
2006 News and Announcements

December:

  • December 29, 2006: NIST announces the release of the security control baseline annexes for Special Publication 800-53, Revision 1, Recommended Security Controls for Federal Information Systems. Annex 1 contains the baseline security controls and assurance requirements for low-impact information systems; Annex 2 contains the baseline security controls and assurance requirements for moderate-impact information systems; and Annex 3 contains the baseline security controls and assurance requirements for high-impact information systems.
  • December 21, 2006: NIST announces the release of Special Publication 800-53, Revision 1, Recommended Security Controls for Federal Information Systems. This publication provides the first major update for the security controls selection and specification guidance since February 2005. Important changes to the Media Protection, Certification, Accreditation, and Security Assessments, and Identification and Authentication families are included in the update as well as new guidance on updating security controls and the use of external information systems.
  • December 6, 2006: NIST announces the release of Special Publication 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications. This Recommendation specifies methods for obtaining the assurances necessary for valid digital signatures: assurance of domain parameter validity, assurance of public key validity, assurance that the key pair owner actually possesses the private key, and assurance of the identity of the key pair owner.
  • December 5, 2006: On January 10, 2007, a NIST Information Security Seminar Series session will be held at the Department of Commerce, Herbert C. Hoover Building Auditorium. An announcement flyer is available.

November:

  • November 7, 2006: NIST is proud to announce the release of Special Publication 800-100, Information Security Handbook: A Guide for Managers. This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.
     
    The purpose of this publication is to inform members of the information security management team [agency heads, chief information officers (CIO), senior agency information security officers (SAISO), and security managers] about various aspects of information security that they will be expected to implement and oversee in their respective organizations. This handbook summarizes and augments a number of existing National Institute of Standards and Technology (NIST) standard and guidance documents and provides additional information on related topics.

October:

  • October 20, 2006: An attack has been found on some implementations of RSA digital signatures using the padding scheme for RSASSA-PKCS1-v1_5 as specified in Public Key Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography Standard-2002. A statement discussing the attack is available. A similar attack could also be applied to implementations of RSA digital signatures as specified in American National Standard (ANS) X9.31. Note that this attack is not on the RSA algorithm itself, but on improper implementations of the signature verification process.
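    The announcement's point is that the weakness lies in verification code that parses the decoded signature block rather than in RSA itself. The Python below is an added illustration, not code from the CSRC page or from any NIST publication: it places a verifier that re-encodes the expected block and compares all of it, the procedure PKCS #1 v2.1 section 8.2.2 describes, beside a parsing verifier of the improper kind that stops checking once it has found the hash. The RSA key is a constructed toy key built from two Mersenne primes, the SHA-256 DigestInfo prefix is the one PKCS #1 v2.1 lists, and the malformed block is produced with that same private key purely as a negative test vector for the verifiers; function names are my own.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-256 (PKCS #1 v2.1, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy RSA key for the demonstration only: p = 2^521 - 1 and
# q = 2^607 - 1 are both Mersenne primes, which spares us a prime generator.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse; requires Python 3.8+
K = (N.bit_length() + 7) // 8           # modulus length in octets (141 here)


def emsa_pkcs1_v15_encode(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 || 0x01 || PS || 0x00 || T, where PS is at least eight
    0xFF octets and T = DigestInfo || hash. PS fills the block exactly, so T ends
    at the block's last octet."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(message: bytes) -> bytes:
    """RSASSA-PKCS1-v1_5 signing with the toy private key."""
    em = emsa_pkcs1_v15_encode(message, K)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def verify_strict(message: bytes, signature: bytes) -> bool:
    """Verification as PKCS #1 v2.1 section 8.2.2 describes it: re-encode the
    expected block and compare all K octets. Nothing is parsed, so no octet of
    the block goes unexamined."""
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, K))


def verify_lax(message: bytes, signature: bytes) -> bool:
    """The improper style the statement refers to, kept as the contrast case: the
    verifier walks the decoded block, accepts whatever padding length it finds,
    and never checks that the hash is the last thing in the block."""
    em = pow(int.from_bytes(signature, "big"), E, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i >= K or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i + 1:i + 1 + len(t)] == t   # the flaw: em[i + 1 + len(t):] is ignored


def malformed_block_signature(message: bytes) -> bytes:
    """Negative test vector produced with our own private key (no forgery
    involved): minimal padding, the correct hash, then filler octets. A
    conformant verifier must reject it, since the block is not the EMSA encoding."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    em += b"\x00" * (K - len(em))
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


if __name__ == "__main__":
    msg = b"constructed sample message"
    good = sign(msg)
    bad = malformed_block_signature(msg)
    print("strict / genuine  :", verify_strict(msg, good))   # True
    print("lax    / genuine  :", verify_lax(msg, good))      # True
    print("strict / malformed:", verify_strict(msg, bad))    # False
    print("lax    / malformed:", verify_lax(msg, bad))       # True, the defect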
  • October 6, 2006: NIST is pleased to announce the release of Draft of the Special Publication 800-103 (SP 800-103), An Ontology of Identity Credentials, Part 1: Background and Formulation. The SP 800-103 is available for a six week public comment period. This document provides the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide an Extensible Markup Language (XML) schemas, as a framework for retention and exchange of identity credential information. Please send your comments to id_comments@nist.gov with "Comments on SP800-103" in the subject line. The comment period closes at 5:00 EST on Wednesday, November 15th, 2006.

September:

  • September 29, 2006: NIST announces the release of the following draft and final publications:

         1. Draft SP 800-54, Border Gateway Protocol Security
         2. Draft SP 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
         3. Draft SP 800-98, Guidance for Securing Radio Frequency Identification (RFID) Systems

    These 3 draft SPs, summaries, and dates for public comments can be found at CSRC Draft Publications page (or click document title link from above).


    The 4 final publications are:

         1. SP 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
         2. SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
         3. SP 800-92, Guide to Computer Security Log Management
         4. NISTIR 7316, Assessment of Access Control Systems

    SP 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist, provides advice primarily to experienced Windows XP administrators on securing Windows XP Home Edition computers for home users, such as telecommuting Federal employees. The publication explains the need to use a combination of security protections, such as antivirus software, antispyware software, a personal firewall, limited user accounts, and automatic software updates, to secure a computer against threats and maintain its security. It also emphasizes the importance of performing regular backups to ensure that user data is available after an adverse event. The publication contains step-by-step directions that can be performed by experienced administrators, and also a short set of instructions that end users can follow to implement the most essential security protections.

    SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, provides guidance on maintaining information technology (IT) plans, such as contingency and computer security incident response plans, in a state of readiness so that organizations can effectively respond to and manage adverse situations involving IT. Maintaining these plans includes training IT personnel to fulfill their roles and responsibilities, having plans exercised to validate policies and procedures, and having systems tested to ensure their operability. SP 800-84 assists organizations in designing, developing, conducting, and evaluating test, training, and exercise events so that they can maximize their ability to prepare for, respond to, manage, and recover from disasters that may affect their missions.

    SP 800-92, Guide to Computer Security Log Management, provides detailed information on developing, implementing, and maintaining effective log management practices throughout an enterprise. It includes guidance on establishing a centralized log management infrastructure, which includes hardware, software, networks, and media. It also discusses the log management processes that should be put in place at an organization-wide level, including the definition of roles and responsibilities and the creation of feasible logging policies. Guidance is also provided on log management at the individual system level, such as configuring log generating sources, supporting logging operations, performing log data analysis, and managing long-term data storage.

    NISTIR 7316, Assessment of Access Control Systems, provides organizations with background information on access control policies, models, and mechanisms to assist them in securing their computer applications. NISTIR 7316 introduces access control terminology and provides an overview of major access control policies and mechanisms. It then discusses the capabilities, limitations, and qualities of the mechanisms that are embedded for each policy. It also provides information on the broader applications of access control mechanisms for distributed systems, and it proposes possible measurements for the quality of a mechanism.
  • September 14, 2006: NIST Draft Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification, is now available for a three week public comment period. This document is a revision for the earlier version of February 1, 2006. The changes include incorporation of the published errata document, clarification on performance testing and certification procedures, and caution regarding fingerprint minutiae generation. Additional typographical fixes and aesthetic changes have been incorporated in this document. To learn more about this Draft Publication, please visit the CSRC Drafts Publications page.
  • September 11, 2006: NIST is pleased to announce the release of NIST Special Publication 800-96, PIV Card to Reader Interoperability Guidelines. This document provides requirements for PIV card readers in the area of performance and communications characteristics to foster interoperability. Requirements for the contact and contactless card readers for both physical and logical access control systems are provided in this document. The requirements are for the PIV readers designed to read end-point cards.
  • September 6, 2006: The Biometric Consortium Conference (BC2006) will be held September 19-21, 2006 at the Baltimore Convention Center (Baltimore, Maryland). BC2006 will address the important role that biometrics can play in the identification and verification of individuals in this age of heightened security and privacy by examining biometric-based solutions for homeland security (airport security, travel documents, visas, border control, prevention of ID theft) as well as the utilization of biometrics in other applications such as point of sale and large-scale enterprise network environments. BC2006 will provide a forum to address biometric research, recent technology advancements, government initiatives, adoption of biometric standards and biometrics and security.

August:

  • August 31, 2006: NIST announces that the following draft Special Publications (SP) are now available for public comment: 1) SP 800-45A, Guidelines on Electronic Mail Security, 2) SP 800-94, Guide to Intrusion Detection and Prevention (IDP) Systems, 3) SP 800-95, Guide to Secure Web Services, and 4) SP 800-101, Guidelines on Cell Phone Forensics. These draft publications and requested dates for comments can be found on the CSRC Draft Publications page.
     
    Additionally, NIST announces the final publication of NIST SP 800-88, Guidelines for Media Sanitization. It provides information on techniques to remove data from a wide variety of media types and a decision matrix to determine which technique is best. It also recommends that organizations first determine the confidentiality of the information and then decide how to dispose of the media. SP 800-88 describes the three most common methods of sanitizing media: 1) clearing using software or hardware products to overwrite storage space on the media with nonsensitive data; 2) purging magnetic media through degaussing, which is exposure to a strong magnetic field to disrupt the magnetically encoded information; and 3) destroying the media through a variety of methods ranging from shredding to melting and incineration. The publication recommends techniques for sanitizing a wide range of commonly used media using all three methods.
     
    NIST is also pleased to announce the final release of SP 800-86, Guide to Integrating Forensic Techniques into Incident Response. The publication is intended to help organizations in handling computer security incidents and troubleshooting some information technology (IT) operational problems by providing practical guidance on performing computer and network forensics. SP 800-86 describes the processes for performing effective forensics activities in support of incident response, and it provides advice regarding different data sources, including files, operating systems, network traffic, and applications. Several scenarios involving the use of forensic techniques are also included as the basis for tabletop exercises.
  • August 1, 2006: NIST is pleased to announce the release of draft Special Publication (SP) 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist. SP 800-69 provides guidance to home users, such as telecommuting Federal employees, on improving the security of their home computers that run Windows XP Home Edition. Home computers face many threats from people wanting to cause mischief and disruption, commit fraud, and perform identity theft. The publication explains the need to use a combination of security protections, such as antivirus software, antispyware software, a personal firewall, limited user accounts, and automatic software updates, to secure a computer against threats and maintain its security. It also emphasizes the importance of performing regular backups to ensure that user data is available after an adverse event such as an attack against the computer, a hardware failure, or human error. The publication contains detailed step-by-step directions for securing Windows XP Home Edition computers that can be performed by experienced Windows XP Home Edition users.
     
    NIST requests comments on NIST SP 800-69 by August 31, 2006. Please submit comments to itsec@nist.gov with "Comments SP800-69/XPHome" in the subject line.

July:

  • July 28, 2006: NIST is pleased to announce the release of Draft Special Publication 800-96 (SP 800-96), PIV Card / Reader Interoperability Guidelines. The SP 800-96 is available for a two week public comment period. The document provides guidelines for interaction between any card and any reader in the PIV system. It covers contact and contactless readers for logical access as well readers for physical access. The comment period closes at 5:00 EST on Friday, August 11th, 2006. Please visit the DRAFTs Publications page to learn more about this draft..
  • July 27, 2006: NIST is pleased to announce the release of NIST SP 800-85B, PIV Data Model Conformance Test Guidelines. This document provides Derived Test Requirements and Test Assertions for testing all data on the PIV Card. The requirements and assertions cover the following PIV Specifications - SP 800-73-1, SP 800-76 and SP 800-78. In addition it also provides tests for verifying the PKI certificates on the PIV card for conformance to Certificate Profiles in FICC-SSP subcommittee document. The guidelines are to be used by the developers of software modules, PIV card issuers, and entities performing conformance tests.
  • July 26, 2006: NIST is pleased to announce the release of Special Publication 800-53, Revision 1 (Second Public Draft), Recommended Security Controls for Federal Information Systems. SP 800-53, Revision 1 is available for a one-month public comment period. The comment period closes on August 25, 2006. To obtain a copy of this draft document, please visit the Draft Publications page.

June:

  • June 7, 2006: The Draft Special Publication 800-100, Information Security Handbook: A Guide for Managers is available for public comment at the Drafts Publications page. NIST requests public comments on the draft until August 07, 2006; comments may be sent to handbk-100@nist.gov. Check out the Drafts page for more details about this draft.
  • June 5, 2006: NIST is pleased to announce the release of draft Special Publication (SP) 800-97, Guide to IEEE 802.11i: Robust Security Networks. SP 800-97 provides detailed information on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard for wireless local area network (WLAN) security. IEEE 802.11i provides security enhancements over the previous 802.11 security method, Wired Equivalent Privacy (WEP), which has several well-documented security deficiencies. IEEE 802.11i introduces a range of new security features that are designed to overcome the shortcomings of WEP. This document explains these security features and provides specific recommendations to ensure the security of the WLAN operating environment. It gives extensive guidance on protecting the confidentiality and integrity of WLAN communications, authenticating users and devices using several methods, and incorporating WLAN security considerations into each phase of the WLAN life cycle. The document complements, and does not replace, NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices.
     
    NIST requests comments on NIST SP 800-97 by July 7, 2006. Please submit comments to 800-97comments@nist.gov with "Comments SP800-97/802.11i" in the subject line.

May:

  • May 25, 2006: NIST Special Publication 800-85B, PIV Data Model Conformance Test Guidelines, is now available for a four week public comment period. This document provides Derived Test Requirements and Test Assertions for testing all data on the PIV Card. The requirements and assertions cover the following PIV Specifications - SP 800-73-1, SP 800-76 and SP 800-78. In addition it also provides tests for verifying the PKI certificates on the PIV card for conformance to Certificate Profiles in FICC-SSP subcommittee document. The guidelines are to be used by the developers of software modules and entities issuing PIV cards. Please submit comments using the comment template form provided on the website. Comments should be submitted to PIV_Comments@nist.gov with "Comments on Public Draft SP 800-85B" in the subject line. The comment period closes at 5:00 EST on June 22, 2006. Go to the Drafts page for more details..
  • May 23, 2006: NIST is pleased to announce the release of Preliminary Draft of the Special Publication 800-96 (SP 800-96), PIV Card / Reader Interoperability Guidelines. The SP 800-96 is available for a three week public comment period. The document provides guidelines for interaction between any card and any reader in the PIV system. It covers contact and contactless readers for logical access as well readers for physical access. The comment period closes at 5:00 EST on Tuesday, June 13th, 2006. Go to the Drafts page for more details..
  • May 16, 2006: NIST is pleased to announce the release of NIST Special Publication 800-81, Secure Domain Name System (DNS) Deployment Guide. This publication seeks to assist organizations in the secure deployment of Domain Name System (DNS) services in an enterprise. It discusses the threats, security objectives, and relevant security approaches. Finally, it makes specific recommendation on securely configuring DNS and associated mechanisms. The publication can be obtained at the Special Publications page.

April:

  • April 21, 2006: The second public draft of NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems is now available for public comment at the draft publications page. The document provides a comprehensive listing of methods and procedures to assess the effectiveness of security controls in federal information systems. Assessment procedures have been developed for each security control and control enhancement in NIST Special Publication 800-53 with the rigor and intensity of assessments aligned with the impact levels in FIPS 199. NIST requests public comments on the draft until July 31, 2006. Comments may be sent to sec-cert@nist.gov.
  • April 20, 2006: The draft Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication is available for public comment at the Draft Publications page. The document specifies the Galois/Counter Mode (GCM), an authenticated encryption mode of the Advanced Encryption Standard (AES) algorithm. GCM provides assurance of confidentiality of data using a variation of the Counter mode of operation for encryption. GCM provides assurance of authenticity of the confidential data using a universal hash function that is defined over a binary Galois (i.e., finite) field. GCM can also provide authentication assurance for additional data that is not encrypted.
     
    NIST requests public comments on the draft until June 5, 2006; comments may be sent to EncryptionModes@nist.gov.
  • April 18, 2006: NIST is pleased to announce a new draft document, SP 800-92, Guide to Computer Security Log Management. Many logs within an organization may contain records related to computer security events. Organizations are facing larger quantities, volumes, and varieties of computer security logs, and also need to address requirements to analyze and retain certain logs to comply with Federal legislation and regulations, including FISMA, HIPAA, the Sarbanes-Oxley Act of 2002, and the Gramm-Leach-Bliley Act. As a result, many organizations have a greater need for computer security log management--the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management assists in ensuring that computer security records are stored in sufficient detail for an appropriate period of time.
     
    This document provides detailed information on developing, implementing, and maintaining effective log management practices throughout an enterprise. It includes guidance on establishing a centralized log management infrastructure, which includes hardware, software, networks, and media. It also discusses the log management processes that should be put in place at an organization-wide level, including the definition of roles and responsibilities, the creation of feasible logging policies, and the division of responsibilities between system-level and organization-level administrators. Guidance is also provided on log management at the individual system level, such as configuring log generating sources, supporting logging operations, performing log data analysis, and managing long-term data storage.
     
    NIST requests comments on NIST SP 800-92 by May 18 2006. Please submit comments to 800-92comments@nist.gov with "Comments SP800-92/Log Management" in the subject line.
  • April 5, 2006: NIST is holding the Second Cryptographic Hash Workshop on August 24- 25, 2006 in UCSB, Santa Barbara. Details of the workshop can be found on http://www.nist.gov/hash-function Call for Papers Submission Deadline: May 12, 2006
  • April 5, 2006: NIST is pleased to announce the release of NIST Special Publication 800-85A, PIV Card Application and Middleware Interface Test Guidelines (SP800-73 Compliance). This document provides Derived Test Requirements (DTR) and Test Assertions (TA) for testing the PIV Card Application and PIV Middleware interfaces for conformance to specifications in SP 800-73 (Interfaces for Personal Identity Verification). The Guidelines are to be used by the developers of software modules and testing laboratories. SP 800-85A is the first of the two documents (the other one is SP 800-85B to be released shortly) that will replace SP 800-85 released in October 2005.

March:

  • March 24, 2006: NIST is pleased to announce the release of NIST Special Publication 800-73-1, Interfaces for Personal Identity Verification, 2006 Edition. Special Publication 800-73-1 specifies a PIV data model, communication interface, and application programming interface. This revision includes changes to the access control requirements for reading PIV public key certificates, storage of the biometric fingerprints in one container, incorporation of the Errata to date, and accomodation of public comments.
  • March 16, 2006: The National Institute of Standards and Technology (NIST) is holding a workshop to discuss Phase II of the FISMA Implementation Project and proposed requirements for credentialing organizations to conduct information security assessments of federal information systems, including those information systems operated by contractors on behalf of the federal government.
  • March 15, 2006: NIST has posted a statement on the continued use of the hash functions specified in FIPS 180-2.
  • March 14, 2006: The National Institute of Standards and Technology (NIST) is pleased to announce the approval of a revision to Federal Information Processing Standard (FIPS) Publication 201, Standard for Personal Identity Verification of Federal Employees and Contractors. The revision makes changes to Section 2.2, PIV Identify Proofing and Registration Requirements, Section 4.3, Cryptographic Specifications, Section 5.2, PIV Identity Proofing and Registration Requirements, Section 5.3.1, PIV Card Issuance, Section 5.4.2.1 X.509 Certificate Content, and to Appendix D, PIV Object Identifiers and Certificate Extension. The revision also clarifies the identity proofing and registration process that departments and agencies must follow when issuing identity credentials. The changes are needed to make FIPS 201-1 consistent with the Memorandum for All Departments and Agencies (M-05-24), issued by the Office of Management and Budget on August 5, 2005, Implementation of Homeland Security Presidential Directive (HSPD) 12 ­ Policy for a Common Identification Standard for Federal Employees and Contractors.
  • March 14, 2006: Federal Information Processing Standard (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is now available. FIPS 200 is the second of two mandatory security standards required by the Federal Information Security Management Act (FISMA). FISMA requires all federal agencies to develop, document and implement agency-wide information security programs and to provide security for the information and information systems that support the operations and assets of the agency. FIPS 200 specifies minimum security requirements for federal information and information systems that are not national security systems and a risk-based process for selecting security controls from NIST Special Publication 800-53 necessary to satisfy these requirements.
  • March 13, 2006: NIST Special Publication (SP) 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, is now available . This document specifies key establishment schemes based on standards developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.42 (Agreement of Symmetric Keys Using Discrete Logarithm Cryptography) and ANS X9.63 (Key Agreement and Key Transport Using Elliptic Curve Cryptography).

February:

  • February 28, 2006: Draft Special Publication 800-53, Revision 1, Recommended Security Controls for Federal Information Systems is now available for a one-month public comment period. The minimum security controls in SP 800-53 will be become mandatory for federal agencies and their support contractors upon final approval and publication of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. The comment period for SP 800-53, Revision 1 closes on Friday, March 31, 2006.
  • February 13, 2006: Draft Special Publication 800-73-1 Interfaces for Personal Identity Verification
    NIST has received several comments that it is difficult to track the proposed changes to Special Publication 800-73. We have therefore replaced the original posting with a concise list of the proposed changes. These changes reference the current version of Special Publication 800-73. Pending public comment, NIST plans to make these changes and post an updated version 800-73-1.
  • February 8, 2006: NIST Special Publication 800-73-1, Interfaces for Personal Identity Verification, is now available for a three week public comment period. This document provides necessary changes to SP 800-73 for synchronization with biometric data requirements in SP 800-76 and to enhance the utility of the PIV card for logical access. Please submit comments using the comment template form (Excel spreadsheet - .xls) provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-73-1" in the subject line. The comment period closes at 5:00 EST on Tuesday, February 28th, 2006.
  • February 1, 2006: NIST is pleased to announce the release of NIST Special Publication 800-76, Biometric Data Specification for Personal Identity Verification. Special Publication 800-76 specifies technical acquisition and formatting requirements for the biometric credentials of Federal Information Processing Standard 201 (FIPS 201) conformant Personal Identity Verification (PIV) systems, including the PIV Card itself. Special Publication 800-76 enumerates required procedures and formats for fingerprints, fingerprint templates and facial images by appropriate instantiation of values and practices generically laid out in published biometric standards.

January:

  • January 18, 2006: NIST is pleased to announce the release of NIST Interagency Report 7284, Personal Identity Verification Card Management Report, which provides an overview of card management systems, identifies generic card management requirements, and considers some technical approaches to filling the existing gaps in PIV card management. The purpose of the report is to offer higher level of consistency and testability for PIV card issuance processes, enhance ability to outsource various card management components and functions, and improve overall security for the Federal PIV framework.


 

Last updated: March 7, 2007
Page created: February 7, 2006