Personal Identity Verification of Federal Employees and Contractors PIV

PIV News Archives

POSTED December 13, 2013 -- Draft NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key is available for public comment.

NIST is pleased to announce that Draft NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key, is available for public comment. NISTIR 7863 provides clarification for the requirement in FIPS 201-2 that a PIV cardholder perform an explicit user action prior to each use of the digital signature key stored on the card.

NIST requests comments on NISTIR 7863 by 5:00pm EST on January 17, 2014. Please submit comments on Draft NISTIR 7863 using the comments template form (Click link above to Draft NISTIR 7863 to go to Drafts page where link to comment template can be found) to piv_comments@nist.gov with “Comments on NISTIR 7863” in the subject line.

POSTED September 5, 2013 -- Federal Information Processing Standard (FIPS) Publication 201-2, the Standard for Personal Identity Verification of Federal Employees and Contractors

The National Institute of Standards and Technology (NIST) is pleased to announce the approval of Federal Information Processing Standard (FIPS) Publication 201-2, Personal Identity Verification of Federal Employees and Contractors. (See the Federal Register Notice announcing FIPS 201-2 approval.) This revision includes adaptations to changes in the environment and technology since the publication of FIPS 201-1, clarifications to existing text, additional text to resolve ambiguities and specific changes requested by Federal agencies and implementers. 
 
FIPS 201-2 reflects the disposition of comments that were received during the public comment periods for the first and second drafts of the Standard, which were published on March 8, 2011, and July 9, 2012, respectively. The complete sets of comments and dispositions are provided in the two links below. 
 
High level changes include:

• Introduction of chain-of-trust and grace period for PIV card reissuance processes,
• Relaxation of PIV Card termination requirements and specifically certificate revocation,
• New options for physical card characteristics to help agencies achieve Section 508 compliance for PIV card orientation,
• A UUID as a mandatory unique identifier for the PIV Card,
• Downgrade of the authentication mechanism associated with the Card Holder Unique Identifier (CHUID) to indicate that it only provides little or no assurance of identity,
• Updates to the PIV card’s on-board credentials include:
  • Expansion of the core mandatory credentials: the previously optional asymmetric card authentication, digital signature and key management are now mandatory,
  • New optional credentials: Iris recognition capability and fingerprint biometric match-on-card (OCC),
• Introduction of an optional virtual contact interface (VCI), over which all functionalities of the PIV Card are accessible via contactless interface,
• Accommodation for mobile devices in the form of PIV derived credentials that can be provisioned to mobile devices.

A detailed list of changes is available in FIPS 201-2, Appendix E, Revision History. 
 
2011 Draft comments and dispositions
 
2012 Draft comments and dispositions

POSTED May 13, 2013 --- Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, and Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, are now available

#1 -- NIST announces that Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, is now available for public comment. This document has been updated to align with Candidate Final FIPS 201-2. Major changes in draft SP 800-73-4 include:

• Removal of Part 4, The PIV Transitional Data Model and Interfaces;
• The addition of specifications for secure messaging and the virtual contact interface, both of which are optional to implement;
• The specification of an optional Cardholder Universally Unique Identifier (UUID) as a unique identifier for a cardholder;
• The specification of an optional on-card biometric comparison mechanism, which may be used as a means of performing card activation and as a PIV authentication mechanism; and
• The addition of a requirement for the PIV Card Application to enforce a minimum PIN length of six digits.

#2 --- NIST announces that Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for public comment. The document has been modified add algorithm and key size requirements for secure messaging and to add requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing. In particular, the following changes are introduced in draft SP 800-78-4:

• Algorithm and key size requirements for the optional PIV Secure Messaging key have been added.
• RSA public keys may only have a public exponent of 65,537. (Client applications are still encouraged to be able to process RSA public keys that have any public exponent that is an odd positive integer greater than or equal to 65,537 and less than 2²⁵⁶.)
• A new Section was added to provide requirements for CAVP validation testing.

Comment period closed on June 14, 2013.

POSTED August 26, 2012: Presentations From the Revised FIPS 201-2 Workshop

Presentations for the Revised Draft FIPS 201-2 workshop is available here

POSTED July 26, 2012: NIST is pleased to announce the availability of test Personal Identity Verification (PIV) Cards.

In order to facilitate the development of applications and middleware that support the Personal Identity Verification (PIV) Card, the National Institute of Standards and Technology (NIST) has developed a set of test PIV Cards. The set of test PIV Cards contains sixteen smart cards that are loaded with a PIV Card Application, as specified in Special Publication 800-73-3. The PIV Card Applications on the smart cards are loaded with test data and keys that are similar to what might appear on actual PIV Cards, with the exception that the certificates on the test PIV Cards were issued from a test public key infrastructure. Information about the test cards is available on the PIV Test Cards website. The test cards are available for purchase as a NIST Special Database.

POSTED July 9, 2012: Revised Draft FIPS 201-2 and Associated Public Workshop

The NIST Computer Security Division is pleased to release the Revised Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification of Federal Employees and Contractors. The Revised Draft FIPS 201-2 reflects the disposition of comments received from the first public comment Draft FIPS 201-2 (the 2011 Draft) published on March 8, 2011. Before recommending FIPS 201-2 to the Secretary of Commerce for review and approval, NIST invites comments from the public concerning the Revised Draft. During the public comment period, NIST will also hold a public workshop at NIST in Gaithersburg, MD, to present the Revised Draft FIPS 201-2.

Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, ATTN: Comments on the Revised Draft FIPS 201-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930. Electronic comments may be sent to: piv_comments@nist.gov. Please state "Revised Draft FIPS 201-2 Comments" in the subject line of the email. Comment period closed on August 10, 2012.

A summary and analysis of the comments received during the public comment period of the 2011 Draft and NIST's disposition of these comments, as reflected in the Revised Draft FIPS 201-2, are provided in the Federal Register Notice (FRN). The complete set of comments and dispositions are provided in a link provided below.

Simultaneously, NIST is releasing a revised draft of Special Publication 800-76-2 Biometric Specifications for Personal Identity Verification, supporting the Revised Draft FIPS 201-2. Comments are also invited by August 10, 2012 with the dedicated template listed below.

The public workshop on the Revised Draft FIPS 201-2 will be held on Wednesday, July 25, 2012, at NIST in Gaithersburg, Maryland, which may also be attended remotely via webcast. The purpose of the workshop is to exchange information on the Revised Draft FIPS 201-2, and to answer questions and provide clarifications regarding the Revised Draft. The agenda and related information for the public workshop, including information about the webcast, will be available before the workshop on the NIST Computer Security Resource Center Web site at http://csrc.nist.rip. Anyone wishing to attend the workshop in person must pre-register at http://www.nist.gov/itl/csd/ct/fips201-2_workshop_2012.cfm by 5:00pm Eastern Time on Monday, July 18th, 2012, in order to enter the NIST facility and attend the workshop.

Revised_Draft_FIPS-201-2

Revised Draft FIPS 201-2 Track-Change version

Comments_and_Dispositions_on_the_2011_Draft

Revised_Draft_SP_800_76_2.pdf

POSTED April 26, 2011: Presentations From FIPS 201-2 Workshop

Presentations for the Draft FIPS 201-2 workshop is available here.

POSTED April 18, 2011: Biometric Data Specification for Personal Identity Verification is Now Available

NIST is pleased to announce the availability of the public comment draft of NIST Special Publication 800-76-2, Biometric Data Specification for Personal Identity Verification. The draft amends the 2007 specification SP 800-76-1 to include iris recognition and on-card fingerprint comparison, and to extend and refine the biometric sensor and performance specifications. Note that FIPS 201-2, the binding parent PIV specification, is simultaneously open for public comment. 
 
Written comments on SP 800-76-2 may be sent to: Patrick Grother, Information Access Division, Information Technology Laboratory, ATTN: Comments on Revision Draft SP 800-76-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 7740, Gaithersburg, MD 20899-7740. 
 
Electronic comments on SP 800-76-2 should be drafted and sent to: piv_comments@nist.gov.
Comment period closed on June 6, 2011.

(Webmaster Note: As of July 2013, this draft (SP 800-76-2) has been approved as final and is the current SP.)

POSTED April 11, 2011: Registration for the FIPS 201-2 Workshop Has Been Extended - 2 Days

The deadline to register for the FIPS 201-2 workshop has been extended by two days. Register by close of business Wednesday, April 13, 2011, in order to enter the NIST facility and attend the workshop

POSTED March 8, 2011: NIST is Pleased to Announce the Public Comment Draft FIPS 201-2 and Associated Public Workshop

The NIST Computer Security Division is pleased to announce Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification of Federal Employees and Contractors. Draft FIPS 201-2 amends FIPS 201-1 and includes adaptation to changes in the environment since the publication of FIPS 201-1, and specific changes requested by Federal agencies and implementers. Before recommending FIPS 201-2 to the Secretary of Commerce for review and approval, NIST invites comments from the public concerning the proposed changes. During the public comment period, NIST will also hold a public workshop at NIST in Gaithersburg, MD to present the Draft FIPS 201-2. 
 
Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, ATTN: Comments on Revision Draft FIPS 201-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 7730, Gaithersburg, MD 20899-7730. 
 
Electronic comments may be sent to: piv_comments@nist.gov. Comments must be received by June 6, 2011. 
 
Both FIPS 201-1 and Draft FIPS 201-2 are available electronically from the NIST web site at: http://csrc.nist.rip/publications/PubsFIPS.html. A summary of changes reflected in Draft FIPS 201-2 is available in the Federal Register Notice (FRN). 
 
The public workshop on Draft FIPS 201-2 will be held Monday and Tuesday, April 18 and 19, 2011 at NIST in Gaithersburg, Maryland, which may also be attended remotely via webcast. The purpose of the workshop is to exchange information on Draft FIPS 201-2, and to answer questions and provide clarifications regarding the Draft. The agenda, webcast and related information for the public workshop will be available before the workshop on the NIST Computer Security Resource Center Web site at http://csrc.nist.rip. Anyone wishing to attend the workshop in person, must pre-register at http://www.nist.gov/allevents.cfm by close of business Monday, April 11, 2011, in order to enter the NIST facility and attend the workshop.

(Webmaster Note: FIPS 201-2 has since been approved as final and is the supporting FIPS document.)

POSTED January 5, 2011: NIST is Proud to Announce the Release of Special Publication 800-78-3, Cryptographic Algorithms and Key Sizes for Personal Identification Verification

NIST announces that Special Publication 800-78-3, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, has been released. The document has been modified 1) to align the set of acceptable RSA public key exponents with FIPS 186-3 and 2) to permit the use of SHA-1 after 12/31/2010 when signing revocation information, under limited circumstances.
(Webmaster Note: As of May 2015, SP 800-78-4 is the current supporting document.)

POSTED July 27, 2010: Special Publication 800-85A-2, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-3 Compliance)

NIST is pleased to announce the release of Special Publication (SP) 800-85A-2 PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 Compliance). This document provides Derived Test Requiremetns (DTR) and Test Assertions (TA) for testing the PIV Middleware, and the PIV Card Application interfaces for conformance to specifications in SP 800-73-3 (Interfaces for Personal Identity Verification) .The document is a revision for the earlier version (April 2009), which reflected TA and DTR from the superseded SP 800-73-2, 2008 Edition.
(Webmaster Note: SP 800-85A-4 is the current version of this document.)
 
This 3rd revision, include the additional tests necessary to test the optional features added to the PIV Data Model and Card Interface as well as the PIV Middleware through SP 800-73-3 Parts 1, 2 and 3. 
 
These include:

• Tests for retrieving newly added optional PIV data objects such as the Key History object, the twenty retired X.509 Certificates for Key Management and the Iris Image data object
• Test for populating these newly added data object on the PIV card
• Tests for verifying the correct behavior of RSA Key Transport and EC DH key agreement scheme

POSTED May 13, 2010: NIST Draft Special Publication SP 800-85A-2 "PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-3 compliance)"

NIST has a revised version of NIST Special Publication 800-85A. The revised document is titled Draft Special Publication 800-85A-2 “PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 compliance)”. The revisions include the additional tests necessary to test some of the optional features added to the PIV Data Model and Card Interface as well as the PIV Middleware through specifications SP 800-73-3 Parts 1, 2 and 3. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85A-2. Federal agencies and private organizations including test laboratories as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to PIVtesting@NIST.gov .

Comment period closed on May 27, 2010. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.

(Webmaster Note: As of Oct. 2017, the current supporting document is SP 800-85A-4. Please visit the CSRC SP page for more details on this document.)

POSTED March 18, 2010: NIST Releases Draft NIST IR 7676, Maintaining and Using Key History on Personal Identity Verification (PIV) Cards

NIST announces that Draft NIST Interagency Report 7676, Maintaining and Using Key History on Personal Identity Verification (PIV) Cards, has been released for public comment.

NIST Special Publication 800-73-3, Interfaces for Personal Identity Verification, introduces the ability to store retired Key Management Keys within the PIV Card Application on a PIV Card. NIST IR 7676 complements SP 800-73-3 by providing some of the rationale for the design of the mechanism for storing retired Key Management Keys on PIV Cards and by providing suggestions to smart card vendors, PIV Card Issuers, and middleware developers on the use of the Key History mechanism.

Comment period closed on April 23, 2010.
Email comments/questions to PIV_comments@nist.gov
(Webmaster Note: This Draft NISTIR 7676 has been approved as final. Click here to learn more about the final version of NISTIR 7676.)

POSTED February 22, 2010: NIST is Proud to Announce the Release of Special Publication 800-73-3 Interfaces for Personal Identity Verification

NIST announces that Special Publication 800-73-3, Interfaces for Personal Identity Verification, has been released. SP 800-73-3 introduces new, optional features including:

1. on-card retention of retired Key Management keys and corresponding X.509 certificates for the purpose of deriving or decrypting data encryption keys;
2. use of the ECDH key establishment scheme with the Key Management Key, as specified in SP 800-78-2; and 
3. provisions for Non-Federal Issuer (NFI) credentials. SP 800-73-3 also includes editorial changes aimed at clarifying ambiguities. 

Except for very minor editorial changes, the Revision History in Part 1 of SP 800-73-3 lists all of updates to SP 800-73 since its initial release.

(Webmaster Note:  As of Oct. 2017, the current document is SP 800-73-4) Please visit the CSRC Special Publications page for more details on this document.

POSTED February 22, 2010: NIST is proud to announce the release of Special Publication 800-78-2 Cryptographic Algorithms and Key Sizes for Personal Identification Verification (PIV)

NIST is pleased to announce the release of Special Publication 800-78-2, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV). The document has been modified 1) to re-align with the Suite B Cryptography specification and with the recently published FIPS 186-3 and 2) to eliminate a redundant encryption mode for symmetric PIV authentication protocols. In particular, the following changes are introduced in SP 800-78-2:

• The National Security Agency’s Suite B Cryptography specification removed Elliptic Curve MQV as an NSA-approved key exchange method. To re-align with Suite B, Elliptic Curve MQV is discontinued in SP800-78-2 as a key agreement scheme for the PIV card.
• The final release of FIPS 186-3 Digital Signature Standard, published in June 2009, does not list RSA 4096 as an approved digital signature algorithm and key size for use in the federal government. To comply with FIPS 186-3, SP 800-78-2 accordingly removes RSA 4096 as an algorithm and key size for generating signatures for PIV data objects.
• For symmetric authentication purposes (challenge and response), the Cipher Block Chaining (CBC) mode of encryption is redundant to the Electronic Code Bock (ECB) mode of encryption. To remove the redundant implementation, CBC has been discontinued in SP 800-78-2.

(Webmaster Note:  As of Oct. 2017, the current document is SP 800-78-4) Please visit the CSRC Special Publications page for more details on this document.

POSTED October 22, 2009: Release of Partial CSP Version 1.3 Software

NIST is pleased to announce the release of reference implementation of a Partial CSP Version 1.3, Cryptographic Service Provider for Windows Logon. This existing PIV demonstration software is updated to decompress zipped certificates that are available on production PIV Cards. With this update, the CSP can be used to demonstrate Windows XP Logon with production PIV Cards. Note that this CSP does NOT implement all functions required of a production CSP. Please use the accompanying documentation to install the CSP and configure Windows XP operating system.

POSTED October 6, 2009: NIST Draft Special Publication 800-78-2 Cryptographic Algorithms and Key Sizes for Personal Identification Verification (PIV) has been Released

NIST is pleased to announce the release of Draft Special Publication 800-78-2, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV). The document has been modified 1) to re-align with the Suite B Cryptography specification and with the recently published FIPS 186-3 and 2) to eliminate a redundant encryption mode for symmetric PIV authentication protocols. In particular, the following changes are introduced in draft SP 800-78-1:

• The National Security Agency’s Suite B Cryptography specification removed Elliptic Curve MQV as an NSA-approved key exchange method. To re-align with Suite B, Elliptic Curve MQV is discontinued in Draft SP800-78-2 as a key agreement scheme for the PIV card.
• The final release of FIPS 186-3 Digital Signature Standard, published in June 2009, does not list RSA 4096 as an approved digital signature algorithm and key size for use in the federal government. To comply with FIPS 186-3, draft SP 800-78-2 accordingly removes RSA 4096 as an algorithm and key size for generating signatures for PIV data objects.
• For symmetric authentication purposes (challenge and response), the Cipher Block Chaining (CBC) mode of encryption is redundant to the Electronic Code Bock (ECB) mode of encryption. To remove the redundant implementation, CBC has been discontinued in draft SP 800-78-1.
   
  The changes are incorporated in the document as well in a track-change version. Comments should be submitted to piv_comments@nist.gov
  The comment period closed on November 12, 2009.
  (Webmaster Note:  This draft document has been approved as final. As of Oct. 2017, the current document is SP 800-78-4) Please visit the CSRC Special Publications page for more details on this document.

POSTED September 11, 2009: NIST Draft Special Publication SP 800-85B-1 PIV Data Model Conformance Test Guidelines

NIST produced a revised version of NIST Special Publication SP 800-85B PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test the optional features added to the PIV Data Model in SP 800-73-2 Parts 1 and to update tests to conform to the cryptographic migration timeline specified in SP 800-78-1. This document, after a review and comment period, will be published as NIST SP 800-85B-1. Federal agencies and private organizations including test laboratories as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them topiv_comments@nist.gov with "Comments on Public Draft SP 800-85B-1" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet). The comment period closes at 5:00 EST (US and Canada) on September 24, 2009. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.
(Webmaster Note: This draft document has been approved as final.)

POSTED August 14, 2009: The National Institute of Standards and Technology (NIST) is pleased to announce the release of NIST Interagency Report 7611, Use of ISO/IEC 24727 -- Service Access Layer Interface for Identity (SALII): support for development and use of interoperable identity credentials

The Interagency Report details properties and capabilities of ISO/IEC 24727 to achieve identity credential interoperability -- enabling client-applications to access identity credentials from different issuers. Specifically, the document explores this new standard by discussing existing Federal identity credentials, such as PIV, and the PIV application demonstrations developed by NIST. The capabilities of ISO/IEC 24727 are illustrated through a proof-of-concept scenario where the PIV Card interacts with applications (Windows Logon, Linux Logon, Email Signing and Encryption) through the ISO/IEC 24727 framework thus achieving credential independence from client-application.

The document provides a high-level discussion and strives to minimize technical details. An additional publication elaborating the technical discussion, including an ISO/IEC 24727 reference implementation, will be provided after the proof-of-concept implementation.

POSTED August 13, 2009: NIST Releases Draft Special Publication 800-73-3, Interfaces for Personal Identity Verification

NIST announces that Draft Special Publication (SP) 800-73-3, Interfaces for Personal Identity Verification, has been released for public comment. Draft SP 800-73-3 introduces new, optional features including:

(1) on-card retention of retired Key Management keys and corresponding X.509 certificates for the purpose of deriving or decrypting data encryption keys;

(2) use of the ECDH key establishment scheme with the Key Management Key, as specified in SP 800-78-1; and

(3) provisions for Non-Federal Issuer (NFI) credentials. Draft SP 800-73-3 also includes editorial changes aimed at clarifying ambiguities.

Except for minor editorial changes, all changes can be reviewed with the track-change version of Draft SP 800-73-3.

Comment period closed on September 13, 2009.
Comments/Questions? Email PIV_comments@nist.gov
(Webmaster Note: This draft document has been approved as final. As of Oct. 2017, the current document is SP 800-73-4) Please visit the CSRC Special Publications page for more details on this document.)

POSTED April 3, 2009: NIST Special Publication 800-85A-1 PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-2 Compliance)

NIST is pleased to announce the release of SP 800-85A-1 PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-2 Compliance). This document provides Derived Test Requirements (DTR) and Test Assertions (TA) for testing the PIV Card Application and the PIV Middleware interfaces for conformance to specifications in SP 800-73-2 (Interfaces for Personal Identity Verification). The document is a revision for the earlier version (March 2006), which reflected TA and DTR from the superseded SP 800-73-1, 2006 Edition. The new SP 800-85A-1 is based on TA and DTRs from SP 800-73-2 (September 2008 Edition) and includes the additional tests necessary to test some of the optional features added to the PIV Data Model and Card Interface as well as the PIV Middleware through specifications SP 800-73-2 Parts 1, 2 and 3. A short summary of the changes is available here.
(Webmaster Note: This draft document has been approved final. Please visit the Special Publications page for more details - note as of Oct. 2017, the current version is SP 800-85A-4)

POSTED February 6, 2009: NIST Draft Special Publication SP 800-85A-1"PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-2 compliance)"

NIST has a revised version of NIST Special Publication SP 800-85A “PIV Card Application and Middleware Interface Test Guidelines (SP800-73 compliance)”. The revised document is titled Draft SP800-85A-1 “PIV Card Application and Middleware Interface Test Guidelines (SP800-73-2 compliance)” and is posted on the Computer Security Resource Center Web site (csrc.nist.rip). The revisions include the additional tests necessary to test some of the optional features added to the PIV Data Model and Card Interface as well as the PIV Middleware through specifications SP 800-73-2 Parts 1,   2 and 3.  A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85A-1. Federal agencies and private organizations including test laboratories as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to  PIVtesting@NIST.gov with "Comments on Public Draft SP 800-85A-1" in the subject line.  Comments should be submitted using the comment template (Excel spreadsheet).  The comment period closes at 5:00 EST (US and Canada) on February 28, 2009.  All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.
(Webmaster Note: This draft document has been approved final. Please visit the Special Publications page for more details - note as of Oct. 2017, the current version is SP 800-85A-4)