2003 News and Announcements
December:
- December 19, 2003 -- NIST has completed the first draft of NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. The purpose of the draft guideline is to assist Federal government agencies in identifying information types and information systems and assigning impact levels for confidentiality, integrity, and availability. Impact levels are based on the security categorization definitions in FIPS 199, pre-publication (go to drafts page). The draft Special Publication 800-60 is posted in two volumes. Volume I [pdf] provides guidelines for identifying impact levels by type and suggests impact levels for administrative and support information common to multiple agencies. Volume II [pdf] includes rationale for information type and impact level recommendations and examples of recommendations for agency-specific mission-related information. A goal of this document is to define the impact level independently, that is, to determine the impact level without considering countermeasures or controls. (This is one area that we are continuing to address. Comments and suggested approaches will be welcomed.) NIST requests comments on the draft by February 20, 2004. Comments should be addressed to 800-60_comments@nist.gov.
A government-only Workshop on the draft will be held at NIST on 26 and 27 February 2004. Please e-mail elaine.frye@nist.gov for Workshop details and registration information.
- December 19, 2003 -- NIST has completed a draft of NIST IR 7056, Card Technology Development and Gap Analysis Interagency Report (pdf format). This draft reports NIST activities in response to the GAO report, dated January 2003, "Progress in Promoting Adoption of Smart Card Technology" (GAO-03-144). The NIST IR includes the proceedings of the 8-9 July 2003 Storage and Processor Card-Based Technologies Workshop and reports the results of subsequent requirements and capabilities survey activities. NIST requests comments on the draft interagency report by January 30, 2004. Comment period is now CLOSED.
- December 15, 2003 -- INFORMATION SECURITY AND PRIVACY ADVISORY BOARD: NEW MEMBERS
The Director of NIST recently appointed three new members to the Information Security and Privacy Advisory Board to fill existing vacancies. The new members are: Mr. Bruce A. Brody, Associate Deputy Assistant Secretary for Cyber and Information Security at the U.S. Department of Veterans Affairs; Ms. Rebecca C. Leng, Deputy Assistant Inspector General for Information Technology and Computer Security with the U.S. Department of Transportation; and Dr. Howard A. Schmidt, Vice President and Chief Information Security Officer with eBay. A copy of their bios is available from the Board's membership site, http://csrc.nist.rip/ispab/membership.html.
- December 9, 2003 -- The National Institute of Standards and Technology (NIST) and General Services Administration (GSA) are co-sponsoring the symposium entitled "Knowledge Based Authentication: Is it Quantifiable?" on February 9-10, 2004 in Gaithersburg, Maryland.
Knowledge Based Authentication (KBA) is a useful tool to remotely authenticate individuals who conduct business electronically with Federal agencies or businesses infrequently. However, the complexity and interdependencies of the KBA solutions used to establish a remote user's identity are difficult to quantify. This symposium will explore KBA through panel discussions of user requirements, KBA system models, and metrics to quantify information sources, questions for challenges, analysis and scoring of responses, and standards. Complete information on the 1½ day symposium can be found at http://csrc.nist.rip/kba.
- December 1, 2003 -- NIST is proposing a change notice (pdf format) for FIPS 180-2, the Secure Hash Standard, that will specify an additional hash function, SHA-224, which is based on SHA-256. NIST requests comments on the change notice by January 16, 2004. Comments should be addressed to ebarker@nist.gov.
November:
- November 25, 2003 -- Today NIST announced plans to hold a spam technology workshop on February 17, 2004 to examine technical topics related to spam, including filtering at the Internet/network and client sides (e.g., how to detect spam and how to reduce it), input from standards bodies on relevant current activities, Internet service providers' current and future plans to deal with spam, and technical issues regarding the efficacy of proposals to create "do not spam" lists. NIST is also interested in hearing about research challenges to developing and measuring improvements in spam control and reduction technology. Click here for details.
- November 13, 2003 -- Building
Trust and Confidence in Voting Systems Symposium
As part of its responsibilities under the Help America Vote
Act of 2002 (HAVA), the Commerce Department's National Institute of Standards
and Technology (NIST) will hold a symposium on building trust and confidence
in voting systems at the agency's Gaithersburg, Md., headquarters on Dec.
10-11, 2003. The two-day event will bring together a host of people with
an interest in election technology, including federal, state and local
election officials; university researchers; independent testing laboratories;
election law experts; hardware and software vendors; and others concerned
about or involved with the latest developments in voting systems. Topics
to be covered include specification, testability, security, usability
and accessibility of voting systems. Information on the Building Trust
and Confidence in Voting Systems symposium can be found at http://vote.nist.gov.
October:
- October 10, 2003 -- NIST is pleased to announce the release of 5 special publications (SP): SP 800-35, Guide to Information Technology Security Services; SP 800-36, Guide to Selecting Information Security Products; SP 800-42, Guideline on Network Security Testing; SP 800-50, Building an Information Technology Security Awareness and Training Program; and SP 800-64, Security Considerations in the Information System Development Life Cycle.
To view or to download these 5 publications, please visit http://csrc.nist.rip/publications/nistpubs/
September:
- September 17, 2003 -- The
Chief of NIST's Computer Security Division, Ed Roback, testified
today (.pdf) before the House Congressional Committee on Government
Reform, Subcommittee on Technology, Information Policy, Intergovernmental
Relations and the Census. The Subcommittee held a hearing on "Exploring
Common Criteria: Can it Ensure that the Federal Government Gets Needed
Security in Software."
- September 17, 2003 -- NIST
has completed the final draft of FIPS Publication 199, Standards for
Security Categorization of Federal Information and Information Systems.
To view or to download the pre-publication final draft of FIPS Publication
199, please visit http://csrc.nist.rip/publications/drafts.html.
- September 12, 2003 -- Two NIST Interagency Reports (NISTIR) have been released today.
The first, NISTIR 7030, "Picture Password: A Visual Login Technique for Mobile Devices," describes a general-purpose mechanism for authenticating a user to a PDA or other mobile device using image selection. Image selection is a simple and natural way for users to authenticate, which has advantages over passwords and other knowledge-based authentication mechanisms, particularly on handheld devices.
The second, NISTIR 7046, "A Framework for Multi-mode Authentication: Overview and Implementation Guide," describes a general Multi-mode Authentication Framework (MAF) for applying organizational security policies to mobile devices. Policies are organized into distinct policy contexts known as echelons, among which a user may transition. The approach is aimed at helping users easily comply with their organization's security policy, yet be able to exercise a significant amount of flexibility and discretion.
To view or to download these two NISTIRs, please visit http://csrc.nist.rip/publications/nistir/
- September 11, 2003 -- Occasionally, NIST will host IT security training classes at a severely reduced cost. On September 24 - 26, we are hosting an MIS Training Institute class, "Securing and Auditing Virtual Office Networks." The class, which is at NIST in Gaithersburg, Maryland, will address issues we are dealing with right now, such as dial-up access, small office/home high speed Internet service, virtual private networks, mobile computing, and wireless technology. A copy of the course outline, with more information, can be obtained by clicking this link. The registration fee for the three-day course is $435.00.
- September 9, 2003 -- Deputy Under Secretary of Commerce for Technology, Benjamin H. Wu, testified before the House Congressional Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. The hearing was entitled "Advancements in Smart Card and Biometric Technology." Mr. Wu's testimony focused on NIST's efforts to promote smart card security and interoperability.
August:
- August 27, 2003 -- (posted
Sept. 2) NIST is requesting that public and private sector organizations,
on a voluntary basis, submit their information security practices for
inclusion on CSRC's new Public
/ Private Security Practices (PPSP) website. The PPSP site will complement
the existing CSRC Federal Agency
Security Practices (FASP) site. The broader sharing of such practices
can help enhance the overall performance of information security programs
and reduce costs from duplication of effort. For details on submitting
items, click here.
- August 5, 2003 -- NEW: The newly released NIST InterAgency Report 6887-2003 Edition, Government Smart Card Interoperability Specification (v2.1), is now available. GSC-ISv2.1 has expanded the government smart card architecture defined in GSC-ISv2.0 with the addition of an interface for contactless cards. GSC-ISv2.1 provides a common contactless card interface and establishes the foundation for achieving interoperability for both contact and contactless cards. A copy of NISTIR 6887-2003 can be found at http://smartcard.nist.gov.
- August 1, 2003 -- The Cyber Security Research and Development Act of 2002 tasks NIST to develop security checklists containing settings for IT products used within the Federal Government. To meet this challenging requirement, NIST proposes to solicit additional checklists and associated guidance material from IT vendors, consortia, industry and government organizations, and others in the public and private sector. These materials would then be made available for display and downloading from CSRC. On September 25-26, 2003, NIST will hold a workshop to identify current and planned Federal government checklist activities and related needs, existing and planned voluntary efforts for building security checklists, and current industry capabilities for the development of checklists and the associated templates that describe sets of security configurations for IT products widely used in the United States Government (USG). Click here for details.
July:
- July 25, 2003 -- Card Technology Workshop Presentations: On July 8 and 9, 2003 the ITL Computer Security Division hosted a workshop on multi-technology card issues. The workshop was organized to identify current and planned Federal government activities, requirements, and issues for multi-technology cards. Specifically, it examined general technical and business issues, existing voluntary industry consensus standards, gap areas in standards coverage, and industry capabilities in the field of ISO/IEC 7810-compliant storage and processor card technologies. Copies of the presentation slides are available at http://csrc.nist.rip/card-technology/.
The workshop was the initial step in a requirements definition effort. Follow-on activities will include 1) publication of proceedings of the workshop, 2) identification of the gaps in standards coverage, and 3) identification of the multi-technology composition issues. We invite comments on the workshop or the follow-on topics. Please send comments to nist_workshop@bah.com.
- July 11, 2003 -- The General
Services Administration, in coordination with OMB, has published a
proposed E-Authentication policy for public comment. GSA is requiring
that agencies implement the E-Authentication Policy, which establishes
four assurance levels to create a Governmentwide standard framework for
determining what is required to access a particular Government transaction
online. Comments are being accepted through August 11.
June:
- June 30, 2003 -- The second
public draft of NIST
Special Publication 800-37, Guide for the Security Certification
and Accreditation of Federal Information Systems (.pdf file),
has been completed and is available for public comment. This document
is one of a series of security standards and guidelines being developed
by NIST's Computer Security Division in response to the Federal Information
Security Management Act of 2002. For additional information, please visit
the NIST Security Certification and Accreditation
Project web site.
- June 27, 2003 -- (UPDATED
information - workshop web pages & registration link provided) On
July 8 and 9, 2003, NIST will host
a workshop (link to workshop webpages) to identify current and planned
Federal government
(.pdf file) activities and related needs, general issues, existing voluntary
industry consensus standards, gap areas in standards coverage, and industry
capabilities in the field of storage and processor card technologies.
It is anticipated that the workshop will support development of a standards
roadmap, and a guideline on storage and processor card technologies to
include multitechnology composition issues. The goal of this initial workshop
is to develop and exchange information on the standards for and capabilities
of multitechnology storage and processor cards. The workshop will be open
to the public. Detailed
registration information can be found here. The registration fee will
be approximately $275 per person. The detailed agenda and supporting documentation
for the workshop is now
available.
- June 8, 2003 -- The Second
IT Security Capital Investment Planning Workshop will take place on
June 30, 2003. It is a repeat of the workshop that was held on June 4th.
Due to demand, this second workshop has been scheduled. This workshop
will focus on effectively integrating security into the capital planning
process. It will also provide participants with information on how to
best develop a comprehensive business case in support of IT security acquisitions
and investments.
- June 6, 2003 -- The Department
of Homeland Security has created the National Cyber Security Division
(NCSD) under the Department's Information Analysis and Infrastructure
Protection Directorate. The NCSD will provide for 24 x 7 functions, including
conducting cyberspace analysis, issuing alerts and warning, improving
information sharing, responding to major incidents, and aiding in national-level
recovery efforts. Read
more here.
- June 6, 2003 -- The National
Institute of Standards and Technology (NIST) has been developing a block
cipher mode of operation for message authentication. From the authentication
modes that were submitted to NIST for consideration, NIST initially selected
the RMAC algorithm and specified it in the draft NIST Special Publication
800-38B. In response to public comments on the draft, NIST posted a consultation
paper that proposed a revision of the draft that would focus on the EMAC
construction that underlies RMAC. In response to further public input,
NIST has decided to replace RMAC and EMAC altogether with the OMAC variation
of the XCBC algorithm.
The technical characteristics
of RMAC, EMAC, and XCBC are summarized in the consultation paper; the
rationale for the current decision is explained in a supplemental paper.
These two papers, and other information on the modes development effort,
are available through the modes home page, http://www.nist.gov/modes/.
NIST welcomes public comments
on the OMAC variation of the XCBC algorithm in advance of the formal public
comment period that will follow posting of the revised draft. Comments
may be submitted to EncryptionModes@nist.gov
by July 3, 2003.
- June 3, 2003 -- NIST's draft of the "Guideline for Identifying an Information System as a National Security System" (Draft Special Publication 800-59) is now available. The document provides guidelines for identifying an information system as a national security system consistent with applicable requirements for national security systems as specified in Title III of Public Law 107-347, the Federal Information Security Management Act of 2002 (FISMA).
May:
- May 7, 2003 -- The IT
Security Capital Investment Planning Workshop will take place
on June 4, 2003. This workshop will focus on effectively integrating security
into the capital planning process. It will also provide participants with
information on how to best develop a comprehensive business case in support
of IT security acquisitions and investments.
April:
- April 21, 2003 -- (UPDATED
information - workshop web pages & registration link provided) On
July 8 and 9, 2003, NIST will host
a workshop (link to workshop webpages) to identify current and planned
Federal government
(.pdf file) activities and related needs, general issues, existing voluntary
industry consensus standards, gap areas in standards coverage, and industry
capabilities in the field of storage and processor card technologies.
It is anticipated that the workshop will support development of a standards
roadmap, and a guideline on storage and processor card technologies to
include multitechnology composition issues. The goal of this initial workshop
is to develop and exchange information on the standards for and capabilities
of multitechnology storage and processor cards. The workshop will be open
to the public. Detailed
registration information can be found here. The registration fee will
be approximately $275 per person. The detailed draft agenda and supporting
documentation for the workshop will be posted at the NIST CSRC web site
by May 9, 2003.
- April 8, 2003 -- In response to the public comments on the draft NIST Special Publication 800-38B, a consultation paper summarizes the technical issues underlying the selection of a block-cipher-based MAC and proposes to refocus the RMAC specification in the draft on its underlying EMAC construction. A link to the consultation paper is available at http://csrc.nist.rip/CryptoToolkit/modes/, under the heading "NIST Recommendation for Modes." Further comments on the draft SP 800-38B and the consultation paper may be submitted to EncryptionModes@nist.gov until May 5, 2003. Comment period is NOW CLOSED.
- April 4, 2003 -- SECOND DRAFT Special Publication 800-50, Building an Information Technology Security Awareness and Training Program
The second draft of Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, is now available for public comment. The publication provides detailed guidance on designing, developing, implementing, and maintaining an awareness and training program within an agency's IT security program. NIST welcomes your comments and suggestions on this document. Please provide them directly to Mark Wilson (sp800-50@nist.gov) by May 2, 2003. Comment period is NOW CLOSED.
March:
February:
- February 14, 2003 -- The White
House has released the National
Strategy to Secure Cyberspace. The purpose of the Strategy is to engage
and empower Americans to secure the portions of cyberspace that they own,
operate, control, or with which they interact.
January:
Last updated: March 7, 2007
Page created: January 4, 2003