Try the new CSRC.nist.gov and let us know what you think!
(Note: Beta site content may not be complete.)
News Archive - 2014
| 2015 | 2014 | 2013 | 2012 | 2011 |
Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials has been approved as final
December 19, 2014
NIST announces the release of Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials. SP 800-157 defines a technical specification for implementing and deploying Derived PIV Credentials to mobile devices, such as smart phones and tablets. The goal of the Derived PIV Credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems.
Comments and their dispositions received during the public comment period are available here.
DRAFT Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems
December 19, 2014
NIST requests comments on DRAFT Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems. This Profile is based on NIST Special Publication (SP) 800-130, A Framework for Designing Cryptographic Key Management Systems, and has been prepared to assist Cryptographic Key Management System (CKMS) designers and implementers in selecting the features to be provided in their “products,” and to assist Federal organizations and their contractors when procuring, installing, configuring, operating, and using a Federal Cryptographic Key Management System (FCKMS). Please send comments by February 18, 2015 to FederalCKMSProfile@nist.gov, with "Comments on SP 800-152" in the subject line. A template has been provided. Note that these comments will be posted for public review.
Note that this revision includes references to some of the security controls in SP 800-53. Comments on the accuracy of these references would be appreciated.
NIST Released Special Publication 800-88 Revision 1, Guidelines for Media Sanitization
December 18, 2014
Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, has been approved as final. Media sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort. This guide will assist organizations and system owners in making practical sanitization decisions based on the categorization of confidentiality of their information.
NIST Released DRAFT NISTIR 7621 Revision 1, Small Business Information Security: The Fundamentals
December 16, 2014
Draft NISTIR 7621 Revision 1, Small Business Information Security: The Fundamentals; is now available for public comment. NIST, as a partner with the Small Business Administration and the Federal Bureau of Investigation in an information security awareness outreach to the small business community, developed this NISTIR as a reference guideline for small businesses. This document is intended to present the fundamentals of a small business information security program in non-technical language. Comments will be accepted through February 9, 2015. Please send comments / questions to: smallbizsecurity@nist.gov .
Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, has been approved as final.
December 12, 2014
NIST announces the release of Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. This update to Special Publication 800-53A contains significant changes to the 2010 version of the publication in both content and format. The changes have been driven by four fundamental needs of federal agencies to include:
- The need for new or updated assessment procedures for the security controls defined in NIST Special Publication 800-53, Revision 4. Security and Privacy Controls for Federal Information Systems and Organizations;
- The need for a more granular breakdown of assessment objectives to support continuous monitoring and ongoing authorization programs;
- The need for a more structured format and syntax for assessment procedures that can support the use of automated tools for assessment and monitoring activities; and
- The need to support assessments of security capabilities and root cause analysis of failure modes for individual security controls or groups of controls.
- Define specific parts of security controls requiring greater scrutiny, monitoring, or assessment;
- More effectively tailor the scope and level of effort required for assessments;
- Assign assessment and monitoring frequencies on a more targeted basis; and
- Take advantage of potential new opportunities to conduct assessments of security capabilities including analysis of control dependencies.
- Clarification of terminology;
- Expansion of the number of potential assessment methods and assessment objects on a per-control basis; and
- A simpler decomposition of assessment objects to align more closely with security control statements.
The changes to the current security assessment procedures in SP 800-53A should result in significant improvements in the efficiency and cost-effectiveness of control assessments for federal agencies. Efficient and cost-effective assessments are essential in order to provide senior leaders with the necessary information to understand the security and privacy posture of their organizations and to be able to make credible, risk-based information security and privacy decisions.
This publication was developed by the Joint Task Force Transformation Initiative Working Group with representatives from the Civilian, Defense, and Intelligence Communities to produce a unified information security framework for the federal government. Please note that we have made a one-time change in the revision number of SP 800-53A (skipping revision numbers 2 and 3) so we can align the current publication revision to SP 800-53, Revision 4.
DRAFT Special Publication 800-90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators
November 21, 2014
NIST requests your comments on the latest revision of Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, which is dated November 2014. This document specifies Deterministic Random Bit Generators based on approved hash functions (as specified in FIPS 180-4), HMAC (as specified in FIPS 198-1) and block ciphers (as specified in FIPS 197 for AES, and SP 800-67 for TDEA). This revision removes the previously approved Dual_EC_DRBG that was based on the use of elliptic curves and includes a number of other changes that are listed in the final appendix of the document. Both a marked-up copy and a clean copy of the document are provided for your review. Please submit comments to rbg_comments@nist.gov with "SP 800-90A comments" in the subject line by December 31, 2014.
DRAFT Special Publication 800-171, Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations
November 18, 2014
NIST announces the release of Draft Special Publication 800-171, Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations (Initial Public Draft).
The protection of sensitive unclassified federal information while residing in non-federal information systems and environments of operation is of paramount importance to federal agencies. Compromises of this information can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) as defined by Executive Order 13556, when such information resides in non-federal information systems and organizations. The requirements apply to:
- Non-federal information systems that are beyond the scope of the systems covered by the Federal Information Security Management Act (FISMA); and
- All components of non-federal systems that process, store, or transmit CUI.
- Primarily the responsibility of the federal government (i.e., uniquely federal);
- Related primarily to availability; or
- Assumed to be routinely satisfied by non-federal organizations without any further specification.
This publication is part of a larger initiative by the National Archives and Records Administration (NARA) to fulfill their responsibilities as Executive Agent for Executive Order 13556 for CUI. NARA has a three-part plan to help standardize the naming conventions and protection requirements for sensitive information (designated CUI) both within the federal government and when such information resides in non-federal information systems and organizations. NARA’s plan includes:
- Incorporating uniform CUI policies and practices into the Code of Federal Regulations;
- Using NIST SP 800-171 to define requirements to protect the confidentiality of CUI; and
- Developing a standard Federal Acquisition Regulation (FAR) clause to levy the SP 800-171 security requirements to contractor environments.
NIST Released Draft Special Publication 800-150, Guide to Cyber Threat Information Sharing
October 28, 2014
NIST announces the public comment release of Draft Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing. The purpose of this publication is to assist organizations in establishing, participating in, and maintaining information sharing relationships throughout the incident response life cycle. The publication explores the benefits and challenges of coordination and sharing, presents the strengths and weaknesses of various information sharing architectures, clarifies the importance of trust, and introduces specific data handling considerations. The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices, examining the value of standard data formats and transport protocols to foster greater interoperability, and providing guidance on the planning, implementation, and maintenance of information sharing programs.
Please send your comments to:
sp800-150comments@nist.gov by November 28, 2014 using the following template (See 2nd link below).
Link to Document: Draft SP 800-150 (PDF)
Link to: Comment Template Form (Excel file)
DRAFT Special Publication 800-125A, Security Recommendations for Hypervisor Deployment
October 20, 2014
NIST announces the public comment release of NIST DRAFT Special Publication 800-125A, Security Recommendations for Hypervisor Deployment. Server Virtualization (enabled by Hypervisor) is finding widespread adoption in enterprise data centers both for hosting in-house applications as well as for providing computing resources for cloud services. The hypervisor provides abstraction of all physical resources (such as CPU, Memory, Network and Storage) and thus enables multiple computing stacks (each consisting of an O/S (called Guest O/S), Middleware and a set of Application programs) to be run on a single physical host (referred to virtualized host or hypervisor host).
Since the NIST publication of SP 800-125 (Guide to Security for Full Virtualization Technologies) in January 2011, both the feature set of hypervisors as well as the tools for configuration and administration of virtualized infrastructure spawned by the hypervisor has seen considerable increase. This has generated the need to develop security recommendations for secure deployment of hypervisor platforms. This special publication defines a focused set of twenty-two security recommendations (in terms of architectural choices and configuration settings), intended to ensure secure execution of tasks performed by the hypervisor components under the umbrella of five baseline functions.
The public comment period closes on Monday, November 10, 2014. Please send comments to mouli@nist.gov
These 2 documents were approved as final at end of September - made available to CSRC website on September 30 - Special Publication 800-56B Revision 1 and NISTIR 7628 Revision 1
October 2, 2014
1. Special Publication 800-56B Revision 1
NIST announces the release of Special Publication 800-56B Revision 1, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography. NIST SP 800-56B specifies key-establishment schemes based on the Rivest Shamir Adleman (RSA) algorithm. The revision is made on the August 2009 version. The main changes are listed in Appendix D.
2. NIST Interagency Report 7628 Revision 1
NIST announces the publication of NISTIR 7628 Revision 1, Guidelines for Smart Grid Cybersecurity. The three volumes of NISTIR 7628 Rev. 1 present a comprehensive framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of smart grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of smart grid stakeholders can use the methods and supporting information presented in this report as guidance for assessing cybersecurity risk and identifying and applying appropriate cybersecurity requirements. Since the original release in 2010, smart grid technologies and implementations have moved from a notional vision to deployments and stakeholders have had the opportunity to provide feedback on the report and their experience deploying systems.
NIST Released DRAFT NIST Interagency/Internal Report 8023, Risk Management for Replication Devices (RDs)
September 10, 2014
NIST announces the release of Draft NIST IR 8023, Risk Management for Replication Devices. For the purposes of this NISTIR, replication devices (RDs) include copiers, printers, three-dimensional (3D) printers, scanners, 3D scanners, and multifunction machines when used as a copier, printer, or scanner.
RDs are found throughout most organizations and are components included in many information systems. NISTIR 8023 provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on RDs. Appropriate countermeasures in the context of the System Development Life Cycle are suggested. A security risk assessment template in table and flowchart format is also provided to help organizations determine the risk associated with replication devices.
As always, we look forward to your feedback during the public comment period.
Please send comments to sec-cert@nist.gov with "Comments - Draft NISTIR 8023” in subject line. Comments will be accepted through October 17, 2014.
Special Publication 800-147B, BIOS Protection Guidelines for Servers
September 3, 2014
NIST announces the release of NIST Special Publication 800-147B, BIOS Protection Guidelines for Servers. This guide is intended to mitigate threats to the integrity of fundamental system firmware, commonly known as the Basic Input/Output System (BIOS), in server-class systems. This guide identifies security requirements and guidelines for a secure BIOS update process, using digital signatures to authenticate updates. The intended audience for this document includes BIOS and platform vendors of server-class systems, and information system security professionals who are responsible for procuring, deploying, and managing servers.
This document is the second in a series of publications on BIOS protections. The first document, SP800-147, BIOS Protection Guidelines, was released in April 2011 and provides guidelines for desktop and laptop systems deployed in enterprise environments.
DRAFT Special Publication 800-53 Revision 4, Appendix H is available for public comment
August 28, 2014
NIST announces the release of Draft Special Publication 800-53, Revision 4, Appendix H, International Information Security Standards, Security Control Mappings for ISO/IEC 27001: 2013. (NOTE: This draft Appendix H for SP 800-53 Revision 4 has been approved as final and has been incoporated into the updated SP 800-53 Revision 4 document in January 2015). This update to Appendix H was initiated due to the 2013 revision to ISO/IEC 27001, which occurred after the final publication of SP 800-53, Revision 4. In addition to considering the new content in ISO/IEC 27001 for the mapping tables, new mapping criteria were employed in conducting the mapping analysis. The new criteria are intended to produce more accurate results—that is, to successfully meet the mapping criteria, the implementation of the mapped controls should result in an equivalent information security posture. While mapping exercises may by their very nature, include a degree of subjectivity, the new criteria attempts to minimize that subjectivity to the greatest extent possible.
Please send comments to sec-cert@nist.gov with "Comments Draft SP 800-53, Appendix H” in subject line. Comments will be accepted through September 26, 2014.
Draft Special Publication 800-167 Guide to Application Whitelisting is available for public comment
August 22, 2014
NIST announces the public comment release of Draft Special Publication (SP) 800-167, Guide to Application Whitelisting. The purpose of this publication is to assist organizations in understanding the basics of application whitelisting (also known as application control) by examining the basics of application whitelisting and explaining the planning and implementation for application whitelisting technologies throughout the security deployment lifecycle. (This information and links to document/comment template can also be found on the Drafts page).
Please send your comments to 800-167comments@nist.gov by September 26, 2014 using the following template (See 2nd link below).
Link to Draft SP 800-167 document (PDF)
Link to Comment Template (Excel)
Draft NIST Interagency Report (IR) 7966 Security of Automated Access Management Using Secure Shell (SSH) is available for public comment
August 21, 2014
NIST announces the public comment release of Draft NIST Interagency Report (IR) 7966, Security of Automated Access Management Using Secure Shell (SSH). (NOTE: This draft & the 2nd draft has been approved as FINAL on October 2015). The purpose of this document is to assist organizations in understanding the basics of Secure Shell (SSH) and SSH automated access management in an enterprise, focusing on the management of SSH access tokens. It discusses the basics of access management and automated access management and it examines the basics of SSH version 2.0. It describes the primary categories of vulnerabilities in SSH user key management and recommends possible mitigations for each category of vulnerability then it lists recommended practices for management. It explains risk mitigation for SSH access tokens. and it concludes with solution planning and deployment..
Questions? Send email to NISTIR7966-comments@nist.gov . Comment period CLOSED on September 26, 2014.
Draft Special Publication 800-163 Technical Considerations for Vetting 3rd Party Mobile Applications is available for public comment
August 19, 2014
NIST announces that Draft Special Publication 800-163, Technical Considerations for Vetting 3rd Party Mobile Applications, is now available for public comment. The purpose of this document is to provide guidance for vetting 3rd party software applications (apps) for mobile devices. Mobile app vetting is intended to assess a mobile app’s operational characteristics of secure behavior and reliability (including performance) so that organizations can determine if the app is acceptable for use in their expected environment. This document provides key technical software assurance considerations for organizations as they adopt mobile app vetting processes.
NIST requests comments on Draft Special Publication 800-163 by 5:00pm EDT on September 18, 2014. Please submit comments to nist800-163@nist.gov with "Comments on Draft SP 800-163" in the subject line.
Link to Draft SP 800-163 document (PDF)
NIST Draft Special Publication SP 800-85B-4 PIV Data Model Conformance Test Guidelines
August 6, 2014
NIST produced a revised version of NIST Special Publication SP 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test new features added to the PIV Data Model in SP 800-73-4 Parts 1. This document, after a review and comment period, will be published as NIST SP 800-85B-4. Federal agencies and private organizations including test laboratories as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-4" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet).
Link to the Comment Template Form (Excel)
Link to the Draft SP 800-85B-4 document (PDF)
The comment period closes at 5:00 EST (US and Canada) on September 5, 2014. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.
DRAFT Special Publication 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
July 31, 2014
NIST announces the release of Draft Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Initial Public Draft). SP 800-53A is a Joint Task Force publication and a companion guideline to SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.
This update to SP 800-53A contains significant changes to the 2010 version of the publication in both content and format. The changes have been driven by four fundamental needs of federal agencies:
• The need for new or updated assessment procedures for the security controls and privacy controls defined in NIST SP 800-53, Revision 4;
• The need for a more granular breakdown of assessment objectives to support continuous monitoring and ongoing authorization programs;
• The need for a more structured format and syntax for assessment procedures to support the use of automated tools for assessment and monitoring activities; and
• The need to support assessments of security capabilities and privacy capabilities and root cause analysis of failure modes for individual security or privacy controls or groups of controls.
By addressing the above needs, organizations will have the flexibility to: (i) define specific parts of security controls and privacy controls requiring greater scrutiny; (ii) more effectively tailor the scope and level of effort required for assessments; (iii) assign assessment and monitoring frequencies on a more targeted basis; and (iv) take advantage of potential new opportunities to conduct assessments of security or privacy capabilities including analysis of control dependencies.
There have also been some significant improvements in the current security assessment procedures based on feedback from federal agencies reflecting lessons learned during the conduct of actual assessments as part of the Risk Management Framework (RMF) process. The improvements include, for example, clarification of terminology, expansion of the number of potential assessment methods and assessment objects on a per-control basis, and a simpler decomposition of assessment objects to align more closely with control statements.
In addition to the above, privacy terminology has been integrated into SP 800-53A in a manner that is complementary to and supportive of the privacy controls defined in SP 800-53, Appendix J. While security and privacy disciplines are distinct programmatic entities, there are also important dependencies between those entities—highlighting the need for the programs to complement one another to ensure the security and privacy goals and objectives of organizations are satisfied. As with any transformation, there will be changes in this publication and other supporting publications as the privacy integration moves forward and is completed. Privacy assessment procedures are not included in this draft. The privacy assessment procedures that will eventually populate Appendix J in this publication are currently under development by a joint interagency working group established by the Best Practices Subcommittee of the CIO Council Privacy Committee. The new assessment procedures, when completed, will be separately vetted through the traditional public review process employed by NIST and integrated into this publication at the appropriate time.
The changes to the current security assessment procedures in SP 800-53A and the future privacy assessment procedures, should result in significant improvements in the efficiency and cost-effectiveness of control assessments for federal agencies. Efficient and cost-effective assessments are essential in order to provide senior leaders with the necessary information to understand the security and privacy posture of their organizations and to be able to make credible, risk-based information security and privacy decisions.
Please note that NIST has made a one-time change in the revision number of SP 800-53A (skipping revision numbers 2 and 3) so we can align the current publication revision to SP 800-53.
Please send comments to sec-cert@nist.gov with "Comments Draft SP 800-53Arev4 in subject line. Comments will be accepted through September 26, 2014.
DRAFT NISTIR 8018, Public Safety Mobile Application Security Requirements Workshop Summary is available for public comment
July 29, 2014
On February 25, 2014, the Association of Public-Safety Communications Officials (APCO) International, in cooperation with FirstNet and the Department of Commerce held a half-day workshop titled “Public Safety Mobile Application Security Requirements” attended by public safety practitioners, mobile application developers, industry experts, and government officials. In this first-of-its-kind workshop, attendees contributed their experience and knowledge to provide input in identifying security requirements for public safety mobile applications. NISTIR 8018 describes the workshop and captures the input that was received from the workshop attendees.
Link to the Draft NISTIR 8018 document
The public comment period is from July 29, 2014 through September 13, 2014. Please send comments to: nistir8018@nist.gov
DRAFT NISTIR 8006, NIST Cloud Forensic Science Challenges
July 29, 2014
NIST extended the public review period of the recently posted Draft NIST IR 8006, NIST Cloud Forensic Science Challenges, and will accept comments on the document until AUGUST 25, 2014. Complete information regarding this draft (including draft document and template to be used for comments) can be obtained from the CSRC Drafts page.
NIST Released DRAFT NIST Interagency Report (NISTIR) 8014, Considerations for Identity Management in Public Safety Mobile Networks
July 15, 2014
In cooperation with the Public Safety Communications Research (PSCR) Program, NIST announces the release of NIST Interagency Report (NISTIR) 8014, Considerations for Identity Management in Public Safety Mobile Networks. This document analyzes approaches to identity management for public safety networks in an effort to assist individuals developing technical and policy requirements for public safety use. These considerations are scoped into the context of their applicability to public safety communications networks with a particular focus on the nationwide public safety broadband network (NPSBN) based on the Long Term Evolution (LTE) family of standards. A short background on identity management is provided alongside a review of applicable federal and industry guidance. Considerations are provided for identity proofing, selecting tokens, and the authentication process.
The public comment period is from July 15, 2014 through August 22, 2014. Please send comments to nistir8014@nist.gov using the public comment template that is provided (MS Excel).
Link to Draft NISTIR 8014 (PDF)
Link to Comment Template (MS Excel)
VCAT recommendations for the NIST Cryptographic Standards and Guidelines Development Process
July 14, 2014
NIST’s Visiting Committee for Advanced Technology (VCAT) finalized a report detailing recommendations for NIST’s cryptographic standards program. The VCAT’s recommendations are based on a review conducted by a group of invited experts, known at the Committee of Visitors (COV), which began last April.
The report is available on the VCAT website. In addition, NIST has posted the briefing documents that were provided to the VCAT and the Committee of Visitors. These include separate background documents released recently to respond to a Freedom of Information Act (FOIA) request about NIST’s cryptographic standards development process.
NIST Released NIST Interagency Report (NISTIR) 7987, Policy Machine: Features, Architecture, and Specification
July 2, 2014
NIST Interagency Report (NISTIR) 7987 describes an access control framework, referred to as the Policy Machine (PM), which fundamentally changes the way access control policy is expressed and enforced. The report gives a detailed description of the PM and the range of policies that can be specified and enacted. The report also describes the architecture of the PM and the properties of the PM model in detail.
Explanation of Changes to Draft SP 800-38G
June 27, 2014
Draft Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, released for public comment in July 2013, included three methods for format-preserving encryption (FPE). Called FF1, FF2, and FF3, these methods are modes for using the Advanced Encryption Standard (AES). All of the FPE modes were submitted to NIST by the private sector.
As part of the public review of Draft SP 800-38G and as part of its routine consultation with other agencies, NIST was advised by the National Security Agency that the FF2 mode in the draft did not provide the expected 128 bits of security strength for some use cases. NIST cryptographers confirmed this assessment in an analysis that is posted on the modes public comments page.
The FF2 mode was submitted by VeriFone Systems, Inc., for NIST¹s consideration in 2011 and was originally designed for use by the payment card industry.
Implementations of FF2 within the payment card industry are not vulnerable to this analysis in practice. Nevertheless, in order for FF2 to meet NIST¹s security requirements for other potential applications, VeriFone Systems, Inc., has indicated that it will submit a revised proposal for NIST to review. NIST intends to finalize SP 800-38G with FF1 and FF3 as it considers VeriFone's revised proposal of FF2.
DRAFT NISTIR 8006, NIST Cloud Forensic Science Challenges
June 23, 2014
NIST announces that Draft NIST IR 8006, NIST Cloud Forensic Science Challenges, has been released for public comments – can be accessed by the CSRC Drafts page. Deadline to submit comments has been EXTENDED TO AUGUST 25, 2014 (original deadline was July 21, 2014). Complete information regarding this draft can be obtained from the CSRC Drafts page.
Errata Update to Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
June 10, 2014
NIST announces the release of an errata update to Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. This update will ensure that the Risk Management Framework (RMF) process and associated implementation guidance are consistent with the new federal policy on ongoing authorization and tightly coupled to the emerging continuous monitoring activities within the federal government
Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management
June 3, 2014
NIST announces the release of Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management. This publication responds to Office of Management and Budget (OMB) Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems, that directed NIST to publish guidance establishing a process and criteria for federal agencies to conduct ongoing assessments and ongoing authorization. This is the first of three major updates to NIST guidance supporting the Risk Management Framework and the full transition to ongoing authorization by employing best practices in information security continuous monitoring. The second publication, an errata update to NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, will be released on June 10, 2014. This update will ensure that the Risk Management Framework (RMF) process is consistent with the new federal policy on ongoing authorization and tightly coupled to the emerging continuous monitoring activities within the federal government. The third publication, NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, will be released as an Initial Public Draft in July 2014. This update will ensure that the security assessment procedures are consistent with the security controls in NIST Special Publication 800-53, Revision 4. In addition, to help facilitate ease of use for our customers, the revision number of SP 800-53A is being changed to Revision 4, to be consistent with the current revision number of SP 800-53.
Second Draft Special Publication 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations
June 3, 2014
NIST announces that Draft Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, has been released for public comment - can be accessed either by the SCRM Publications page OR the CSRC Drafts page. Deadline to submit comments: July 18, 2014. Complete information regarding this draft can be obtained from the CSRC Drafts page and/or the Supply Chain Risk Management (SCRM) Publications page (links provided above).
Second Draft NISTIR 7924, Reference Certificate Policy is available for public comment
May 29, 2014
NIST announces the public comment release of second draft of NIST Interagency Report 7924, Reference Certificate Policy. The purpose of this document is to identify a set of security controls and practices to support the secure issuance of certificates. It was written in the form of a Certificate Policy (CP), a standard format for defining the expectations and requirements of the relying party community that will trust the certificates issued by its Certificate Authorities (CAs).
NIST released the first draft of this publication in April 2013 and received extensive public comments. This revised draft incorporates changes requested by commenters, many intended to improve the security controls identified in the document, provide additional flexibility for CAs, and clarify ambiguities in the previous release.
NIST requests comments on Draft IR 7924 by Friday, August 1, 2014. Please send comments to nistir7924-comments@nist.gov, using the public comment template that is provided (MS Word).
DRAFT FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
May 28, 2014
NIST published a Federal Register Notice, FRN 2014-12336, on May 28, 2014 to announce the publication of Draft FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, and Draft Revision of the Applicability Clause of FIPS 180-4, Secure Hash Standard, and request for comments. A 90-day public comment period is provided. Comments must be received by NIST on or before August 26, 2014 to be considered. Details for how to submit public comments are available in the FRN.
For details on the SHA-3 standardization effort, please refer to this page:
http://csrc.nist.rip/groups/ST/hash/sha-3/sha-3_standardization.html.
Special Publication 800-101 Revision 1, Guidelines on Mobile Device Forensics
May 28, 2014
NIST announces the release of Special Publication (SP) 800-101 Revision 1, Guidelines on Mobile Device Forensics. Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining technologies involved and their relationship to forensic procedures. This document covers mobile devices with features beyond simple voice communication and text messaging capabilities. This guide also discusses procedures for the validation, preservation, acquisition, examination, analysis, and reporting of digital information.
Update on Three FISMA Publications Ongoing Authorization Supplemental Guidance, SP 800-37, Rev 1 (Errata), SP 800-53A Rev 2 (IPD)
May 20, 2014
The FISMA Implementation Project is announcing the following schedule for three publications.
- First, a new publication, Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management, will be released within the next ten days. This 13-page publication responds to a requirement from the Office of Management and Budget (OMB) in Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems, and provides clarifying and amplifying guidance on the application of current NIST guidelines to the security authorization process to facilitate the transition to ongoing authorization.
- Second, an errata update for NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, will be released within the next fifteen days. This update will ensure that the Risk Management Framework (RMF) process is consistent with the new federal policy on ongoing authorization and tightly coupled to the emerging continuous monitoring activities within the federal government.
- Third, NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, will be released as an Initial Public Draft within forty-five days. This update will ensure that the security assessment procedures are consistent with the security controls in NIST Special Publication 800-53, Revision 4. In addition, to help facilitate ease of use for our customers, the revision number of SP 800-53A is being changed to Revision 4, to be consistent with the current revision number of SP 800-53.
NIST SP 800-53 On-Line Database Updated to Revision 4
May 20, 2014
The NIST Special Publication 800-53 Revision 4 On-line Reference Database has been posted which contains the catalog of security controls from Appendix F and G of SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations (April 2013). This on-line database version provides customers with the functionality to quickly and efficiently browse the security controls, control enhancements, and supplemental guidance (including summarizing by control class, control family and control impact baseline) and search the security control catalog using user-specified keywords.
2 Draft PIV Special Publications open for public Comment: (1) Revised Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, and (2) Revised Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, are now available
May 19, 2014
Draft #1: NIST announces that Revised Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, is now available for public comment. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-73-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see last link for this draft on Drafts page titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-73-4").
High level changes include:
- A new data object has been created from which the value of the pairing code may be read, and additional clarifying information about the use of the pairing code has been provided.
- In collaboration with the FICAM FIPS 201 Test Program (in response to comment # GSA-3), reduced some of the PIV Card options where possible, including deprecating:
- rarely used data elements Buffer Length, DUNS and Organization Identifier in the CHUID data object
- legacy data element MSCUID in all X.509 Certificate data objects and
- legacy data elements Extended Application CardURL and Security Object Buffer in the Card Capability Container
- Removed the two new optional data elements from the Discovery Object and created new data objects to store this new information.
- Modified the key-establishment protocol to add additional details and to address security issues that were raised in the public comments and in “A Cryptographic Analysis of OPACITY.”
NIST has received some comments objecting to the use of a pairing code to protect data against skimming in wireless environment and strongly recommending that this be removed. NIST is interested in receiving feedback on whether the new skimming protection measure shall be included on all PIV Cards that implement the VCI, or if it departments and agencies that issue the cards shall have the ability to disable this security control if there are specific use cases that conflict with pairing code function and alternate mitigating controls are available and identified.
(Endnote: Until now, signing and encryption functionalities have been restricted to the PIV Card’s contact interface and thus skimming has not been an issue)
NIST requests comments on Revised Draft Special Publications 800-73-4 by 5:00pm EDT on June 16, 2014. Please submit comments on Revised Draft SP 800-73-4 using the SP 800-73-4 comments template form (lnk to comment form in Excel spreadsheet is 2nd to last link below for this draft document) to piv_comments@nist.gov with “Comments on Revised Draft SP 800-73-4” in the subject line
Draft #2: NIST announces that Revised Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for public comment. The document has been modified to remove information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past. Revised Draft SP 800-78-4 also reflects changes to align with updates in Revised Draft SP 800-73-4. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-78-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see last link for this draft on Drafts page titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-78-4".
NIST requests comments on Revised Draft Special Publication 800-78-4 by 5:00pm EDT on June 16, 2014. Please submit comments on Revised Draft SP 800-78-4 using the SP 800-78-4 comment template form (see third link on drafts page for this draft for Excel spreadsheet) to piv_comments@nist.gov with "Comments on Revised Draft SP 800-78-4" in the subject line.
Draft Special Publication 800-56B Rev. 1 comment period has been extended
May 16, 2014
NIST has determined to extend the public comment period for the draft revision of Special Publication 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography to May 30, 2014. Please submit comments to 56B2014rev-comments@nist.gov with "Comments on SP 800-56B (Revision 1)" in the subject line before May 30, 2014.
Initial Public Draft Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security
May 13, 2014
NIST announces the release of Special Publication 800-82, Revision 2, Guide to Industrial Control System (ICS) Security. Special Publication 800-82 provides guidance on how to improve the security in Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing unique performance, reliability, and safety requirements. Special Publication 800-82: (i) provides an overview of ICS and typical system topologies; (ii) identifies typical threats to organizational missions and business functions supported by ICS; (iii) describes typical vulnerabilities in ICS; and (iv) provides recommended security controls (i.e., safeguards and countermeasures) to respond to the associated risks.
This document is the second revision to NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. Updates in this revision include:
- Updates to ICS threats and vulnerabilities.
- Updates to ICS risk management, recommended practices and architectures;
- Updates to current activities in ICS security.
- Updates to security capabilities and tools for ICS.
- Additional alignment with other ICS security standards and guidelines.
- New tailoring guidance for NIST SP 800-53, Revision 4 security controls including the introduction of overlays.
- An ICS overlay for NIST SP 800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High impact ICS.
Comments on this publication may be submitted to:
Electronic Mail: nist800-82rev2comments@nist.gov
Thanks again for taking the time to review the publication and for providing your comments.
Draft Special Publication (SP) 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems
May 12, 2014
NIST requests comments on the initial public draft of Special Publication (SP) 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. The new security guidelines recommend steps to help develop a more defensible and survivable information technology (IT) infrastructure—including the component products, systems, and services that compose the infrastructure. A formal announcement of the publication is planned on May 13, 2014 at the College of Science and Engineering, Technology Leadership Institute, University of Minnesota. The public comment period runs from May 13 through July 11, 2014.
Send comments to the NIST FISMA Team:
sec-cert@nist.gov with "Draft SP 800-160 Comments" in the subject line.
DRAFT Special Publication 800-57 Part 3 Revision 1
May 5, 2014
NIST would like to request comments on a Draft Revision of SP 800-57 Part 3, Recommendation for Key Management: Application-Specific Key Management Guidance.
This revision updates cryptographic requirements for the protocols and applications in the document so that the current required security strengths, as specified in SP 800-131A, can be achieved. This revision also adds security-related updates from the protocols addressed in the original version of the document, and a new section for Secure Shell (SSH).
Comments should be sent to SP80057Part3@nist.gov, with "Comments on SP 800-57, Part 3" in the subject line. Comments should be submitted by July 5th, 2014.
NIST Interagency Report 7946, CVSS Implementation Guidance
April 29, 2014
NIST announces the release of NIST Interagency Report (NISTIR) 7946, CVSS Implementation Guidance. This Interagency Report provides guidance to individuals scoring IT vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 2.0 scoring metrics. The guidance in this document is the result of applying the CVSS specification to over 50 000 vulnerabilities scored by analysts at the National Vulnerability Database (NVD). This document is intended to serve as an extension to the CVSS Version 2.0 specification, providing additional guidance for difficult and/or unique scoring situations. To assist vulnerability analysts, common keywords and phrases are identified and accompanied by suggested scores for particular types of software vulnerabilities. The report includes a collection of scored vulnerabilities from the NVD, alongside a justification for the provided score. Finally, this report contains a description of the NVD’s vulnerability scoring process.
NIST Announces the Release of Special Publication (SP) 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
April 29, 2014
NIST has released Special Publication 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. TLS provides mechanisms to protect sensitive data during electronic dissemination across networks. This Special Publication provides guidance to the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms. The revised guidelines include the required support of TLS version 1.1, recommended support of TLS version 1.2, guidance on certificate profiles and validation methods, TLS extension recommendations, and support for a greater variety of FIPS-based cipher suites.
Draft Special Publication (SP) 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems
April 23, 2014
In support of the Federal Information Security Management Act of 2002 and the 2014 Framework for Improving Critical Infrastructure Cybersecurity, NIST will issue in May 2014, the initial public draft of Special Publication (SP) 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. The new security guidelines will recommend steps to help develop a more defensible and survivable information technology (IT) infrastructure—including the component products, systems, and services that compose the infrastructure. The public comment period will run from May 13 through July 11, 2014.
Draft Special Publication 800-90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators
April 21, 2014
NIST requests comments on a revision of Draft Special Publication 800-90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. This revision removes the Dual_EC_DRBG from the document.
Please send comments on the revision of SP 800-90A and the transition schedule to RBG_comments@nist.gov by May 23, 2014, with “Comments on SP 800-90A” in the subject line.
The public comment period closes on May 23,2014.
(Third) Draft Special Publication 800-16 Revision 1, A Role-Based Model for Federal Information Technology / Cyber Security Training
March 14, 2014
NIST announces the release of Draft Special Publication (SP) 800- 16 Revision 1 (3rd public draft), A Role-Based Model For Federal Information Technology/Cyber Security Training for public comment. SP 800-16 describes information technology / cyber security role-based training for Federal Departments and Agencies and Organizations (Federal Organizations). Its primary focus is to provide a comprehensive, yet flexible, training methodology for the development of training courses or modules for personnel who have been identified as having significant information technology / cyber security responsibilities.
Please submit comments to sp80016-comments@nist.gov with “Comments on SP 800-16 Rev 1 (3rd draft)” in the subject line.
The public comment period closes on April 30,2014.
DRAFT Special Publication 800-56B Revision 1, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography
March 13, 2014
NIST announces the release of the draft revision of Special Publication 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography. SP 800-56B specifies key-establishment schemes based on the Rivest Shamir Adleman (RSA) algorithm. The revision is made on the August 2009 version. The main changes are listed in Appendix D.
Please submit comments to 56B2014rev-comments@nist.gov with "Comments on SP 800-56B (Revision)" in the subject line.
UPDATED May 15, 2014 -- The comment period for this Draft SP 800-56B Rev. 1 has been EXTENDED TO MAY 30, 2014.
Draft Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials and Draft NIST Interagency Report 7981, Mobile, PIV, and Authentication, are now available
March 7, 2014
#1 -- NIST announces release of Draft Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, for public comment. Draft SP 800-157 defines a technical specification for implementing and deploying derived PIV credentials on mobile devices, such as smart phones and tablets. The goal of the derived PIV credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems.
Please submit comments to piv_comments@nist.gov with “Comments on Draft SP 800-157” in the subject line
NIST requests comments to Draft Special Publication 800-157 by 5:00pm EDT on April 21, 2014.
#2 NIST announces release of Draft NIST IR 7981, Mobile, PIV, and Authentication for public comment. NIST IR 7981 analysis and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.
Please submit comments on Draft NIST IR 7981 using the NIST IR 7981 comment template form (Excel spreadsheet) to piv_comments@nist.gov with "Comments on Draft NIST IR 7981" in the subject line.
NIST requests comments on Draft NIST IR 7981 by 5:00pm EDT on April 21, 2014.
NISTIR 7849, A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification
March 6, 2014
NIST announces the release of NIST Interagency Report (IR) 7849, A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. Smart cards (smart identity tokens) are now extensively deployed for identity verification, and are used in controlling access to both IT and physical resources. This publication presents a methodology for assigning authentication strengths based on the strength of pair wise bindings between the five entities involved in smart card based authentications – the card (token), the token secret, the card holder, the card issuer, and the person identifier stored in the card. NISTIR 7849 also illustrates how to use the methodology for developing an authentication assurance level taxonomy for two real-world smart identity token deployments.
Draft NIST Interagency Report 7977, NIST Cryptographic Standards and Guidelines Development Process
February 18, 2014
NIST requests comments on Draft NIST Interagency Report 7977, NIST Cryptographic Standards and Guidelines Development Process. This document describes the principles, processes and procedures behind our cryptographic standards development efforts. Please send comments to crypto-review@nist.gov by April 18, 2014......
Special Publication (SP) 800-168, Approximate Matching: Definition and Terminology
January 27, 2014
NIST requests comments on the Draft of Special Publication (SP) 800-168, Approximate Matching: Definition and Terminology. SP 800-168 contains a definition for approximate matching including requirements and considerations for testing. Approximate matching is an emerging technology for identify similarities between two digital artifact. It is used to find objects that resemble each other to support security monitoring, digital forensics and other applications.
Announcement on behalf of the Joint Task Force Transformation Initiative:
NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and OrganizationsJanuary 23, 2014
Updated Errata Table and XML File
- Errata Table, as of 1/15/14 on pages xvii-xxi
NIST will provide periodic errata updates to Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, as needed. The second errata update of SP 800-53, Revision 4 will be released Thursday, January 23rd. See http://csrc.nist.rip/publications/PubsSPs.html#800-53. The date of the errata update will be noted on the inside cover of the publication under the original publication date (April 2013 INCLUDES UPDATES AS OF 01-15-2014: PAGE XVII). - XML File
The XML file for SP 800-53R4 has also been updated. See XML of SP 800-53R4 at https://nvd.nist.gov/static/feeds/xml/sp80053/rev4/800-53-controls.xml. - Future Errata Update on Appendix H
NIST plans to release an errata update for Appendix H in February. This release will provide updates to the ISO/IEC 27001 mapping tables based on the 2013 update of the international standard. - POC
If you have any questions, please contact sec-cert@nist.gov.
Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
January 21, 2014
NIST announces the final release of Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations. ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. This document provides Federal agencies with a definition of ABAC and considerations for using ABAC to improve information sharing within organizations and between organizations while maintaining control of that information.
DRAFT Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems
January 7, 2014
NIST requests comments on Draft Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems. SP 800-152 contains requirements for the design, implementation, procurement, installation, configuration, management, operation, and use of a CKMS by U. S. Federal organizations. The Profile is based on SP 800-130, A Framework for Designing Cryptographic Key Management Systems (CKMS). Please send comments to FederalCKMSProfile@nist.gov by March 5, 2014, with “Comments on SP 800-152” on the subject line.