
News Archive - 2015




NIST Announced Release of Draft Special Publication (SP) 800-156, Representation of PIV Chain-of-Trust for Import and Export
December 29, 2015
 
NIST announces that Draft Special Publication (SP) 800-156, Representation of PIV Chain-of-Trust for Import and Export, is now available for public comment. This document provides the data representation of a chain-of-trust record for the exchange of records between issuers. The exchanged record can be used by an agency to personalize a PIV Card for a transferred employee, or by a service provider to personalize a PIV Card on behalf of client federal agencies. The data representation is based on a common XML schema to facilitate interoperable information sharing and data exchange. The document also provides support for data integrity through digital signatures and for confidentiality through encryption of chain-of-trust data in transit and at rest.
 
NIST requests comments on Draft Special Publication 800-156 by 5:00pm EST on January 28, 2016. The comment period for this draft is now CLOSED. Send questions by email to: piv_comments@nist.gov.


NIST Announced Release of DRAFT Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
December 28, 2015
 
NIST is pleased to announce the public comment release of Draft Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). This document provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in federal facilities. The document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal Government facilities and assets. The document has been updated to Revision 1 to align with FIPS 201-2. High-level changes include:

  • Addition of the OCC-AUTH authentication mechanisms introduced in FIPS 201-2.
  • In light of the deprecation of the CHUID authentication mechanism in FIPS 201-2 and its expected removal in the next revision of FIPS 201:
    • Removal of the CHUID +VIS authentication mechanism from the list of recommended authentication mechanisms
    • Addition of a new section (5.3.1) titled “Migrating Away from the Legacy CHUID Authentication Mechanism” to aid in the transition away from the CHUID + VIS authentication mechanism
    • In coordination with OMB, added text indicating that the use of the CHUID authentication mechanism past September 2019 requires the official that signs an Authorization to Operate (ATO) to indicate acceptance of the risks
    • Addition of a new appendix titled “Improving Authentication Transaction Times” to aid in transitioning away from the weak CHUID authentication mechanism to the stronger but computationally more expensive cryptographic one-factor authentication mechanism (PKI-CAK)
  • Addition of a new section (5.4) titled “PIV Identifiers” and a summary table with pros and cons to describe the identifiers available on the PIV Card that can map to a PACS’s access control list.
  • In coordination with the Interagency Security Committee (ISC), replaced the Department of Justice’s “Vulnerability Assessment Report of Federal Facilities” document with the ISC’s document titled “Risk Management Process for Federal Facilities” to aid in deriving the security requirements for facilities.
For your convenience, we have provided a comment template (Excel file). Comments should be submitted to piv_comments@nist.gov with "Comments on Draft SP 800-116 Revision 1" in the subject line. The comment period has been extended and now closes at 5:00 EST (US and Canada) on March 1, 2016.


NIST Released 2 Draft NISTIRs: (1) NISTIR 8060 and (2) NISTIR 8085 - see below for further details
December 17, 2015
 
(1) DRAFT NISTIR 8060
NIST is pleased to announce the fourth and final public comment release of NIST Interagency Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags.
 
This report provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As defined by the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management (SAM) and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable. The application of this guidance supports reliable, standardized software inventory and discovery methods that help organizations achieve cybersecurity and SAM objectives. Application of SWID tags also supports automation for accurate and timely SAM reporting.
 
This document represents a final discussion draft of this report. The authors have conducted a number of iterations of this report to further develop the concepts and guidelines contained herein based on public feedback. This is the final iteration of public review before finalizing this initial revision of the report. For this final draft, reviewers should focus their reviews on the overall report. Detailed review of all the guidelines in Sections 5 and 6 is also requested to ensure that the guidelines appropriately balance the needs of tag providers and consumers.
 
Email comments to: nistir8060-comments@nist.gov.
The public comment period closes on January 8, 2016.
 
(2) DRAFT NISTIR 8085
NIST is pleased to announce the first public comment release of NIST Interagency Report (NISTIR) 8085, Forming Common Platform Enumeration (CPE) Names from Software Identification (SWID) Tags.
 
This report provides guidance to associate SWID Tags with the CPE specification. The publication is intended as a supplement to NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. NISTIR 8060 shows how SWID tags, as defined by the ISO/IEC 19770-2 standard, support comprehensive software asset management and cybersecurity procedures throughout a software product's deployment lifecycle.
 
The Common Platform Enumeration (CPE) is a standardized method of naming classes of applications, operating systems, and hardware devices that may be present on computing devices. CPE is one of 11 specifications that are part of the Security Content Automation Protocol (SCAP) Version 1.2. Because CPE names are used extensively in SCAP and related vulnerability management community use cases (including the National Vulnerability Database, or NVD), CPE names derived from SWID tags are useful for associating SWID tag data with vulnerability reports that reference software products that may be vulnerable. NISTIR 8085 supplies a consistent, automatic procedure for forming CPE names using pertinent SWID tag attribute values.
 
Please send comments to nistir8060-comments@nist.gov with “Comments NISTIR 8085” in the subject line. Note: the email address used for providing public comments is the same as the one used for NISTIR 8060. Comments will be accepted through January 8, 2016.


NIST Interagency Report (NISTIR) 8053, De-Identification of Personal Information has been approved as final
December 16, 2015
 
(Note: this document was approved in late October, the date shown on the cover of the document; this is the first time this NISTIR has been announced on the CSRC website.) NIST announces the final release of NIST Interagency Report (NISTIR) 8053, De-Identification of Personal Information. De-identification removes identifying information from a dataset so that individual data cannot be linked with specific individuals. De-identification can reduce the privacy risk associated with collecting, processing, archiving, distributing or publishing information. This document summarizes roughly two decades of de-identification research, discusses current practices, and presents opportunities for future research.

NIST Interagency Report (NISTIR) 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation, has been approved as final
December 11, 2015
 
NIST announces the final release of NIST Interagency Report (NISTIR) 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation. This report describes a proof of concept implementation that was designed by NIST to address challenges with Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. The publication provides sufficient details about the proof of concept implementation so that organizations can reproduce it if desired. NISTIR 7904 is intended to be a blueprint or template that can be used by the general security community to validate and implement the described proof of concept implementation.


Special Publication 800-70 Revision 3, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers, has been approved as final.
December 11, 2015
 
Special Publication 800-70 Revision 3, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers, has been released as final. It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 3 updates the previous version of the document, which was released in 2011, by streamlining the text and removing outdated content, as well as updating the requirements for United States Government Configuration Baselines (USGCB).


New Request for Information on the Cybersecurity Framework.
December 11, 2015

NIST releases a third Cybersecurity Framework Request for Information (RFI), Views on the Framework for Improving Critical Infrastructure Cybersecurity, requesting information* about:

  • the variety of ways in which the Framework is being used to improve cybersecurity risk management,
  • how best practices for using the Framework are being shared,
  • the relative value of different parts of the Framework,
  • the possible need for an update of the Framework, and
  • options for the long-term governance of the Framework.
See the RFI for a detailed set of questions.

Responses will be posted at the Cybersecurity Framework RFI page, and will inform NIST’s planning and decision-making about how to further advance the Framework so that the Nation’s critical infrastructure is made more secure by enhancing its cybersecurity and risk management. This information will also assist in developing the agenda of a Framework workshop being planned for April 6-7, 2016 at NIST in Gaithersburg, Maryland. More specifics will be available at a later date.

Comments are due by February 9, 2016, and may be sent to cyberframework@nist.gov with the Subject “Views on the Framework for Improving Critical Infrastructure Cybersecurity.” See the RFI for more comment submission details.

Also see the full Federal Register Notice and the Cybersecurity Framework homepage.

* This information is needed to carry out NIST's responsibilities under the Cybersecurity Enhancement Act of 2014 and Executive Order 13636.


Request for Nominations for Members To Serve on National Institute of Standards and Technology Federal Advisory Committees
December 8, 2015

NIST is accepting nominations of individuals to serve on eight Federal Advisory Committees, including the Information Security and Privacy Advisory Board (ISPAB). Nominations will be accepted on an ongoing basis and will be considered as and when vacancies arise.

For further details, see the full Federal Register Notice and the ISPAB homepage.


NIST released Draft SP 800-178, A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services. Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)
December 2, 2015

NIST announces the public comment release of NIST Special Publication 800-178, A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services. Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) are very different attribute based access control standards with similar goals and objectives. The aim of both is to provide a standardized way for expressing and enforcing vastly diverse access control policies on various types of data services. However, the two standards differ with respect to the manner in which access control policies are specified, managed, and enforced. This document describes XACML and NGAC, and then compares them with respect to five criteria. The goal of this publication is to help ABAC users and vendors make informed decisions when addressing future data service policy enforcement requirements.

The specific areas where comments are solicited are:

  • Accuracy in the description of the XACML and NGAC frameworks.
  • Analysis

Deadline to submit comments is: January 15, 2016.
Email comments or questions to: sp800-178@nist.gov using the Comment Template included along with this announcement.

The "Type" codes for comment are:
  • E - Editorial
  • G - General
  • T - Technical


NIST Released Draft NISTIR 8080, Usability and Security Considerations for Public Safety Mobile Authentication
November 20, 2015
 
In cooperation with the Public Safety Communications Research (PSCR) Program, NIST announces the release of NIST Interagency Report (NISTIR) 8080, Usability and Security Considerations for Public Safety Mobile Authentication. There is a need for cybersecurity capabilities and features to protect the Nationwide Public Safety Broadband Network (NPSBN); however, these capabilities should not compromise the ability of first responders to complete their missions. This report describes the constraints presented by personal protective equipment, specialized gear, and unique operating environments, and how such constraints may interact with public safety work. The overarching goal of this work is to analyze mobile authentication technologies to explore which may be more appropriate and usable for first responders.
 
Deadline to submit comments is: December 28, 2015.
Email comments or questions to: nistir8080@nist.gov


NIST announces the final release of Special Publication (SP) 800-167, Guide to Application Whitelisting
November 6, 2015

NIST announces the final release of Special Publication (SP) 800-167, Guide to Application Whitelisting. The purpose of this publication is to assist organizations in understanding the basics of application whitelisting (also known as application control) and to explain the planning and implementation of application whitelisting technologies throughout the security deployment lifecycle.

Read the NIST press release for additional information.


NIST announces the completion of Special Publication (SP) 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
November 6, 2015

SP 800-131A Rev. 1 provides guidance for transitions to the use of stronger cryptographic keys and more robust algorithms by Federal government agencies when protecting sensitive but unclassified information.


NIST Announces the Release of Draft SP 1800-4, Mobile Device Security: Cloud & Hybrid Builds
November 5, 2015
 
For the full announcement, links to the draft document, the comment template, the email address for submitting comments, and more information about Draft SP 1800-4, Mobile Device Security: Cloud & Hybrid Builds, please visit the National Cybersecurity Center of Excellence (NCCoE) (a NIST program) or the CSRC Drafts page. Deadline to submit comments is: January 8, 2016.


NIST Announces the Release of NIST Cybersecurity Practice Guide, Draft Special Publication 1800-5: "IT Asset Management"
November 2, 2015
 
NIST is excited to announce the release of the latest NIST Cybersecurity Practice Guide, "IT Asset Management" for the Financial Services sector. The document is a draft, and comments are being accepted.

What's the guide about?

Financial institutions deploy a wide array of information technology devices, systems, and applications across a wide geographic area. While these physical assets can be labeled and tracked using bar codes and databases, understanding and controlling the cybersecurity resilience of those systems and applications is a much larger challenge. Not being able to track the location and configuration of networked devices and software can leave an organization vulnerable to security threats. Additionally, many financial organizations include subsidiaries, branches, third-party partners, and contractors as well as temporary workers and guests; tracking and managing hardware and software across these groups adds another layer of complexity.

To address this cybersecurity challenge, NCCoE security engineers developed an example solution that allows an organization to centrally monitor and gain deeper insight into their entire IT asset portfolio with an automated platform. Using open source and commercially available technologies, this example solution addresses questions such as "What operating systems are our laptops running?" and "Which devices are vulnerable to the latest threat?"

The example solution gives companies the ability to track, manage, and report on information assets throughout their entire life cycle. This can ultimately increase cybersecurity resilience by enhancing the visibility of assets, identifying vulnerable assets, enabling faster response to security alerts, revealing which applications are actually being used, and reducing help desk response times.

The guide is available for download in PDF or for Web viewing in HTML5 from the NIST National Cybersecurity Center of Excellence (NCCoE).

NIST & NCCoE look forward to receiving your comments on the draft guide—the approach, the architecture, and possible alternatives.

The comment period is open through January 8, 2016.

Comments will be made public after review and can be submitted anonymously. Submit comments online or via email to financial_nccoe@nist.gov.

Read the NIST press release for additional information.


NIST Announces the Release of Special Publication 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems
October 30, 2015
 
NIST announces the publication of Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems. This document contains requirements for the design, implementation, procurement, installation, configuration, management, operation, and use of a Key Management System by U.S. Federal organizations. The Profile is based on NIST Special Publication (SP) 800-130, A Framework for Designing Cryptographic Key Management Systems (CKMS). Final comments received on the final draft of SP 800-152.


NIST Announces the Release of NISTIR 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH)
October 30, 2015
 
NIST announces the final release of NIST Internal Report (NISTIR) 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH). The purpose of this document is to assist organizations in understanding the basics of Secure Shell (SSH) and SSH access management in an enterprise, focusing on the management of SSH user keys. It describes the primary categories of vulnerabilities in SSH user key management and recommends practices for planning and implementing SSH access management.


NIST Announces the Release of NISTIR 7987 Revision 1, Policy Machine: Features, Architecture, and Specification
October 30, 2015
 
NIST announces the release of NIST Interagency Report (NISTIR) 7987 Revision 1, Policy Machine: Features, Architecture, and Specification. The ability to control access to sensitive data in accordance with policy is perhaps the most fundamental security requirement. Despite over four decades of security research, the limited ability of existing access control mechanisms to enforce a comprehensive range of policies persists. While researchers, practitioners and policy makers have specified a large variety of access control policies to address real-world security issues, only a relatively small subset of these policies can be enforced through off-the-shelf technology, and an even smaller subset can be enforced by any one mechanism. This report describes an access control framework, referred to as the Policy Machine (PM), which fundamentally changes the way policy is expressed and enforced. The report gives an overview of the PM and the range of policies that can be specified and enacted. The report also describes the architecture of the PM and the properties of the PM model in detail.


NIST Requests Comments on FIPS 186-4, Digital Signature Standard
October 20, 2015
 
NIST requests comments on Federal Information Processing Standard (FIPS) 186-4, Digital Signature Standard, which has been in effect since July 2013. FIPS 186-4 specifies three techniques (RSA, DSA, and ECDSA) for the generation and verification of digital signatures, along with a set of elliptic curves recommended for government use.

NIST primarily seeks comments on the recommended elliptic curves specified in Appendix D of the FIPS, but comments on other areas of the FIPS will also be considered. FIPS 186-4 is available at http://csrc.nist.rip/external/nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.

The Federal Register Notice provides additional background information, including questions that NIST is especially interested in having addressed.

Comments due: December 4, 2015

Send comments to: FIPS186-comments@nist.gov with “Comment on FIPS 186” in the Subject line. See the FRN for additional details on submitting comments.


NIST has officially withdrawn 6 Federal Information Processing Standards (FIPS)
October 19, 2015
 
Today in the Federal Register, NIST announced the withdrawal of six Federal Information Processing Standards (FIPS):

  • FIPS 181, Automated Password Generator (APG);
  • FIPS 185, Escrowed Encryption Standard;
  • FIPS 188, Standard Security Label for Information Transfer;
  • FIPS 190, Guideline for the Use of Advanced Authentication Technology Alternatives;
  • FIPS 191, Guideline for The Analysis of Local Area Network Security; and
  • FIPS 196, Entity Authentication Using Public Key Cryptography.
These FIPS are obsolete and are being withdrawn because they have not been updated to reference current or revised voluntary industry standards, federal specifications, or federal data standards. Federal agencies are responsible for using current voluntary industry standards and current federal specifications and data standards in their acquisition and management activities.
 
For more details, see the complete Federal Register announcement. Archived copies of the withdrawn FIPS are available on CSRC’s Archived FIPS page.


NIST Cybersecurity Practice Guide, Draft Special Publication 1800-3: "Attribute Based Access Control"
October 1, 2015

NIST requests public comments on Draft NIST Cybersecurity Practice Guide 1800-3, Attribute Based Access Control.

Most businesses today use Role Based Access Control (RBAC) to assign access to networks and systems based on job title or defined role. But if an employee changes roles or leaves the company, an administrator must manually change access rights accordingly—perhaps within several systems. As organizations expand and contract, partner with external vendors or systems, and modernize systems, this method of managing user access becomes increasingly difficult and inefficient.

To help address this growing cybersecurity challenge and support the next generation of identity management, security engineers at the National Cybersecurity Center of Excellence developed a reference design for an Attribute Based Access Control (ABAC) system. ABAC is an advanced method for managing access rights for people and systems connecting to networks and assets, offering greater efficiency, flexibility, scalability, and security. In fact, Gartner recently predicted that “by 2020, 70% of enterprises will use attribute-based access control as the dominant mechanism to protect critical assets, up from less than 5% today.”
 
This newly available practice guide provides IT and security engineers with critical information they can use to recreate the example solution with the same or similar technologies. Our solution is guided by NIST standards and industry best practices.
 
Read the NIST press release.
 
Comments due: December 4, 2015.
See directions for submitting comments.

Draft SP 1800-3a: Executive Summary
Draft SP 1800-3b: Approach, Architecture, and Security Characteristics
Draft SP 1800-3c: How-To Guides (27 MB)
All files (parts a-c) (83 MB)
SP 1800-3 homepage (Attribute Based Access Control)

DRAFT SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection
September 29, 2015

NIST announces the public comment release of NIST Special Publication 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection. VMs constitute the primary resource to be protected in a virtualized infrastructure, since they are the compute engines on which the business/mission critical applications of the enterprise run. Further, since VMs are end-nodes of a virtual network, the configuration of the virtual network forms an important element in the security of VMs and their hosted applications. The virtual network configuration areas considered for VM protection in this document are: Network Segmentation, Network Path Redundancy, Firewall Deployment Architecture, and VM Traffic Monitoring. The configuration options in each of these areas are analyzed for their advantages and disadvantages, and security recommendations are provided.

The specific areas where comments are solicited are:

  • Advantages and Disadvantages of the various configuration options in the four virtual network configuration areas.
  • The Security Recommendations

The public comment period closes on Friday, October 23, 2015. Please send comments to sp800-125b@nist.gov using the Comment Template included along with this announcement. The “Type” codes for comment are:

  • E - Editorial
  • G - General
  • T - Technical

Draft SP 800-125B
Comment Template Form


DRAFT SP 800-177, Trustworthy Email
September 28, 2015

NIST requests comments on Special Publication (SP) 800-177, Trustworthy Email. This draft is a complementary guide to NIST SP 800-45, Guidelines on Electronic Mail Security, and covers protocol security technologies to secure email transactions. This draft guide includes recommendations for the deployment of domain-based authentication protocols for email as well as end-to-end cryptographic protection for email contents. Technologies recommended in support of the core Simple Mail Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for authenticating a sending domain (Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC)). Email content security is facilitated through encryption and authentication of message content using S/MIME and/or Transport Layer Security (TLS) with SMTP. This guide is written for enterprise email administrators, information security specialists and network managers.
 
Deadline to submit comments is November 30, 2015.
Send comments to: SP800-177@nist.gov.

Draft SP 800-177
Comment Template Form


DRAFT NISTIR 7511 Revision 4, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements is available for public comment
September 18, 2015
 
NIST requests comments on a revision of NIST Interagency Report (IR) 7511 Revision 4, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements. This document defines the test requirements that products must satisfy in order to be awarded SCAP 1.2 validation. A list of changes is provided in the Summary of Changes section of the document. Please send comments to ir7511comments@nist.gov by October 15, 2015 with "Comments on IR 7511 Rev 4" in the subject line.


Draft Special Publication 800-57 Part 1 Revision 4, Recommendation for Key Management: Part 1: General is available for public comment
September 10, 2015
 
NIST requests comments on a revision of Special Publication (SP) 800-57, Part 1, Recommendation for Key Management, Part 1 (Rev. 4). This Recommendation provides general guidance and best practices for the management of cryptographic keying material. A list of changes is provided in Appendix D of the document. Please send comments to keymanagement@nist.gov by October 31, 2015, with "Comments on SP 800-57, Part 1" in the subject line.
 
Link to Draft SP 800-57 Part 1 Rev. 4 (PDF)
Link to the Comment Template Form (Word)
Link to the Mark-up Copy of this Draft (from Rev. 3 to Rev. 4) (PDF)


(THIRD Draft) NISTIR 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags
August 31, 2015
 
NIST is pleased to announce the third public comment release of NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags.
 
This report provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As defined by the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management (SAM) and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable. The application of this guidance supports reliable, standardized software inventory and discovery methods that help organizations achieve cybersecurity and SAM objectives. Application of SWID tags also supports automation for accurate and timely SAM reporting.
 
This document represents a third discussion draft of this report. The authors are conducting a number of iterations of this report to further develop the concepts and guidelines contained herein based on public feedback. A typical cycle of revision will consist of a two-week public comment period followed by a two to three week revision period resulting in an updated discussion draft. The authors plan to conduct a total of four to six iterations of this cycle before finalizing this report. While this is a slight departure from the normal development cycle for a NISTIR, the authors believe that this collaborative approach will result in a better set of usable guidance for SWID tag creators.
 
For this draft iteration, review should cover the overall report, noting three areas of particular interest:
 
  • The clarity and feasibility of the guidelines in Sections 3 and 4
  • Section 5, which has been reorganized and largely rewritten
  • Appendix A, which has been completely rewritten
 
Specific attention should be given to any inline questions in the report. These questions represent areas where feedback is needed to complete this report.
 
Please send comments to nistir8060-comments@nist.gov with “Comments Third Draft NISTIR 8060” in the subject line. Comments will be accepted through September 24, 2015.


NIST is proud to announce the release of DRAFT Special Publication 1800-2, Identity and Access Management for Electric Utilities
August 26, 2015
 
NIST's National Cybersecurity Center of Excellence (NCCoE) has released a draft of the latest NIST Cybersecurity Practice Guide, Draft Special Publication (SP) 1800-2, Identity and Access Management for Electric Utilities.
 
NIST's Public Affairs Office released a press release regarding this draft SP.
 
The electric power industry is upgrading older, outdated infrastructure to take advantage of emerging technologies, but this also means greater numbers of technologies, devices, and systems connecting to the grid that need protection from physical and cybersecurity attacks. Additionally, many utilities run identity and access management (IdAM) systems that are decentralized and controlled by numerous departments. Several negative outcomes can result from this: an increased risk of attack and service disruption, an inability to identify potential sources of a problem or attack, and a lack of overall traceability and accountability regarding who has access to both critical and noncritical assets.
 
To help the energy sector address this cybersecurity challenge, security engineers at the NCCoE developed an example solution that utilities can use to more securely and efficiently manage access to the networked devices and facilities upon which power generation, transmission, and distribution depend. The solution demonstrates a centralized IdAM platform that can provide a comprehensive view of all users within the enterprise across all silos, and the access rights users have been granted, using multiple commercially available products.
 
Electric utilities can use some or all of the guide to implement a centralized IdAM system using NIST and industry standards, including North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP). Commercial, standards-based products, like the ones we used, are easily available and interoperable with commonly used information technology infrastructure and investments.

Links to the Draft SP 1800-2 and the comment template can be accessed by going to either:
(1) the NCCoE's Identity and Access Management (IdAM) webpage for SP 1800-2, or
(2) the CSRC Drafts Publications page.
 
Deadline to submit comments: October 23, 2015.
Email comments to: energy_nccoe@nist.gov.


NIST Requests Comments on the Security Content Automation Protocol (SCAP)
August 21, 2015
 
NIST requests comments on the design and development of Security Content Automation Protocol (SCAP) version 1.3. Please send suggestions for SCAP 1.3 by September 28, 2015. For more information, visit the CSRC SCAP web page.


NIST Released Special Publication 800-176, 2014 Computer Security Division Annual Report
August 21, 2015
 
NIST announces the release of NIST Special Publication 800-176, 2014 Computer Security Division Annual Report. This annual report highlights the work (projects, programs, and publications released) that the NIST Computer Security Division completed during FY 2014 (October 1, 2013 to September 30, 2014).


NIST requests comments on using ISO/IEC 19790:2012 as the U.S. Federal Standard for cryptographic modules
August 12, 2015
 
NIST is seeking public comments on using International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standards for cryptographic algorithm and cryptographic module testing, conformance, and validation activities, currently specified by Federal Information Processing Standard (FIPS) 140-2. The National Technology Transfer and Advancement Act (NTTAA), Public Law 104-113, directs federal agencies to adopt voluntary consensus standards wherever possible. The responses to this request for information (RFI) will be used to plan possible changes to the FIPS or in a decision to use all or part of ISO/IEC 19790:2012, Security Requirements for Cryptographic Modules, for testing, conformance and validation of cryptographic algorithms and modules.
 
The **RFI posted in today’s Federal Register provides additional background information, including seven questions that NIST is especially interested in having addressed, as well as NIST’s intentions.
 
Send public comments to: UseOfISO@nist.gov (also see the address for sending written comments)
Comment period closes: September 28, 2015.
 
**[Note: in the RFI, the link to the ISO site is incorrect; it should link to
http://www.iso.org/iso/catalogue_detail.htm?csnumber=52906 instead.]


NIST Announces the Release of Draft NIST Interagency Report (NISTIR) 8074, Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity
August 10, 2015
 
NIST seeks public comments on Draft NIST Interagency Report (NISTIR) 8074, which comprises two volumes, "Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity" (Vol. 1) and "Supplemental Information" (Vol. 2).
 
More details about this draft (download/view the two volumes, the email address for sending comments, and comment template forms) can be found on the CSRC Draft Publications page. The public comment period closes September 24, 2015.


FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions and Revision to the Applicability Clause of FIPS 180-4, Secure Hash Standard
August 5, 2015
 
NIST published a Federal Register Notice, on August 5, 2015 to announce the publication of Federal Information Processing Standard (FIPS) 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, and a Revision of the Applicability Clause of Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard. FIPS 202 specifies the SHA-3 family of hash functions, as well as mechanisms for other cryptographic functions to be specified in the future. The revision to the Applicability Clause of FIPS 180-4 approves the use of hash functions specified in either FIPS 180-4 or FIPS 202 when a secure hash function is required for the protection of sensitive, unclassified information in Federal applications, including as a component within other cryptographic algorithms and protocols.
 
More details are available at this page: SHA-3 standardization effort.


Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI) has been approved as final
July 30, 2015
 
NIST is pleased to announce the release of Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). The document provides guidelines for assessing the reliability of issuers of PIV Cards and issuers of the newly introduced Derived PIV Credential for mobile devices. The document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:

  • Inclusion of issuer controls for Derived PIV Credentials Issuers (DPCI),
  • Addition of issuer controls for issuing PIV Cards under the grace period and for issuing PIV Cards to individuals under pseudonymous identity,
  • Addition of issuer controls for the PIV Card’s visual topography,
  • Updated issuer controls to detail controls for post-issuance updates of PIV Cards,
  • Updated references to the more recent credentialing guidance issued by OPM,
  • Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and
  • Modified process to include an independent review prior to authorization of issuer.


Now available: NIST Draft Cybersecurity Practice Guide, Special Publication 1800-1: Securing Electronic Health Records on Mobile Devices
July 29, 2015
 
The use of mobile devices in health care sometimes outpaces the privacy and security protections on those devices. Stolen personal information can have negative financial impacts, but stolen medical information cuts to the very core of personal privacy. Medical identity theft already costs billions of dollars each year, and altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment, or incorrect prescriptions.
 
Cybersecurity experts at the National Cybersecurity Center of Excellence (NCCoE) collaborated with health care industry leaders and technology vendors to develop an example solution to show health care organizations how they can secure electronic health records on mobile devices. The guide provides IT implementers and security engineers with a detailed architecture so that they can recreate the security characteristics of the example solution with the same or similar technologies. Our solution is guided by relevant standards and best practices from NIST and others, including those in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
 
Please go to the CSRC Drafts page to view/download the Draft Special Publication 1800-1 document. There are 5 separate parts to this document (Part A, B, C, D, and E).
 
Please submit comments by September 25, 2015. Comments will be made public after review and can be submitted anonymously. Submit comments online --OR-- via email to HIT_NCCoE@nist.gov.


Second Draft NISTIR 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags
July 22, 2015
 
NIST is pleased to announce the second public comment release of NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags.
 
This report provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As defined by the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management (SAM) and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable. The application of this guidance supports reliable, standardized software inventory and discovery methods that help organizations achieve cybersecurity and SAM objectives. Application of SWID tags also supports automation for accurate and timely SAM reporting.
 
For this draft iteration, review should be focused on the overall document, especially the requirements defined in sections 3 and 4. Specific attention should be given to any inline questions in the report. These questions represent areas where feedback is needed to complete this report.
 
Please send comments to NISTIR8060-comments@nist.gov with “Comments Draft NISTIR 8060” in the subject line. Comments will be accepted through August 7, 2015.


Final Report by University of Maryland Supply Chain Management Center - from a NIST Grant
July 17, 2015
 
NIST is pleased to announce the publication of a report by the University of Maryland’s Supply Chain Management Center titled “Leveraging the Cyber Risk Portal as a Teaching & Education Tool”. The report, which stems from a NIST grant, details updates and new content developed for the Cyber Risk Portal. These activities build on the series of enterprise IT supply chain risk management tools from a previous NIST grant. The University of Maryland enhanced the usability of the portal by conducting a re-design of the user interface and developing new educational multi-media content, including video interviews of subject matter experts and content-specific tutorials. In addition, the report details results of several additional market testing and opportunity research, including discussions with the insurance industry and critical sectors of the federal community.
 
For more information, visit the NIST Supply Chain Risk Management (SCRM) project pages on the CSRC website. (Note: this announcement has also been posted on the SCRM News/Events page.)


Second Draft NISTIR 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation is available for public comment
July 15, 2015
 
NIST announces the second public comment release of Interagency Report (IR) 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation. This report describes a proof of concept implementation that was designed by NIST to address challenges with Infrastructure as a Service (IaaS) cloud technologies and geolocation. Since the initial public comment release, NIST IR 7904 has been extensively updated to reflect advances and changes in the proof of concept implementation technologies.
 
Link to document (PDF)
Link to the Comment Template Form (Excel)
 
Please submit comments by August 24, 2015 to:
ir7904-comments@nist.gov, with "IR 7904 Comments" in the subject line.


DRAFT NIST Interagency Report (IR) 8055, Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research
July 14, 2015
 
NIST announces the public comment release of Draft NIST Interagency Report (IR) 8055, Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research. This report documents proof of concept research performed by NIST to determine how DPCs could be used to PIV-enable mobile devices and provide multi-factor authentication for an organization's mobile device users. This report captures DPC requirements, proposes an architecture that supports these requirements, and describes how this architecture could be implemented and operated.
 
Please submit comments by August 24, 2015 to dpc@nist.gov, with "IR 8055 Comments" in the subject line.

Link to the Draft NISTIR 8055 document (PDF)
Link to the Comment Template Form (Excel) for submitting comments.


Draft Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
July 10, 2015
 
NIST requests comments on Draft Special Publication (SP) 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, which was originally published in January 2011. The most significant differences in this revision are 1) declaring the Dual_EC_DRBG as a disallowed method for random bit generation, 2) the deprecation of the non-approved key-agreement and key-transport schemes, and the non-approved key-wrapping methods through December 31, 2017, and the intent to disallow them thereafter, and 3) the inclusion of the SHA-3 hash functions specified in FIPS 202. Please submit comments by August 14, 2015 to CryptoTransitions@nist.gov, with "SP 800-131A Comments" in the subject line.


NIST Computer Security Division Released NIST Special Publication (SP) 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators
June 25, 2015
 
NIST announces the completion of Revision 1 of NIST Special Publication (SP) 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. In this revision, the specification of the Dual_EC_DRBG has been removed. The remaining DRBGs (i.e., Hash_DRBG, HMAC_DRBG and CTR_DRBG) are recommended for use. Other changes included in this revision are listed in an appendix.


NIST announces the release of Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
June 18, 2015
 
Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations has been approved as final. The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.


NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key has been approved as final & is now available
June 18, 2015
 
NIST is pleased to announce the release of NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key. The document provides clarification for the requirement in FIPS 201-2 that a PIV cardholder perform an explicit user action prior to each use of the digital signature key stored on the card. The document clarifies the requirement for “explicit user action” and specifies a range of PIN caching options that maintain the goal of ‘explicit user action’ while adhering to a consistent and reliable level of security. The document will encourage the development of compliant applications and middleware that use the digital signature key.


NIST is pleased to announce the release of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security
June 10, 2015
 
NIST announces the release of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security. Special Publication 800-82 provides guidance on how to improve the security in Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing unique performance, reliability, and safety requirements. Special Publication 800-82: (i) provides an overview of ICS and typical system topologies; (ii) identifies typical threats to organizational missions and business functions supported by ICS; (iii) describes typical vulnerabilities in ICS; and (iv) provides recommended security controls (i.e., safeguards and countermeasures) to respond to the associated risks.
 
This document is the second revision to NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. Updates in this revision include:

  • Updates to ICS threats and vulnerabilities;
  • Updates to ICS risk management, recommended practices, and architectures;
  • Updates to current activities in ICS security;
  • Updates to security capabilities and tools for ICS;
  • Additional alignment with other ICS security standards and guidelines;
  • New tailoring guidance for NIST SP 800-53, Revision 4 security controls, including the introduction of overlays; and
  • An ICS overlay for NIST SP 800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High impact ICS.

NIST's Public Affairs Office also released a press release regarding the release of this Special Publication.


NIST Released Draft Special Publication 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)
June 8, 2015
 
NIST announces that Draft Special Publication (SP) 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance), is now available for public comment. This document provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.

These include:

  • Tests for retrieving newly added optional PIV data objects such as the Biometric Information Templates Group Template data object, the Pairing Code Reference Data Container and the Secure Messaging Certificate Signer data object,
  • Tests for populating these newly added data objects in the PIV Card Application,
  • Tests to verify the on-card biometric comparison mechanism,
  • Tests to verify the correct behavior of secure messaging and the virtual contact interface, and
  • Tests to verify that the PIV Card Application enforces PIN length and format requirements.

Federal agencies and private organizations, including test laboratories as well as individuals, are invited to review the draft guidelines and submit comments to NIST by email to pivtesting@nist.gov with "Comments on Draft SP 800-85A-4" in the subject line. Comments should be submitted using the comment template (see link below - Excel spreadsheet). The comment period closes at 5:00pm EDT on July 10, 2015.


Two PIV Special Publications (SP) have been released: (1) SP 800-73-4, Interfaces for Personal Identity Verification, AND (2) SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification
June 1, 2015
 
#1: NIST is pleased to announce the release of Special Publication 800-73-4, Interfaces for Personal Identity Verification. This document has been updated to align with Final FIPS 201-2 and to reflect the disposition of comments that were received on the first and second drafts of SP 800-73-4, published in May 2013 and May 2014, respectively. The complete set of comments and dispositions is provided below.
 
High-level changes from SP 800-73-3 to SP 800-73-4 include:

  • Removal of Part 4, The PIV Transitional Data Model and Interfaces;
  • The addition of specifications for secure messaging and the virtual contact interface, both of which are optional to implement;
  • Inclusion of clarifying information about the virtual contact interface and the use of the pairing code;
  • The specification of an optional Cardholder Universally Unique Identifier (UUID) as a unique identifier for a cardholder;
  • The specification of an optional on-card biometric comparison mechanism, which may be used as a means of performing card activation and as a PIV authentication mechanism;
  • The addition of a requirement for the PIV Card Application to enforce a minimum PIN length of six digits;
  • Reduction, in collaboration with the FICAM FIPS 201 Test Program, of some of the PIV Card options where possible.

The complete set of comments and dispositions is provided below.

#2: NIST announces the release of Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been updated to align with updates in SP 800-73-4. The document reflects the disposition of comments that were received on the first and second drafts of SP 800-78-4, which were published in May 2013 and May 2014, respectively. In particular, the following changes were introduced in SP 800-78-4:

  • Removal of information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past;
  • Addition of algorithm and key size requirements for the optional PIV Secure Messaging key;
  • Addition of requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing; and
  • Clarification that RSA public keys may only have a public exponent of 65,537. (Client applications are still encouraged to be able to process RSA public keys that have any public exponent that is an odd positive integer greater than or equal to 65,537 and less than 2^256.)

The complete set of comments and dispositions is provided below.


DRAFT NISTIR 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags
May 29, 2015
 
NIST is pleased to announce the public comment release of NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags.
 
This report provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As defined by the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management (SAM) and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable. The application of this guidance supports reliable, standardized software inventory and discovery methods that help organizations achieve cybersecurity and SAM objectives. Application of SWID tags also supports automation for accurate and timely SAM reporting.
 
Please send comments to NISTIR8060-comments@nist.gov with “Comments Draft NISTIR 8060” in the subject line. Comments will be accepted through June 15, 2015.


Draft NISTIR 8062, Privacy Risk Management for Federal Information Systems
May 29, 2015
 
NIST requests comments on the draft report NISTIR 8062, Privacy Risk Management for Federal Information Systems, which describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of, and communication about, privacy risks and the effective implementation of privacy principles in federal information systems.
 
Please send comments to privacyeng@nist.gov by July 31, 2015 at 5:00pm EDT (note - comment period has been extended from July 13 TO July 31) using the comment matrix provided (link provided below).
 
Background:
Expanding opportunities in cloud computing, big data, and cyber-physical systems are bringing dramatic changes to how we use information technology. While these technologies bring advancements to U.S. national and economic security and our quality of life, they also pose risks to individuals’ privacy.
 
Privacy Risk Management for Federal Information Systems (NISTIR 8062) introduces a privacy risk management framework for anticipating and addressing risks to individuals’ privacy. In particular, it focuses on three privacy engineering objectives and a privacy risk model. To develop this document, NIST conducted significant public outreach and research. We are soliciting public comments on this draft to obtain further input on the proposed privacy risk management framework, and we expect to publish a final report based on this additional feedback.
 
Note to Reviewers:
To facilitate public review, we have compiled a number of topics of interest to which we would like reviewers to respond. Please keep in mind that it is not necessary to respond to all topics listed below. Reviewers should also feel free to suggest other areas of revision or enhancement to the document.

  • Privacy Risk Management Framework: Does the framework provide a process that will help organizations make more informed system development decisions with respect to privacy? Does the framework seem likely to help bridge the communication gap between technical and non-technical personnel? Are there any gaps in the framework?
  • Privacy Engineering Objectives: Do these objectives seem likely to assist system designers and engineers in building information systems that are capable of supporting agencies’ privacy goals and requirements? Are there properties or capabilities that systems should have that these objectives do not cover?
  • Privacy Risk Model:
    • Does the equation seem likely to be effective in helping agencies to distinguish between cybersecurity and privacy risks?
    • Can data actions be evaluated as the document proposes? Is the approach of identifying and assessing problematic data actions usable and actionable?
    • Should context be a key input to the privacy risk model? If not, why not? If so, does this model incorporate context appropriately? Would more guidance on the consideration of context be helpful?
    • The NISTIR describes the difficulty of assessing the impact of problematic data actions on individuals alone, and incorporates organizational impact into the risk assessment. Is this appropriate, or should impact be assessed for individuals alone? If so, what would be the factors in such an assessment?

Draft NISTIR 8062
Comment Matrix Form for Draft NISTIR 8062


NIST Releases Draft NISTIR 8058, Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content
May 1, 2015
 
NIST announces the public comment release of Draft NIST Internal Report (NISTIR) 8058, Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content. The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. Over time, certain stylistic conventions regarding the authoring of SCAP 1.2 content have become best practices. They improve the quality of SCAP content in several ways, such as improving the accuracy and consistency of results, avoiding performance problems, reducing user effort, lowering content maintenance burdens, and enabling content reuse. This document has been created to capture the best practices and encourage their use by SCAP content authors and maintainers.

Please send comments to NISTIR8058-comments@nist.gov with “Comments Draft NISTIR 8058” in the subject line. Comments will be accepted through June 1, 2015.


NIST is pleased to announce the release of NIST Internal Report (NIST IR) 8041, Proceedings of the Cybersecurity for Direct Digital Manufacturing (DDM) Symposium
April 15, 2015
 
NIST IR 8041, Proceedings of the Cybersecurity for Direct Digital Manufacturing (DDM) Symposium is now available. Direct Digital Manufacturing involves fabricating physical objects from a data file using computer-controlled processes with little to no human interaction. This publication contains speaker abstracts, presentation summaries and slides, and working session results of a one-day symposium hosted by NIST on February 3, 2015 to explore cybersecurity needed for DDM.


NIST is pleased to announce the release of NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.
April 9, 2015
 
Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the federal agencies’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services.
 
Special Publication 800-161: (i) provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations; (ii) integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multi-tiered, SCRM-specific approach, including guidance on assessing supply chain risk and applying mitigation activities; and, (iii) builds on existing practices from multiple disciplines and is intended to increase the ability of organizations to strategically manage ICT supply chain risks over the entire life cycle of systems, products, and services.
 
For information on NIST’s ICT SCRM Program, please visit: http://csrc.nist.rip/scrm/


NIST Requests Comments on SP 800-63-2, Electronic Authentication Guideline
April 9, 2015
 
NIST requests comments on SP 800-63-2, Electronic Authentication Guideline. This document describes the technical requirements necessary to meet the four Levels of Assurance that are specified in the OMB memorandum M-04-04, E-Authentication Guidance for Federal Agencies. Comment period CLOSED on: May 22, 2015. For more information, please visit the CSRC E-Authentication webpage.


NIST Released Draft NISTIR 8053, De-Identification of Personally Identifiable Information
April 7, 2015
 
NIST requests comments on an initial public draft report, NISTIR 8053, De-Identification of Personally Identifiable Information. This document describes terminology, processes and procedures for the removal of personally identifiable information (PII) from a variety of electronic document types.
 
Background:
This draft results from a NIST-initiated review of techniques that have been developed for the removal of personally identifiable information from digital documents. De-identification techniques are widely used to remove personal information from data sets to protect the privacy of the individual data subjects. In recent years many concerns have been raised that de-identification techniques are themselves not sufficient to protect personal privacy, because information remains in the data set that makes it possible to re-identify data subjects.
 
We are soliciting public comment for this initial draft to obtain feedback from experts in industry, academia and government that are familiar with de-identification techniques and their limitations.
 
Comments will be reviewed and posted on the CSRC website. We expect to publish a final report based on this round of feedback. The publication will serve as a basis for future work in de-identification and privacy in general.
 
Note to Reviewers:
NIST requests comments especially on the following:

  • Is the terminology that is provided consistent with current usage?
  • Since this document is about de-identification techniques, to what extent should it discuss differential privacy?
  • To what extent should this document be broadened to include a discussion of statistical disclosure limitation techniques?
  • Should the glossary be expanded? If so, please suggest words, definitions, and appropriate citations.

Questions? Send email to: draft-nistir-deidentify@nist.gov. Comment period CLOSED on: May 15, 2015.


DRAFT Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
April 2, 2015
 
NIST announces the release of Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Final Public Draft). (NOTE: This draft has since been approved as final, as of June 2015.)
 
The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry; and (iii) when the information systems where the CUI resides are not operated by organizations on behalf of the federal government. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
 
The final draft of NIST Special Publication 800-171 contains some significant changes based on the comments received from both the public and private sectors. The changes include:

  • Clarifying the purpose, scope, and applicability of the publication;
  • Defining the underlying assumptions and expectations for federal agencies and nonfederal organizations in applying the recommended CUI security requirements;
  • Explaining how the publication relates to the Controlled Unclassified Information (CUI) federal rule and the Federal Acquisition Regulation (FAR) clause to be sponsored by the National Archives and Records Administration (NARA);
  • Adjusting the CUI security requirements to ensure complete coverage and traceability to federal policies, standards, and guidance;
  • Providing tables that illustrate the mapping of CUI security requirements to security controls in NIST Special Publication 800-53 and ISO/IEC 27001;
  • Providing tables that illustrate the tailoring actions on the NIST Special Publication 800-53 moderate security control baseline; and
  • Adding guidance on using the content of the mapping tables to support implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity.
The final publication of SP 800-171 is targeted for June 2015 after the final public comment period. Questions? Send email to sec-cert@nist.gov. Comment period CLOSED on: May 12, 2015.


NIST Interagency Report (NISTIR) 8014, Considerations for Identity Management in Public Safety Mobile Networks
March 31, 2015
 
In cooperation with the Public Safety Communications Research (PSCR) Program, NIST announces the release of NIST Interagency Report (NISTIR) 8014, Considerations for Identity Management in Public Safety Mobile Networks. This document analyzes approaches to identity management for public safety networks in an effort to assist individuals developing technical and policy requirements for public safety use. These considerations are scoped into the context of their applicability to public safety communications networks with a particular focus on the nationwide public safety broadband network (NPSBN) based on the Long Term Evolution (LTE) family of standards. A short background on identity management is provided alongside a review of applicable federal and industry guidance. Considerations are provided for identity proofing, selecting tokens, and the authentication process.


DRAFT National Checklist Program for IT Products - Guidelines for Checklist Users and Developers is now available for public comment.
March 26, 2015
 
Draft Special Publication 800-70 Revision 3, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers, has been released for public comment. (NOTE: This draft document has been approved as final: December 2015.) It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 3 updates the previous version of the document, which was released in 2011, by streamlining the text and removing outdated content, as well as updating the requirements for United States Government Configuration Baselines (USGCB).
 
Comment period CLOSED on: April 27, 2015. Questions? Send email to: 800-70comments@nist.gov.


Second Public Draft release of Draft NIST Interagency Report (IR) 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH)
March 4, 2015
 
NIST announces the second public comment release of Draft NIST Interagency Report (IR) 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH). (NOTE: This draft has been approved as final, October 2015.) The purpose of this document is to assist organizations in understanding the basics of Secure Shell (SSH) and SSH access management in an enterprise, focusing on the management of SSH user keys. It describes the primary categories of vulnerabilities in SSH user key management and recommends practices for planning and implementing SSH access management. The scope of this draft is significantly different from the original public comment draft; this draft covers both interactive and automated access management, not just the latter.
 
Comment period CLOSED: April 3, 2015. Questions? Send email to: NISTIR7966-comments@nist.gov.


NIST is pleased to announce the release of NIST Internal Report (NISTIR) 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework
March 4, 2015
 
NIST announces the release of the NIST Interagency Report (NISTIR) 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework. As electric utilities turn to Advanced Metering Infrastructures (AMIs) to promote the development and deployment of the Smart Grid, one aspect that can benefit from standardization is the upgradeability of Smart Meters. The National Electrical Manufacturers Association (NEMA) standard SG-AMI 1-2009, “Requirements for Smart Meter Upgradeability,” describes functional and security requirements for the secure upgrade—both local and remote—of Smart Meters. This report describes conformance test requirements that may be used voluntarily by testers and/or test laboratories to determine whether Smart Meters and Upgrade Management Systems conform to the requirements of NEMA SG-AMI 1-2009. For each relevant requirement in NEMA SG-AMI 1-2009, the document identifies the information to be provided by the vendor to facilitate testing, and the high-level test procedures to be conducted by the tester/laboratory to determine conformance.


NIST is pleased to announce the release of NIST Internal Report (NISTIR) 8023, Risk Management for Replication Devices.
February 23, 2015
 
NIST Internal Report (NISTIR) 8023, Risk Management for Replication Devices is now available. A replication device (RD) is any device that reproduces (e.g., copies, prints, scans) documents, images, or objects from an electronic or physical source. This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on RDs. It provides basic information on common threats and vulnerabilities to RDs and provides an example RD risk assessment.


Special Publication 800-82, Revision 2 Final Public Draft Guide to Industrial Control Systems (ICS) Security
February 9, 2015
 
NIST announces the final public draft release of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security. (Note: As of May 2015, this draft has been approved as final.) Special Publication 800-82 provides guidance on how to improve the security of Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. Special Publication 800-82: (i) provides an overview of ICS and typical system topologies; (ii) identifies typical threats to organizational missions and business functions supported by ICS; (iii) describes typical vulnerabilities in ICS; and (iv) provides recommended security controls (i.e., safeguards and countermeasures) to respond to the associated risks.
 
This document is the second revision to NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. Updates in this revision include:

  • Updates to ICS threats and vulnerabilities,
  • Updates to ICS risk management, recommended practices and architectures,
  • Updates to current activities in ICS security,
  • Updates to security capabilities and tools for ICS,
  • Additional alignment with other ICS security standards and guidelines,
  • New tailoring guidance for NIST SP 800-53, Revision 4 security controls including the introduction of overlays,
  • An ICS overlay for NIST SP 800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High impact ICS.
Public comment period CLOSED on: March 9, 2015.
Email questions to: nist800-82rev2comments@nist.gov


Errata Update for Special Publication 800-53, Revision 4
January 29, 2015
 
NIST announces the release of an Errata Update for Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. This update contains new mapping tables for ISO/IEC 27001:2013.


NIST Special Publication 800-163, Vetting the Security of Mobile Applications, has been approved as final
January 26, 2015
 
The purpose of Special Publication 800-163, Vetting the Security of Mobile Applications, is to help organizations understand the process for vetting the security of mobile applications, plan for the implementation of an app vetting process, develop app security requirements, understand the types of app vulnerabilities and the testing methods used to detect them, and determine if an app is acceptable for deployment on the organization's mobile devices.


NIST released Special Publication 800-57 Part 3, Revision 1, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
January 23, 2015
 
Special Publication 800-57, Part 3, Revision 1, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance, is intended primarily to help system administrators and system installers adequately secure applications based on product availability and organizational needs and to support organizational decisions about future procurements. This document also provides information for end users regarding application options left under their control in a normal use of the application.
 
This revision updates cryptographic requirements for the protocols and applications in the document so that the current required security strengths, as specified in SP 800-131A, can be achieved. This revision also adds security-related updates from the protocols addressed in the original version of the document, as well as a new section for Secure Shell (SSH).
 
The applications and protocols addressed in this revision are: Public Key Infrastructures (PKI), Internet Protocol Security (IPsec), Secure/Multipurpose Internet Mail Extensions (S/MIME), Kerberos, Over-the-Air Rekeying of Digital Radios (OTAR), Domain Name System Security Extensions (DNSSEC), Encrypted File Systems (EFS) and Secure Shell (SSH).


Second Public Draft NISTIR 7977, NIST Cryptographic Standards and Guidelines Development Process, is available for review and public comment
January 23, 2015
 
NIST requests comments on a Second Public Draft of NIST Interagency Report (NISTIR) 7977, Cryptographic Standards and Guidelines Development Process. This revised document describes the principles, processes and procedures behind our cryptographic standards development efforts. Questions? Email: crypto-review@nist.gov. Comment period CLOSED on March 27, 2015. Please see this announcement for additional information for reviewers. The NIST Public Affairs Office also issued a press release covering the release of the second draft of NISTIR 7977.


NISTIR 8018, Public Safety Mobile Application Security Requirements Workshop Summary, has been finalized and is now available
January 23, 2015
 
NIST announces the release of NIST Interagency Report (NISTIR) 8018, Public Safety Mobile Application Security Requirements Workshop Summary. The purpose of this publication is to capture the findings of a half-day workshop held by the Association of Public-Safety Communications Officials (APCO) in association with FirstNet and the Department of Commerce. The workshop’s goal was to identify and define mobile application security requirements relevant to public safety by building on APCO’s Key Attributes of Effective Apps for Public Safety and Emergency Response and their related efforts. Workshop discussions centered around the following topics: battery life, unintentional denial of service, mobile application vetting, data protection, location information, and identity management. In addition to providing a description of the workshop and capturing attendees’ input, NISTIR 8018 identifies possible areas of further research related to public safety mobile applications.

