Computer Security Division News - 2015

NIST Releases Draft NISTIR 8058, Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content
May 1, 2015
 
NIST announces the public comment release of Draft NIST Internal Report (NISTIR 8058), Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content. The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. Over time, certain stylistic conventions regarding the authoring of SCAP 1.2 content have become best practices. They improve the quality of SCAP content in several ways, such as improving the accuracy and consistency of results, avoiding performance problems, reducing user effort, lowering content maintenance burdens, and enabling content reuse. This document has been created to capture the best practices and encourage their use by SCAP content authors and maintainers.

Please send comments to NISTIR8058-comments@nist.gov with “Comments Draft NISTIR 8058” in the subject line. Comments will be accepted through June 1, 2015.


NIST is pleased to announce the release of NIST Internal Report (NIST IR) 8041, Proceedings of the Cybersecurity for Direct Digital Manufacturing (DDM) Symposium
April 15, 2015
 
NIST IR 8041, Proceedings of the Cybersecurity for Direct Digital Manufacturing (DDM) Symposium is now available. Direct Digital Manufacturing involves fabricating physical objects from a data file using computer-controlled processes with little to no human interaction. This publication contains speaker abstracts, presentation summaries and slides, and working session results of a one-day symposium hosted by the NIST Computer Security Division on February 3, 2015 to explore cybersecurity needed for DDM.


NIST is pleased to announce the release of NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations.
April 9, 2015
 
Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with the federal agencies’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services.
 
Special Publication 800-161: (i) provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations; (ii) integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multi-tiered, SCRM-specific approach, including guidance on assessing supply chain risk and applying mitigation activities; and, (iii) builds on existing practices from multiple disciplines and is intended to increase the ability of organizations to strategically manage ICT supply chain risks over the entire life cycle of systems, products, and services.
 
For information on NIST’s ICT SCRM Program, please visit: http://csrc.nist.gov/scrm/


NIST Requests Comments on SP 800-63-2, Electronic Authentication Guideline
April 9, 2015
 
NIST requests comments on SP 800-63-2, Electronic Authentication Guideline. This document describes the technical requirements necessary to meet the four Levels of Assurance specified in OMB memorandum M-04-04, E-Authentication Guidance for Federal Agencies. Please send questions and comments by May 22, 2015. For more information, please visit the CSRC E-Authentication webpage.


NIST Releases Draft NISTIR 8053, De-Identification of Personally Identifiable Information
April 7, 2015
 
NIST requests comments on the initial public draft of NISTIR 8053, De-Identification of Personally Identifiable Information. This document describes terminology, processes and procedures for the removal of personally identifiable information (PII) from a variety of electronic document types.
 
Background:
This draft results from a NIST-initiated review of techniques that have been developed for the removal of personally identifiable information from digital documents. De-identification techniques are widely used to remove personal information from data sets to protect the privacy of the individual data subjects. In recent years many concerns have been raised that de-identification techniques are themselves not sufficient to protect personal privacy, because information remains in the data set that makes it possible to re-identify data subjects.
 
We are soliciting public comment on this initial draft to obtain feedback from experts in industry, academia and government who are familiar with de-identification techniques and their limitations.
 
Comments will be reviewed and posted on the CSRC website. We expect to publish a final report based on this round of feedback. The publication will serve as a basis for future work in de-identification and privacy in general.
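The re-identification concern raised above is easiest to see with a linkage attack: a released table has names removed but keeps quasi-identifiers (ZIP code, birth year, sex), and a public register carries the same columns with names attached. The following is an added example written for this page, not code from NISTIR 8053; the two tables are constructed toy data, and `generalize` is one illustrative generalization step (3-digit ZIP prefix, birth decade), not a recommendation from the draft.

```python
from collections import Counter, defaultdict

QUASI = ("zip", "birth_year", "sex")  # quasi-identifiers left in the "de-identified" release

# Constructed sample data (not from the draft). Names were removed from MEDICAL.
MEDICAL = [
    {"zip": "02139", "birth_year": 1965, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02139", "birth_year": 1965, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02141", "birth_year": 1978, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02142", "birth_year": 1955, "sex": "F", "diagnosis": "flu"},
    {"zip": "02138", "birth_year": 1952, "sex": "F", "diagnosis": "arthritis"},
    {"zip": "02142", "birth_year": 1975, "sex": "M", "diagnosis": "migraine"},
]
# Constructed public register (e.g. a voter list) with the same quasi-identifiers.
VOTERS = [
    {"name": "A. Smith", "zip": "02139", "birth_year": 1965, "sex": "F"},
    {"name": "B. Jones", "zip": "02139", "birth_year": 1965, "sex": "F"},
    {"name": "C. Lee",   "zip": "02141", "birth_year": 1978, "sex": "M"},
    {"name": "D. Patel", "zip": "02142", "birth_year": 1955, "sex": "F"},
    {"name": "E. Brown", "zip": "02138", "birth_year": 1952, "sex": "F"},
    {"name": "F. Gray",  "zip": "02142", "birth_year": 1975, "sex": "M"},
]


def qi(row, quasi=QUASI):
    """The quasi-identifier tuple of one record."""
    return tuple(row[c] for c in quasi)


def k_anonymity(rows, quasi=QUASI):
    """Smallest equivalence class over the quasi-identifiers; k == 1 means some
    record is unique on those columns and therefore linkable."""
    return min(Counter(qi(r, quasi) for r in rows).values())


def link(released, public, quasi=QUASI):
    """Linkage attack: a released record is re-identified when exactly one public
    record and exactly one released record share its quasi-identifier values.
    Returns {name: sensitive attribute}."""
    by_qi = defaultdict(list)
    for p in public:
        by_qi[qi(p, quasi)].append(p["name"])
    released_count = Counter(qi(r, quasi) for r in released)
    hits = {}
    for r in released:
        key = qi(r, quasi)
        if released_count[key] == 1 and len(by_qi[key]) == 1:
            hits[by_qi[key][0]] = r["diagnosis"]
    return hits


def generalize(row):
    """One illustrative generalization step applied to both tables:
    keep the 3-digit ZIP prefix and the birth decade."""
    g = dict(row)
    g["zip"] = row["zip"][:3] + "**"
    g["birth_year"] = row["birth_year"] // 10 * 10
    return g


if __name__ == "__main__":
    print("k before:", k_anonymity(MEDICAL), "re-identified:", link(MEDICAL, VOTERS))
    gm, gv = [generalize(r) for r in MEDICAL], [generalize(r) for r in VOTERS]
    print("k after: ", k_anonymity(gm), "re-identified:", link(gm, gv))
```

On the raw release k is 1 and four of six diagnoses are attributed to named people; after the generalization step every quasi-identifier class has at least two members and the linkage returns nothing. The point the draft makes is that the released table contained no names at all and was still not private.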
 
Note to Reviewers:
NIST requests comments especially on the following:

  • Is the terminology that is provided consistent with current usage?
  • Since this document is about de-identification techniques, to what extent should it discuss differential privacy?
  • To what extent should this document be broadened to include a discussion of statistical disclosure limitation techniques?
  • Should the glossary be expanded? If so, please suggest words, definitions, and appropriate citations.

Please send comments to draft-nistir-deidentify@nist.gov by May 15, 2015.

DRAFT NISTIR 8053 links:
Draft Document File (PDF)
Comment Template Spreadsheet (Excel)


DRAFT Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
April 2, 2015
 
NIST announces the release of Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Final Public Draft).
 
The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry; and (iii) when the information systems where the CUI resides are not operated by organizations on behalf of the federal government. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
 
The final draft of NIST Special Publication 800-171 contains some significant changes based on the comments received from both the public and private sectors. The changes include:

  • Clarifying the purpose, scope, and applicability of the publication;
  • Defining the underlying assumptions and expectations for federal agencies and nonfederal organizations in applying the recommended CUI security requirements;
  • Explaining how the publication relates to the Controlled Unclassified Information (CUI) federal rule and the Federal Acquisition Regulation (FAR) clause to be sponsored by the National Archives and Records Administration (NARA);
  • Adjusting the CUI security requirements to ensure complete coverage and traceability to federal policies, standards, and guidance;
  • Providing tables that illustrate the mapping of CUI security requirements to security controls in NIST Special Publication 800-53 and ISO/IEC 27001;
  • Providing tables that illustrate the tailoring actions on the NIST Special Publication 800-53 moderate security control baseline; and
  • Adding guidance on using the content of the mapping tables to support implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity.
The final publication of SP 800-171 is targeted for June 2015 after the final public comment period. Please send comments to sec-cert@nist.gov with "Comments Draft SP 800-171" in the subject line. Comments will be accepted through May 12, 2015.


NIST Interagency Report (NISTIR) 8014, Considerations for Identity Management in Public Safety Mobile Networks
March 31, 2015
 
In cooperation with the Public Safety Communications Research (PSCR) Program, NIST announces the release of NIST Interagency Report (NISTIR) 8014, Considerations for Identity Management in Public Safety Mobile Networks. This document analyzes approaches to identity management for public safety networks in an effort to assist individuals developing technical and policy requirements for public safety use. These considerations are scoped to the context of public safety communications networks, with a particular focus on the nationwide public safety broadband network (NPSBN) based on the Long Term Evolution (LTE) family of standards. A short background on identity management is provided alongside a review of applicable federal and industry guidance. Considerations are provided for identity proofing, selecting tokens, and the authentication process.


DRAFT National Checklist Program for IT Products - Guidelines for Checklist Users and Developers is now available for public comment.
March 26, 2015
 
Draft Special Publication 800-70 Revision 3, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers, has been released for public comment. It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 3 updates the previous version of the document, which was released in 2011, by streamlining the text and removing outdated content, as well as updating the requirements for United States Government Configuration Baselines (USGCB).
 
Comments on draft SP 800-70 Revision 3 should be sent by April 27, 2015 to 800-70comments@nist.gov with "Comments SP 800-70" in the subject line.


Second Public Draft release of Draft NIST Interagency Report (IR) 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH)
March 4, 2015
 
NIST announces the second public comment release of Draft NIST Interagency Report (IR) 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH). The purpose of this document is to assist organizations in understanding the basics of Secure Shell (SSH) and SSH access management in an enterprise, focusing on the management of SSH user keys. It describes the primary categories of vulnerabilities in SSH user key management and recommends practices for planning and implementing SSH access management. The scope of this draft is significantly different from the original public comment draft; this draft includes both interactive and automated access management, not just the latter.
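A recurring problem in the area the draft addresses is that `authorized_keys` files accumulate user keys nobody has reviewed: keys with no source or command restriction, legacy DSA or short RSA keys, and the same key material authorized under several accounts. The script below is an added example written for this page, not code from NISTIR 7966 or OpenSSH; it parses the `authorized_keys` format (options field, key type, base64 blob, comment), reads the RSA modulus size from the blob, and reports those findings. The sample file is constructed, and the RSA "keys" in it are fake blobs with a modulus of the right size rather than real keys; the 2048-bit floor follows SP 800-131A.

```python
import base64
import struct

# Key types accepted in authorized_keys (subset chosen for this demo).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
MIN_RSA_BITS = 2048  # 112-bit security strength, the SP 800-131A floor


def _string(b):
    """Encode one SSH wire-format string (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    """Encode a positive SSH mpint (leading zero byte if the high bit is set)."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _string(b"\x00" + b if b[0] & 0x80 else b)


def _read_string(blob, off):
    """Decode one SSH wire-format string starting at offset off."""
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def key_info(b64):
    """Return (type, RSA modulus bits or None, raw blob) for a base64 public key."""
    blob = base64.b64decode(b64, validate=True)
    ktype, off = _read_string(blob, 0)
    bits = None
    if ktype == b"ssh-rsa":  # RFC 4253 layout: string "ssh-rsa", mpint e, mpint n
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    return ktype.decode(), bits, blob


def _split_options(line):
    """Separate the optional options field from the key. Options are comma-separated
    and may hold quoted strings with spaces, so the boundary is the first
    whitespace outside double quotes."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i + 1:]
    return line, ""


def _option_names(opts):
    """Names of the options present, splitting on commas outside quotes."""
    names, buf, in_quotes, s = set(), "", False, opts + ","
    for i, ch in enumerate(s):
        if ch == '"' and (i == 0 or s[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            if buf:
                names.add(buf.split("=", 1)[0])
            buf = ""
        else:
            buf += ch
    return names


def audit_authorized_keys(text):
    """Return a list of (line number, finding) for one authorized_keys file."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = _split_options(line)
        fields = rest.split(None, 2)
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            findings.append((lineno, "unparseable entry"))
            continue
        try:
            ktype, bits, blob = key_info(fields[1])
        except (ValueError, struct.error):
            findings.append((lineno, "invalid key blob"))
            continue
        if ktype != fields[0]:
            findings.append((lineno, "key type field does not match blob"))
        names = _option_names(opts)
        if ktype == "ssh-dss":
            findings.append((lineno, "ssh-dss key (DSA is limited to 1024 bits)"))
        if ktype == "ssh-rsa" and bits < MIN_RSA_BITS:
            findings.append((lineno, f"RSA key is {bits} bits, below {MIN_RSA_BITS}"))
        if "from" not in names:
            findings.append((lineno, "no from= source restriction"))
        if "command" not in names:
            findings.append((lineno, "no command= forced command (interactive login possible)"))
        if blob in seen:
            findings.append((lineno, f"duplicate of key on line {seen[blob]}"))
        else:
            seen[blob] = lineno
    return findings


def fake_rsa_blob(bits):
    """Constructed test blob: a modulus of the requested size, NOT a real key."""
    return base64.b64encode(_string(b"ssh-rsa") + _mpint(65537)
                            + _mpint((1 << (bits - 1)) | 1)).decode()


FAKE_ED25519 = base64.b64encode(_string(b"ssh-ed25519") + _string(b"\x01" * 32)).decode()
FAKE_DSS = base64.b64encode(_string(b"ssh-dss") + _mpint(7) * 4).decode()

# Constructed sample authorized_keys file for the audit.
SAMPLE = "\n".join([
    "# constructed sample",
    f"ssh-rsa {fake_rsa_blob(2048)} alice@laptop",
    f'from="10.0.0.5",command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {FAKE_ED25519} backup@db01',
    f"ssh-rsa {fake_rsa_blob(1024)} legacy-app",
    f"ssh-dss {FAKE_DSS} old-admin",
    f'command="echo hi, there" ssh-rsa {fake_rsa_blob(2048)} alice-copy',
])

if __name__ == "__main__":
    for lineno, finding in audit_authorized_keys(SAMPLE):
        print(f"line {lineno}: {finding}")
```

Only the restricted ed25519 automation key on line 3 passes clean; the unrestricted interactive keys, the 1024-bit RSA and DSA keys, and the copy of the first key under a second comment are all reported. Run against a real file the same parser applies, but the size of real RSA blobs comes from the modulus, not from `fake_rsa_blob`.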
 
A comment template for this draft is available on the CSRC Drafts page. Please send your comments to NISTIR7966-comments@nist.gov by April 3, 2015.


NIST is pleased to announce the release of NIST Internal Report (NISTIR) 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework
March 4, 2015
 
NIST announces the release of the NIST Internal Report (NISTIR) 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework. As electric utilities turn to Advanced Metering Infrastructures (AMIs) to promote the development and deployment of the Smart Grid, one aspect that can benefit from standardization is the upgradeability of Smart Meters. The National Electrical Manufacturers Association (NEMA) standard SG-AMI 1-2009, “Requirements for Smart Meter Upgradeability,” describes functional and security requirements for the secure upgrade—both local and remote—of Smart Meters. This report describes conformance test requirements that may be used voluntarily by testers and/or test laboratories to determine whether Smart Meters and Upgrade Management Systems conform to the requirements of NEMA SG-AMI 1-2009. For each relevant requirement in NEMA SG-AMI 1-2009, the document identifies the information to be provided by the vendor to facilitate testing, and the high-level test procedures to be conducted by the tester/laboratory to determine conformance.


NIST is pleased to announce the release of NIST Internal Report (NISTIR) 8023, Risk Management for Replication Devices.
February 23, 2015
 
NIST Internal Report (NISTIR) 8023, Risk Management for Replication Devices is now available. A replication device (RD) is any device that reproduces (e.g., copies, prints, scans) documents, images, or objects from an electronic or physical source. This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on RDs. It provides basic information on common threats and vulnerabilities to RDs and provides an example RD risk assessment.


Final Public Draft of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security
February 9, 2015
 
NIST announces the final public draft release of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security. Special Publication 800-82 provides guidance on how to improve security in Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. Special Publication 800-82: (i) provides an overview of ICS and typical system topologies; (ii) identifies typical threats to organizational missions and business functions supported by ICS; (iii) describes typical vulnerabilities in ICS; and (iv) provides recommended security controls (i.e., safeguards and countermeasures) to respond to the associated risks.
 
This document is the second revision to NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. Updates in this revision include:

  • Updates to ICS threats and vulnerabilities,
  • Updates to ICS risk management, recommended practices and architectures,
  • Updates to current activities in ICS security,
  • Updates to security capabilities and tools for ICS,
  • Additional alignment with other ICS security standards and guidelines,
  • New tailoring guidance for NIST SP 800-53, Revision 4 security controls including the introduction of overlays,
  • An ICS overlay for NIST SP 800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High impact ICS.
A comment template form is available for comments, and a mark-up copy shows the changes made from the first public draft to this final draft.
Public comment period: February 9 through March 9, 2015.
Email comments to: nist800-82rev2comments@nist.gov


Errata Update for Special Publication 800-53, Revision 4
January 29, 2015
 
NIST announces the release of an Errata Update for Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. This update contains new mapping tables for ISO/IEC 27001:2013.


NIST Special Publication 800-163, Vetting the Security of Mobile Applications, has been approved as final
January 26, 2015
 
The purpose of Special Publication 800-163, Vetting the Security of Mobile Applications, is to help organizations understand the process for vetting the security of mobile applications, plan for the implementation of an app vetting process, develop app security requirements, understand the types of app vulnerabilities and the testing methods used to detect them, and determine if an app is acceptable for deployment on the organization's mobile devices.


NIST Computer Security Division releases Special Publication 800-57 Part 3, Revision 1, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance
January 23, 2015
 
Special Publication 800-57, Part 3, Revision 1, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance, is intended primarily to help system administrators and system installers adequately secure applications based on product availability and organizational needs and to support organizational decisions about future procurements. This document also provides information for end users regarding application options left under their control in a normal use of the application.
 
This revision updates the cryptographic requirements for the protocols and applications in the document so that the currently required security strengths, as specified in SP 800-131A, can be achieved. This revision also adds security-related updates for the protocols addressed in the original version of the document, as well as a new section for Secure Shell (SSH).
 
The applications and protocols addressed in this revision are: Public Key Infrastructures (PKI), Internet Protocol Security (IPsec), Secure/Multipurpose Internet Mail Extensions (S/MIME), Kerberos, Over-the-Air Rekeying of Digital Radios (OTAR), Domain Name System Security Extensions (DNSSEC), Encrypted File Systems (EFS) and Secure Shell (SSH).


Second Public Draft NISTIR 7977, NIST Cryptographic Standards and Guidelines Development Process, is available for review and public comment
January 23, 2015
 
NIST requests comments on a Second Public Draft of NIST Interagency Report (NISTIR) 7977, Cryptographic Standards and Guidelines Development Process. This revised document describes the principles, processes and procedures behind our cryptographic standards development efforts. Please send comments to crypto-review@nist.gov by March 27, 2015. Additional information for reviewers accompanies the draft announcement. The NIST Public Affairs Office has also issued a press release on the second draft of NISTIR 7977.


NISTIR 8018, Public Safety Mobile Application Security Requirements Workshop Summary, has been finalized and is now available
January 23, 2015
 
NIST announces the release of NIST Interagency Report (NISTIR) 8018, Public Safety Mobile Application Security Requirements Workshop Summary. The purpose of this publication is to capture the findings of a half-day workshop held by the Association of Public-Safety Communications Officials (APCO) in association with FirstNet and the Department of Commerce. The workshop's goal was to identify and define mobile application security requirements relevant to public safety by building on APCO's Key Attributes of Effective Apps for Public Safety and Emergency Response and related efforts. Workshop discussions centered on the following topics: battery life, unintentional denial of service, mobile application vetting, data protection, location information, and identity management. In addition to describing the workshop and capturing attendees' input, NISTIR 8018 identifies possible areas of further research related to public safety mobile applications.


See news archive for previous years (2014-2010).