NIST is Proud to Announce the Release of Two Special Publications (SPs): SP 800-119 and SP 800-135
December 28, 2010
1. Special Publication 800-119, Guidelines for the Secure Deployment of IPv6
This document is intended to help with the deployment of the next generation Internet Protocol, IPv6. It describes and analyzes IPv6's new and expanded protocols, services, and capabilities, including addressing, DNS, routing, mobility, quality of service, multihoming, and IPsec. For each component, there is a detailed analysis of the differences between IPv4 and IPv6, the security ramifications and any unknown aspects. It characterizes new security threats posed by the transition to IPv6 and provides guidelines on IPv6 deployment, including transition, integration, configuration, and testing. It also addresses more recent significant changes in the approach to IPv6 transition.
2. Special Publication 800-135, Recommendation for Application-Specific Key Derivation Functions
Special Publication 800-135, Recommendation for Application-Specific Key Derivation Functions, specifies security requirements for existing application-specific key derivation functions in: IKEv1 and IKEv2, SSH, TLS, SRTP, the User-based Security Model for version 3 of SNMP, the Trusted Platform Module (TPM), American National Standard (ANS) X9.42 (Agreement of Symmetric Keys Using Discrete Logarithm Cryptography) and ANS X9.63 (Key Agreement and Key Transport Using Elliptic Curve Cryptography).
NOTE: Special Publication 800-135 has been updated with SP 800-135 Revision 1 which was released Dec. 2011.
NIST IR-7502, The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities
December 22, 2010
This report (NIST Interagency Report 7502) describes a specification for the Common Configuration Scoring System (CCSS), a set of standardized measures for the severity of software security configuration vulnerabilities. NISTIR 7502 also provides examples of how CCSS measures and scores can be determined. Once CCSS measures for products are available, organizations can use CCSS to help them make security decisions based on standardized, quantitative vulnerability data.
Draft Special Publication 800-70 Revision 2 is now available
December 22, 2010
Draft Special Publication 800-70 Revision 2, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers, has been released for public comment. It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 2 updates the previous version of the document, which was released in 2009, primarily by adding additional SCAP-oriented guidance and content related to the United States Government Configuration Baseline (USGCB).
The comment period for draft SP 800-70 Revision 2 closed on January 31, 2011.
This draft document (SP 800-70 Rev. 2) has been approved as final - February 2011.
NIST Released Special Publication 800-132, Recommendation for Password-Based Key Derivation Part 1: Storage Applications
December 16, 2010
NIST is pleased to announce the release of Special Publication 800-132, Recommendation for Password-Based Key Derivation Part 1: Storage Applications. This Recommendation specifies techniques for the derivation of master keys from passwords or passphrases to protect stored electronic data or data protection keys.
NIST Interagency Report (NISTIR) 7601, Framework for Emergency Response Officials (ERO) Authentication and Authorization Infrastructure, is now available
December 16, 2010
NIST is pleased to announce the release of NIST Interagency Report (NISTIR) 7601, Framework for Emergency Response Officials (ERO) Authentication and Authorization Infrastructure. This document identifies the building blocks of an architecture that facilitates the functions of authentication and authorization of EROs using a combination of credentials in trusted tokens and trusted back-end data repositories. Specifically it identifies the different types of ERO communities, the various types of credentials (Identity, Capability and Deployment Authorization) and the component service classes such as: Credentialing Service Class, Credential Verification Service Class and the Trust Federation Service Class.
NIST Released Initial Public Draft Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
December 16, 2010
NIST announces the publication of Draft Special Publication 800-137 (initial public draft), Information Security Continuous Monitoring for Federal Information Systems and Organizations. The purpose of this guideline is to assist organizations in the development of a continuous monitoring strategy and the implementation of a continuous monitoring program providing visibility into organizational assets, awareness of threats and vulnerabilities, and visibility into the effectiveness of deployed security controls. It provides ongoing assurance that planned and implemented security controls are aligned with organizational risk tolerance as well as the information needed to respond to risk in a timely manner should observations indicate that the security controls are inadequate.
The comment period for Special Publication 800-137 closed on March 15, 2011.
NOTE: This draft (SP 800-137) was approved as final - Sept. 2011.
NIST announces the publication of Draft Special Publication 800-39 (Final Public Draft), Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View
December 14, 2010
NOTE: This draft (SP 800-39) has been approved final - March 2011.
This document is the fourth in the series of risk management and information security guidelines being developed by the Joint Task Force Transformation Initiative, a joint partnership among the Department of Defense, the Intelligence Community, NIST, and the Committee on National Security Systems. The partnership, under the leadership of the Secretary of Defense, the Director of National Intelligence, and the Secretary of Commerce continues to collaborate on the development of a unified information security framework for the federal government to address the challenges of protecting federal information and information systems as well as the Nation’s critical information infrastructure.
The final public draft of SP 800-39 introduces a three-tiered risk management approach that allows organizations to focus, initially, on establishing an enterprise-wide risk management strategy as part of a mature governance structure involving senior leaders/executives and a robust risk executive (function). The risk management strategy addresses some of the fundamental issues that organizations face in how risk is assessed, responded to, and monitored over time in the context of critical missions and business functions. The strategic focus of the risk management strategy allows organizations to influence the design of key mission and business processes, making these processes risk aware. Risk-aware mission/business processes drive enterprise architecture decisions and facilitate the development and implementation of effective information security architectures that provide roadmaps for allocating safeguards and countermeasures to information systems and the environments in which those systems operate.
The multitiered risk management approach (moving from organization to missions to systems) ensures that strategic considerations (including top-level organizational goals and objectives), drive investment and operational decisions with regard to managing risk to organizational operations and assets, individuals, other organizations, and the Nation. This type of risk-based decision making is especially important with respect to how organizations address advanced persistent threats which have the potential through sophisticated cyber attacks, to degrade or debilitate federal information systems supporting the critical applications and operations of the federal government.
The risk management approach described in this publication is supported by a series of security standards and guidelines necessary for managing information security risk. In particular, the Special Publications developed by the Joint Task Force Transformation Initiative supporting the unified information security framework for the federal government include:
SP 800-39 supersedes the original SP 800-30 as the source for guidance on risk management. SP 800-30 is being revised to provide guidance on risk assessment as a supporting document to SP 800-39 and is projected for final publication in 2011.
The final comment period for SP 800-39 closed on January 25, 2011. Please send questions to sec-cert@nist.gov.
NIST Announces Five SHA-3 Finalists
December 13, 2010
NIST has selected five SHA-3 candidate algorithms to advance to the third (and final) round of the competition: BLAKE, Grøstl, JH, Keccak, and Skein.
NIST is Proud to Announce the Release of 3 Draft Documents (1 Special Publication & 2 NIST IRs) - See Details Below
December 6, 2010
(1) NIST announces the public comment release of Draft Special Publication (SP) 800-51 Revision 1, Guide to Using Vulnerability Naming Schemes. This publication provides recommendations for using two vulnerability naming schemes: Common Vulnerabilities and Exposures (CVE) and Common Configuration Enumeration (CCE). Draft SP 800-51 Revision 1 gives an introduction to both naming schemes and makes recommendations for end-user organizations on using their names. The publication also presents recommendations for software and service vendors on how they should use vulnerability names and naming schemes in their product and service offerings. Draft SP 800-51 Revision 1 is intended to replace the original SP 800-51, which was released in 2002.
NIST requests comments on draft SP 800-51 Revision 1 by January 3rd, 2011. Please submit all comments to 800-51comments@nist.gov.
(2) NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7693, Specification for Asset Identification 1.1. Asset identification plays an important role in an organization's ability to quickly correlate different sets of information about assets. Draft NISTIR 7693 provides the necessary constructs to uniquely identify assets based on known identifiers and/or known information about the asset. The Asset Identification specification includes a data model, methods for identifying assets, and guidelines on how to use asset identification.
NIST requests comments on draft NISTIR 7693 by January 3rd, 2011. Please submit all comments to asset-reporting-comments@nist.gov.
(3) NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7694, Specification for the Asset Reporting Format 1.1. Draft NISTIR 7694 proposes the Asset Reporting Format (ARF), a data model for expressing the transport format of information about assets and the relationships between assets and reports. The intent of ARF is to provide a uniform foundation for the expression of reporting results. ARF is vendor and technology neutral, flexible, and suited for a wide variety of reporting applications. Draft NISTIR 7694 builds upon the asset identification concepts in draft NISTIR 7693, Specification for Asset Identification 1.1.
NIST requests comments on draft NISTIR 7694 by January 3rd, 2011. Please submit all comments to asset-reporting-comments@nist.gov.
Draft Special Publication 800-78-3, Cryptographic Algorithms and Key Sizes for Personal Identity Verification is now available
November 19, 2010
NIST announces that Draft Special Publication 800-78-3, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for public comment. The document has been modified 1) to align the set of acceptable RSA public key exponents with FIPS 186-3 and 2) to permit the use of SHA-1 after 12/31/2010 when signing revocation information, under limited circumstances. In particular, the following changes are introduced in draft SP 800-78-3:
Comment period for draft SP 800-78-3 closed on December 3, 2010.
NOTE: This draft (SP 800-78-3) has been approved as final - Dec. 2010.
NIST Released Special Publication 800-142, Practical Combinatorial Testing
October 28, 2010
Software bugs are one of the most significant contributors to information system security vulnerabilities. Combinatorial testing is a method that can reduce cost and increase the effectiveness of software testing for many applications. NIST Special Publication 800-142, "Practical Combinatorial Testing", provides a self-contained tutorial on using combinatorial testing for real-world software. It introduces the key concepts and methods, explains use of software tools for generating combinatorial tests (freely available on the NIST web site csrc.nist.rip/acts), and discusses advanced topics.
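As an added illustration of the method SP 800-142 describes (example code written for this page, not the NIST ACTS tool and not taken from the publication): a greedy pairwise (2-way) covering-array generator over a constructed configuration space for a hypothetical TLS client, together with an independent checker that confirms every pair of parameter values appears in at least one generated test. The parameter names and values are invented for the example.

```python
import itertools
import random

# Constructed example parameter space (not from SP 800-142): four knobs of a
# hypothetical TLS client. Exhaustive testing needs 3 * 2 * 2 * 3 = 36 cases;
# 2-way coverage needs far fewer, with a hard lower bound of 9 (3 x 3).
PARAMS = {
    "protocol": ["TLS1.0", "TLS1.1", "TLS1.2"],
    "key_exchange": ["RSA", "ECDHE"],
    "server_cert": ["RSA-2048", "ECDSA-P256"],
    "client_os": ["windows", "macos", "linux"],
}


def all_pairs(domains):
    """Every (param_a, value_a, param_b, value_b) that a 2-way covering
    array must hit at least once."""
    pairs = set()
    for a, b in itertools.combinations(range(len(domains)), 2):
        for va in domains[a]:
            for vb in domains[b]:
                pairs.add((a, va, b, vb))
    return pairs


def pairs_of(test):
    """The pairs a single test case (a tuple of values, one per parameter) covers."""
    return {(a, test[a], b, test[b])
            for a, b in itertools.combinations(range(len(test)), 2)}


def greedy_pairwise(params, candidates=64, seed=1):
    """AETG-style greedy construction: repeatedly sample random candidate
    tests and keep the one that covers the most still-uncovered pairs.
    Deterministic for a given seed. Returns (parameter names, tests)."""
    rng = random.Random(seed)
    names = list(params)
    domains = [params[n] for n in names]
    uncovered = all_pairs(domains)
    tests = []
    while uncovered:
        best, best_gain = None, -1
        for _ in range(candidates):
            cand = tuple(rng.choice(d) for d in domains)
            gain = len(pairs_of(cand) & uncovered)
            if gain > best_gain:
                best, best_gain = cand, gain
        if best_gain == 0:
            # Sampling missed every remaining pair: force one in so the
            # loop always makes progress.
            a, va, b, vb = next(iter(uncovered))
            cand = list(best)
            cand[a], cand[b] = va, vb
            best = tuple(cand)
        tests.append(best)
        uncovered -= pairs_of(best)
    return names, tests


def covers_all_pairs(params, tests):
    """Independent check that a suite is a valid 2-way covering array."""
    domains = [params[n] for n in params]
    covered = set()
    for t in tests:
        covered |= pairs_of(t)
    return all_pairs(domains) <= covered


def exhaustive_count(params):
    n = 1
    for d in params.values():
        n *= len(d)
    return n


if __name__ == "__main__":
    names, tests = greedy_pairwise(PARAMS)
    print(f"{len(tests)} pairwise tests instead of {exhaustive_count(PARAMS)} exhaustive cases")
    for t in tests:
        print(dict(zip(names, t)))
```

The greedy heuristic does not produce a minimal array (tools such as ACTS do considerably better on larger spaces and support t-way coverage for t > 2), but the checker is the part worth keeping: any generated suite, whatever produced it, should be verified against the full pair set before it is trusted.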
NIST Announces the Release of DRAFT NISTIR 7692, Specification for the Open Checklist Interactive Language (OCIL)
October 22, 2010
NIST announces the public comment release of draft Interagency Report (IR) 7692, Specification for the Open Checklist Interactive Language (OCIL) Version 2.0. OCIL, which is one of the components being developed in support of the Security Content Automation Protocol (SCAP), provides a standardized, automated basis for expressing questionnaires and related information, such as answers to questions and final questionnaire results. OCIL can be used to collect information that requires interacting with people, such as asking them about training they have participated in, and also to harvest information stored during an organization's previous data collection efforts, such as audits. Draft NIST IR 7692 defines OCIL version 2.0 and explains the requirements that products and questionnaires must meet to comply with the OCIL specification.
NIST requests comments on draft IR 7692 by November 19, 2010. Please submit all comments to ocil-comments@nist.gov.
NIST Released 2 Publications: (1) NIST Interagency Report (NISTIR) 7497, Security Architecture Design Process for Health Information Exchanges (HIEs) and (2) Addendum to NIST Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode
October 21, 2010
Publication #1: NIST Interagency Report (NISTIR) 7497, Security Architecture Design Process for Health Information Exchanges (HIEs) is now available. The purpose of this publication is to provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that demonstrates how these practices can be applied to the development of HIEs. This publication assists organizations in ensuring that data protection is adequately addressed throughout the system development life cycle, and that these data protection mechanisms are applied when the organization develops technologies that enable the exchange of health information.
Publication #2: NIST is pleased to announce the publication of the Addendum to NIST SP 800-38A, Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode. The addendum specifies three variants of Cipher Block Chaining (CBC) mode that accept any plaintext input whose length is greater than or equal to the block size, whether or not the length is a multiple of the block size. These variants are essentially padding methods for CBC mode that do not expand the length of the plaintext: when padding bits are needed, they are “stolen” from the penultimate ciphertext block. The variants differ only in the ordering of the final two ciphertext segments; the third variant supports the specification in Kerberos 5.
NIST is proud to announce the release of DRAFT Special Publication 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion
September 23, 2010
Draft Special Publication 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion, specifies techniques for the derivation of keying material from a shared secret established during a key establishment scheme defined in NIST Special Publications 800-56A and 800-56B through an extraction-then-expansion procedure. NIST is in the process of modifying SP 800-56A and SP 800-56B to approve the extraction-then-expansion KDFs specified in this draft Recommendation (800-56C).
The comment period closed on October 30, 2010.
NOTE: This draft (SP 800-56C) has been approved as final - November 2011.
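As an added example of the two-step procedure described above (written for this page; it is not code from SP 800-56C and has not been checked against NIST test vectors): the extraction step is a single HMAC-SHA-256 over the shared secret keyed with the salt, and the expansion step is the SP 800-108 KDF in counter mode with HMAC-SHA-256 as the PRF. The 32-bit counter and length encodings are choices this example makes (SP 800-108 leaves the counter width to the application), and all inputs in self_check() are constructed values.

```python
import hashlib
import hmac
import struct

H_LEN = 32  # SHA-256 output length in bytes


def extract(salt: bytes, shared_secret: bytes) -> bytes:
    """Randomness extraction: K_DK = HMAC-SHA-256(salt, Z).
    The salt is the HMAC key; Z is the raw shared secret from an
    SP 800-56A/B key-agreement scheme and must be used nowhere else."""
    if not salt:
        # Assumption of this example: a salt is always supplied. The
        # default-salt rule of the Recommendation is not modelled here.
        raise ValueError("supply a salt (public, fixed or negotiated)")
    return hmac.new(salt, shared_secret, hashlib.sha256).digest()


def expand(k_dk: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Key expansion: SP 800-108 KDF in counter mode, HMAC-SHA-256 PRF.
        K(i) = HMAC(K_DK, [i]_2 || Label || 0x00 || Context || [L]_2),  i = 1..n
    [i]_2 and [L]_2 are 32-bit big-endian in this example; L is the total
    output length in bits, so the output for one length is not a prefix
    of the output for a longer one."""
    n = -(-length // H_LEN)
    if n < 1 or n > 0xFFFFFFFF:
        raise ValueError("bad output length")
    out = b""
    for i in range(1, n + 1):
        data = (struct.pack(">I", i) + label + b"\x00" + context
                + struct.pack(">I", length * 8))
        out += hmac.new(k_dk, data, hashlib.sha256).digest()
    return out[:length]


def derive_keying_material(shared_secret: bytes, salt: bytes, label: bytes,
                           context: bytes, length: int) -> bytes:
    """Extraction-then-expansion in one call. Never feed Z to expand() directly:
    the whole point of the extraction step is that Z is not uniformly random."""
    return expand(extract(salt, shared_secret), label, context, length)


def self_check() -> bool:
    """Constructed inputs (not a NIST test vector): confirms extraction is one
    HMAC call and that the first expansion block follows the counter-mode formula."""
    z = bytes(range(32))
    salt = b"constructed-example-salt"
    k_dk = extract(salt, z)
    if k_dk != hmac.new(salt, z, hashlib.sha256).digest():
        return False
    label, ctx = b"constructed-label", b"constructed-context"
    first = hmac.new(k_dk, b"\x00\x00\x00\x01" + label + b"\x00" + ctx
                     + struct.pack(">I", 48 * 8), hashlib.sha256).digest()
    return expand(k_dk, label, ctx, 48)[:32] == first
```

Label and Context are what bind the derived keys to a purpose and to the two parties' identifiers; deriving two keys for different uses from the same K_DK with the same Label and Context would give the same bytes, so those fields are not optional in practice.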
NIST is proud to announce the release of NISTIR 7628, Guidelines for Smart Grid Cyber Security
September 2, 2010
This three-volume report, NISTIR 7628, Guidelines for Smart Grid Cyber Security, presents an analytical framework that organizations can use to develop effective cyber security strategies tailored to their particular combinations of Smart Grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of Smart Grid stakeholders—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements.
NIST is proud to announce the release of DRAFT Special Publication 800-135, Recommendation for Existing Application-Specific Key Derivation Functions
August 31, 2010
Draft Special Publication 800-135, Recommendation for Application-Specific Key Derivation Functions, specifies security requirements for existing application-specific key derivation functions in: American National Standard (ANS) X9.42-2001-Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, American National Standard (ANS) X9.63-2001-Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, Internet Key Exchange, Secure Shell, Transport Layer Security, The Secure Real-time Transport Protocol, User-based Security Model for version 3 of the Simple Network Management Protocol , and Trusted Platform Module.
The comment period for this draft closed on September 30, 2010.
NIST is Proud to Announce the Release of Special Publication 800-81 Revision 1 Secure Domain Name System (DNS) Deployment Guide
August 24, 2010
NIST has released an updated version of Special Publication (SP) 800-81, “Secure Domain Name System (DNS) Deployment Guide” (SP 800-81 Revision 1). This revision addresses the comments and feedback received on the drafts and adds three new subsections, described briefly below:
(1) Guidelines on procedures for migrating to a new cryptographic algorithm for signing the zone (Section 11.5).
(2) Guidelines on procedures for migrating from NSEC to NSEC3 for providing authenticated denial of existence (Section 11.6).
(3) Deployment guidelines for split zones under different scenarios (Section 11.7).
NIST Computer Security Division Releases 3 DRAFT NIST Interagency Reports (NISTIR) - 7695, 7696, and 7697 - all 3 draft NISTIRs relate to Common Platform Enumeration (CPE) -- (see details below)
August 24, 2010
NIST announces the public comment release of three Draft NIST Interagency Reports (IR) on Common Platform Enumeration (CPE). CPE, which is one of the fundamental components of the Security Content Automation Protocol (SCAP), provides a standardized way to identify and describe software and hardware devices present in an enterprise's computing asset inventory. The three new reports propose specifications as part of CPE version 2.3. Draft NIST IR 7695 defines the CPE naming specification, including the logical structure of well-formed CPE names and the procedures for binding and unbinding these names with machine-readable encodings. Draft NIST IR 7696 provides the CPE matching specification, which defines procedures for comparing CPE names to determine whether they refer to some or all of the same products or platforms. Finally, Draft NIST IR 7697 contains the CPE dictionary specification, which defines the concept of a dictionary of identifiers and prescribes high-level rules for dictionary curators.
NIST requests comments on draft IRs 7695, 7696, and 7697 by September 15th, 2010. Please submit all comments to cpe-comments@nist.gov.
Registration is open for the 6th Annual IT Security Automation Conference
August 10, 2010
Date of Conference: September 27th - 29th, 2010
Location of Conference: Baltimore Convention Center Baltimore Inner Harbor, MD
Conference Website: http://scap.nist.gov/events/
The 6th Annual IT Security Automation Conference, hosted by the National Institute of Standards and Technology, in conjunction with the Department of Homeland Security, National Security Agency, and Defense Information Systems Agency, will focus on the breadth and depth of automation principles and technologies designed to support automation requirements across organizations in multiple sectors. This 3-day event includes tutorials, conference proceedings, workshops, and a vendor expo. Topics include using security automation in support of healthcare IT and cloud computing, using security automation tools and technologies to ease the technical burdens of policy compliance, and innovative uses of automation across the enterprise in both Federal Government and industry applications. Security automation leverages standards and specifications to reduce the complexity and time necessary to manage vulnerabilities, measure security, and ensure compliance, freeing resources to focus on other areas of the IT infrastructure.
Cybersecurity, Innovation and the Internet Economy
August 3, 2010
The Commerce Department today issued a news release describing a Notice of Inquiry and a full-day public symposium devoted to cybersecurity. View the announcement and the Federal Register Notice.
The August 4-6 ISPAB Meeting will be Webcast
August 3, 2010
In our work toward an open, transparent and collaborative environment, the National Institute of Standards and Technology will webcast the first day of the Information Security and Privacy Advisory Board (ISPAB) meeting. Please use the link below to view the webcast on the day of the meeting. We plan on expanding the methods used for a more participative environment in the future. The webcast starts at 8:30am EST on August 4.
http://csrc-nist.granicus.com/ViewPublisher.php?view_id=2
(NOTE: You will be leaving NIST's and CSRC's webspace. The host of the webcast is using our template so you can easily get back to our CSRC website after viewing the webcast.)
NIST Released Draft NIST IR 7275 Revision 4
July 29, 2010
NIST announces the release of DRAFT NIST Interagency Report (NISTIR) 7275 Revision 4, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. XCCDF Version 1.2 is the latest revision of an Extensible Markup Language (XML) based model that enables the expression of security configuration rules. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of security guidance or checklist compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices.
The closing date for comments is August 30, 2010. Please forward comments by email to xccdfcomments@nist.gov.
NIST is proud to announce the Release of 2 Special Publications: Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0 and Special Publication 800-85A-2, PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 Compliance)
July 27, 2010
Publication #1:
NIST announces that Special Publication (SP) 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.0, has been published as final. SCAP is a suite of specifications for organizing, expressing, and measuring security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-117 provides an overview of SCAP Version 1.0, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP Version 1.0 capabilities within their offerings.
Publication #2:
NIST is pleased to announce the release of Special Publication (SP) 800-85A-2, PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 Compliance). This document provides Derived Test Requirements (DTR) and Test Assertions (TA) for testing the PIV Middleware and the PIV Card Application interfaces for conformance to the specifications in SP 800-73-3 (Interfaces for Personal Identity Verification). The document is a revision of the earlier version (April 2009), which reflected the TAs and DTRs of the superseded SP 800-73-2, 2008 Edition.
This third revision includes the additional tests necessary to test the optional features added to the PIV Data Model and Card Interface, as well as the PIV Middleware, through SP 800-73-3 Parts 1, 2 and 3.
These include:
Draft Special Publication 800-125, Guide to Security for Full Virtualization Technologies is now available for public comment
July 7, 2010
NIST announces the public comment release of draft Special Publication (SP) 800-125, Guide to Security for Full Virtualization Technologies. Full virtualization technologies run one or more operating systems and their applications on top of virtual hardware. Full virtualization is used for operational efficiency, such as in cloud computing, and for allowing users to run applications for multiple operating systems on a single computer. The purpose of draft SP 800-125 is to discuss the security concerns associated with full virtualization technologies for server and desktop virtualization, and to provide recommendations for addressing these concerns.
NIST requests comments on draft SP 800-125 by August 13, 2010. Please submit comments to 800-125comments@nist.gov with "Comments SP 800-125" in the subject line.
NIST Interagency Report (NISTIR) 7559, Forensics Web Services (FWS) has been released
July 6, 2010
NIST Interagency Report (NISTIR) 7559, Forensics Web Services (FWS) is now available. Web services are currently a preferred way to architect and provide complex services. This complexity arises due to the composition of new services and dynamically invoking existing services. These compositions create service inter-dependencies that can be misused for monetary or other gains. When a misuse is reported, investigators have to navigate through a collection of logs to recreate the attack. In order to facilitate this task, we propose the design and architecture of a forensic web services (FWS) that would securely maintain transactional records between other web services. These secure records can be re-linked to reproduce the transactional history by an independent agency. In this report, we show the necessary components of a forensic framework for web services.
Draft Addendum to NIST Special Publication 800-38A
July 6, 2010
NIST announces a period of public comment on the Draft Addendum to NIST SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode. The draft addendum specifies three variants of Cipher Block Chaining (CBC) mode that accept any plaintext input whose bit length is greater than or equal to the block size, whether or not the length is a multiple of the block size. These variants are essentially padding methods for CBC mode that do not expand the length of the plaintext. When padding bits are needed in these variants, they are “stolen” from the penultimate ciphertext block. The variants differ only in the ordering of some of the ciphertext bits.
Comments may be submitted to EncryptionModes@nist.gov by August 6, 2010.
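As an added worked example of the three variants described in this addendum (for the July draft above and the final addendum announced on October 21; this is example code written for this page, not NIST's text or reference code, and it has not been checked against the addendum's test vectors): CBC-CS1, CS2 and CS3 encryption and decryption at byte granularity. The underlying block cipher is abstracted behind enc/dec callables; so that the example runs with only the standard library, it uses a small HMAC-based Feistel permutation as a stand-in for AES, which is an assumption of the example and not an approved cipher. In real use pass AES-128 block functions instead. Key, IV and plaintexts in roundtrips_ok() are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # block length in bytes of the underlying cipher


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (NOT an approved cipher): a 4-round Feistel
    permutation on 16-byte blocks, so the example runs with stdlib only."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round_fn(key, i, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round_fn(key, i, l)), l
    return l + r


def _split(data: bytes):
    """n = number of blocks, d = byte length of the final (possibly partial) block."""
    if len(data) < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block")
    n = -(-len(data) // BLOCK)
    return n, len(data) - (n - 1) * BLOCK


def cbc_cs_encrypt(key, iv, plaintext, variant, enc=toy_encrypt_block):
    n, d = _split(plaintext)
    # Zero-pad the final partial block P_n* and run ordinary CBC.
    padded = plaintext + bytes(BLOCK - d)
    blocks, prev = [], iv
    for i in range(n):
        prev = enc(key, _xor(padded[i * BLOCK:(i + 1) * BLOCK], prev))
        blocks.append(prev)
    if n == 1:
        return blocks[0]
    # "Steal" the last BLOCK-d bytes of C_{n-1}: they are recoverable from
    # C_n on decryption, so only MSB_d(C_{n-1}) is output.
    head = b"".join(blocks[:-2])
    c_penult_star, c_last = blocks[-2][:d], blocks[-1]
    if variant == 1 or (variant == 2 and d == BLOCK):
        return head + c_penult_star + c_last   # CS1 always; CS2 when nothing is partial
    if variant in (2, 3):
        return head + c_last + c_penult_star   # CS2 with a partial block; CS3 always (Kerberos 5)
    raise ValueError("variant must be 1, 2 or 3")


def cbc_cs_decrypt(key, iv, ciphertext, variant, dec=toy_decrypt_block):
    n, d = _split(ciphertext)
    if n == 1:
        return _xor(dec(key, ciphertext), iv)
    head, tail = ciphertext[:(n - 2) * BLOCK], ciphertext[(n - 2) * BLOCK:]
    if variant == 1 or (variant == 2 and d == BLOCK):
        c_penult_star, c_last = tail[:d], tail[d:]
    elif variant in (2, 3):
        c_last, c_penult_star = tail[:BLOCK], tail[BLOCK:]
    else:
        raise ValueError("variant must be 1, 2 or 3")
    # Z = CIPH^-1(C_n) = (P_n* || 0^{b-d}) xor C_{n-1}: its first d bytes give
    # P_n*, and its remaining bytes are exactly the stolen tail of C_{n-1}.
    z = dec(key, c_last)
    p_last = _xor(z[:d], c_penult_star)
    c_penult = c_penult_star + z[d:]
    out, prev = [], iv
    for i in range(n - 2):
        c = head[i * BLOCK:(i + 1) * BLOCK]
        out.append(_xor(dec(key, c), prev))
        prev = c
    out.append(_xor(dec(key, c_penult), prev))
    return b"".join(out) + p_last


def roundtrips_ok(key=b"k" * 16, iv=bytes(range(16))) -> bool:
    """Constructed check: every variant round-trips and never expands the data."""
    for length in (16, 17, 31, 32, 33, 47, 48):
        pt = bytes(i % 251 for i in range(length))
        for v in (1, 2, 3):
            ct = cbc_cs_encrypt(key, iv, pt, v)
            if len(ct) != length or cbc_cs_decrypt(key, iv, ct, v) != pt:
                return False
    return True
```

Two things the code makes visible that the prose only implies: when the plaintext is a whole number of blocks, CS1 and CS2 are plain CBC while CS3 still swaps the last two blocks, so the variant must be agreed out of band; and, like CBC itself, none of the three provides integrity, so the IV and ciphertext still need a MAC before decryption in any real protocol.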
On-line Course Available: "Applying the Risk Management Framework to Federal Information Systems"
June 30, 2010
The purpose of this course is to provide people new to risk management with an overview of a methodology for managing organizational risk, the Risk Management Framework (RMF). The RMF was developed by the National Institute of Standards and Technology (NIST) to help organizations manage risks to and from Information Technology (IT) systems more easily, efficiently and effectively. This course describes at a high level the importance of establishing an organization-wide risk management program, the information security legislation related to organizational risk management, the steps in the RMF, and the NIST publications related to each step. The course is available at http://csrc.nist.rip/groups/SMA/fisma/rmf-training.html. Patricia Toth may be contacted for more information at patricia.toth@nist.gov.
NIST announces the publication of Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations.
June 29, 2010
Special Publication 800-53A, Revision 1, provides guidelines for developing security assessment plans and associated security control assessment procedures that are consistent with Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009 (including updates as of May 1, 2010). This publication represents the third in a series of publications being developed under the auspices of the Joint Task Force Transformation Initiative, a partnership that includes NIST, the Intelligence Community (IC), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS). The mission of the Joint Task Force is to develop a unified information security framework for the federal government and its contractors. The updated security assessment guideline incorporates best practices in information security from the DOD, IC, and civil agencies and includes security control assessment procedures for both national security and non-national-security systems. The guideline for developing security assessment plans is intended to support a wide variety of assessment activities in all phases of the system development life cycle including development, implementation, and operation.
The important changes in Special Publication 800-53A, Revision 1, are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management—that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation. The increased flexibility in the selection of assessment methods, assessment objects, and depth and coverage attribute values empowers organizations to place the appropriate emphasis on the security control assessment process at every stage in the system development life cycle to include a robust continuous monitoring process. For example, carrying out an increased level of assessment early in the system development life cycle can provide significant benefits by identifying weaknesses and deficiencies in the information system early and facilitate more cost-effective solutions. Alternatively, allowing organizations to customize their assessment activities during continuous monitoring can place the right emphasis on the assessment of those security controls providing the greatest return on investment, adjusting to varying operational environments and threats. As always, communities of interest may establish certain floors or ceilings on the level of assessment activities based on mission/business needs.
Finally, NIST, in coordination with its partners in the Joint Task Force, plans to update and post to the FISMA Implementation Project web site the Assessment Cases for the assessment procedures in Appendix F, as described in Special Publication 800-53A, Appendix H, providing organizations and assessors with additional detail for conducting specific assessments of federal information systems. NIST will provide ongoing progress reports regarding updates to the assessment cases.
NIST Announces the Release of Draft NIST Interagency Report (IR) 7622, Piloting Supply Chain Risk Management Practices for Federal Information Systems
June 25, 2010
Draft NISTIR 7622, Piloting Supply Chain Risk Management Practices for Federal Information Systems, is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain risk. It is our intent that organizations begin to pilot the activities and practices contained in this document and provide feedback on their practicality, feasibility, cost, challenges, and successes. This is the first step in a much larger initiative to develop a comprehensive approach to managing supply chain risks. Comments on the document should be sent to scrm-nist@nist.gov by August 15, 2010. Comments and lessons learned from piloting the practices should be sent to the same e-mail address by December 30, 2010.
NIST Announces the Release of Draft Special Publication 800-132, Recommendation for Password-Based Key Derivation - Part 1: Storage Applications
June 24, 2010
NIST announces the release of draft Special Publication 800-132, Recommendation for Password-Based Key Derivation - Part 1: Storage Applications. This Recommendation specifies techniques for the derivation of master keys from passwords to protect electronic data in a storage environment. Please submit comments to draft-sp800-132-comments@nist.gov with "Comments on Draft SP800-132" in the subject line. The comment period closes on July 28, 2010.
NIST Released 2 NIST Interagency Reports (IRs): (1) NISTIR 7653, 2009 Computer Security Division Annual Report and (2) NISTIR 7676, Maintaining and Using Key History on Personal Identity Verification (PIV) Cards
June 21, 2010
NISTIR 7653, 2009 Computer Security Division Annual Report
This report provides the highlights of the Computer Security Division's accomplishments for FY2009.
NISTIR 7676, Maintaining and Using Key History on Personal Identity Verification (PIV) Cards, is now available
NIST Special Publication 800-73-3, Interfaces for Personal Identity Verification, introduces the ability to store retired Key Management Keys within the PIV Card Application on a PIV Card. NIST IR 7676 complements SP 800-73-3 by providing some of the rationale for the design of the mechanism for storing retired Key Management Keys on PIV Cards and by providing suggestions to smart card vendors, PIV Card Issuers, and middleware developers on the use of the Key History mechanism.
Draft Special Publication 800-130, A Framework for Designing Cryptographic Key Management Systems
June 16, 2010
A draft of NIST Special Publication (SP) 800-130, A Framework for Designing Cryptographic Key Management Systems, is available for an initial public comment period. This document contains descriptions of Cryptographic Key Management System (CKMS) components that should be considered by a CKMS designer and specifies requirements for the documentation of those CKMS components in the design. Comments are due by August 17, 2010, and should be sent to CKMSDesignFramework@nist.gov with “Comments on CKMS Design Framework” in the subject line. Note that this document will be discussed at a Key Management Workshop scheduled for September 20-21, 2010 at NIST. See http://csrc.nist.rip/groups/ST/key_mgmt/ for more information on the workshop.
NIST Released the Second Public Draft of Special Publication 800-131, Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes
June 16, 2010
Second Public Draft Special Publication 800-131, Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, is available for public comment. NIST Special Publication (SP) 800-57, Part 1 included a general approach for transitioning from one algorithm or key length to another. This Recommendation (SP 800-131) provides more specific guidance for transitions to stronger cryptographic keys and more robust algorithms. Public comments should be sent to CryptoTransitions@nist.gov by July 16, 2010.
Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems
June 7, 2010
NIST announces the release of Special Publication 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems. SP 800-34 Revision 1 is intended to help organizations by providing instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption. The guide defines a seven-step contingency planning process that an organization may apply to develop and maintain a viable contingency planning program for its information systems. The guide also presents three sample formats for developing an information system contingency plan based on low, moderate, or high impact level, as defined by Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.
NIST releases FAQ on Continuous Monitoring (Superseded by SP 800-137).
June 1, 2010
The Draft NIST Interagency Report 7298 Revision 1, Glossary of Key Information Security Terms has been released for public comment.
May 28, 2010
Draft NIST Interagency Report 7298 Revision 1, Glossary of Key Information Security Terms, is now available for public comment. This glossary of common security terms has been extracted from NIST Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, NIST Interagency Reports (NISTIRs), and the Committee for National Security Systems Instruction 4009 (CNSSI-4009). The glossary does not include every term found in the NIST publications, but it does include most of the terms in those publications. The glossary does contain all of the terms and definitions from CNSSI-4009. The purpose of this glossary is to provide a central resource of the definitions most commonly used in NIST information security publications and in CNSS information assurance publications.
Comments should be sent to secglossary@nist.gov by COB June 30, 2010.
Draft Special Publication 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1
May 27, 2010
NIST announces the second public comment release of Special Publication (SP) 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. SP 800-126 defines and explains SCAP version 1.1, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications. Major changes from SCAP version 1.0 to 1.1 include the addition of Open Checklist Interactive Language (OCIL) and an upgrade to Open Vulnerability and Assessment Language (OVAL) version 5.6.
NIST requests comments on the second public draft of SP 800-126 Revision 1 by June 28, 2010. Please submit comments to 800-126comments@nist.gov with “Comments SP 800-126” in the subject line.
Cloud Computing Workshop & Forum
May 25, 2010
The agenda and presentations from the May 20, 2010 Cloud Computing Forum & Workshop are now available to view.
NIST Draft Special Publication SP 800-85A-2 "PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 compliance)"
May 14, 2010
NIST has prepared a revised version of NIST Special Publication SP 800-85A. The revised document is titled Draft Special Publication 800-85A-2, “PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 compliance)”. The revisions include the additional tests necessary to test some of the optional features added to the PIV Data Model and Card Interface, as well as to the PIV Middleware, through specifications SP 800-73-3 Parts 1, 2 and 3. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85A-2. Federal agencies and private organizations, including test laboratories, as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to PIVtesting@NIST.gov. The comment period closed on May 27, 2010. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.
NOTE: This draft document (SP 800-85A-2) has been approved as final - July 2010.
NIST Releases Special Publication 800-53A Revision 1 (Final Public Draft), Guide for Assessing the Security Controls in Federal Information Systems and Organizations
May 5, 2010
NIST announces the publication of Special Publication 800-53A, Revision 1 (FPD), Guide for Assessing the Security Controls in Federal Information Systems and Organizations.
The final draft of Special Publication 800-53A, Revision 1 provides guidelines for developing security assessment plans and associated security control assessment procedures that are consistent with Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009 (including updates as of 05-01-2010).
The final draft of Special Publication 800-53A, Revision 1, developed by the Joint Task Force Transformation Initiative Working Group, is part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors. This publication represents the third in a series of publications being developed under the auspices of the Joint Task Force Transformation Initiative. For the past three years, NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its contractors. The updated security assessment guideline incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies and includes security control assessment procedures for both national security and non-national security systems. The guideline for developing security assessment plans is intended to support a wide variety of assessment activities in all phases of the system development life cycle, including development, implementation, and operation.
Special Publication 800-53A, Revision 1, contains the following significant changes:
NIST Releases Update for Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
May 5, 2010
NIST announces the publication of an errata update for Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009 (includes updates as of 05-01-2010). Organizations should consult the errata table on page xi of the Special Publication for the list of changes.
NIST Releases Draft NIST Interagency Report (IR) 7511 Revision 2
April 20, 2010
Draft NIST Interagency Report (IR) 7511 Revision 2, Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements, describes the requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7511 Revision 2 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.
This update to Draft NIST Interagency Report (IR) 7511 Revision 2, includes changes to the Internet Connectivity requirements and clarifying language to several other requirements and test procedures.
If you have questions regarding this document, please send email to IR7511comments@nist.gov. The deadline to submit comments is May 20, 2010.
ISPAB Meeting will be webcast on April 8, 2010
April 7, 2010
In our work toward an open, transparent and collaborative environment, the National Institute of Standards and Technology will webcast the Federal Advisory Committee meeting of the Information Security and Privacy Advisory Board (ISPAB) on the day of the meeting. Please use the link below to view the webcast on the day of the meeting. We plan to expand the methods used for a more participative environment in the future. The webcast starts at 8:30am EST on April 8.
http://csrc-nist.granicus.com/ViewPublisher.php?view_id=2
(NOTE: You will be leaving NIST's and CSRC's webspace. The host of the webcast is using our template so you can easily get back to our CSRC website after viewing the webcast.)
NIST Released Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
April 6, 2010
NIST announces the release of Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). SP 800-122 provides practical, context-based guidelines for identifying PII and determining what level of protection is appropriate for each instance of PII. The document also suggests safeguards that may offer appropriate levels of protection for PII and provides recommendations for developing response plans for incidents involving PII.
NIST released the following two NIST IRs: (1) NIST IR 7665, Proceedings of the Privilege Management Workshop, September 1-3, 2009, and (2) NIST IR 7657, A Report on the Privilege (Access) Management Workshop
March 30, 2010
1) NIST released the NIST Interagency Report (NISTIR) 7665, Proceedings of the Privilege Management Workshop, September 1-3, 2009. This document is a synopsis of the major proceedings of the plenary and tracks of the first Privilege Management Workshop co-sponsored by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA), Gaithersburg, Maryland, September 1–3, 2009.
The primary goal of this first workshop was to bring together a wide spectrum of individuals representing differing viewpoints, use cases, and organizational needs with the intent of reaching a common understanding of several facets of this important area. This includes reaching consensus on the definition of privilege management and other terminology; understanding and analyzing the strengths and weaknesses of current and proposed access control models; ascertaining the current state of the practice and future research directions in privilege management; and understanding and articulating the managerial, legal, and policy requirements associated with privilege management. To facilitate these objectives, the workshop was organized into four tracks:
NIST Releases Initial Public Draft Special Publication 800-128, Guide for Security Configuration Management of Information Systems
March 18, 2010
NIST announces the publication of Initial Public Draft Special Publication 800-128, Guide for Security Configuration Management of Information Systems. The publication provides guidelines for managing the configuration of information system architectures and associated components for secure processing, storing, and transmitting of information. Security configuration management is an important function for establishing and maintaining secure information system configurations, and provides important support for managing organizational risks in information systems.
NIST SP 800-128 identifies the major phases of security configuration management and describes the process of applying security configuration management practices for information systems, including: (i) planning security configuration management activities for the organization; (ii) planning security configuration management activities for the information system; (iii) configuring the information system to a secure state; (iv) maintaining the configuration of the information system in a secure state; and (v) monitoring the configuration of the information system to ensure that the configuration is not inadvertently altered from its approved state.
The security configuration management concepts and principles described in this publication provide supporting information for NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, which includes the Configuration Management family of security controls and other security controls that draw upon configuration management activities in their implementation. This publication also provides important supporting information for the Monitor Step (Step 6) of the Risk Management Framework that is discussed in NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
NIST requests comments on the Initial Public Draft of Special Publication 800-128, by June 14, 2010. Please submit comments to sec-cert@nist.gov.
NIST Releases Draft NIST IR 7676, Maintaining and Using Key History on Personal Identity Verification (PIV) Cards
March 17, 2010
NIST announces that Draft NIST Interagency Report 7676, Maintaining and Using Key History on Personal Identity Verification (PIV) Cards, has been released for public comment.
NIST Special Publication 800-73-3, Interfaces for Personal Identity Verification, introduces the ability to store retired Key Management Keys within the PIV Card Application on a PIV Card. NIST IR 7676 complements SP 800-73-3 by providing some of the rationale for the design of the mechanism for storing retired Key Management Keys on PIV Cards and by providing suggestions to smart card vendors, PIV Card Issuers, and middleware developers on the use of the Key History mechanism.
NIST requests comments on Draft NIST IR 7676 by 5:00pm EDT on April 23, 2010. Please submit your comments to PIV_comments@nist.gov with "Comments on Public Draft NISTIR 7676" in the subject line.
NIST Released Draft NIST IR 7669, Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements
March 10, 2010
Draft NIST Interagency Report (IR) 7669, Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements, describes the requirements that must be met by products to achieve OVAL Validation. Validation is awarded based on a defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7669 has been written primarily for accredited laboratories and for vendors interested in receiving OVAL validation for their products.
If you have questions regarding this document, please send email to: IR7669comments@nist.gov. There is a 30-day comment period which will close on Friday, April 9, 2010.
NIST Releases Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
February 22, 2010
NIST announces the final publication of Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. This publication represents the second in a series of publications being developed under the auspices of the Joint Task Force Transformation Initiative. For the past three years, NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its contractors. The initial publication produced by the task force, NIST Special Publication 800-53, Revision 3, created a common security control catalog reflecting the information security requirements of the national security community and the non-national security community. NIST Special Publication 800-37, Revision 1, continues the transformation by changing the traditional process employed by the federal government to certify and accredit federal information systems. The revised process provides greater emphasis on: (i) building information security capabilities into information systems through the application of state-of-the-practice management, operational, and technical security controls; (ii) maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes; and (iii) understanding and accepting the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use of information systems.
NIST Special Publication 800-37, Revision 1, is the full transformation of the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The RMF-based process has the following characteristics:
The risk management process described in this publication changes the focus from the traditional stovepiped, static approaches to C&A and provides the capability to more effectively manage information system-related security risks in highly dynamic environments of complex and sophisticated cyber threats, ever increasing system vulnerabilities, and rapidly changing missions. In addition to the above changes, NIST Special Publication 800-37 revises information system authorization guidance for federal agencies and extends the current approach to include joint and leveraged authorizations.
NIST Released NISTIR 7658, Guide to SIMfill Use and Development
February 22, 2010
NISTIR 7658, Guide to SIMfill Use and Development, is now available on the CSRC website. SIMfill is a proof-of-concept, open source application developed by NIST to populate identity modules with test data, as a way to assess the recovery capability of mobile forensic tools. An initial set of test data is also provided with SIMfill as a baseline for creating other test cases. This report describes the design and organization of SIMfill in sufficient detail to allow informed use of and experimentation with the software and test data provided, including the option to modify and extend the program and data to meet specific needs.
NIST Released Draft Special Publication 800-119, Guidelines for the Secure Deployment of IPv6
February 22, 2010
NIST announces the public comment release of Special Publication (SP) 800-119, Guidelines for the Secure Deployment of IPv6. IPv6 (Internet Protocol version 6) is the next generation Internet Protocol, accommodating vastly increased address space. This document describes and analyzes IPv6's new and expanded protocols, services, and capabilities, including addressing, DNS, routing, mobility, quality of service, multihoming, and IPsec. For each component, there is a detailed analysis of the differences between IPv4 and IPv6, the security ramifications and any unknown aspects. It characterizes new security threats posed by the transition to IPv6 and provides guidelines on IPv6 deployment, including transition, integration, configuration, and testing. It also addresses more recent significant changes in the approach to IPv6 transition.
NIST requests comments on Draft SP 800-119 by April 23, 2010. Please submit comments to draft-sp800-119-comments@nist.gov with "Comments SP 800-119" in the subject line.
NIST is Proud to Announce the Release of Two Special Publications: 800-73-3, Interfaces for Personal Identity Verification, and 800-78-2, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV)
February 22, 2010
1. NIST announces that Special Publication 800-73-3, Interfaces for Personal Identity Verification, has been released. SP 800-73-3 introduces new, optional features including:
(1) on-card retention of retired Key Management keys and corresponding X.509 certificates for the purpose of deriving or decrypting data encryption keys;
(2) use of the ECDH key establishment scheme with the Key Management Key, as specified in SP 800-78-2; and
(3) provisions for Non-Federal Issuer (NFI) credentials. SP 800-73-3 also includes editorial changes aimed at clarifying ambiguities.
Except for very minor editorial changes, the Revision History in Part 1 of SP 800-73-3 lists all of the updates to SP 800-73 since its initial release.
2. NIST is pleased to announce the release of Special Publication 800-78-2, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV). The document has been modified (1) to re-align with the Suite B Cryptography specification and with the recently published FIPS 186-3 and (2) to eliminate a redundant encryption mode for symmetric PIV authentication protocols. In particular, the following changes are introduced in SP 800-78-2:
NIST Released the Second Draft of NIST Interagency Report (NISTIR) 7628
February 2, 2010
NIST announces that the second draft of NISTIR 7628, Smart Grid Cyber Security Strategy and Requirements, is now available for public comment. The second draft of the document contains the updated overall security strategy for the Smart Grid and updated logical interface diagrams, privacy, bottom-up analysis, and vulnerability class analysis sections. In addition, new chapters on research and development themes and standards assessment have been included. Finally, an overall functional logical Smart Grid architecture is included.
This is the second draft of the NISTIR; comments are being received through approximately June 1, 2010. A comment submission template is posted. Also posted with the draft NISTIR is a disposition of comments document. Over 450 individual comments were received and addressed (as applicable) in the second draft of the NISTIR. The final version is scheduled to be posted Spring 2010.
Please submit comments to cswgdraft2comments@nist.gov.
NIST Special Publication 800-38E has been Released
January 25, 2010
NIST is pleased to announce the release of Special Publication 800-38E: Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Storage Devices. This publication approves the XTS-AES mode of the AES algorithm by reference to its specification in IEEE Std 1619-2007, as an option for protecting the confidentiality of data on storage devices. The XTS-AES mode does not provide authentication of the data or its source.
NIST Released Draft Special Publication 800-131
January 14, 2010
Draft Special Publication 800-131, Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, is available for public comment. NIST Special Publication (SP) 800-57, Part 1 included a general approach for transitioning from one algorithm or key length to another. This Recommendation (SP 800-131) provides more specific guidance for transitions to stronger cryptographic keys and more robust algorithms. Public comments should be sent to CryptoTransitions@nist.gov by March 15, 2010. The authors of this document, Elaine Barker and Allen Roginsky, will be available for discussions at the RSA Conference in San Francisco on March 1-5.
NIST Released NIST Interagency Report (IR) 7609
January 11, 2010
NIST Interagency Report 7609, Cryptographic Key Management Workshop Summary – June 8-9, 2009, is now available. This document provides highlights of a workshop that was held in June 2009 to discuss the current state of key management systems, to identify future needs, and to discuss the development of a Cryptographic Key Management Design Framework that will address the issues discussed during the workshop. Further information about this project is also available.