2004 News and Announcements

December:

  • December 29 -- HSPD-12 Public Meeting - January 19, 2005 -- A second session has been added, from 1:00 to 4:00 pm. Due to the number of responses from individuals interested in attending this meeting, there will be a second meeting in the afternoon at the same location. The afternoon session will cover the same topics. Because of space limitations, attendees may only attend one session. Attendees registered for the morning session may not switch sessions. If you are on the waiting list, you will receive email confirmation; there is no need to contact NIST.
  • December 29 -- HSPD-12 Public Meeting - January 19, 2005 - Meeting information now available (The meeting has reached capacity and is now full. All people registering now will be put on a waiting list)

November:

  • November 15 -- NIST has completed the final version of Special Publication 800-72, entitled Guidelines on PDA Forensics. The document was developed to help organizations evolve appropriate policies and procedures for dealing with PDA forensics and to provide forensic specialists with a background on the technology, tools, and principles involved. The intended audience ranges from response team members handling a computer security incident, to organizational security officials investigating an employee-related situation, to forensic examiners involved in criminal investigations.

October:

September:

  • September 29, 2004 -- NIST is pleased to announce the first public draft of Special Publication 800-52, Guidelines on the Selection and Use of Transport Layer Security. This document is a guideline for implementing Transport Layer Security in the Federal Government to protect sensitive information. Care must be taken when selecting cryptographic mechanisms for authentication, confidentiality, and message integrity, as some choices are non-compliant with Government standards, or may pose security risks. The comment period for this document will be 30 days, ending on November 1st, 2004. Please direct all comments and questions to Matthew J. Fanto at matthew.fanto@nist.gov.
  • September 28, 2004 -- NIST has completed the second public draft of Special Publication 800-53, Recommended Security Controls for Federal Information Systems. This draft guideline provides a recommended set of security controls for low, moderate, and high impact information systems based upon the system's FIPS 199 security categorization. Final publication is anticipated on or about January 31, 2005. Special Publication 800-53, when finalized, will serve as NIST interim guidance on security controls for federal information systems until December 2005, which is the statutory deadline to publish minimum standards for all non-national security systems. Comments may be sent to sec-cert@nist.gov until November 30, 2004.
  • September 16, 2004 -- On November 9 and 10, 2004, the Federal Trade Commission and the National Institute of Standards and Technology will co-sponsor a Summit on Email Authentication at the Federal Trade Commission Satellite Building in Washington, DC. The purpose of the Summit is to facilitate discussions and encourage the development, testing, evaluation, and implementation of domain-level authentication systems as a way to better filter spam. The summit is open to the public.
  • September 10, 2004 -- NIST is proud to announce the release of NIST Interagency Report 7100, Personal Digital Assistants (PDA) Forensic Tools: An Overview and Analysis. Digital handheld devices, such as Personal Digital Assistants (PDAs), are becoming more affordable and commonplace in the workplace. When handheld devices are involved in a crime or other incident, forensic examiners require tools that allow the proper retrieval and speedy examination of information present on the device. This report gives an overview of current forensic software designed for the acquisition, analysis, and reporting of data discovered on PDAs, and an understanding of its capabilities and limitations.

August:

  • August 25, 2004 -- Researchers have recently announced they have discovered a new way to break a number of cryptographic hash algorithms. Click here to read NIST's brief comments on recent cryptanalytic attacks on secure hashing functions and the continued security provided by SHA-1. SHA-1 is one of the hash functions specified in the Secure Hash Standard, Federal Information Processing Standard 180-2.
  • August 25, 2004 -- NIST invites and requests nominations of individuals for appointment to the Information Security and Privacy Advisory Board (ISPAB). The call for nominations can be found here. The Board advises the Director of NIST, the Secretary of Commerce and the Director of OMB on information security matters.
  • August 19, 2004 -- On October 6 and 7, 2004: NIST, with co-sponsorship from Department of Homeland Security (DHS) and the National Cyber Security Partnership's Coordinating Committee, will hold a Common Criteria Users' Forum (CCUF) at Crowne Plaza Hotel located at 14th and K Street, NW, Washington, DC. The CCUF complements and supplements two studies that address issues related to the use of the Common Criteria and to the U.S. NIAP process that implements Common Criteria. These studies are: 1) the ongoing NIAP Review (sponsored by DoD & DHS) and 2) the completed National Cyber Security Partnership Technical Standards Task Force Report on Common Criteria. Common Criteria related stakeholders, including customers, vendors, Common Criteria evaluators and NIAP representatives, are invited to attend the Common Criteria Users' Forum.
  • August 12, 2004 -- NIST, with sponsorship from the Department of Homeland Security (DHS), has produced Draft NIST Special Publication 800-70: Security Configuration Checklists Program for IT Products to facilitate the development and dissemination of security configuration checklists ("benchmark settings"). The Cyber Security Research and Development Act of 2002 tasks NIST to "develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become widely used within the Federal Government." Such checklists, when combined with well-developed guidance, leveraged with high-quality security expertise, vendor product knowledge, operational experience, and accompanied with tools, can markedly reduce the vulnerability exposure of an organization. This publication is intended for users and developers of IT product security configuration checklists. For checklist users, this document gives an overview of the NIST Checklist Program, explains how to retrieve checklists from NIST's repository, and provides general information about threat models and baseline technical security policies for associated operational environments. For checklist developers, the publication sets forth the policies, procedures, and general requirements for participation in the NIST Checklist Program. In the winter, we expect to launch a web site for checklist distribution.

    Comments may be sent to checklists@nist.gov by September 30, 2004. Comment period is NOW closed.
  • August 6, 2004 -- (November 2004 - Special Publication 800-72 is NOW a final Special Publication document) NIST has prepared the draft Special Publication 800-72, entitled Guidelines on PDA Forensics, and is requesting public comment on its contents. The document was developed to help organizations evolve appropriate policies and procedures for dealing with PDA forensics and to provide forensic specialists with a background on the technology, tools, and principles involved. The intended audience ranges from response team members handling a computer security incident to organizational security officials investigating an employee-related situation to forensic examiners involved in criminal investigations. NIST requests comments by September 3, 2004. Comment period is NOW closed. Questions can be emailed to PDAforensics@NIST.Gov.

July:

  • July 27, 2004 -- NIST has determined that the strength of the (single) Data Encryption Standard (DES) algorithm is no longer sufficient to adequately protect Federal government information. As a result, NIST proposes to withdraw FIPS 46-3, which specifies the DES, and two related standards. Future use of DES by Federal agencies is to be permitted only as a component function of the Triple Data Encryption Algorithm (TDEA; see NIST Special Publication 800-67). TDEA may be used for the protection of Federal information; however, NIST encourages agencies to implement the faster and stronger algorithm specified by FIPS 197, Advanced Encryption Standard (AES), instead. Comments must be received on or before September 9, 2004. Comment period is NOW closed.
     
    For questions please forward them to: descomments@nist.gov

June:

  • June 16, 2004 -- The U.S. General Accounting Office has recently published "Technology Assessment -- Cybersecurity for Critical Infrastructure Protection." Click here to read the report. (.pdf file)
  • June 10, 2004 -- The National Institute of Standards and Technology today published NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. NIST Special Publication 800-60 is one of several key documents being developed by NIST to support the implementation of the Federal Information Security Management Act (FISMA) of 2002. The purpose of the guideline is to assist Federal government agencies in identifying information types and information systems and assigning impact levels for confidentiality, integrity, and availability. Impact levels are based on the security categorization definitions in FIPS 199. Special Publication 800-60 is posted in two volumes. Volume I [pdf] provides guidelines for identifying impact levels by type and suggests management and support information types common to multiple agencies. Volume II [pdf] includes examples of mission-based information types and suggests provisional impact levels for both management and support and mission-based information types. Rationale for impact level recommendations, exceptions to recommended levels, and legislative and regulatory requirements for protection of specific information types are also provided in Volume II. NIST Special Publication 800-60 is available on the CSRC Special Publications page. A complete description of the NIST FISMA Implementation Project is also available.

May:

  • May 12, 2004 -- The National Institute of Standards and Technology today published guidelines on the security certification and accreditation of federal information systems. NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems", is one of several key documents being developed by NIST to support the implementation of the Federal Information Security Management Act (FISMA) of 2002. The new guidelines provide a standardized approach for assessing the effectiveness of the management, operational, and technical security controls in an information system and for determining the business or mission risk to an agency's operations and assets brought about by the operation of that system. NIST Special Publication 800-37 is available on the CSRC Special Publications page. A complete description of the NIST FISMA Implementation Project is also available at: http://csrc.nist.rip/sec-cert
  • May 12, 2004 -- The newly released NIST Special Publication 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, is now available. NIST SP 800-67 specifies the Triple Data Encryption Algorithm (TDEA), including its primary component cryptographic engine, the Data Encryption Algorithm (DEA). This recommendation precisely defines the mathematical steps required to cryptographically protect data using TDEA and to subsequently process such protected data. When implemented in an SP 800-38 series-compliant mode of operation and in a FIPS 140-2 compliant cryptographic module, TDEA may be used by Federal organizations to protect sensitive unclassified data. A copy of NIST SP 800-67 can be found on the NIST Special Publications web page.
  • May 12, 2004 -- The NIST Computer Security Division has recently completed a draft of NIST Special Publication 800-66, An Introductory Resource Guide for Implementation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, for public comment. The guidance is intended to assist in identifying available NIST guidance that can provide useful reference material in addressing the HIPAA security standards. In addition, for federal agencies subject to both the Federal Information Security Management Act (FISMA) and HIPAA, it provides a cross-mapping between the two sets of requirements to help agencies avoid duplicating work, since the two sets of requirements overlap. The draft is available on the CSRC Drafts Publications page. NIST is requesting comments by July 15, 2004. Comments should be addressed to sec-hipaa@nist.gov.
  • May 6, 2004 -- NIST is pleased to announce a Briefing Day for Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems", on Thursday, June 3, 2004, from 9:00 A.M. until 12:30 P.M. in the Green Auditorium, NIST Main Campus, Gaithersburg, Maryland. The purpose of the Briefing Day is to provide federal agencies with the latest information on the implementation of NIST Special Publication 800-37. The target audience for the Briefing Day is Chief Information Officers (CIO), Senior Agency Information Security Officers (SAISO), and Inspectors General (IG). In addition to detailed presentations on the NIST FISMA project and Special Publication 800-37, representatives from OMB will be in attendance to provide the latest policy guidance on the implementation of the special publication. Attendance at the Briefing Day is by invitation ONLY and limited to federal employees holding CIO, SAISO, or IG positions. The number of participants is limited to three per agency or major organizational component. Participants must be pre-registered. Electronic registration may be done at: http://www.nist.gov/conferences, click on View Upcoming NIST Conferences, and then scroll down to the June 3, 2004 Briefing Day. There is no registration fee for this event. The registration contact is Angela Ellis, (301) 975-3881, angela.ellis@nist.gov, fax 301-948-2067.

April:

  • April 22, 2004 -- The newly released NIST Interagency Report 7056, Card Technology Developments and Gap Analysis Interagency Report, is now available. NIST IR 7056 is based on the proceedings of the July 8 and 9, 2003 Storage and Processor Card-based Technologies Workshop. The report summarizes Federal government storage and processor card requirements expressed at the workshop, current capabilities offered by the vendor community, and technical and policy implementation issues raised at the workshop. A copy of NISTIR 7056 can be found on the NIST Interagency Report Publications web page.
  • April 6, 2004 -- (updated May 2004 - Special Publication 800-37 is NOW a final Special Publication document) NIST has completed the pre-publication final draft of Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems and invites public comment. NIST requests comments by April 21, 2004. Comments should be addressed to sec-cert@nist.gov. Comment period is NOW CLOSED.

March:

  • March 29, 2004 -- (updated June 2004 - Special Publication 800-60 is NOW a final Special Publication document) NIST has completed the second draft of NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. The second draft incorporates suggestions made by participants in the 26 and 27 February inter-agency workshop on SP 800-60. The purpose of the draft guideline is to assist Federal government agencies in identifying information types and information systems and assigning impact levels for confidentiality, integrity, and availability. Impact levels are based on the security categorization definitions in FIPS 199. The draft Special Publication 800-60 is posted in two volumes. Volume I provides guidelines for identifying impact levels by type and suggests management and support information types common to multiple agencies. Volume II includes examples of mission-based information types and suggests provisional impact levels for both management and support and mission-based information types. Rationale for information type and impact level recommendations is also provided in Volume II. NIST requests comments on the draft by May 1, 2004. Comments should be addressed to: 800-60_comments@nist.gov. Comment period is NOW CLOSED.
  • March 16, 2004 -- Deputy Under Secretary of Commerce for Technology Ben Wu testified today before Congress on NIST's activities to implement its assignments to develop standards and guidelines in the Federal Information Security Management Act of 2002.
  • March 4, 2004 -- (updated May 2004 - Special Publication 800-67 is NOW a final document) NIST has completed a draft of Special Publication 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, and invites public comment. NIST requests comments by April 15. Comments should be addressed to wbarker@nist.gov. Comment period is NOW closed.

February:

  • February 28, 2004 -- A new version of FIPS 180-2, Secure Hash Standard (SHS), is available. This version contains a change notice that specifies SHA-224 and discusses truncation of the hash function output in order to provide interoperability.
  • February 10, 2004 -- The Secretary of Commerce has approved FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems. FIPS Publication 199 addresses one of the requirements specified in the Federal Information Security Management Act (FISMA) of 2002 by providing security categorization standards for information and information systems. Security categorization standards provide a common framework and method for expressing security. They promote the effective management and oversight of information security programs, including the coordination of information security efforts throughout the civilian, national security, emergency preparedness, homeland security, and law enforcement communities. Such standards also enable consistent reporting to OMB and Congress on the adequacy and effectiveness of information security policies, procedures, and practices. A copy of the standard can be obtained at: http://csrc.nist.rip/publications/fips/.

January:

  • January 29, 2004 -- The Department of Commerce has formed an IPv6 Task Force to study deployment issues. The Task Force has published an RFC (Request for Comments) in the January 21, 2004 Federal Register, inviting interested parties to comment on a variety of IPv6-related issues. The RFC is available here; the press announcement is available here. The deadline for comments is March 8, 2004.
  • January 29, 2004 -- (updated June 2004 -- Special Publication 800-63 is NOW a final publication, not a draft) NIST has completed the draft NIST Special Publication 800-63, Recommendation for Electronic Authentication. E-authentication is the remote authentication of individual people over a network for the purpose of electronic government and commerce. This recommendation provides technical guidance in the implementation of electronic authentication to allow an individual person to remotely authenticate his or her identity to a Federal IT system. It supplements the OMB guidance, E-Authentication Guidance for Federal Agencies, which defines four levels of authentication in terms of the likely consequences of an authentication error. Special Publication 800-63 states specific technical requirements for each of the four levels of assurance in the following areas: identity proofing and registration, tokens, remote authentication mechanisms, and assertion mechanisms. NIST requests comments on the draft document by March 15, 2004. Please address your comments to: eauth-comment@nist.gov. Comment period is NOW closed.
  • January 21, 2004 -- (updated June 2004 -- this document is NOW a Final Publication and can be found on our CSRC Special Publications page) DRAFT Special Publication 800-27 Rev. A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security). NIST has completed Revision A of NIST Special Publication 800-27. In response to public comments received after the release of the original document, Revision A updates SP 800-27 by grouping principles into categories to facilitate understanding and use. NIST requests comments on the draft revision by March 20, 2004. Comment period is NOW closed.
  • January 16, 2004 -- NIST is pleased to announce the completion of NIST Special Publication (SP) 800-61, Computer Security Incident Handling Guide. The Federal Information Security Management Act of 2002 directed NIST to produce this publication. This publication seeks to help both established and newly formed incident response teams respond effectively and efficiently to a variety of incidents. More specifically, this publication discusses the following items: 1) organizing a computer security incident response capability, 2) establishing incident response policies and procedures, 3) structuring an incident response team, and 4) handling incidents from initial preparation through the post-incident lessons learned phase. Additionally, it discusses these steps (prevention, preparation, containment, eradication, and recovery) for handling a range of incidents, such as denial of service, malicious code, unauthorized access, inappropriate usage, and multiple component incidents, and potential scenarios to examine in preparation for major incidents. SP 800-61 supersedes SP 800-3, Establishing a Computer Security Incident Response Capability (CSIRC). To view or to download this publication please visit our Special Publications page.

Last updated: March 7, 2007
Page created: January 2, 2004