2002 News and Announcements
December:
November:
- November 14 -- NIST has been
developing guidance on the continued use of DES. For further information,
click here
(pdf file).
October:
- October 28 -- Draft Special
Publication, 800-37, Guidelines for the Security Certification and Accreditation
of Federal Information Technology Systems
NIST has released a draft of a new cybersecurity guideline designed to
help protect Federal sensitive systems. NIST Special Publication 800-37,
"Guidelines for the Security Certification and Accreditation of Federal
Information Technology Systems" is being made available in draft for review
and comment by federal agencies and other interested organizations. Under
Office of Management and Budget (OMB) policy, responsible federal officials
are required to make a security determination (called accreditation) to
authorize placing IT systems into operation. In order for these officials
to make sound, risk-based decisions, a security evaluation (known as certification)
of the IT system is needed. The new NIST cybersecurity guideline 800-37
establishes standard processes (depending upon the sensitivity and exposure
of the system) to verify the correctness and effectiveness of security
controls to ensure adequate security. For additional information on the
security certification and accreditation project and to download a copy
of the document, go to: http://csrc.nist.rip/sec-cert.
NIST welcomes public comments on the draft until January 31, 2003; comments
may be sent to sec-cert@nist.gov.
- October 28 -- Draft
NIST Special Publication 800-55, Security Metrics Guide for Information
Technology Systems (.pdf) is now available for public comment.
(NOTE: This DRAFT has now been finalized and has been released
as a Special Publication on August 12, 2003 -- The URL above will take
you to the Special Publication page where you can find SP 800-55.)
The document provides advice on how an organization, through the use of
metrics, may assess the adequacy of in-place security controls, policies,
and procedures. It explains the metric development and implementation
process and how it can also be used to adequately justify security control
investments. Comments may be sent to marianne.swanson@nist.gov
by 12/16/02.
- October 25 -- The Federal
Trade Commission has created a new
website for consumers and businesses as a source of information about
computer security and safeguarding personal information. The site also
contains information about the protection of kids' privacy on-line and
introduces kids to Dewey, the E-Turtle.
- October 9 -- NIST is pleased
to announce the release of three computer security guidelines (in draft)
addressing information technology (IT) security products, IT security
services, and security considerations in Federal IT procurements, as described
below. These are the latest additions to the set of NIST IT security guidelines
developed by the NIST ITL Computer Security Division and available through
CSRC.
1. NIST Special Publication
800-36, Guide to Selecting IT Security Products
NIST Special
Publication 800-36, Guide to Selecting Information Technology Security
Products, seeks to help organizations make informed decisions
when selecting computer security products. The guide first defines broad
security product categories and then specifies product types within
those categories. This guide explains and provides a list of characteristics
and pertinent questions an organization may wish to ask in the selection
process (when an organization has determined it needs such technologies).
The publication will help organizations make informed decisions when
procuring computer security products.
NIST welcomes any comments on the document and is particularly interested
in hearing additional questions that should be asked about the various
products as well as additional product categories that should be covered.
Comment period is closed.
2. NIST Special Publication
800-35, Guide to IT Security Services
NIST Special
Publication 800-35, Guide to Information Technology Security Services
is available. This publication provides assistance with selecting, implementing,
and managing IT security services (when an organization has determined
it needs such services). It addresses the many issues surrounding the
decision to implement a particular IT security service and IT security
service arrangement (whether internal or external to the organization).
It also provides specific questions to ask of the potential service
provider.
The guide discusses an IT security services life cycle by which IT security
officials can select, implement, and manage IT security services. NIST
is particularly interested in receiving examples of procurement language
and statements of work (SOWs) that organizations can tailor to their
own needs in developing service agreements with service providers. Also,
NIST is particularly eager to hear additional considerations/questions
to ask potential service providers as well as general comments about
the phases and steps of the IT security services life cycle. Comment
period is now closed.
- October 3 -- The National
Institute of Standards and Technology (NIST) is releasing new guidelines
for dealing with two of the most common sources of security problems:
poorly configured Web servers and email systems. Special Publication 800-44,
Guidelines on Securing Public Web Servers, and Special Publication 800-45,
Guidelines on Electronic Mail Security, are part of a series of guidance
developed by the NIST Computer Security Division and available through
the Computer Security Resource Center (CSRC) Web site (http://csrc.nist.rip/publications/nistpubs/).
NIST serves as the primary technical security resource for civilian agencies
under the Computer Security Act of 1987.
The two guides are intended
primarily for a technical audience, such as systems administrators who
are responsible for installing, configuring, and maintaining e-mail
systems and public Web servers. The guides provide not only generic
guidance on how to secure such systems, but also specific examples of
applying the guidance to secure some of the most popular email and Web
products, for both Microsoft Windows and Unix operating systems. To
assist the reader, the guides also contain numerous pointers and references
to related material.
Any questions or comments can
be sent to Wayne Jansen (jansen@nist.gov).
- October 1 -- The 2nd Symposium
on Requirements Engineering for Information Security (SREIS 2002) and the
NIST System Security Requirements Seminar will be held on October 16-17,
2002. Two weeks remain before the first public presentation of the concepts
from the new NIST security certification and accreditation guidelines
for IT systems.
September:
- September 18 -- NEW!
The White House has released a DRAFT of the National Strategy to Secure
Cyberspace for public review and comment. (Click
here to view DRAFT -- pdf file, 2.36 Mb) Public comments may be sent
to feedback@who.eop.gov. Comments
must be submitted by November 18, 2002.
- September 9 -- NIST is pleased
to announce the final publication of four computer security guidelines:
(click here to go to the Special
Publications page to view complete list of NIST Special Publications)
1. NIST Special Publication
(SP) 800-46, Security for
Telecommuting and Broadband Communications. This document is intended
to assist those responsible for telecommuting security (users, system
administrators, and management) by providing introductory information about
broadband communication security and policy, security of home office
systems, and considerations for system administrators in the central
office. It addresses concepts relating to the selection, deployment,
and management of broadband communications for a telecommuting user.
It also recommends a series of actions federal agencies can take to
better secure their telecommuting resources.
2. NIST Special Publication
(SP) 800-47, Security Guide
for Interconnecting Information Technology Systems. This publication
provides advice for planning, establishing, maintaining, and terminating
interconnections between information technology (IT) systems that are
owned and operated by different organizations. The document describes
benefits of interconnecting IT systems, defines the basic components
of an interconnection, identifies methods and levels of interconnectivity,
and discusses potential security risks. The document then presents a
"life-cycle" approach for system interconnections, with recommended
steps for completing each phase and an emphasis on security measures
to protect the systems and shared data.
3. NIST Special Publication
(SP) 800-40, Procedures
for Handling Security Patches. Timely patching is critical to maintain
the operational availability, confidentiality, and integrity of IT systems.
However, failure to keep operating system and application software patched
is the most common mistake made by information technology (IT) professionals.
To help address this growing problem, this special publication recommends
methods to help organizations develop an explicit and documented patching
and vulnerability policy and apply a systematic, accountable, and documented
process for handling patches. This document also covers areas such as
prioritizing patches, obtaining patches, testing patches, and applying
patches. Finally, it identifies and discusses patching and vulnerability
resources and advises on using certain widely available security tools.
4. NIST Special Publication
(SP) 800-51, Use of the Common
Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme.
CVE is a dictionary of standard names for publicly known information
technology (IT) system vulnerabilities that is widely supported in the
public and private sectors. This publication recommends that federal
agencies make use of the Common Vulnerabilities and Exposures (CVE)
vulnerability naming scheme by 1) giving substantial consideration to
the acquisition and use of security related IT products and services
that are compatible with CVE; 2) monitoring their systems for applicable
vulnerabilities listed in CVE; and 3) using CVE names in their descriptions
and communications of vulnerabilities.
August:
- August 28 -- FIPS
180-2, the Secure Hash Standard (SHS) (.pdf), became a Federal standard
on August 1, 2002 and was announced in a Federal
Register Notice today (.pdf).
This Standard specifies four
secure hash algorithms - SHA-1, SHA-256, SHA-384, and SHA-512 - for computing
a condensed representation of electronic data (message). When a message
is input to a hash algorithm, the result is an output called a message
digest. The message digests range in length from 160 to 512 bits, depending
on the algorithm. Secure hash algorithms are typically used with other
cryptographic algorithms, such as digital signature algorithms and keyed-hash
message authentication codes, or in the generation of random numbers (bits).
(To go to FIPS home page to see complete
list of FIPS)
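To make the FIPS 180-2 description concrete, the following is an added example (not NIST's code and not part of the original announcement) that runs the four SHS algorithms through Python's standard `hashlib` and `hmac` modules: it checks that the digest lengths are the 160/256/384/512 bits the standard specifies, shows that a single changed bit in the message produces a very different digest, and demonstrates the keyed-hash message authentication use the announcement mentions. The sample messages and key are constructed for the example; the string "abc" is the one-block test message used in the standard's own worked examples.

```python
import hashlib
import hmac

# Digest lengths (in bits) that FIPS 180-2 specifies for each algorithm.
SHS_DIGEST_BITS = {"sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}


def shs_digests(message: bytes) -> dict:
    """Hex message digest of `message` under each of the four SHS algorithms."""
    return {name: hashlib.new(name, message).hexdigest() for name in SHS_DIGEST_BITS}


def digest_bit_lengths(message: bytes) -> dict:
    """Observed digest length in bits per algorithm, for comparison with SHS_DIGEST_BITS."""
    return {name: hashlib.new(name, message).digest_size * 8 for name in SHS_DIGEST_BITS}


def differing_digest_bits(message_a: bytes, message_b: bytes, algorithm: str = "sha256") -> int:
    """Number of bit positions at which the two messages' digests differ.

    For a good hash a one-bit change in the input flips roughly half of the
    digest bits, so two near-identical messages still get unrelated digests.
    """
    a = int.from_bytes(hashlib.new(algorithm, message_a).digest(), "big")
    b = int.from_bytes(hashlib.new(algorithm, message_b).digest(), "big")
    return bin(a ^ b).count("1")


def keyed_tag(key: bytes, message: bytes, algorithm: str = "sha256") -> str:
    """Keyed-hash MAC (HMAC) over `message`, one of the SHS uses the announcement names."""
    return hmac.new(key, message, algorithm).hexdigest()


def verify_keyed_tag(key: bytes, message: bytes, tag: str, algorithm: str = "sha256") -> bool:
    """Recompute the HMAC and compare in constant time, so the check does not leak timing."""
    return hmac.compare_digest(keyed_tag(key, message, algorithm), tag)


if __name__ == "__main__":
    msg = b"abc"                       # one-block test message from the standard's examples
    for name, digest in shs_digests(msg).items():
        print(f"{name:7s} {digest}")
    print("digest bit lengths:", digest_bit_lengths(msg))
    # Constructed pair of messages differing in a single bit of the last byte.
    print("bits differing after a 1-bit change:", differing_digest_bits(b"abc", b"abb"))
    key = b"constructed-example-key"   # constructed sample key, not from the page
    tag = keyed_tag(key, msg)
    print("tag verifies on original:", verify_keyed_tag(key, msg, tag))
    print("tag verifies on altered :", verify_keyed_tag(key, b"abd", tag))
```

Running the block prints the four digests of "abc", confirms the four digest lengths, and shows that the HMAC tag verifies only for the exact message it was computed over.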
July:
- July 24 -- The DRAFT
Special Publication 800-48, Wireless Network Security: 802.11, Bluetooth,
and Handheld Devices (.pdf : 2,294,825 bytes) is available for public
comment. The document examines the benefits and security risks of 802.11
Wireless Local Area Networks (WLAN), Bluetooth Ad Hoc Networks, and Handheld
Devices such as Personal Digital Assistants (PDA). The document also provides
practical guidelines and recommendations for mitigating the risks associated
with these technologies. NIST is particularly interested in comments on
the technical and operational countermeasure recommendations. Questions
or comments on this document can be emailed to Tom Karygiannis at sp800-48@nist.gov.
NIST will be accepting comments on this document until September 1, 2002.
(Click this link to go to the DRAFTS
page).
- July 10 -- The Automated
Security Self-Evaluation Tool (ASSET) is now available to download.
ASSET automates the process of completing a system security self-assessment.
ASSET assists organizations in completing the self-assessment questionnaire
contained in NIST SP 800-26, Security Self-Assessment Guide for Information
Technology Systems.
June:
- June 27 -- NEW: NISTIR 6887,
Government Smart Card Interoperability Specification (GSC-IS), v2.0, has
been posted to smartcard.nist.gov
The GSC-IS defines a comprehensive architectural framework for smart card
interoperability.
The GSC-IS framework, through
the use of a common smart card service provider model, allows application
programmers to access smart card services without being concerned about
underlying implementation details. Click
this link to go directly to the Smart Card document (.pdf format).
- June 18 -- Peter G. Neumann
of SRI received the 2002 Computer System Security Award, which is given
annually by NIST and the National Security Agency. The award is granted
for outstanding contributions toward the advancement of computer security
technology and is generally considered the most prestigious award in the
area of information security and assurance. Click
here for details.
May:
- May 2 -- Mr. Benjamin Wu,
Deputy Under Secretary of Commerce for Technology, testified today before
Congress on H.R. 3844, the Federal Information Security Management Act
of 2002. Testimony
available here.
April:
- April 2 -- The draft
Special Publication 800-45 Guidelines on Electronic Mail Security
is available for public comment. The document is intended primarily for
a technical audience. It provides detailed guidance on setting up and
maintaining a secure email system, and includes pointers to related material.
NIST seeks your comments and suggestions on the document. Please provide
them directly to Wayne Jansen (jansen@nist.gov)
by April 30, 2002.
- April 2 -- The draft
NIST Special Publication 800-40, Procedures for Handling Security Patches,
is available for public comment. This document describes and recommends
the use of a systematic, accountable, and documented process for handling
security patches and vulnerabilities. In addition, the document provides
specific advice for obtaining, testing, distributing, and installing security
patches. Please provide comments and suggestions to Peter Mell (peter.mell@nist.gov)
by May 2, 2002.
March:
- March 29 -- The Computer Science
and Telecommunications Board of the National Research Council (NRC) has
recently issued Cybersecurity
Today and Tomorrow. This report reaffirms insights from prior
NRC reports relevant to cybersecurity. The unfortunate reality is that
relative to the magnitude of the threat, our ability and willingness to
deal with threats has, on balance, changed for the worse, making many
of the analyses, findings, and recommendations of these reports all the
more relevant, timely, and applicable today.
- March 6 -- Dr. Arden L. Bement,
Jr., Director of NIST, today testified before the Subcommittee on Government
Efficiency, Financial Management and Intergovernmental Relations on the
"Lessons Learned from the Government Information Security Reform
Act of 2000." Click here to read his testimony.
February:
- February 28 -- The draft Guidelines
on Securing Public Web Servers is available for public comment. The
document is intended primarily for a technical audience. It provides detailed
guidance on securely setting up and maintaining a public Web server, and
includes pointers to related material. NIST seeks your comments and suggestions.
Please provide them directly to Wayne Jansen (jansen@nist.gov).
The comment period is now CLOSED.
- February 16 -- Industry Benefits
From ITL's RBAC Research. To view article please click
here (.pdf file).
- February 14 -- OMB has issued
its first report to Congress
on Agency IT security (.pdf format) as required by the Government
Information Security Reform Act.
- February 4 -- Draft
Special Publication 800-42, Guideline on Network Security Testing
(.pdf file - 1,547,605 bytes), is now available for public comment. This
document describes a methodology for using network-based tools for testing
systems for vulnerabilities. The primary aim of the document is to help
administrators and managers get started with a program for testing on
a routine basis. The methodology recommends focusing first on those systems
that are accessible externally, e.g., firewalls, web servers, etc., and
then moving on to other systems as resources permit. The document includes
many pointers to various testing applications and contains more detailed
descriptions of several of the more popular test tools.
NIST is particularly interested
in comments regarding the testing schedules, especially the frequency
of certain tests - are they realistic for your environment, should certain
tests be run more frequently or less, do you recommend other types of
tests or tools? Please send comments and questions to john.wack@nist.gov.
Comment period is now CLOSED.
January:
- January 15 -- The draft NIST
recommendation “Use of
the CVE Vulnerability Naming Scheme Within its Acquired Products and Information
Technology Security Procedures” advises agencies on the use of the
Common Vulnerability and Exposures (CVE) vulnerability naming scheme.
It recommends that agencies give substantial consideration to buying products
and services compatible with the CVE naming scheme. The recommendation
also advises agencies to periodically monitor their systems for vulnerabilities
listed in the CVE vulnerability naming scheme. Agencies are also advised
to use the CVE naming scheme in their communications and descriptions
of vulnerabilities. You are invited to submit any comments you may have
to both Peter Mell and Timothy Grance at peter.mell@nist.gov
and timothy.grance@nist.gov
by February 18, 2002. NOTE:
Comment period is now CLOSED.
- January 15 -- The draft NIST
Special Publication 800-34, "Contingency Planning Guide for Information
Technology Systems" is available for public comment. The document
provides instructions, recommendations, and considerations for government
IT contingency planning. The information presented in this document addresses
seven IT platform types and defines a seven-step contingency process that
an agency may apply to develop and maintain a viable contingency planning
program for their IT systems. The seven steps are designed to be integrated
into each stage of the system development life cycle. Please provide any
comments to Marianne Swanson at marianne.swanson@nist.gov
by February 15, 2002. NOTE:
Comment period is NOW CLOSED.
- January 4 -- NIST is pleased
to announce Special Publication
800-41, Guidelines on Firewalls and Firewall Policy. This document
contains an overview of recent developments in firewall technology, and
guidance on configuring firewall environments. It discusses firewall access
control, active content filtering, DMZs, and co-location with VPNs, web
and email servers, and intrusion detection. It contains guidance on developing
firewall policy and recommendations for administering firewalls. Lastly,
it contains several appendices with links to other firewall-related resources
and recommendations for configuring and operating firewalls.
Last updated:
March 7, 2007
Page created: December 29, 2001