
News Archive - 2013




Draft NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key, is available for public comment
December 13, 2013
 
NIST is pleased to announce that Draft NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key, is available for public comment. NISTIR 7863 provides clarification for the requirement in FIPS 201-2 that a PIV cardholder perform an explicit user action prior to each use of the digital signature key stored on the card.
 
NIST requests comments on NISTIR 7863 by 5:00pm EST on January 17, 2014. Please submit comments on Draft NISTIR 7863 using the comments template form to piv_comments@nist.gov with “Comments on NISTIR 7863” in the subject line.


Comment Period for Draft Special Publication 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, has been extended
November 12, 2013
 
The comment period for Draft Special Publication 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, has been extended. The new deadline to submit comments is Friday, December 13, 2013.


NIST Initiating Review of Cryptographic Standards Development Process
November 1, 2013
Recent news reports about leaked classified documents have caused concern from the cryptographic community about......



Request for Comments on the Preliminary Cybersecurity Framework
October 29, 2013
 
The National Institute of Standards and Technology (NIST) seeks comments on the preliminary version of the Cybersecurity Framework (“preliminary Framework”). (See the October 29th Federal Register Notice.) The preliminary Framework was developed by NIST using information collected through the Request for Information (RFI) that was published in the Federal Register on February 26, 2013, and a series of open public workshops. The preliminary Framework was developed in response to NIST responsibilities directed in Executive Order 13636, “Improving Critical Infrastructure Cybersecurity” (“Executive Order”). Under the Executive Order, the Secretary of Commerce is tasked to direct the Director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure (the “Cybersecurity Framework” or “Framework”). The Framework will consist of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. The preliminary Framework is available electronically from the NIST Cybersecurity Framework website. Please note that the comment period deadline is December 13, 2013; see the Federal Register Notice referenced above and/or visit the Cybersecurity Framework website for more information.


Draft NISTIR 7628 Revision 1, Guidelines for Smart Grid Cyber Security
October 25, 2013
 
The National Institute of Standards and Technology (NIST) seeks comments on Draft NIST Interagency Report (NISTIR) 7628 Revision 1, Guidelines for Smart Grid Cyber Security. The comment period will be open from October 25 through December 23, 2013. Draft NISTIR 7628 Rev. 1 was completed by the NIST-led Smart Grid Cybersecurity Committee (formerly the Cyber Security Working Group) of the Smart Grid Interoperability Panel. The document has been updated to address changes in technologies and implementations since the release of NISTIR 7628 in September 2010. In addition, the document development strategy, cryptography and key management, privacy, vulnerability classes, research and development topics, standards review, and key power system use cases have been updated and expanded to reflect changes in the Smart Grid environment since 2010. The final version is expected to be posted in the spring of 2014.
 
Click HERE to go to the CSRC Drafts page to view the Draft NISTIR 7628 document. Information about the comment deadline, where to send comments, and all files (3 for the document and 3 comment templates) are provided there.


DRAFT Special Publication 800-16 Revision 1 (Second Public Draft), A Role-Based Model For Federal Information Technology/Cyber Security Training is now available
October 24, 2013
 
NIST announces the release of the Second Public Draft of Special Publication (SP) 800-16 (Revision 1), A Role-Based Model For Federal Information Technology/Cyber Security Training for public comment. SP 800-16 describes information technology / cyber security role-based training for Federal Departments and Agencies and Organizations (Federal Organizations). Its primary focus is to provide a comprehensive, yet flexible, training methodology for the development of training courses or modules for personnel who have been identified as having significant information technology / cyber security responsibilities.
 
NIST requests comments on draft SP 800-16 Revision 1 by November 30, 2013. Please send comments to SP80016-comments@nist.gov with the subject “Comments NIST SP 800-16”.


NIST announces that Draft Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, has been released for public comment
October 21, 2013 (updated from August 16, 2013 announcement)
 
This document provides guidance to federal departments and agencies on identifying, assessing, and mitigating Information and Communications Technology (ICT) supply chain risks at all levels in their organizations. It integrates ICT supply chain risk management (SCRM) into federal agency enterprise risk management activities by applying a multi-tiered SCRM-specific approach, including supply chain risk assessments and supply chain risk mitigation activities and guidance.
 
Due to the recent government shutdown, NIST is extending the comment period for NIST SP 800-161 by 14 days. Comments are now due by November 1, 2013. Please submit comments to scrm-nist@nist.gov with "Comments NIST SP 800-161" in the subject line.
Link to Draft SP 800-161 on the CSRC Drafts page
Link to Comment Template on Drafts page.


DRAFT Special Publication 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations is now available
September 24, 2013
 
NIST announces the release of Draft Special Publication (SP) 800-52 (Revision 1), Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, for public comment. TLS provides mechanisms to protect sensitive data during electronic dissemination across networks. This Special Publication provides guidance on the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms. The revised guidelines include the required support of TLS version 1.1, recommended support of TLS version 1.2, guidance on certificate profiles and validation methods, TLS extension recommendations, and support for a greater variety of FIPS-based cipher suites.
 
NIST requests comments on draft SP 800-52 Revision 1 by November 30, 2013. Please send comments to SP80052-comments@nist.gov with the subject “Comments NIST SP 800-52”.
 
Draft Special Publication 800-52 Rev. 1 (PDF)


NIST Released 2 Publications - Special Publication 800-81-2 and NIST Interagency Report 7956
September 24, 2013
 
1) This revision of NIST Special Publication 800-81 (identified as Special Publication 800-81-2, Secure Domain Name System (DNS) Deployment Guide) adds two new sections – one to provide guidance on secure setup of recursive DNS service and the other for securely configuring validating resolvers. It also incorporates knowledge gained from DNSSEC deployment experience to provide updated guidance for DNS administrators on cryptographic algorithm variables, configuration and operations.
 
2) Many of the security capabilities associated with the exercise of cloud service features in the three primary service models – Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) – involve cryptographic operations. NIST Interagency Report (NISTIR) 7956, Cryptographic Key Management Issues & Challenges in Cloud Services, analyzes and discusses various cryptographic key management challenges for performing these cryptographic operations in the context of architectural solutions that are commonly deployed for those operations.


Draft SP 800-90 Series: Random Bit Generators - 3 drafts are available for public comment
800-90A Rev. 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation
800-90C: Recommendation for Random Bit Generator (RBG) Constructions

September 9, 2013
 
In light of recent reports, NIST is reopening the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C. NIST is interested in public review and comment to ensure that the recommendations are accurate and provide the strongest cryptographic recommendations possible.
 
The public comments will close on November 6, 2013. Comments should be sent to RBG_Comments@nist.gov.
 
In addition, NIST has released a supplemental ITL Security Bulletin titled "NIST Opens Draft Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, For Review and Comment (Supplemental ITL Bulletin for September 2013)" to support the draft revision effort.


Federal Information Processing Standard (FIPS) Publication 201-2, the Standard for Personal Identity Verification of Federal Employees and Contractors
September 5, 2013
 
The National Institute of Standards and Technology (NIST) is pleased to announce the approval of Federal Information Processing Standard (FIPS) Publication 201-2, Personal Identity Verification of Federal Employees and Contractors. (See the Federal Register Notice announcing FIPS 201-2 approval.) This revision includes adaptations to changes in the environment and technology since the publication of FIPS 201-1, clarifications to existing text, additional text to resolve ambiguities and specific changes requested by Federal agencies and implementers.
 
FIPS 201-2 reflects the disposition of comments that were received during the public comment periods for the first and second drafts of the Standard, which were published on March 8, 2011, and July 9, 2012, respectively. The complete sets of comments and dispositions are provided in the two links below.
 
High level changes include:

  • Introduction of chain-of-trust and grace period for PIV card reissuance processes,
  • Relaxation of PIV Card termination requirements and specifically certificate revocation,
  • New options for physical card characteristics to help agencies achieve Section 508 compliance for PIV card orientation,
  • A UUID as a mandatory unique identifier for the PIV Card,
  • Downgrade of the authentication mechanism associated with the Card Holder Unique Identifier (CHUID) to indicate that it provides little or no assurance of identity,
  • Updates to the PIV card’s on-board credentials include:
    • Expansion of the core mandatory credentials: the previously optional asymmetric card authentication, digital signature and key management are now mandatory,
    • New optional credentials: Iris recognition capability and fingerprint biometric match-on-card (OCC),
  • Introduction of an optional virtual contact interface (VCI), over which all functionalities of the PIV Card are accessible via contactless interface,
  • Accommodation for mobile devices in the form of PIV derived credentials that can be provisioned to mobile devices.
A detailed list of changes is available in FIPS 201-2, Appendix E, Revision History.
 
2011 Draft comments and dispositions
 
2012 Draft comments and dispositions


NIST announces the release of Draft NIST Interagency Report (NISTIR) 7946, CVSS Implementation Guidance, for public review and comment. This Interagency Report provides guidance to individuals scoring IT vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 2.0 scoring metrics. The guidance in this document is the result of applying the CVSS specification to score over 50,000 vulnerabilities analyzed by the National Vulnerability Database (NVD). An overview of the CVSS base metrics is first presented followed by guidance for difficult and/or unique scoring situations. To assist vulnerability analysts, common keywords and phrases are identified and accompanied by suggested scores for particular types of software vulnerabilities. The report includes a collection of scored IT vulnerabilities from the NVD, alongside a justification for the provided score. Finally, this report contains a description of the NVD’s vulnerability scoring process.
 
The public comment period closed on October 4, 2013.
 
Comments on this publication may be submitted to: nistir7946-comments@nist.gov


DRAFT Special Publication 800-101 Revision 1, Guidelines on Mobile Device Forensics
September 4, 2013
 
NIST announces the public comment release of Draft Special Publication (SP) 800-101 (Revision 1), Guidelines on Mobile Device Forensics. Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining technologies involved and their relationship to forensic procedures. This document covers mobile devices with features beyond simple voice communication and text messaging capabilities. This guide also discusses procedures for the validation, preservation, acquisition, examination, analysis, and reporting of digital information.
 
NIST requests comments on draft SP 800-101 (Revision 1) by October 4, 2013. Please send comments to richard.ayers@nist.gov with the subject "Comments SP 800-101 (Revision 1)"


NIST Announces the Release of Special Publication (SP) 800-63-2, Electronic Authentication Guideline
September 4, 2013
 
NIST has released Special Publication 800-63-2, Electronic Authentication Guideline. This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST Special Publication 800-63-1.
 
This revision is a limited update of Special Publication 800-63-1, and substantive changes are made only in Section 5, Registration and Issuance Processes. The substantive changes made to Section 5 are intended to facilitate the use of professional credentials in the identity proofing process, and to reduce the need to use postal mail to an address of record to issue credentials for level 3 remote registration.


NIST announces that Draft Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, has been released for public comment
August 16, 2013
 
This document provides guidance to federal departments and agencies on identifying, assessing, and mitigating Information and Communications Technology (ICT) supply chain risks at all levels in their organizations. It integrates ICT supply chain risk management (SCRM) into federal agency enterprise risk management activities by applying a multi-tiered SCRM-specific approach, including supply chain risk assessments and supply chain risk mitigation activities and guidance.
 
NIST requests comments on Draft NIST SP 800-161 by October 15, 2013. Please submit comments to scrm-nist@nist.gov with "Comments NIST SP 800-161" in the subject line.
Link to Draft SP 800-161 on the CSRC Drafts page
Link to Comment Template is also provided on the Drafts page for this draft.


Special Publication (SP) 800-130, A Framework for Designing Cryptographic Key Management Systems
August 16, 2013
 
NIST announces the completion of Special Publication (SP) 800-130, A Framework for Designing Cryptographic Key Management Systems. This publication contains a description of the topics to be considered and the documentation requirements to be addressed when designing a CKMS. The CKMS designer satisfies the requirements by selecting the policies, procedures, components (hardware, software, and firmware), and devices (groups of components) to be incorporated into the CKMS, and then specifying how these items are employed to meet the requirements of this Framework.


Computer Security Incident Coordination (CSIC) RFI
August 1, 2013
 
Due to a configuration issue, RFI responses sent (only) to incidentcoordination@nist.gov were not delivered and also did not generate bounce errors. If you sent an RFI response to incidentcoordination@nist.gov prior to the closing date of July 29, 2013 at 5:00 p.m. Eastern time, NIST requests that you resend your response to the same address by August 9, 2013 at 5:00 p.m. Eastern time.
 
Click here to view the Federal Register Notice about RFI for the Computer Security Incident Coordination.


NIST announces the release of 3 Special Publications (SP) - SP 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops; SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies; and SP 800-165, 2012 Computer Security Division Annual Report.
July 23, 2013
 

  1. Special Publication 800-83 Revision 1
    NIST announces the final release of NIST Special Publication (SP) 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations. This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. SP 800-83 Revision 1 replaces the original SP 800-83, which was released in 2005.
     
  2. Special Publication 800-40 Revision 3
    NIST announces the final release of NIST Special Publication (SP) 800-40 Revision 3, Guide to Enterprise Patch Management Technologies. Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. It provides an overview of enterprise patch management technologies and it also briefly discusses metrics for measuring the technologies’ effectiveness. NIST SP 800-40 Revision 3 complements the previous release (version 2), which was published in 2005.
     
  3. Special Publication 800-165
    NIST Computer Security Division announces the release of NIST Special Publication 800-165, 2012 Computer Security Division Annual Report. This annual report provides the important highlights and accomplishments that the NIST Computer Security Division has completed during FY2012.

NIST Announces the Approval of Federal Information Processing Standard (FIPS) 186-4, the Digital Signature Standard
July 19, 2013
 
NIST is pleased to announce the approval of Federal Information Processing Standard (FIPS) 186-4, the Digital Signature Standard. This Standard specifies three techniques for the generation and verification of digital signatures that can be used for the protection of data: the Digital Signature Algorithm (DSA), the Elliptic Curve Digital Signature Algorithm (ECDSA) and the Rivest-Shamir-Adleman Algorithm (RSA). This revision includes a clarification of terms, a reduction of restrictions on the use of random number generators and on the retention and use of prime number generation seeds, a correction of wording and typographical errors, and further aligns the FIPS with Public Key Cryptography Standard (PKCS) #1.


NIST Announces the Release of Special Publication (SP) 800-76-2, Biometric Data Specifications for Personal Identity Verification
July 12, 2013
 
NIST has released Special Publication 800-76-2, Biometric Specifications for Personal Identity Verification. This document supports updated PIV biometric options and requirements of the forthcoming FIPS 201-2. It includes specifications for on-card fingerprint comparison and iris recognition. The new edition will formally replace the January 2007 version when FIPS 201-2 is published.


Draft Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
July 8, 2013
 
NIST is pleased to announce that Draft NIST Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, is available for public comment. Format-preserving encryption (FPE) has emerged as a useful cryptographic tool, whose applications include financial-information security, data sanitization, and transparent encryption of fields in legacy databases.
 
Three methods are specified in this publication: FF1, FF2, and FF3. Each is a format-preserving, Feistel-based mode of operation of the AES block cipher. FF1 was submitted to NIST by Bellare, Rogaway and Spies under the name FFX[Radix]; FF2 was submitted to NIST by Vance under the name VAES3; and FF3 is the main component of the BPS mechanism that was submitted to NIST by Brier, Peyrin, and Stern. The submission documents are available at the Block Cipher Modes - Modes Development page on CSRC website.
 
Public comments on Draft NIST Special Publication 800-38G may be submitted to EncryptionModes@nist.gov until September 3, 2013.


NIST Released Special Publication 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise
June 24, 2013
 
NIST announces the final release of Special Publication (SP) 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise. The purpose of this publication is to help organizations centrally manage and secure mobile devices against a variety of threats. This publication provides recommendations for selecting, implementing, and using centralized management technologies, and it explains the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1 includes securing both organization-provided and personally-owned (bring your own device) mobile devices.


NIST Announces the Release of Special Publication 800-56A Revision 2 and NISTIR 7298 Revision 2 - see below for the full announcement
June 12, 2013
 
Special Publication 800-56A Revision 2:
The National Institute of Standards and Technology (NIST) is pleased to announce the release of Special Publication 800-56A, Revision 2: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. The revisions are made to the March 2007 version of this Recommendation. The major revisions are summarized in Appendix D.
 
NIST Interagency Report (IR) 7298, Revision 2
NIST and ITL are proud to announce the release of NIST Interagency Report (IR) 7298, Revision 2, Glossary of Key Information Security Terms. The National Institute of Standards and Technology (NIST) has received numerous requests to provide a summary glossary for our publications and other relevant sources, and to make the glossary available to practitioners. As a result of these requests, this glossary of common security terms has been extracted from NIST Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, NIST Interagency Reports (NISTIRs), and from the Committee for National Security Systems Instruction 4009 (CNSSI-4009). This glossary includes most of the terms in the NIST publications. It also contains nearly all of the terms and definitions from CNSSI-4009. This glossary provides a central resource of terms and definitions most commonly used in NIST information security publications and in CNSS information assurance publications. Each entry in the glossary points to one or more source NIST publications, and/or CNSSI-4009, and/or supplemental sources where appropriate. The NIST publications referenced are the most recent versions of those publications (as of the date of this document).


Special Publication 800-82, Revision 1, Guide to Industrial Control Systems (ICS) Security
May 15, 2013
 
NIST announces the release of Special Publication 800-82, Revision 1, Guide to Industrial Control System (ICS) Security. Special Publication 800-82 provides guidance on how to improve the security in Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing unique performance, reliability, and safety requirements. Special Publication 800-82: (i) provides an overview of ICS and typical system topologies; (ii) identifies typical threats to organizational missions and business functions supported by ICS; (iii) describes typical vulnerabilities in ICS; and (iv) provides recommended security controls (i.e., safeguards and countermeasures) to respond to the associated risks.
 
Special Publication 800-82, Revision 1 includes the ICS material transferred from Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, Appendix I. Special Publication 800-82, Revision 1 is being released concurrent with Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, to preserve the continuity of that ICS material. The ICS material is now located in Appendix G of Special Publication 800-82, Revision 1.
 
Additionally, NIST is planning a major update to Special Publication 800-82 (Special Publication 800-82, Revision 2) that will include:

  • Updates to ICS threats and vulnerabilities;
  • Updates to ICS risk management, recommended practices and architectures;
  • Updates to current activities in ICS security;
  • Updates to security capabilities and technologies for ICS;
  • Additional alignment with other ICS security standards and guidelines;
  • New tailoring guidance for Special Publication 800-53, Revision 4 security controls including the introduction of overlays; and
  • An ICS overlay for Special Publication 800-53, Revision 4 security controls that will provide tailored security control baselines for Low, Moderate, and High impact ICS.
NIST will collaborate with the public and private sectors over the next year to produce Special Publication 800-82, Revision 2. Two drafts for public comment are expected with the first draft planned for late summer 2013 and a final draft planned for winter 2013. Special Publication 800-82, Revision 2 is targeted for final publication in spring 2014.


Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, and Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, are now available
May 13, 2013
 
#1 -- NIST announces that Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, is now available for public comment. This document has been updated to align with Candidate Final FIPS 201-2. Major changes in draft SP 800-73-4 include:

  • Removal of Part 4, The PIV Transitional Data Model and Interfaces;
  • The addition of specifications for secure messaging and the virtual contact interface, both of which are optional to implement;
  • The specification of an optional Cardholder Universally Unique Identifier (UUID) as a unique identifier for a cardholder;
  • The specification of an optional on-card biometric comparison mechanism, which may be used as a means of performing card activation and as a PIV authentication mechanism; and
  • The addition of a requirement for the PIV Card Application to enforce a minimum PIN length of six digits.

#2 -- NIST announces that Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for public comment. The document has been modified to add algorithm and key size requirements for secure messaging and to add requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing. In particular, the following changes are introduced in draft SP 800-78-4:

  • Algorithm and key size requirements for the optional PIV Secure Messaging key have been added.
  • RSA public keys may only have a public exponent of 65,537. (Client applications are still encouraged to be able to process RSA public keys that have any public exponent that is an odd positive integer greater than or equal to 65,537 and less than 2^256.)
  • A new Section was added to provide requirements for CAVP validation testing.
NIST requests comments on Draft Special Publications 800-73-4 and 800-78-4 by 5:00pm EDT on June 14, 2013. Please submit comments on Draft SP 800-73-4 using the SP 800-73-4 comments template form (Excel spreadsheet) to piv_comments@nist.gov with “Comments on Draft SP 800-73-4” in the subject line, and comments on Draft SP 800-78-4 using the SP 800-78-4 comment template form (Excel spreadsheet) to piv_comments@nist.gov with "Comments on Public Draft SP 800-78-4" in the subject line.


Periodic Errata Updates for SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
May 9, 2013
 
NIST will provide periodic errata updates to Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, as needed. The errata updates can be editorial or substantive in nature. The specific changes will be listed in the Errata table on page xvii of the publication. The date of the errata update will be noted on the front cover of the publication under the original publication date.
 
The first errata update of SP 800-53, Revision 4 is now available from the CSRC Special Publications page.
 
The markup versions of Appendices D, F, and G for SP 800-53, Revision 4 are now available on the Special Publications page.
 
Questions or comments can be sent to sec-cert@nist.gov.


NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
April 30, 2013
 
NIST announces the final release of Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 4, represents the most comprehensive update to the security controls catalog since its inception in 2005. The publication was developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force, an interagency partnership formed in 2009. This update was motivated principally by the expanding threat space—characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of targeting by attackers). State-of-the-practice security controls and control enhancements have been developed and integrated into the catalog addressing such areas as: mobile and cloud computing; applications security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat. In addition, Special Publication 800-53 has been expanded to include eight new families of privacy controls based on the internationally accepted Fair Information Practice Principles.
 
Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This "Build It Right" strategy is coupled with a variety of security controls for "Continuous Monitoring" to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.
 
To take advantage of the expanded set of security and privacy controls, and to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances.
 
Finally, there have been several new features added to this revision to facilitate ease of use by organizations. These include:

  • Assumptions relating to security control baseline development;
  • Expanded, updated, and streamlined tailoring guidance;
  • Additional assignment and selection statement options for security and privacy controls;
  • Descriptive names for security and privacy control enhancements;
  • Consolidated tables for security controls and control enhancements by family with baseline allocations;
  • Tables for security controls that support development, evaluation, and operational assurance; and
  • Mapping tables for international security standard ISO/IEC 15408 (Common Criteria).

The security and privacy controls in Special Publication 800-53, Revision 4, have been designed to be largely policy/technology-neutral to facilitate flexibility in implementation. The controls are well positioned to support the integration of information security and privacy into organizational processes including enterprise architecture, systems engineering, system development life cycle, and acquisition/procurement. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.

Special Publication 800-53 Revision 4 is available here. A markup version of Appendices D, F, and G containing security control and security control baseline changes from SP 800-53, Revision 3 to Revision 4 will be available no later than (NLT) May 7, 2013. Additional download instructions for the markup appendices will be provided in a subsequent notification from the FISMA Implementation Project.

An updated (April 30, 2013) FISMA Implementation Project Schedule is available at: http://csrc.nist.rip/groups/SMA/fisma/schedule.html.

Questions or comments can be sent to sec-cert@nist.gov.


Draft Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
April 22, 2013
 
NIST announces the public comment release of draft Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations. ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. This document provides Federal agencies with a definition of ABAC and considerations for using ABAC to improve information sharing within organizations and between organizations while maintaining control of that information.
 
NIST requests comments on draft SP 800-162 by May 31, 2013. Please send comments to vincent.hu@nist.gov with the subject "Comments SP 800-162".


Draft NIST Interagency Report (IR) 7924, Reference Certificate Policy now available for Public Comment
April 11, 2013
 
NIST announces the public comment release of Draft Interagency Report (IR) 7924, Reference Certificate Policy. The purpose of this document is to identify a set of security controls and practices to support the secure issuance of certificates. It was written in the form of a Certificate Policy (CP), a standard format for defining the expectations and requirements of the relying party community that will trust the certificates issued by its Certificate Authorities (CAs).
 
This new draft document, based on the Federal Public Key Infrastructure Common Policy, was developed with a particular emphasis on identifying stronger computer, lifecycle and network security controls.
 
NIST requests comments on Draft IR 7924 by Friday, June 7, 2013. Please send comments to nistir7924-comments@nist.gov, using this public comment template (MS Word).


Presidential Executive Order "Improving Critical Infrastructure Cybersecurity"
February 13, 2013
 
Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President under the Executive Order “Improving Critical Infrastructure Cybersecurity” has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.
RFI - Framework for Reducing Cyber Risks to Critical Infrastructure


Final Public Draft of NIST Special Publication 800-53 Revision 4
February 5, 2013
 
NIST announces the release of Draft Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (Final Public Draft). Special Publication 800-53, Revision 4, represents the culmination of a two-year initiative to update the guidance for the selection and specification of security controls for federal information systems and organizations. This update, the most comprehensive since the initial publication of the controls catalog in 2005, was conducted as part of the Joint Task Force Transformation Initiative in cooperation and collaboration with the Department of Defense, the Intelligence Community, and the Committee on National Security Systems. NIST received and responded to several thousand comments during the extensive public review and comment period.
 
The proposed changes included in Special Publication 800-53, Revision 4, support the federal information security strategy of “Build It Right, Then Continuously Monitor” and are directly linked to the current threat space (i.e., capabilities, intentions, and targeting of adversaries) as well as the attack data collected and analyzed over a substantial period of time. In this update, there is renewed emphasis on security controls that can be implemented to increase the reliability, trustworthiness, and resiliency of information systems, system components, and information system services—especially in those systems, components, and services supporting critical organizational missions and business operations (including, for example, critical infrastructure applications). In particular, the major changes in Revision 4 include:

  • New security controls and control enhancements addressing the advanced persistent threat (APT), supply chain, insider threat, application security, distributed systems, mobile and cloud computing, and developmental and operational assurance;
  • Clarification of security control language;
  • New tailoring guidance including the fundamental assumptions used to develop the security control baselines;
  • Significant expansion of supplemental guidance for security controls and enhancements;
  • Streamlined tailoring guidance to facilitate customization of baseline security controls;
  • New privacy controls and implementation guidance based on the internationally recognized Fair Information Practice Principles;
  • Updated security control baselines;
  • New summary tables for security controls and naming convention for control enhancements to facilitate ease-of-use;
  • New mapping tables for ISO/IEC 15408 (Common Criteria);
  • The concept of overlays, allowing organizations and communities of interest to develop specialized security plans that reflect specific missions/business functions, environments of operation, and information technologies; and
  • Designation of assurance-related controls for low-impact, moderate-impact, and high-impact information systems and additional controls for responding to high assurance requirements.

As the federal government continues to implement its unified information security framework using the core publications developed under the Joint Task Force, there is also a significant transformation underway in how federal agencies authorize their information systems. Near real-time risk management and the ability to design, develop, and implement effective continuous monitoring programs depend, first and foremost, on the organization’s ability to develop a strong information technology infrastructure—in essence, building stronger, more resilient information systems using system components with sufficient security capability to protect core missions and business functions. The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based information security programs—capable of addressing sophisticated threats.
 
To support the final public review process, NIST will publish a markup version of Appendices D, F, and G (i.e., baseline allocations and the catalog of security controls for information systems and organizations) on or about February 8th to show the changes from the initial public draft. This will help organizations plan for any future update actions they may wish to undertake after Revision 4 is finalized. There will not be any markups provided for the main chapters or other appendices. A markup showing changes from Revision 3 to Revision 4 for the aforementioned appendices will be provided upon final publication of Special Publication 800-53, anticipated for April 2013.
 
Public comment period: February 5th through March 1st, 2013.
 
Comments can be sent to: sec-cert@nist.gov.


Final Approval of NIST Interagency Report (IR) 7511 Revision 3 is now available
February 5, 2013
 
NIST announces the release of NIST Interagency Report (NISTIR) 7511 Revision 3, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements. NISTIR 7511 defines the requirements that must be met by products to achieve SCAP 1.2 Validation. Validation is awarded based on a defined set of SCAP capabilities by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. NISTIR 7511 Revision 3 has been written primarily for accredited laboratories and for vendors interested in producing SCAP validated products.


DRAFT Special Publication 800-63-2, Electronic Authentication Guideline is now available for comment
February 1, 2013
 
NIST announces the release of Draft Special Publication 800-63-2, Electronic Authentication Guideline for public review and comment. This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication will supersede NIST Special Publication 800-63-1.
 
This draft is a limited update of Special Publication 800-63-1, and substantive changes are made only in Section 5, Registration and Issuance Processes. The substantive changes in the revised draft are intended to facilitate the use of professional credentials in the identity proofing process, and to reduce the need to use postal mail to an address of record to issue credentials for Level 3 remote registration. Other changes to Section 5 are minor explanations and clarifications. New or revised text is highlighted in the review draft. Other sections of NIST Special Publication 800-63-1 have not been changed in this draft.
 
Please submit comments on the revision to eauth-comments@nist.gov with the subject line: “Draft SP 800-63-2 Comments”. The comment period closes on March 4, 2013.


Update Status on (Draft) NIST Special Publication 800-53 Revision 4
January 18, 2013
 
NIST anticipates the release of Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (Final Public Draft) on Tuesday, February 5th. The final public comment period will run from February 5th through March 1st. Final publication is expected by the end of April.
 
NIST released a paper "The Role of the National Institute of Standards and Technology in Mobile Security".
