DRAFT National Checklist Program for IT Products - Guidelines for Checklist Users and Developers is now available for public comment.
March 26, 2015
Draft Special Publication 800-70 Revision 3, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers, has been released for public comment. It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 3 updates the previous version of the document, which was released in 2011, by streamlining the text and removing outdated content, as well as updating the requirements for United States Government Configuration Baselines (USGCB).
Comments on draft SP 800-70 Revision 3 should be sent by April 27, 2015 to firstname.lastname@example.org with "Comments SP 800-70" in the subject line.
Second Public Draft release of Draft NIST Interagency Report (IR) 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH)
March 4, 2015
NIST announces the second public comment release of Draft NIST Interagency Report (IR) 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH). The purpose of this document is to assist organizations in understanding the basics of Secure Shell (SSH) and SSH access management in an enterprise, focusing on the management of SSH user keys. It describes the primary categories of vulnerabilities in SSH user key management and recommends practices for planning and implementing SSH access management. The scope of this draft is significantly different from the original public comment draft; this draft includes both interactive and automated access management, not just the latter.
A comment template is available for submitting comments on this draft document (see the CSRC Drafts page to obtain the template). Please send your comments to NISTIR7966email@example.com by April 3, 2015.
NIST is pleased to announce the release of NIST Internal Report (NISTIR) 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework
March 4, 2015
NIST announces the release of the NIST Internal Report (NISTIR) 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework. As electric utilities turn to Advanced Metering Infrastructures (AMIs) to promote the development and deployment of the Smart Grid, one aspect that can benefit from standardization is the upgradeability of Smart Meters. The National Electrical Manufacturers Association (NEMA) standard SG-AMI 1-2009, “Requirements for Smart Meter Upgradeability,” describes functional and security requirements for the secure upgrade—both local and remote—of Smart Meters. This report describes conformance test requirements that may be used voluntarily by testers and/or test laboratories to determine whether Smart Meters and Upgrade Management Systems conform to the requirements of NEMA SG-AMI 1-2009. For each relevant requirement in NEMA SG-AMI 1-2009, the document identifies the information to be provided by the vendor to facilitate testing, and the high-level test procedures to be conducted by the tester/laboratory to determine conformance.
NIST is pleased to announce the release of NIST Internal Report (NISTIR) 8023, Risk Management for Replication Devices.
February 23, 2015
NIST Internal Report (NISTIR) 8023, Risk Management for Replication Devices, is now available. A replication device (RD) is any device that reproduces (e.g., copies, prints, scans) documents, images, or objects from an electronic or physical source. This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on RDs. It provides basic information on common threats and vulnerabilities to RDs and provides an example RD risk assessment.
Special Publication 800-82, Revision 2 Final Public Draft Guide to Industrial Control Systems (ICS) Security
February 9, 2015
NIST announces the final public draft release of Special Publication 800-82, Revision 2, Guide to Industrial Control System (ICS) Security. Special Publication 800-82 provides guidance on how to improve the security in Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing unique performance, reliability, and safety requirements. Special Publication 800-82: (i) provides an overview of ICS and typical system topologies; (ii) identifies typical threats to organizational missions and business functions supported by ICS; (iii) describes typical vulnerabilities in ICS; and (iv) provides recommended security controls (i.e., safeguards and countermeasures) to respond to the associated risks.
This document is the second revision to NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. Updates in this revision include:
Errata Update for Special Publication 800-53, Revision 4
January 29, 2015
NIST announces the release of an Errata Update for Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. This update contains new mapping tables for ISO/IEC 27001:2013.
NIST Special Publication 800-163, Vetting the Security of Mobile Applications, has been approved as final
January 26, 2015
The purpose of Special Publication 800-163, Vetting the Security of Mobile Applications, is to help organizations understand the process for vetting the security of mobile applications, plan for the implementation of an app vetting process, develop app security requirements, understand the types of app vulnerabilities and the testing methods used to detect them, and determine if an app is acceptable for deployment on the organization's mobile devices.
NIST Computer Security Division released Special Publication 800-57 Part 3, Revision 1, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
January 23, 2015
Special Publication 800-57, Part 3, Revision 1, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance, is intended primarily to help system administrators and system installers adequately secure applications based on product availability and organizational needs and to support organizational decisions about future procurements. This document also provides information for end users regarding application options left under their control in a normal use of the application.
This revision updates cryptographic requirements for the protocols and applications in the document so that the current required security strengths, as specified in SP 800-131A, can be achieved. This revision also adds security-related updates from the protocols addressed in the original version of the document, as well as a new section for Secure Shell (SSH).
The applications and protocols addressed in this revision are: Public Key Infrastructures (PKI), Internet Protocol Security (IPsec), Secure/Multipurpose Internet Mail Extensions (S/MIME), Kerberos, Over-the-Air Rekeying of Digital Radios (OTAR), Domain Name System Security Extensions (DNSSEC), Encrypted File Systems (EFS) and Secure Shell (SSH).
Second Public Draft NISTIR 7977, NIST Cryptographic Standards and Guidelines Development Process, is available for review and public comment
January 23, 2015
NIST requests comments on a Second Public Draft of NIST Interagency Report (NISTIR) 7977, Cryptographic Standards and Guidelines Development Process. This revised document describes the principles, processes and procedures behind our cryptographic standards development efforts. Please send comments to firstname.lastname@example.org by March 27, 2015. Please see this announcement for additional information for reviewers. NIST Public Affairs Office also released a press release covering the release of the second draft of NISTIR 7977.
NISTIR 8018, Public Safety Mobile Application Security Requirements Workshop Summary, has been finalized and is now available
January 23, 2015
NIST announces the release of NIST Interagency Report (NISTIR) 8018, Public Safety Mobile Application Security Requirements Workshop Summary. The purpose of this publication is to capture the findings of a half-day workshop held by the Association of Public-Safety Communications Officials (APCO) in association with FirstNet and the Department of Commerce. The workshop’s goal was to identify and define mobile application security requirements relevant to public safety by building on APCO’s Key Attributes of Effective Apps for Public Safety and Emergency Response and their related efforts. Workshop discussions centered on the following topics: battery life, unintentional denial of service, mobile application vetting, data protection, location information, and identity management. In addition to providing a description of the workshop and capturing attendees’ input, NISTIR 8018 identifies possible areas of further research related to public safety mobile applications.