Computer Security Division News - 2014

NIST Draft Special Publication SP 800-85B-4 PIV Data Model Conformance Test Guidelines
August 6, 2014
 
NIST produced a revised version of NIST Special Publication SP 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test new features added to the PIV Data Model in SP 800-73-4 Part 1. This document, after a review and comment period, will be published as NIST SP 800-85B-4. Federal agencies and private organizations, including test laboratories, as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-4" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet).

Link to the Comment Template Form (Excel)
Link to the Draft SP 800-85B-4 document (PDF)

The comment period closes at 5:00 EST (US and Canada) on September 5, 2014. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.


DRAFT Special Publication 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
July 31, 2014
 
NIST announces the release of Draft Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Initial Public Draft). SP 800-53A is a Joint Task Force publication and a companion guideline to SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.
 
This update to SP 800-53A contains significant changes to the 2010 version of the publication in both content and format. The changes have been driven by four fundamental needs of federal agencies:
 
    • The need for new or updated assessment procedures for the security controls and privacy controls defined in NIST SP 800-53, Revision 4;
    • The need for a more granular breakdown of assessment objectives to support continuous monitoring and ongoing authorization programs;
    • The need for a more structured format and syntax for assessment procedures to support the use of automated tools for assessment and monitoring activities; and
    • The need to support assessments of security capabilities and privacy capabilities and root cause analysis of failure modes for individual security or privacy controls or groups of controls.
 
By addressing the above needs, organizations will have the flexibility to: (i) define specific parts of security controls and privacy controls requiring greater scrutiny; (ii) more effectively tailor the scope and level of effort required for assessments; (iii) assign assessment and monitoring frequencies on a more targeted basis; and (iv) take advantage of potential new opportunities to conduct assessments of security or privacy capabilities including analysis of control dependencies.
 
There have also been some significant improvements in the current security assessment procedures based on feedback from federal agencies reflecting lessons learned during the conduct of actual assessments as part of the Risk Management Framework (RMF) process. The improvements include, for example, clarification of terminology, expansion of the number of potential assessment methods and assessment objects on a per-control basis, and a simpler decomposition of assessment objects to align more closely with control statements.
 
In addition to the above, privacy terminology has been integrated into SP 800-53A in a manner that is complementary to and supportive of the privacy controls defined in SP 800-53, Appendix J. While security and privacy disciplines are distinct programmatic entities, there are also important dependencies between those entities—highlighting the need for the programs to complement one another to ensure the security and privacy goals and objectives of organizations are satisfied. As with any transformation, there will be changes in this publication and other supporting publications as the privacy integration moves forward and is completed. Privacy assessment procedures are not included in this draft. The privacy assessment procedures that will eventually populate Appendix J in this publication are currently under development by a joint interagency working group established by the Best Practices Subcommittee of the CIO Council Privacy Committee. The new assessment procedures, when completed, will be separately vetted through the traditional public review process employed by NIST and integrated into this publication at the appropriate time.
 
The changes to the current security assessment procedures in SP 800-53A and the future privacy assessment procedures should result in significant improvements in the efficiency and cost-effectiveness of control assessments for federal agencies. Efficient and cost-effective assessments are essential in order to provide senior leaders with the necessary information to understand the security and privacy posture of their organizations and to be able to make credible, risk-based information security and privacy decisions.
 
Please note that NIST has made a one-time change in the revision number of SP 800-53A (skipping revision numbers 2 and 3) so we can align the current publication revision to SP 800-53.
 
Please send comments to sec-cert@nist.gov with "Comments Draft SP 800-53Arev4" in the subject line. Comments will be accepted through September 26, 2014.


DRAFT NISTIR 8018, Public Safety Mobile Application Security Requirements Workshop Summary is available for public comment
July 29, 2014
 
On February 25, 2014, the Association of Public-Safety Communications Officials (APCO) International, in cooperation with FirstNet and the Department of Commerce held a half-day workshop titled “Public Safety Mobile Application Security Requirements” attended by public safety practitioners, mobile application developers, industry experts, and government officials. In this first-of-its-kind workshop, attendees contributed their experience and knowledge to provide input in identifying security requirements for public safety mobile applications. NISTIR 8018 describes the workshop and captures the input that was received from the workshop attendees.
 
Link to the Draft NISTIR 8018 document

The public comment period is from July 29, 2014 through September 13, 2014. Please send comments to: nistir8018@nist.gov


DRAFT NISTIR 8006, NIST Cloud Forensic Science Challenges
July 29, 2014
 
The NIST Computer Security Division has extended the public review period of the recently posted Draft NIST IR 8006, NIST Cloud Forensic Science Challenges, and will accept comments on the document until AUGUST 25, 2014. Complete information regarding this draft (including the draft document and the template to be used for comments) can be obtained from the CSRC Drafts page.


NIST Computer Security Division Released DRAFT NIST Interagency Report (NISTIR) 8014, Considerations for Identity Management in Public Safety Mobile Networks
July 15, 2014
 
In cooperation with the Public Safety Communications Research (PSCR) Program, NIST announces the release of NIST Interagency Report (NISTIR) 8014, Considerations for Identity Management in Public Safety Mobile Networks. This document analyzes approaches to identity management for public safety networks in an effort to assist individuals developing technical and policy requirements for public safety use. These considerations are scoped into the context of their applicability to public safety communications networks with a particular focus on the nationwide public safety broadband network (NPSBN) based on the Long Term Evolution (LTE) family of standards. A short background on identity management is provided alongside a review of applicable federal and industry guidance. Considerations are provided for identity proofing, selecting tokens, and the authentication process.
 
The public comment period is from July 15, 2014 through August 22, 2014. Please send comments to nistir8014@nist.gov using the public comment template that is provided (MS Excel).

Link to Draft NISTIR 8014 (PDF)
Link to Comment Template (MS Excel)


VCAT recommendations for the NIST Cryptographic Standards and Guidelines Development Process
July 14, 2014

NIST’s Visiting Committee for Advanced Technology (VCAT) finalized a report detailing recommendations for NIST’s cryptographic standards program. The VCAT’s recommendations are based on a review conducted by a group of invited experts, known as the Committee of Visitors (COV), which began last April.

The report is available on the VCAT website. In addition, NIST has posted the briefing documents that were provided to the VCAT and the Committee of Visitors. These include separate background documents released recently to respond to a Freedom of Information Act (FOIA) request about NIST’s cryptographic standards development process.


NIST Released NIST Interagency Report (NISTIR) 7987, Policy Machine: Features, Architecture, and Specification
July 2, 2014
 
NIST Interagency Report (NISTIR) 7987 describes an access control framework, referred to as the Policy Machine (PM), which fundamentally changes the way access control policy is expressed and enforced. The report gives a detailed description of the PM and the range of policies that can be specified and enacted. The report also describes the architecture of the PM and the properties of the PM model in detail.


Explanation of Changes to Draft SP 800-38G
June 27, 2014
 
Draft Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, released for public comment in July 2013, included three methods for format-preserving encryption (FPE). Called FF1, FF2, and FF3, these methods are modes for using the Advanced Encryption Standard (AES). All of the FPE modes were submitted to NIST by the private sector.
 
As part of the public review of Draft SP 800-38G and as part of its routine consultation with other agencies, NIST was advised by the National Security Agency that the FF2 mode in the draft did not provide the expected 128 bits of security strength for some use cases. NIST cryptographers confirmed this assessment in an analysis that is posted on the modes public comments page.
 
The FF2 mode was submitted by VeriFone Systems, Inc., for NIST's consideration in 2011 and was originally designed for use by the payment card industry.
 
Implementations of FF2 within the payment card industry are not vulnerable to this analysis in practice. Nevertheless, in order for FF2 to meet NIST's security requirements for other potential applications, VeriFone Systems, Inc., has indicated that it will submit a revised proposal for NIST to review. NIST intends to finalize SP 800-38G with FF1 and FF3 as it considers VeriFone's revised proposal of FF2.


DRAFT NISTIR 8006, NIST Cloud Forensic Science Challenges
June 23, 2014
 
NIST announces that Draft NIST IR 8006, NIST Cloud Forensic Science Challenges, has been released for public comment and can be accessed from the CSRC Drafts page. The deadline to submit comments has been EXTENDED TO AUGUST 25, 2014 (the original deadline was July 21, 2014). Complete information regarding this draft can be obtained from the CSRC Drafts page.


Errata Update to Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
June 10, 2014
 
NIST announces the release of an errata update to Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. This update will ensure that the Risk Management Framework (RMF) process and associated implementation guidance are consistent with the new federal policy on ongoing authorization and tightly coupled to the emerging continuous monitoring activities within the federal government.


Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management
June 3, 2014
 
NIST announces the release of Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management. This publication responds to Office of Management and Budget (OMB) Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems, that directed NIST to publish guidance establishing a process and criteria for federal agencies to conduct ongoing assessments and ongoing authorization. This is the first of three major updates to NIST guidance supporting the Risk Management Framework and the full transition to ongoing authorization by employing best practices in information security continuous monitoring. The second publication, an errata update to NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, will be released on June 10, 2014. This update will ensure that the Risk Management Framework (RMF) process is consistent with the new federal policy on ongoing authorization and tightly coupled to the emerging continuous monitoring activities within the federal government. The third publication, NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, will be released as an Initial Public Draft in July 2014. This update will ensure that the security assessment procedures are consistent with the security controls in NIST Special Publication 800-53, Revision 4. In addition, to help facilitate ease of use for our customers, the revision number of SP 800-53A is being changed to Revision 4, to be consistent with the current revision number of SP 800-53.


Second Draft Special Publication 800-161 Supply Chain Risk Management Practices for Federal Information Systems and Organizations
June 3, 2014
 
NIST announces that Draft Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, has been released for public comment and can be accessed from either the SCRM Publications page or the CSRC Drafts page. Deadline to submit comments: July 18, 2014. Complete information regarding this draft can be obtained from the CSRC Drafts page and/or the Supply Chain Risk Management (SCRM) Publications page (links provided above).


Second Draft NISTIR 7924, Reference Certificate Policy is available for public comment
May 29, 2014
 
NIST announces the public comment release of the second draft of NIST Interagency Report 7924, Reference Certificate Policy. The purpose of this document is to identify a set of security controls and practices to support the secure issuance of certificates. It was written in the form of a Certificate Policy (CP), a standard format for defining the expectations and requirements of the relying party community that will trust the certificates issued by its Certificate Authorities (CAs).
 
NIST released the first draft of this publication in April 2013 and received extensive public comments. This revised draft incorporates changes requested by commenters, many intended to improve the security controls identified in the document, provide additional flexibility for CAs, and clarify ambiguities in the previous release.
 
NIST requests comments on Draft IR 7924 by Friday, August 1, 2014. Please send comments to nistir7924-comments@nist.gov, using the public comment template that is provided (MS Word).


DRAFT FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
May 28, 2014
 
NIST published a Federal Register Notice, FRN 2014-12336, on May 28, 2014 to announce the publication of Draft FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, and Draft Revision of the Applicability Clause of FIPS 180-4, Secure Hash Standard, and request for comments. A 90-day public comment period is provided. Comments must be received by NIST on or before August 26, 2014 to be considered. Details for how to submit public comments are available in the FRN.
 
For details on the SHA-3 standardization effort, please refer to this page: http://csrc.nist.gov/groups/ST/hash/sha-3/sha-3_standardization.html.


Special Publication 800-101 Revision 1, Guidelines on Mobile Device Forensics
May 28, 2014
 
NIST announces the release of Special Publication (SP) 800-101 Revision 1, Guidelines on Mobile Device Forensics. Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining technologies involved and their relationship to forensic procedures. This document covers mobile devices with features beyond simple voice communication and text messaging capabilities. This guide also discusses procedures for the validation, preservation, acquisition, examination, analysis, and reporting of digital information.


Update on Three FISMA Publications: Ongoing Authorization Supplemental Guidance, SP 800-37, Rev 1 (Errata), SP 800-53A Rev 2 (IPD)
May 20, 2014
 
The FISMA Implementation Project is announcing the following schedule for three publications.

  • First, a new publication, Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management, will be released within the next ten days. This 13-page publication responds to a requirement from the Office of Management and Budget (OMB) in Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems, and provides clarifying and amplifying guidance on the application of current NIST guidelines to the security authorization process to facilitate the transition to ongoing authorization.
  • Second, an errata update for NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, will be released within the next fifteen days. This update will ensure that the Risk Management Framework (RMF) process is consistent with the new federal policy on ongoing authorization and tightly coupled to the emerging continuous monitoring activities within the federal government.
  • Third, NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, will be released as an Initial Public Draft within forty-five days. This update will ensure that the security assessment procedures are consistent with the security controls in NIST Special Publication 800-53, Revision 4. In addition, to help facilitate ease of use for our customers, the revision number of SP 800-53A is being changed to Revision 4, to be consistent with the current revision number of SP 800-53.


NIST SP 800-53 On-Line Database Updated to Revision 4
May 20, 2014
 
The NIST Special Publication 800-53 Revision 4 On-line Reference Database has been posted. It contains the catalog of security controls from Appendices F and G of SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (April 2013). This on-line database version provides customers with the functionality to quickly and efficiently browse the security controls, control enhancements, and supplemental guidance (including summarizing by control class, control family and control impact baseline) and to search the security control catalog using user-specified keywords.


Two Draft PIV Special Publications Open for Public Comment: (1) Revised Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, and (2) Revised Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, are now available
May 19, 2014
 
Draft #1: NIST announces that Revised Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, is now available for public comment. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-73-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see last link for this draft on Drafts page titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-73-4").
 
High level changes include:

  • A new data object has been created from which the value of the pairing code may be read, and additional clarifying information about the use of the pairing code has been provided.
  • In collaboration with the FICAM FIPS 201 Test Program (in response to comment # GSA-3), reduced some of the PIV Card options where possible, including deprecating:
    • rarely used data elements Buffer Length, DUNS and Organization Identifier in the CHUID data object
    • legacy data element MSCUID in all X.509 Certificate data objects and
    • legacy data elements Extended Application CardURL and Security Object Buffer in the Card Capability Container
  • Removed the two new optional data elements from the Discovery Object and created new data objects to store this new information.
  • Modified the key-establishment protocol to add additional details and to address security issues that were raised in the public comments and in “A Cryptographic Analysis of OPACITY.”
NIST also requests comments on the pairing code, which is part of the new Virtual Contact Interface (VCI) of the PIV Card. Its purpose is to prevent skimming of cardholder data in a wireless environment by an unauthorized wireless reader in the vicinity of the cardholder and to ensure that ‘cardholder consent’ for the release of cardholder data is enabled. The pairing code is part of the Virtual Contact Interface that provides for communication and enables wireless transactions between the PIV Card and NFC-enabled devices for authentication, signing or encryption. NIST assesses that the pairing code concept is the optimum method available to provide mitigation against a skimming threat.
 
NIST has received some comments objecting to the use of a pairing code to protect data against skimming in a wireless environment and strongly recommending that it be removed. NIST is interested in receiving feedback on whether the new skimming protection measure shall be included on all PIV Cards that implement the VCI, or whether departments and agencies that issue the cards shall have the ability to disable this security control if there are specific use cases that conflict with the pairing code function and alternate mitigating controls are available and identified.
(Endnote: Until now, signing and encryption functionalities have been restricted to the PIV Card’s contact interface and thus skimming has not been an issue.)
 
NIST requests comments on Revised Draft Special Publication 800-73-4 by 5:00pm EDT on June 16, 2014. Please submit comments on Revised Draft SP 800-73-4 using the SP 800-73-4 comments template form (the link to the comment form in Excel spreadsheet format is the second-to-last link below for this draft document) to piv_comments@nist.gov with “Comments on Revised Draft SP 800-73-4” in the subject line.
 
Draft #2: NIST announces that Revised Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for public comment. The document has been modified to remove information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past. Revised Draft SP 800-78-4 also reflects changes to align with updates in Revised Draft SP 800-73-4. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-78-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see last link for this draft on Drafts page titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-78-4").
 
NIST requests comments on Revised Draft Special Publication 800-78-4 by 5:00pm EDT on June 16, 2014. Please submit comments on Revised Draft SP 800-78-4 using the SP 800-78-4 comment template form (see third link on drafts page for this draft for Excel spreadsheet) to piv_comments@nist.gov with "Comments on Revised Draft SP 800-78-4" in the subject line.


Draft Special Publication 800-56B Rev. 1 comment period has been extended
May 16, 2014
 
NIST has decided to extend the public comment period for the draft revision of Special Publication 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography, to May 30, 2014. Please submit comments to 56B2014rev-comments@nist.gov with "Comments on SP 800-56B (Revision 1)" in the subject line before May 30, 2014.


Initial Public Draft Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security
May 13, 2014
 
NIST announces the release of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security. Special Publication 800-82 provides guidance on how to improve the security in Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing unique performance, reliability, and safety requirements. Special Publication 800-82: (i) provides an overview of ICS and typical system topologies; (ii) identifies typical threats to organizational missions and business functions supported by ICS; (iii) describes typical vulnerabilities in ICS; and (iv) provides recommended security controls (i.e., safeguards and countermeasures) to respond to the associated risks.
 
This document is the second revision to NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. Updates in this revision include:

  • Updates to ICS threats and vulnerabilities.
  • Updates to ICS risk management, recommended practices and architectures.
  • Updates to current activities in ICS security.
  • Updates to security capabilities and tools for ICS.
  • Additional alignment with other ICS security standards and guidelines.
  • New tailoring guidance for NIST SP 800-53, Revision 4 security controls including the introduction of overlays.
  • An ICS overlay for NIST SP 800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High impact ICS.
Public comment period: May 14 through July 18, 2014
 
Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD 20899-8930
Electronic Mail: nist800-82rev2comments@nist.gov
 
Thanks again for taking the time to review the publication and for providing your comments.


Draft Special Publication (SP) 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems
May 12, 2014
 
NIST requests comments on the initial public draft of Special Publication (SP) 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. The new security guidelines recommend steps to help develop a more defensible and survivable information technology (IT) infrastructure—including the component products, systems, and services that compose the infrastructure. A formal announcement of the publication is planned on May 13, 2014 at the College of Science and Engineering, Technology Leadership Institute, University of Minnesota. The public comment period runs from May 13 through July 11, 2014.
Send comments to the NIST FISMA Team:
sec-cert@nist.gov with "Draft SP 800-160 Comments" in the subject line.


DRAFT Special Publication 800-57 Part 3 Revision 1
May 5, 2014
 
NIST would like to request comments on a Draft Revision of SP 800-57 Part 3, Recommendation for Key Management: Application-Specific Key Management Guidance.
 
This revision updates cryptographic requirements for the protocols and applications in the document so that the current required security strengths, as specified in SP 800-131A, can be achieved. This revision also adds security-related updates from the protocols addressed in the original version of the document, and a new section for Secure Shell (SSH).
 
Comments should be sent to SP80057Part3@nist.gov, with "Comments on SP 800-57, Part 3" in the subject line. Comments should be submitted by July 5th, 2014.


NIST Interagency Report 7946, CVSS Implementation Guidance
April 29, 2014
 
NIST announces the release of NIST Interagency Report (NISTIR) 7946, CVSS Implementation Guidance. This Interagency Report provides guidance to individuals scoring IT vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 2.0 scoring metrics. The guidance in this document is the result of applying the CVSS specification to over 50 000 vulnerabilities scored by analysts at the National Vulnerability Database (NVD). This document is intended to serve as an extension to the CVSS Version 2.0 specification, providing additional guidance for difficult and/or unique scoring situations. To assist vulnerability analysts, common keywords and phrases are identified and accompanied by suggested scores for particular types of software vulnerabilities. The report includes a collection of scored vulnerabilities from the NVD, alongside a justification for the provided score. Finally, this report contains a description of the NVD’s vulnerability scoring process.


NIST Announces the Release of Special Publication (SP) 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
April 29, 2014
 
NIST has released Special Publication 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. TLS provides mechanisms to protect sensitive data during electronic dissemination across networks. This Special Publication provides guidance to the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms. The revised guidelines include the required support of TLS version 1.1, recommended support of TLS version 1.2, guidance on certificate profiles and validation methods, TLS extension recommendations, and support for a greater variety of FIPS-based cipher suites.


Draft Special Publication (SP) 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems
April 23, 2014

In support of the Federal Information Security Management Act of 2002 and the 2014 Framework for Improving Critical Infrastructure Cybersecurity, NIST will issue in May 2014, the initial public draft of Special Publication (SP) 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. The new security guidelines will recommend steps to help develop a more defensible and survivable information technology (IT) infrastructure—including the component products, systems, and services that compose the infrastructure. The public comment period will run from May 13 through July 11, 2014.


Draft Special Publication 800-90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators
April 21, 2014

NIST requests comments on a revision of Draft Special Publication 800-90A Revision 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators. This revision removes the Dual_EC_DRBG from the document. An announcement containing rationale for the revision and a proposed transition schedule is available.

Please send comments on the revision of SP 800-90A and the transition schedule to RBG_comments@nist.gov by May 23, 2014, with “Comments on SP 800-90A” in the subject line.

The public comment period closes on May 23, 2014.


(Third) Draft Special Publication 800-16 Revision 1, A Role-Based Model for Federal Information Technology / Cyber Security Training
March 14, 2014
 
NIST announces the release of Draft Special Publication (SP) 800-16 Revision 1 (3rd public draft), A Role-Based Model for Federal Information Technology/Cyber Security Training, for public comment. SP 800-16 describes information technology / cyber security role-based training for Federal Departments, Agencies, and Organizations (Federal Organizations). Its primary focus is to provide a comprehensive, yet flexible, training methodology for the development of training courses or modules for personnel who have been identified as having significant information technology / cyber security responsibilities.
 
Please submit comments to sp80016-comments@nist.gov with “Comments on SP 800-16 Rev 1 (3rd draft)” in the subject line.
 
The public comment period closes on April 30, 2014.


DRAFT Special Publication 800-56B Revision 1, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography
March 13, 2014
 
NIST announces the release of the draft revision of Special Publication 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography. SP 800-56B specifies key-establishment schemes based on the Rivest Shamir Adleman (RSA) algorithm. This revision updates the August 2009 version. The main changes are listed in Appendix D.
 
Please submit comments to 56B2014rev-comments@nist.gov with "Comments on SP 800-56B (Revision)" in the subject line.

UPDATED May 15, 2014 -- The comment period for this Draft SP 800-56B Rev. 1 has been EXTENDED TO MAY 30, 2014.


Draft Special Publication 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials and Draft NIST Interagency Report 7981, Mobile, PIV, and Authentication, are now available
March 7, 2014
 
#1 -- NIST announces release of Draft Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, for public comment. Draft SP 800-157 defines a technical specification for implementing and deploying derived PIV credentials on mobile devices, such as smart phones and tablets. The goal of the derived PIV credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems.
 
Please submit comments on Draft SP 800-157 using the SP 800-157 comments template form (Excel spreadsheet) to piv_comments@nist.gov with “Comments on Draft SP 800-157” in the subject line.
 
NIST requests comments to Draft Special Publication 800-157 by 5:00pm EDT on April 21, 2014.
 
#2 -- NIST announces release of Draft NIST IR 7981, Mobile, PIV, and Authentication, for public comment. NIST IR 7981 analyzes and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.
 
Please submit comments on Draft NIST IR 7981 using the NIST IR 7981 comment template form (Excel spreadsheet) to piv_comments@nist.gov with "Comments on Draft NIST IR 7981" in the subject line.
 
NIST requests comments on Draft NIST IR 7981 by 5:00pm EDT on April 21, 2014.


NISTIR 7849, A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification
March 6, 2014
 
NIST announces the release of NIST Interagency Report (IR) 7849, A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. Smart cards (smart identity tokens) are now extensively deployed for identity verification, and are used in controlling access to both IT and physical resources. This publication presents a methodology for assigning authentication strengths based on the strength of pairwise bindings between the five entities involved in smart card-based authentications – the card (token), the token secret, the card holder, the card issuer, and the person identifier stored in the card. NISTIR 7849 also illustrates how to use the methodology for developing an authentication assurance level taxonomy for two real-world smart identity token deployments.


Draft NIST Interagency Report 7977, NIST Cryptographic Standards and Guidelines Development Process
February 18, 2014
 
NIST requests comments on Draft NIST Interagency Report 7977, NIST Cryptographic Standards and Guidelines Development Process. This document describes the principles, processes and procedures behind our cryptographic standards development efforts. Please send comments to crypto-review@nist.gov by April 18, 2014.


Special Publication (SP) 800-168, Approximate Matching: Definition and Terminology
January 27, 2014
 

NIST requests comments on the Draft of Special Publication (SP) 800-168, Approximate Matching: Definition and Terminology. SP 800-168 contains a definition for approximate matching, including requirements and considerations for testing. Approximate matching is an emerging technology for identifying similarities between two digital artifacts. It is used to find objects that resemble each other to support security monitoring, digital forensics and other applications.

Announcement on behalf of the Joint Task Force Transformation Initiative:

NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
January 23, 2014
 
Updated Errata Table and XML File
 
  • Errata Table, as of 1/15/14 on pages xvii-xxi
    NIST will provide periodic errata updates to Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, as needed. The second errata update of SP 800-53, Revision 4 will be released Thursday, January 23rd. See http://csrc.nist.gov/publications/PubsSPs.html#800-53. The date of the errata update will be noted on the inside cover of the publication under the original publication date (April 2013 INCLUDES UPDATES AS OF 01-15-2014: PAGE XVII).
  • XML File
    The XML file for SP 800-53R4 has also been updated. See XML of SP 800-53R4 at https://nvd.nist.gov/static/feeds/xml/sp80053/rev4/800-53-controls.xml.
  • Future Errata Update on Appendix H
    NIST plans to release an errata update for Appendix H in February. This release will provide updates to the ISO/IEC 27001 mapping tables based on the 2013 update of the international standard.
  • POC
    If you have any questions, please contact sec-cert@nist.gov.


Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
January 21, 2014
 
NIST announces the final release of Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations. ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. This document provides Federal agencies with a definition of ABAC and considerations for using ABAC to improve information sharing within organizations and between organizations while maintaining control of that information.
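The ABAC definition above, as an added illustration (not code from SP 800-162): a deny-by-default policy evaluator that decides a request by testing the subject, object and environment attributes of a request against rules that name the operations they permit. The rules, attribute names and sample entities are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set

Attrs = Dict[str, Any]
# Ordinal ranking used to compare a subject's clearance with an object's label (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Rule:
    """One policy rule: the operations it permits and the attribute predicate that must hold."""
    name: str
    operations: Set[str]
    condition: Callable[[Attrs, Attrs, Attrs], bool]  # (subject, object, environment) -> bool


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def matching_rules(self, subject: Attrs, obj: Attrs, operation: str, env: Attrs) -> List[str]:
        """Names of the rules that permit this request; an empty list means deny."""
        return [r.name for r in self.rules
                if operation in r.operations and r.condition(subject, obj, env)]

    def is_authorized(self, subject: Attrs, obj: Attrs, operation: str, env: Attrs) -> bool:
        # Deny by default: the operation is allowed only if some rule's predicate is satisfied.
        return bool(self.matching_rules(subject, obj, operation, env))


# Constructed sample policy (hypothetical rules, not from SP 800-162).
POLICY = Policy([
    Rule("project-read", {"read"},
         lambda s, o, e: s["project"] == o["project"]
         and LEVELS[o["label"]] <= LEVELS[s["clearance"]]),
    Rule("owner-edit-on-site", {"read", "write"},
         lambda s, o, e: s["id"] == o["owner"]
         and e["network"] == "corp" and 8 <= e["hour"] < 18),
])

# Constructed subject and object attribute sets.
ALICE = {"id": "alice", "project": "apollo", "clearance": "internal"}
BOB = {"id": "bob", "project": "apollo", "clearance": "confidential"}
PLAN = {"owner": "bob", "project": "apollo", "label": "confidential"}
NOTES = {"owner": "bob", "project": "apollo", "label": "internal"}


def decide(subject: Attrs, obj: Attrs, operation: str, env: Attrs) -> bool:
    return POLICY.is_authorized(subject, obj, operation, env)
```

Changing an environment attribute (for example the hour, or the network the request arrives from) flips the decision for the owner's write without touching subject or object attributes, which is the property that distinguishes ABAC from identity- or role-based lists.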


DRAFT Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems
January 7, 2014
 
NIST requests comments on Draft Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems. SP 800-152 contains requirements for the design, implementation, procurement, installation, configuration, management, operation, and use of a CKMS by U.S. Federal organizations. The Profile is based on SP 800-130, A Framework for Designing Cryptographic Key Management Systems (CKMS). Please send comments to FederalCKMSProfile@nist.gov by March 5, 2014, with “Comments on SP 800-152” in the subject line.

See news archive for previous years.