- csrc home
- news & events
Special Publication 800-82, Revision 1, Guide to Industrial Control Systems (ICS) Security
May 15, 2013
NIST announces the release of Special Publication 800-82, Revision 1, Guide to Industrial Control System (ICS) Security. Special Publication 800-82 provides guidance on how to improve the security in Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing unique performance, reliability, and safety requirements. Special Publication 800-82: (i) provides an overview of ICS and typical system topologies; (ii) identifies typical threats to organizational missions and business functions supported by ICS; (iii) describes typical vulnerabilities in ICS; and (iv) provides recommended security controls (i.e., safeguards and countermeasures) to respond to the associated risks.
Special Publication 800-82, Revision 1 includes the ICS material transferred from Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, Appendix I. Special Publication 800-82, Revision 1 is being released concurrent with Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, to preserve the continuity of that ICS material. The ICS material is now located in Appendix G of Special Publication 800-82, Revision 1.
Additionally, NIST is planning a major update to Special Publication 800-82 (Special Publication 800-82, Revision 2) that will include:
Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, and Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, are now available
May 13, 2013
#1 -- NIST announces that Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, is now available for public comment. This document has been updated to align with Candidate Final FIPS 201-2. Major changes in draft SP 800-73-4 include:
Periodic Errata Updates for SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
May 9, 2013
NIST will provide periodic errata updates to Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, as needed. The errata updates can be editorial or substantive in nature. The specific changes will be listed in the Errata table on page xvii of the publication. The date of the errata update will be noted on the front cover of the publication under the original publication date.
The first errata update of SP 800-53, Revision 4 is now available from the CSRC Special Publications page.
The markup version of Appendices D, F, and G for SP 800-53, Revision 4 are now available - on the Special Publications page.
Questions or comments can be sent to firstname.lastname@example.org.
NIST Announces the Final Release of SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
April 30, 2013
NIST announces the final release of Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 4, represents the most comprehensive update to the security controls catalog since its inception in 2005. The publication was developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force, an interagency partnership formed in 2009. This update was motivated principally by the expanding threat space—characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of targeting by attackers). State-of-the-practice security controls and control enhancements have been developed and integrated into the catalog addressing such areas as: mobile and cloud computing; applications security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat. In addition, Special Publication 800-53 has been expanded to include eight new families of privacy controls based on the internationally accepted Fair Information Practice Principles.
Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This "Build It Right" strategy is coupled with a variety of security controls for "Continuous Monitoring" to give organizations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.
To take advantage of the expanded set of security and privacy controls, and to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances.
Finally, there have been several new features added to this revision to facilitate ease of use by organizations. These include:
The security and privacy controls in Special Publication 800-53, Revision 4, have been designed to be largely policy/technology-neutral to facilitate flexibility in implementation. The controls are well positioned to support the integration of information security and privacy into organizational processes including enterprise architecture, systems engineering, system development life cycle, and acquisition/procurement. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.
Special Publication 800-53 Revision 4 is available here. A markup version of Appendices D, F, and G containing security control and security control baseline changes from SP 800-53, Revision 3 to Revision 4 will be available NLT May 7, 2013. There will be additional download instructions for the markup appendices provided by a subsequent notification from the FISMA Implementation Project.
An updated (April 30, 2013) FISMA Implementation Project Schedule is available at: http://csrc.nist.gov/groups/SMA/fisma/schedule.html.
Questions or comments can be sent to email@example.com.
Draft Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations
April 22, 2013
NIST announces the public comment release of draft Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations. ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. This document provides Federal agencies with a definition of ABAC and considerations for using ABAC to improve information sharing within organizations and between organizations while maintaining control of that information.
NIST requests comments on draft SP 800-162 by May 31, 2013. Please send comments to firstname.lastname@example.org with the subject "Comments SP 800-162"
Draft NIST Interagency Report (IR) 7924, Reference Certificate Policy now available for Public Comment
April 11, 2013
NIST announces the public comment release of Draft Interagency Report (IR) 7924, Reference Certificate Policy. The purpose of this document is to identify a set of security controls and practices to support the secure issuance of certificates. It was written in the form of a Certificate Policy (CP), a standard format for defining the expectations and requirements of the relying party community that will trust the certificates issued by its Certificate Authorities (CAs).
This new draft document, based on the Federal Public Key Infrastructure Common Policy, was developed with a particular emphasis on identifying stronger computer, lifecycle and network security controls.
NIST requests comments on Draft IR 7924 by Friday, June 7, 2013. Please send comments to email@example.com, using this public comment template (MS Word).
Final Public Draft of NIST Special Publication 800-53 Revision 4
February 5, 2013
NIST announces the release of Draft Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal information Systems and Organizations (Final Public Draft). Special Publication 800-53, Revision 4, represents the culmination of a two-year initiative to update the guidance for the selection and specification of security controls for federal information systems and organizations. This update, the most comprehensive since the initial publication of the controls catalog in 2005, was conducted as part of the Joint Task Force Transformation Initiative in cooperation and collaboration with the Department of Defense, the Intelligence Community, and the Committee on National Security Systems. NIST received and responded to several thousand comments during the extensive public review and comment period.
The proposed changes included in Special Publication 800-53, Revision 4, support the federal information security strategy of “Build It Right, Then Continuously Monitor” and are directly linked to the current threat space (i.e., capabilities, intentions, and targeting of adversaries) as well as the attack data collected and analyzed over a substantial period of time. In this update, there is renewed emphasis on security controls that can be implemented to increase the reliability, trustworthiness, and resiliency of information systems, system components, and information system services—especially in those systems, components, and services supporting critical organizational missions and business operations (including, for example, critical infrastructure applications). In particular, the major changes in Revision 4 include:
Final Approval of NIST Interagency Report (IR) 7511 Revision 3 is now available
February 5, 2013
NIST announces the release of NIST Interagency Report (NISTIR) 7511 Revision 3, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements. NISTIR 7511 defines the requirements that must be met by products to achieve SCAP 1.2 Validation. Validation is awarded based on a defined set of SCAP capabilities by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. NISTIR 7511 Revision 3 has been written primarily for accredited laboratories and for vendors interested in producing SCAP validated products.
DRAFT Special Publication 800-63-2, Electronic Authentication Guideline is now available for comment
February 1, 2013
NIST announces the release of Draft Special Publication 800-63-2, Electronic Authentication Guideline for public review and comment. This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrain the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication will supersede NIST Special Publication 800-63-1.
This draft is a limited update of Special Publication 800-63-1 and substantive changes are made only in section 5. Registration and Issuance Processes. The substantive changes in the revised draft are intended to facilitate the use of professional credentials in the identity proofing process, and to reduce the need to use postal mail to an address of record to issue credentials for level 3 remote registration. Other changes to section 5 are minor explanations and clarifications. New or revised text is highlighted in the review draft. Other sections of NIST Special Publication 800-63-1 have not been changed in this draft.
Please submit comments on the revision to firstname.lastname@example.org with the subject line: “Draft SP 800-63-2 Comments”. The comment period closes on March 4, 2013.
Policy Machine now has webpages on CSRC website
January 31, 2013
NIST is pleased to announce a new project web site reporting on the findings of its Policy Machine research … a unification of access control and data services.
Update Status on (Draft) NIST Special Publication 800-53 Revision 4
January 18, 2013
NIST anticipates the release of Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal information Systems and Organizations (Final Public Draft) on Tuesday, February 5th. The final public comment period will run from February 5th through March 1st. Final publication is expected by the end of April.
NIST Computer Security Division released a paper "The Role of the National Institute of Standards and Technology in Mobile Security".