
CSRC News - 2016

NIST Releases the Second Draft of Special Publication 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
May 4, 2016
 
NIST announces the release of the second draft of Special Publication (SP) 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

The NIST Public Affairs Office issued a press release about this draft of SP 800-160.
 
The United States has developed incredibly powerful and complex systems—systems that are inexorably linked to the economic and national security interests of the Nation. The complete dependence on those systems for mission and business success in both the public and private sectors, including the critical infrastructure, has left the Nation extremely vulnerable to hostile cyber-attacks and other serious threats. With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and threats to federal, state, and local governments, the military, businesses, industry, and the critical infrastructure, the need for trustworthy secure systems has never been more important.
 
Engineering-based approaches to solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today’s systems—as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. Managing the complexity of today’s systems and being able to claim that those systems are trustworthy and secure means that first and foremost, there must be a level of confidence in the feasibility and correctness-in-concept, philosophy, and design, regarding the ability of a system to function securely as intended. Failure to address the complexity issue in this manner will continue to leave the Nation susceptible to the consequences of an increasingly pervasive set of disruptions, hazards, and threats with potential for causing serious, severe, or even catastrophic consequences.
 
NIST Special Publication 800-160 attempts to bring greater clarity to the difficult and challenging problems associated with a systems-oriented viewpoint on realizing trustworthy secure systems—and does so through the considerations set forth in a set of standards-based systems engineering processes applied throughout the life cycle. The public comment period for this publication is May 4 through July 1, 2016. Comments can be sent to: sec-cert@nist.gov.


NIST Released NISTIR 8105, Report on Post-Quantum Cryptography
April 28, 2016
 
NIST is pleased to announce the release of NIST Interagency Report (NISTIR) 8105, Report on Post-Quantum Cryptography. The NIST Public Affairs Office issued a press release announcing this NISTIR.

This Report shares NIST’s current understanding about the status of quantum computing and post-quantum cryptography, and outlines NIST’s initial plan to move forward in this space. The report also recognizes the challenge of moving to new cryptographic infrastructures and therefore emphasizes the need for agencies to focus on crypto agility.
 
The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. In recent years, there has been a substantial amount of research on quantum computers. If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere.


NIST Released NISTIR 8040, Measuring the Usability and Security of Permuted Passwords on Mobile Platforms
April 27, 2016
 
NIST has published NIST Interagency Report (NISTIR) 8040, Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. Password entry on mobile devices significantly impacts both usability and security, but there is a lack of usable security research in this area, specifically for complex password entry. This document proposes a measurement method for quantifying the effects on security resulting from optimizing the usability of password entry specifically for constrained input environments, i.e., the mobile touchscreen. A set of Python scripts for the experiments the NIST/ITL research team conducted on entropy loss is made publicly available.


The Information Security and Privacy Advisory Board Welcomes a New Chair
April 26, 2016
 
A new chair was appointed to the National Institute of Standards and Technology (NIST) Information Security and Privacy Advisory Board (ISPAB).
 
The new chair is Christopher Boyer, Assistant Vice President for Global Public Policy, AT&T Services Inc., where he is responsible for developing the company’s strategic policy positions related to cybersecurity. He will assume the role and responsibilities of the Chair from the current chair on May 1, 2016. Mr. Boyer was appointed as an ISPAB member in June 2012, and his term will end on June 10, 2020.
 
The ISPAB was originally created by the Computer Security Act of 1987 (P.L. 100-235) as the Computer System Security and Privacy Advisory Board, and amended by Public Law 107-347, The E-Government Act of 2002, Title III, The Federal Information Security Management Act (FISMA) of 2002. The statutory objectives of the Board include identifying emerging managerial, technical, administrative, and physical safeguard issues relative to information security and privacy. The next ISPAB meeting will be held on June 15-17, 2016, in Washington, D.C. ISPAB meetings are open to the public. For more information, see http://csrc.nist.gov/groups/SMA/ispab/meetings.html.


NIST Released the final version of NISTIR 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags
April 25, 2016
 
NIST is pleased to announce the release of NIST Interagency Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. This report provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As defined by the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management (SAM) and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable. The application of this guidance supports reliable, standardized software inventory and discovery methods that help organizations achieve cybersecurity and SAM objectives. Application of SWID tags also supports automation for accurate and timely SAM reporting and continuous monitoring of IT software assets.


NIST requests comments on the second draft of Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing
April 21, 2016
 
NIST requests comments on the Second Draft of Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing. This draft provides guidelines for establishing, participating in, and maintaining cyber threat information sharing relationships. The publication describes the benefits and challenges of sharing, the importance of building trust, the handling of sensitive information, and the automated exchange of cyber threat information. The goal of the publication is to provide guidelines that help improve cybersecurity operations and risk management activities through safe and effective information sharing practices. The guide is intended for computer security incident response teams (CSIRTs), system and network administrators, security staff, privacy officers, technical support staff, chief information security officers (CISOs), chief information officers (CIOs), computer security program managers, and other stakeholders in cyber threat information sharing activities.
 
A comment template is available for submitting comments.
The public comment period for the publication closes on May 24, 2016.
Email comments to sp800-150comments@nist.gov.


NIST Released the final version of "Best Practices Guide for Personal Identity Verification (PIV)-enabled Privileged Access"
April 21, 2016
 

NIST announces the final release of the best practices guide for Personal Identity Verification (PIV)-enabled privileged access. The paper responds to the Office of Management and Budget (OMB) Cybersecurity Strategy and Implementation Plan (CSIP) of October 2015, also included in the Cybersecurity National Action Plan (CNAP), which requires Federal agencies to use PIV credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user authentication, and provides best practices for agencies to implement PIV authentication for privileged users.


NIST Releases the Second Draft of SP 800-90C, Recommendation for Random Bit Generator (RBG) Constructions
April 13, 2016

NIST invites comments on the second draft of Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions. This Recommendation specifies constructions for the implementation of RBGs. An RBG may be a deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs consist of DRBG mechanisms, as specified in SP 800-90A, and entropy sources, as specified in SP 800-90B.

On May 2-3, 2016, NIST will host a workshop on Random Number Generation to discuss the SP 800-90 series of documents, specifically SP 800-90B and SP 800-90C.

Please send comments to rbg_comments@nist.gov (Subject: "Comments on Draft SP 800-90C"), preferably using the comment template provided.
Comments are due by Monday, June 13, 2016 at 5:00PM EDT.

NIST’s SP 800 series publications are available at: http://csrc.nist.gov/publications/PubsSPs.html.


NIST Releases SP 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)
April 13, 2016

Special Publication (SP) 800-85A-4 provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification, and SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.

These include:

  • Tests for retrieving newly added optional PIV data objects such as the Biometric Information Templates Group Template data object, the Pairing Code Reference Data Container and the Secure Messaging Certificate Signer data object;

  • Tests for populating these newly added data objects in the PIV Card Application;
  • Tests to verify the on-card biometric comparison mechanism;
  • Tests to verify the correct behavior of secure messaging and the virtual contact interface; and
  • Tests to verify that the PIV Card Application enforces PIN length and format requirements.

NIST’s SP 800 series publications are available at: http://csrc.nist.gov/publications/PubsSPs.html.


NIST Announces Release of Draft NISTIR 8071, LTE Architecture Overview and Security Analysis
April 12, 2016

NIST requests comments on Draft NIST Internal Report (NISTIR) 8071, LTE Architecture Overview and Security Analysis. Cellular technology plays an increasingly large role in society as it has become the primary portal to the Internet for a large segment of the population. One of the main drivers making this change possible is the deployment of 4th generation (4G) Long Term Evolution (LTE) cellular technologies. This document serves as a guide to the fundamentals of how LTE networks operate and explores the LTE security architecture. This is followed by an analysis of the threats posed to LTE networks and supporting mitigations. This document introduces high-level LTE concepts and discusses technical LTE security mechanisms in detail. Technical readers are expected to understand fundamental networking concepts and general network security. It is intended to assist those evaluating, adopting, and operating LTE networks, specifically telecommunications engineers, system administrators, cybersecurity practitioners, and security researchers.

Email comments to: nistir8071@nist.gov (a comment template is available).

Comments due by Wednesday, June 1, 2016.


NIST requests comments on Draft Special Publication (SP) 800-175A, Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies
April 5, 2016
 
NIST requests comments on Draft Special Publication (SP) 800-175A, Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies. The SP 800-175 publications are intended to be a replacement for SP 800-21, Guideline for Implementing Cryptography in the Federal Government. SP 800-175A provides guidance on the determination of requirements for using cryptography. It includes a summary of the laws and regulations concerning the protection of the Federal government’s sensitive information, guidance regarding the conduct of risk assessments to determine what needs to be protected and how best to protect that information, and a discussion of the relevant security-related documents (e.g., various policy and practice documents). Please provide comments on SP 800-175A by Monday, May 9, 2016. Comments may be sent to SP800-175@nist.gov, with “Comments on SP 800-175A” as the subject.


NIST Released NISTIR 7977, NIST Cryptographic Standards and Guidelines Development Process
March 31, 2016
 
NIST announces the release of NIST Interagency Report (NISTIR) 7977, Cryptographic Standards and Guidelines Development Process. This document describes the principles, processes and procedures behind our cryptographic standards development efforts. The final version reflects the disposition of public comments received on two earlier versions, and will serve as the basis to guide NIST’s future cryptographic standards and guidelines activities. It will be reviewed and updated every five years, or more frequently if a need arises, to help ensure that NIST fulfills its role and responsibilities for producing robust, effective cryptographic standards and guidelines.
 
See the separate announcement for additional information. The NIST Public Affairs Office also issued a press release about NISTIR 7977.


NIST Released the Second Draft of Special Publication 800-177, Trustworthy Email
March 29, 2016
 
NIST requests comments on the second draft of Special Publication (SP) 800-177, Trustworthy Email. This draft is a complementary guide to NIST SP 800-45, Guidelines on Electronic Mail Security, and covers protocol security technologies to secure email transactions. It includes recommendations for the deployment of domain-based authentication protocols for email as well as end-to-end cryptographic protection for email contents. Technologies recommended in support of the core Simple Mail Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for authenticating a sending domain: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). Email content security is facilitated through encryption and authentication of message content using S/MIME and/or Transport Layer Security (TLS) with SMTP. This guide is written for federal agency email administrators, information security specialists, and network managers, but contains general recommendations for all enterprise email administrators.

The public comment period closes on April 29, 2016.
Email comments to SP800-177@nist.gov.


NIST Released Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
March 29, 2016
 
NIST is pleased to announce the release of Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption. This publication specifies and approves the FF1 and FF3 encryption modes of operation of the AES algorithm.
 
The previously approved encryption modes are not designed for non-binary data such as Social Security numbers (SSNs); in particular, the decimal representation of an encrypted SSN might consist of more than nine digits, so it would not look like an SSN.
 
By contrast, format-preserving encryption (FPE) methods such as FF1 and FF3 are designed for data that is not necessarily binary. In particular, given any finite set of symbols, like the decimal numerals, a method for FPE transforms data that is formatted as a sequence of the symbols in such a way that the encrypted form of the data has the same format, including the length, as the original data. Thus, an FPE-encrypted SSN would be a sequence of nine decimal digits.

FPE modes facilitate the retrofitting of encryption technology to existing devices or software, where a conventional encryption mode might not be feasible. In particular, database applications may not support changes to the length or format of data fields.
 
More generally, FPE can support the “sanitization” of databases, i.e., the targeting of encryption to personally identifiable information (PII), such as SSNs.  The encrypted SSNs could still serve as an index to facilitate statistical research, perhaps across multiple databases. An important caveat to this application of FPE is that re-identification is sometimes feasible through the analysis of the unencrypted data and other information.
 
The commercial impetus comes from the payments industry, where FPE methods have already been deployed in merchants’ credit card readers. NIST is also considering for approval a third mode from that industry, the extension/revision of the VAES3 mode, which was named FF2 in the draft SP 800-38G that was released for public comment. This revision of FF2 is listed by the name “DFF” at the modes development page, at http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html.

NIST received patent disclosures that are claimed to apply to FPE modes. Letters of Assurance to NIST regarding the licensing of these patents are available at http://csrc.nist.gov/groups/ST/toolkit/BCM/current_modes.html.
 
NIST Public Affairs Office issued a press release about SP 800-38G.
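
As an added illustration (not code from SP 800-38G, and not NIST's FF1 or FF3), the Python below shows the format-preserving property described above using a Feistel network shaped like FF1: the digit string is split into two halves of lengths u = floor(n/2) and v = n - u, and each round adds a keyed round-function value to one half modulo 10^m and swaps. The round function here is HMAC-SHA256 over the tweak, the round number and the other half, which is an assumption of this example; FF1 derives it from an AES-based PRF over a precisely formatted byte string, so this is a teaching model of the structure, not an interoperable or approved implementation. The key, tweak, sample SSN and records are constructed for the example. Note also that FF3 as specified in the 2016 document was later replaced by FF3-1 in SP 800-38G Revision 1 after a practical attack on its tweak handling.

```python
"""Toy format-preserving encryption (FPE) over decimal digit strings.

Illustration only: a Feistel network shaped like FF1 (SP 800-38G) but with
HMAC-SHA256 as the round function instead of FF1's AES-based PRF, so it is
neither FF1 nor FF3 and carries no security claim of its own.
"""
import hashlib
import hmac

RADIX = 10     # alphabet: decimal digits
ROUNDS = 10    # FF1 uses 10 Feistel rounds (FF3 uses 8)


def _round_function(key: bytes, tweak: bytes, i: int, half: str, m: int) -> int:
    """Keyed round value for round i, reduced mod RADIX**m.
    Assumption of this example: HMAC-SHA256 over (tweak, i, other half).
    FF1 instead computes an AES-CBC-MAC PRF over a structured byte string."""
    msg = tweak + bytes([i]) + half.encode("ascii")
    y = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")
    return y % (RADIX ** m)


def _check(digits: str) -> None:
    """Reject anything that is not a string of at least two ASCII decimal digits."""
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("input must be a string of at least two decimal digits")


def fpe_encrypt(key: bytes, tweak: bytes, plaintext: str) -> str:
    """Encrypt a decimal string; the result has the same length and alphabet."""
    _check(plaintext)
    n = len(plaintext)
    u, v = n // 2, n - n // 2             # FF1-style split: |A| = u, |B| = v
    a, b = plaintext[:u], plaintext[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v         # length of the half being replaced
        c = (int(a) + _round_function(key, tweak, i, b, m)) % (RADIX ** m)
        a, b = b, str(c).zfill(m)          # STR_m(c): exactly m digits, then swap
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, ciphertext: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    _check(ciphertext)
    n = len(ciphertext)
    u, v = n // 2, n - n // 2
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a, m)) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


def sanitize_ssns(key: bytes, records: list) -> list:
    """Replace each record's 'ssn' with its FPE token under a fixed tweak.
    Deterministic, so equal SSNs give equal tokens and the column still works
    as a join key across tables; the nine-digit format is preserved."""
    sanitized = []
    for rec in records:
        rec = dict(rec)
        rec["ssn"] = fpe_encrypt(key, b"ssn", rec["ssn"])
        sanitized.append(rec)
    return sanitized


if __name__ == "__main__":
    key = bytes(range(16))                 # constructed 128-bit example key
    ssn = "123456789"                      # constructed sample value
    token = fpe_encrypt(key, b"ssn", ssn)
    print(ssn, "->", token, "->", fpe_decrypt(key, b"ssn", token))
    records = [{"name": "A", "ssn": ssn}, {"name": "B", "ssn": ssn}]  # constructed
    print(sanitize_ssns(key, records))
```

Because encryption is deterministic for a fixed key and tweak, equal SSNs map to equal nine-digit tokens, which is what makes the sanitized column usable as an index or join key; the same determinism means anyone who can submit chosen values learns the token of any SSN they can guess, and the caveat above about re-identification from the other, unencrypted columns still applies. SP 800-38G also sets a minimum domain size for FF1 and FF3: a very short field has so few possible values that any FPE over it can be enumerated outright.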

NIST Announces the Release of 2 Draft Special Publications:
(1) Special Publication 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security &
(2) Draft Special Publication 800-114 Revision 1, User's Guide to Telework and Bring Your Own Device (BYOD) Security

March 14, 2016
 
NIST requests public comments on two draft Special Publications (SPs) on telework and BYOD security: Draft SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, and Draft SP 800-114 Revision 1, User's Guide to Telework and Bring Your Own Device (BYOD) Security. Organizations are increasingly threatened, attacked, and breached through compromised telework devices used by their employees, contractors, business partners, and vendors. These publications make recommendations for organizations (in SP 800-46 Revision 2) and users (in SP 800-114 Revision 1) to improve their telework and BYOD security practices.
 
The public comment period for both publications closes on April 15, 2016.
 
Send comments on Draft SP 800-46 Revision 2 to 800-46comments@nist.gov with "Comments SP 800-46" in the subject line.
Send comments on Draft SP 800-114 Revision 1 to 800-114comments@nist.gov with "Comments SP 800-114" in the subject line.  
 

Links to Draft SP 800-46 Rev. 2 and Draft SP 800-114 Rev. 1:

  • Draft SP 800-46 Rev. 2 (PDF)
  • Comment Template for SP 800-46 Rev. 2 (Excel)
  • Draft SP 800-114 Rev. 1 (PDF)
  • Comment Template for SP 800-114 Rev. 1 (Excel)


NIST Announces the Release of Draft Special Publication 800-154, Guide to Data-Centric System Threat Modeling
March 14, 2016
 
NIST requests public comments on draft Special Publication (SP) 800-154, Guide to Data-Centric System Threat Modeling. Data-centric system threat modeling is a form of risk assessment that models aspects of the attack and defense sides for selected data within a system. Draft SP 800-154 provides information on the basics of data-centric system threat modeling so that organizations can use it as part of their risk management processes instead of relying solely on conventional "best practice" recommendations.
 
The public comment period for the publication closes on April 15, 2016.
 
Send comments on Draft SP 800-154 to 800-154comments@nist.gov with "Comments SP 800-154" in the subject line.
 
Link to Draft SP 800-154 document (PDF)
Link to Comment Template for Draft SP 800-154 (Excel)


NIST Released Draft SP 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
March 11, 2016
 
NIST requests comments on Special Publication 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms. The SP 800-175 publications are intended to be a replacement for SP 800-21, Guideline for Implementing Cryptography in the Federal Government, but with a focus on using the cryptographic offerings currently available, rather than building one’s own implementation. SP 800-175B is intended to provide guidance to the Federal government for using cryptography and NIST’s cryptographic standards to protect sensitive, but unclassified digitized information during transmission and while in storage. The cryptographic methods and services to be used are also discussed. The first document in the series (i.e., SP 800-175A) will be available shortly. Please provide comments on SP 800-175B by Friday, April 29, 2016. Comments may be sent to SP800-175@nist.gov, with “Comments on SP 800-175B” as the subject.


NIST Released SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection
March 7, 2016
 
NIST announces the release of the final version of NIST Special Publication 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection. VMs constitute the primary resource to be protected in a virtualized infrastructure, since they are the compute engines on which business/mission critical applications of the enterprise are run. Further, since VMs are end-nodes of a virtual network, the configuration of the virtual network forms an important element in the security of VMs and their hosted applications. The virtual network configuration areas considered for VM protection in this document are Network Segmentation, Network Path Redundancy, Firewall Deployment Architecture, and VM Traffic Monitoring. The configuration options in each of these areas are analyzed for their advantages and disadvantages, and security recommendations are provided.


NIST Special Publication 800-53 Revision 5, Pre-Draft Call for Comments
February 23, 2016
 
Recognizing the importance of maintaining the relevance and currency of Special Publication (SP) 800-53, NIST will update Revision 4 to Revision 5 during calendar year 2016 beginning with this pre-draft request for comments. NIST seeks the input of SP 800-53 customers to ensure Revision 5 will continue to deliver a comprehensive security and privacy control set that addresses current threats, technologies, and environments of operation while remaining functional and usable.
 
Please respond to the call for comments by April 1, 2016, at sec-cert@nist.gov.
 
To learn more, please visit the link below.
 
SP 800-53 Rev. 5 PRE-Draft Call for Comments


Draft Special Publication 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), Comment Period Has Been Extended
February 19, 2016
 
The comment period for Draft Special Publication 800-116 Revision 1 has been extended, and now closes at 5:00 EST (US and Canada) on March 1, 2016.


NIST Announces the Release of DRAFT Special Publication 800-180, NIST Definition of Microservices, Application Containers and System Virtual Machines
February 18, 2016
 
NIST requests public comments on DRAFT SP 800-180, NIST Definition of Microservices, Application Containers and System Virtual Machines. This document provides a NIST-standard definition of application containers, of microservices that reside in application containers, and of system virtual machines. Furthermore, it explains the similarities and differences between a Service-Oriented Architecture (SOA) and microservices, as well as the similarities and differences between system virtual machines and application containers.
 
Link to Draft SP 800-180 (PDF) 
Link to Comment Template (Excel)
 
The public comment period will close on: March 18, 2016.
 
Send comments using this template to sec-cloudcomputing@nist.gov with “Comments SP 800-180” in the subject line.


NIST Announces Release of Draft NISTIR 8103, Advanced Identity Workshop on Applying Measurement Science in the Identity Ecosystem: Summary and Next Steps
February 17, 2016
 

On January 12-13, 2016 the Applied Cybersecurity Division (ACD) in the National Institute of Standards and Technology’s (NIST) Information Technology Laboratory hosted the “Applying Measurement Science in the Identity Ecosystem” workshop to discuss the application of measurement science to digital identity management. Draft NISTIR 8103 summarizes the concepts and ideas presented at the workshop and serves as a platform to receive feedback on the major themes discussed at that event.

Link to Draft NISTIR 8103 (PDF)
Comment Template to use to submit comments to Draft NISTIR 8103 (Excel)

Comments on NISTIR 8103 should be emailed to NSTICworkshop@nist.gov.
The comment period closes on March 31st, 2016.

NIST Announces Release of DRAFT NISTIR 8063, Primitives and Elements of Internet of Things (IoT) Trustworthiness
February 16, 2016
 
NIST requests public comments on DRAFT NISTIR 8063, Primitives and Elements of Internet of Things (IoT) Trustworthiness. This report describes research on creating a vocabulary, namely primitives and elements, for composing IoT. This report presents five primitives and six elements that form a design catalogue that can support trustworthiness. We envision their application to use cases, ontologies, formalisms, and other methods to specific IoT projects. These primitives apply well to systems with large amounts of data, scalability concerns, heterogeneity concerns, temporal concerns, and elements of unknown pedigree with possible nefarious intent. These primitives form the basic building blocks for a Network of ‘Things’ (NoT), including the Internet of Things (IoT). We see this as early research and earnestly seek feedback on the merits, utility, and feasibility of such a vocabulary.
 
The public comment period will close on: March 17, 2016.
 
Send comments and/or questions to iot@nist.gov with “Comments NISTIR 8063” in the subject line.


NIST announces release of Draft Special Publication (SP) 800-166, Derived PIV Application and Data Model Test Guidelines for public comment
February 8, 2016
 
Draft SP 800-166 contains the derived test requirements and test assertions for testing the Derived PIV Application and associated Derived PIV data objects. The tests verify the conformance of these artifacts to the technical specifications of SP 800-157. SP 800-157 specifies standards-based, secure, reliable, interoperable Public Key Infrastructure (PKI)-based identity credentials. Draft SP 800-166 is targeted at vendors of Derived PIV Applications, issuers of Derived PIV Credentials, and entities that will conduct conformance tests on these applications and credentials.
 
The public comment period closes on: March 14, 2016.
Send comments to piv_derived@nist.gov with “Comments on Draft SP 800-166” in the subject line.
 
The draft document and the comment template are available at the links below:
Draft SP 800-166 (Draft Document)
Comment Template (Excel file)


A NIST Draft Whitepaper titled "Best Practices for Privileged User PIV Authentication" is available for public comment.
February 5, 2016
 
This draft white paper is a best practices guide. The paper responds to the Cybersecurity Strategy and Implementation Plan (CSIP), published by the Office of Management and Budget (OMB) on October 30, 2015, which requires Federal agencies to use Personal Identity Verification (PIV) credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user authentication, and provides best practices for agencies implementing PIV authentication for privileged users.
 
The public comment period closes on: March 4, 2016.
Send comments to csip-pivforprivilege@nist.gov with “Comments on PIV Credential for privileged use” in the subject line.
 
Best Practices for Privileged User PIV Authentication
Comment Template (Excel)


NIST Announces the Release of DRAFT NISTIR 8105, Report on Post-Quantum Cryptography, for Public Comment
February 3, 2016
 
NIST requests public comments on DRAFT NISTIR 8105, Report on Post-Quantum Cryptography. In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. This Internal Report shares the National Institute of Standards and Technology (NIST)’s current understanding about the status of quantum computing and post-quantum cryptography, and outlines NIST’s initial plan to move forward in this space. The report also recognizes the challenge of moving to new cryptographic infrastructures and therefore emphasizes the need for agencies to focus on crypto agility.
 
The public comment period will close on: March 9, 2016.
Send comments or questions to NISTIR8105-comments@nist.gov with “Comments NISTIR 8105” in the subject line.


NIST Releases DRAFT NISTIR 8011, Automation Support for Security Control Assessments, Volume 1: Overview and Volume 2: Hardware Asset Management, for Public Comment

February 2, 2016
 
The National Institute of Standards and Technology (NIST) is pleased to announce the initial public draft release of NIST Internal Report (NISTIR) 8011, Automation Support for Security Control Assessments, Volumes 1 and 2. This NISTIR represents a joint effort between NIST and the Department of Homeland Security to provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall and the guidance in NIST SPs 800-53 and 800-53A in particular.  
 
NISTIR 8011 will ultimately consist of 13 volumes. Volume 1 introduces the general approach to automating security control assessments, 12 ISCM security capabilities, and terms and concepts common to all 12 capabilities. Volume 2 provides details specific to the hardware asset management security capability. The remaining 11 ISCM security capability volumes will provide details specific to each capability but will be organized in a very similar way to Volume 2.
 
Link to Volume 1: Overview
Link to Volume 2: Hardware Asset Management

-OR- you can get to this draft with 2 volumes from the CSRC Draft Publications page.

Public comment period is open through March 18, 2016. Please submit public comments to sec-cert@nist.gov. Comments are accepted in any desired format.  


Special Publication 800-57, Part 1 Revision 4 has been approved as final.
January 28, 2016
 
NIST announces the completion of Special Publication (SP) 800-57, Part 1 Rev. 4, Recommendation for Key Management, Part 1: General. This Recommendation provides general cryptographic key management guidance. The proper management of cryptographic keys is essential to the effective use of cryptography for security. Public comments received during the review of this document are provided here.


NIST Released NISTIR 7511 Revision 4, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements
January 28, 2016
 
NIST announces the final release of NISTIR 7511 Revision 4, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements. This document defines the test requirements that products must satisfy in order to be awarded an SCAP 1.2 validation. A list of changes is provided in the Summary of Changes section of the document.


DRAFT SP 800-90 Series: Random Bit Generators
Recommendation for the Entropy Sources Used for Random Bit Generation

January 27, 2016
 
NIST announces the second draft of Special Publication (SP) 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation. This Recommendation specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of entropy sources. These entropy sources are intended to be combined with Deterministic Random Bit Generator mechanisms that are specified in SP 800-90A to construct Random Bit Generators, as specified in SP 800-90C. NIST is planning to host a workshop on Random Number Generation to discuss the SP 800-90 series, specifically, SP 800-90B and SP 800-90C. More information about the workshop is available at: http://www.nist.gov/itl/csd/ct/rbg_workshop2016.cfm.
 
The specific areas where comments are solicited on SP 800-90B are:

  • Post-processing functions (Section 3.2.2): We provided a list of approved post-processing functions. Is the selection of the functions appropriate?
  • Entropy assessment (Section 3.1.5): While estimating the entropy for entropy sources using a conditioning component, the values of n and q are multiplied by the constant 0.85. Is the selection of this constant reasonable?
  • Multiple noise sources: The Recommendation only allows using multiple noise sources if the noise sources are independent. Should the use of dependent noise sources also be allowed, and if so, how can we calculate an entropy assessment in this case?
  • Health Tests: What actions should be taken when health tests raise an alarm? The minimum allowed value of a type I error for health testing is selected as 2^-50. Is this selection reasonable?

NIST Public Affairs Office published a news release regarding the second Draft SP 800-90B.

NIST requests comments on the revised (second) Draft SP 800-90B by 5:00PM EST on May 9, 2016. Please submit comments on Draft SP 800-90B using the comments template form (Excel Spreadsheet) to rbg_comments@nist.gov with “Comments on Draft SP 800-90B” in the subject line.


NIST Released NIST Interagency Report (NISTIR) 8055, Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research
January 22, 2016
 
NIST announces the final release of NIST Interagency Report (NISTIR) 8055, Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research. This report documents proof of concept research performed by NIST to determine how DPCs could be used to PIV-enable mobile devices and provide multi-factor authentication for an organization's mobile device users. This report captures DPC requirements, proposes an architecture that supports these requirements, and describes how this architecture could be implemented and operated.


Influence the Future of Cybersecurity Education—Join the NICE Working Group
January 21, 2016
Addressing the nation’s rapidly increasing need for cybersecurity employees, the National Initiative for Cybersecurity Education (NICE) is seeking members from the public and private sectors and academia to join its new working group and encourages interested individuals to participate in a kickoff teleconference the afternoon of January 27, 2016.

See the press release and NICE Working Group page for more details.


See news archive for previous years (2015-2011).