News -- 2012

DRAFT NISTIR 7848, Specification for the Asset Summary Reporting Format 1.0
May 8, 2012
 
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7848, Specification for the Asset Summary Reporting Format 1.0. NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing summary information about assets relative to one or more metrics. ASR reduces the bandwidth needed to report information about assets in the aggregate: it allows aggregates to be reported relative to metrics rather than reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and leverages widely adopted, open specifications; it is flexible and suited to a wide variety of reporting applications.
 
NIST requests public comments on draft NISTIR 7848 by June 6, 2012. Comments should be sent to asr-comments@nist.gov.


Proposed Change to Federal Information Processing Standard 186-3, the Digital Signature Standard
April 10, 2012
 
NIST requests comments on proposed changes to Federal Information Processing Standard 186-3, the Digital Signature Standard. The Federal Register Notice requests that electronic comments be sent by May 25, 2012 to fips_186-3_change_notice@nist.gov, with "186-3 Change Notice" in the subject line. The proposed revisions are available on the CSRC Drafts page, which provides links to (1) the Proposed Change Notice for FIPS 186-3 and (2) the currently approved FIPS 186-3 document, released June 2009.

The Federal Register Notice is available as (1) a PDF copy of the FederalRegister.gov notice hosted on the CSRC website, or (2) directly from FederalRegister.gov at: https://www.federalregister.gov/articles/2012/04/10/2012-8573/announcing-draft-revisions-to-federal-information-processing-standard-fips-186-3-digital-signature


Second Public DRAFT of NIST Interagency Report 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
March 23, 2012
 
NIST announces the second public draft of NIST Interagency Report (NISTIR) 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems. This publication is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain risk. It seeks to equip federal departments and agencies with a notional set of repeatable and commercially reasonable supply chain assurance methods and practices that offer a means to obtain an understanding of, and visibility throughout, the supply chain.
 
NIST requests comments on draft NISTIR 7622 by May 25, 2012 (NOTE: the due date has been extended from May 11 to May 25). Please submit comments to scrm-nist@nist.gov with "Comments NISTIR 7622" in the subject line. Comments should be submitted using the comments template (Microsoft Excel file).

The same announcement with links to this draft can also be located on the CSRC Drafts page.


Markup Copies of Appendices D, F, and G for Draft Special Publication 800-53 Revision 4 are now available
March 8, 2012
 
NIST announces the markup version of NIST Special Publication 800-53, Revision 4 (Initial Public Draft), Security and Privacy Controls for Federal Information Systems and Organizations. The markup includes: Appendix D (Security Control Baselines—Summary), Appendix F (Security Control Catalog), and Appendix G (Information Security Programs).


Announcing Approval of Federal Information Processing Standard (FIPS) Publication 180-4, Secure Hash Standard (SHS); a Revision of FIPS 180-3
March 6, 2012
 
The Secretary of Commerce has approved Federal Information Processing Standard (FIPS) Publication 180-4, Secure Hash Standard (SHS). FIPS 180-4 updates FIPS 180-3 by providing a general procedure for creating an initialization value, adding two additional secure hash algorithms to the Standard (SHA-512/224 and SHA-512/256), and removing the FIPS 180-3 restriction that padding must be done before hash computation begins. The Federal Register Notice of the approval of FIPS 180-4 is available for review.


DRAFT Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (Initial Public Draft)
February 28, 2012
 
NIST announces the Initial Public Draft of Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 4, represents the culmination of a year-long initiative to update the content of the security controls catalog and the guidance for selecting and specifying security controls for federal information systems and organizations. The project was conducted as part of the Joint Task Force Transformation Initiative in cooperation and collaboration with the Department of Defense, the Intelligence Community, the Committee on National Security Systems, and the Department of Homeland Security. The proposed changes included in Revision 4 are directly linked to the current state of the threat space (i.e., capabilities, intentions, and targeting activities of adversaries) and the attack data collected and analyzed over a substantial time period. In particular, the major changes in Revision 4 include:

  • New security controls and control enhancements;
  • Clarification of security control requirements and specification language;
  • New tailoring guidance including the introduction of overlays;
  • Additional supplemental guidance for security controls and enhancements;
  • New privacy controls and implementation guidance;
  • Updated security control baselines;
  • New summary tables for security controls to facilitate ease-of-use; and
  • Revised minimum assurance requirements and designated assurance controls.
Many of the changes were driven by particular cyber security issues and challenges requiring greater attention, including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT). In most instances, with the exception of the new privacy appendix, the new controls and enhancements are not labeled specifically as “cloud” or “mobile computing” controls or placed in one section of the catalog. Rather, the controls and enhancements are distributed throughout the control catalog in various families and provide specific security capabilities that are needed to support those new computing technologies and computing approaches. The breadth and depth of the security and privacy controls in the control catalog must be sufficiently robust to protect the wide range of information and information systems supporting the critical missions and business functions of the federal government—from the Department of Homeland Security, to the DoD warfighters, to the Federal Aviation Administration, to the Social Security Administration. As the federal government continues to implement its unified information security framework using the core publications developed under the Joint Task Force, there is also a significant transformation underway in how federal agencies authorize their information systems. Near real-time risk management and the ability to design, develop, and implement effective continuous monitoring programs depend, first and foremost, on the organization’s ability to develop a strong information technology infrastructure—in essence, building stronger, more resilient information systems using system components with sufficient security capability to protect core missions and business functions.

The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based cyber security programs—capable of addressing the most sophisticated threats on the horizon.
 
Public comment period: February 28th through April 6th, 2012. This will be the only comment period. Publication of the final document is anticipated in July 2012. Comments can be sent to sec-cert@nist.gov.
 
To support the public review process, NIST will publish a markup version of Appendices D, F, and G. This will help organizations plan for any future update actions they may wish to undertake after Revision 4 is finalized. No markups will be provided for the main chapters or the other appendices.


Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs)
February 21, 2012
 
NIST announces the final release of Special Publication (SP) 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs). The purpose of this publication is to provide organizations with recommendations for improving the security configuration and monitoring of their IEEE 802.11 wireless local area networks (WLANs) and of the devices connecting to those networks. Recommendations in SP 800-153 cover topics such as standardized WLAN security configurations, dual-connected WLAN client devices, and security assessments and continuous monitoring. This publication supplements, and does not replace, other NIST publications on WLAN security.


Report Issued by University of Maryland's Supply Chain Management Center
February 3, 2011
 
NIST is pleased to announce the release of a report by the University of Maryland’s Supply Chain Management Center. The report, which stems from a NIST grant, inventories existing ICT supply chain initiatives and formulates a framework for defining ICT supply chain risk management (SCRM) architectures. It builds on the work from a previous NIST grant to the University of Maryland, which profiled the ICT SCRM governance strategies and practices of over 200 key Federal government vendors. These reports will help guide NIST’s work in the area of ICT SCRM.


DRAFT Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide
February 1, 2012
 
NIST announces the public comment release of draft Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide. It seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. The publication includes guidelines on establishing an effective incident response program, as well as on detecting, analyzing, prioritizing, and handling incidents. SP 800-61 Revision 2 updates the previous revision, which was released in 2008. A detailed change log is provided in Appendix H.
 
NIST requests comments on draft SP 800-61 Revision 2 by March 16th, 2012. Please submit comments to 800-61rev2-comments@nist.gov with "Comments SP 800-61" in the subject line.


NIST Released Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing
January 22, 2012
 
NIST is pleased to announce the release of Special Publication (SP) 800-144, Guidelines on Security and Privacy in Public Cloud Computing. SP 800-144 provides an overview of the security and privacy challenges of public cloud computing and gives recommendations that organizations should consider when outsourcing data, applications, and infrastructure to a public cloud environment.


NIST Released Draft NIST Interagency Report (IR) 7817, A Credential Reliability and Revocation Model for Federated Identities
January 18, 2012
 
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7817, A Credential Reliability and Revocation Model for Federated Identities. NISTIR 7817 investigates credential and attribute revocation, with a particular focus on identifying missing requirements for revocation. As a by-product of the analysis and recommendations, this document also suggests a model for credential reliability and revocation services that serves to address some of those missing requirements.
 
NIST requests public comments on draft NISTIR 7817 by February 17, 2012. Comments should be sent to URRS@nist.gov.