decision making on their application. The document provides background information on markup languages and other World Wide Web technologies involving active content, discusses generic threats, reviews risks drawn from past exploits involving technology-related vulnerabilities, and identifies available countermeasures. Both high-level and detailed recommendations are provided as well (NOTE: This draft document has been FINALIZED as Special Publication 800-28, which can be viewed/downloaded from CSRC's Special Publications page). For any questions, e-mail Wayne Jansen: wjansen@nist.gov.

  • March 8 -- We are pleased to announce that the NIST draft Special Publication, "Self-Assessment Guide for Information Technology Systems" is now available for review. (NOTE: This draft document has been FINALIZED as Special Publication 800-26 and can be viewed/downloaded from CSRC's Special Publications page) This self-assessment guide utilizes an extensive questionnaire containing specific control objectives against which a system or group of interconnected systems can be tested and measured.
    For any questions, e-mail: marianne.swanson@nist.gov.
  • March 8 -- The National Infrastructure Protection Center has issued an advisory on "E-Commerce Vulnerabilities." The FBI has continued to observe hacker activity targeting victims associated with e-commerce or e-finance/banking businesses. In many cases, the hacker activity had been ongoing for several months before the victim became aware of the intrusion. The NIPC emphasizes the recommendation that all computer network systems administrators check relevant systems and consider applying the updated patches as necessary, especially for systems related to e-commerce or e-banking/financial businesses. Click here for further info and patch information. A list of all NIPC warnings is located here.

February:

  • February 28 -- NIST has announced that it is soliciting public comments on the Draft FIPS for the AES. (NOTE: The draft FIPS for AES has been FINALIZED as a FIPS Publication 197, and can be viewed/downloaded from CSRC's FIPS publications page) The 90-day comment period will close on May 29, 2001. Copies of the Draft FIPS and other information related to the AES are available at the AES home page.
  • February 28 -- (Position offer now CLOSED) NIST's Computer Security Division is soliciting applications for two Group Manager positions to supervise the Security Management and Assistance Group and the Security Testing and Metrics Group. See NIST/01-1271B/C, NIST/01-1271A/C, and NIST/01-1270/CA for details. If you want to help lead NIST's security efforts, please apply!
  • February 12 -- NIST has recently completed a draft guidance document on Intrusion Detection systems, (now a Special Publication document). This guidance document is intended to assist Federal agencies and others as a primer in intrusion detection, developed for those who need to understand what security goals intrusion detection mechanisms serve, how to select and configure intrusion detection systems for their specific system and network environments, how to manage the output of intrusion detection systems, and how to integrate intrusion detection functions with the rest of the organizational security infrastructure. E-mail Peter Mell for questions.
  • February 7 -- (Position offer now CLOSED) NIST's Computer Security Division has vacancies available to assist in the development of security guidelines and also to staff NIST's new Computer Security Expert Assist Team (CSEAT). See NIST vacancy announcements NIST/01-1104/CA, NIST/01/1066A/C, and NIST/01-1066B/C. If you are a security expert looking to make a difference in protecting Federal systems, please consider applying!

January:

  • January 31 -- The General Accounting Office issued a report to Congress dated January 2001 addressing major management challenges and program risks. This 2001 Performance and Accountability Series and High Risk Series contains a government-wide perspective report as well as separate reports on 21 agencies covering each cabinet department, independent agencies and the U.S. Postal Service.
  • January 29 -- The National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), partners in the National Information Assurance Partnership (NIAP), invite interested parties to attend a Government-Industry IT Security Forum on March 7, 2001 (Indianapolis, IN) to discuss potential public and private sector strategies for the development of security requirements and specifications needed for the protection of government, business and personal computing and real-time control systems. This Forum will help bring national attention to the concept of security requirements definition and its importance in developing a more secure information infrastructure within the United States. More info.
  • January 16 -- OMB Director Jacob Lew issued a memorandum that provided guidance on implementing the Government Information Security Reform Act (in .pdf format). The guidance focuses on unclassified Federal systems and addresses only those areas of the legislation that introduce new or modified requirements. It also refers to some of the Act's provisions for national security systems.
  • January 5 -- NIST has published for comment a draft Federal Information Processing Standard for the Keyed-Hash Message Authentication Code (HMAC). The draft specifies an algorithm for applications requiring message authentication, which is achieved through construction of a message authentication code based upon a cryptographic hash function. It allows for authentication of both the source of a message and its integrity. Click here for details.
  • January 3 -- The U.S. Department of the Treasury has published policies and practices for the use of electronic transactions and authentication techniques in Federal payments and collections. Click here for details.


 

Last updated: March 7, 2007
Page created: January 5, 2001