CSRC News - 2016

NIST announces release of Draft Special Publication (SP) 800-166, Derived PIV Application and Data Model Test Guidelines for public comment
February 8, 2016
 
Draft SP 800-166 contains the derived test requirements and test assertions for testing the Derived PIV Application and associated Derived PIV data objects. The tests verify the conformance of these artifacts to the technical specifications of SP 800-157. SP 800-157 specifies standards-based, secure, reliable, interoperable Public Key Infrastructure (PKI)-based identity credentials. Draft SP 800-166 is targeted at vendors of Derived PIV Applications, issuers of Derived PIV Credentials, and entities that will conduct conformance tests on these applications and credentials.
 
The public comment period closes on: March 14, 2016.
Send comments to piv_derived@nist.gov with “Comments on Draft SP 800-166” in the subject line.
 
The links for the Draft document and the comment template are given below:
Draft SP 800-166 – Draft Document
Comment Template – Excel file


A NIST Draft Whitepaper titled "Best Practices for Privileged User PIV Authentication" is available for public comment.
February 5, 2016
 
This draft white paper is a best practices guide. The paper is in response to the Cybersecurity Strategy and Implementation Plan (CSIP), published by the Office of Management and Budget (OMB) on October 30, 2015, requiring Federal agencies to use Personal Identity Verification (PIV) credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user authentication, and provides best practices for agencies implementing PIV authentication for privileged users.
 
The public comment period closes on: March 4, 2016.
Send comments to csip-pivforprivilege@nist.gov with “Comments on PIV Credential for privileged use” in the subject line.
 
Best Practices for Privileged User PIV Authentication
Comment Template (Excel)


NIST Announces the Release of DRAFT NISTIR 8105, Report on Post-Quantum Cryptography for Public Comment
February 3, 2016
 
NIST requests public comments on DRAFT NISTIR 8105, Report on Post-Quantum Cryptography. In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. This Internal Report shares the National Institute of Standards and Technology (NIST)’s current understanding about the status of quantum computing and post-quantum cryptography, and outlines NIST’s initial plan to move forward in this space. The report also recognizes the challenge of moving to new cryptographic infrastructures and therefore emphasizes the need for agencies to focus on crypto agility.
 
The public comment period will close on: March 9, 2016.
Send questions to NISTIR8105-comments@nist.gov with “Comments NISTIR 8105” in the subject line.


NIST Released DRAFT NISTIR 8011, Automation Support for Security Control Assessments (Volume 1: Overview; Volume 2: Hardware Asset Management), now available for public comment

 
The National Institute of Standards and Technology (NIST) is pleased to announce the initial public draft release of NIST Internal Report (NISTIR) 8011, Automation Support for Security Control Assessments, Volumes 1 and 2. This NISTIR represents a joint effort between NIST and the Department of Homeland Security to provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall and the guidance in NIST SPs 800-53 and 800-53A in particular.  
 
NISTIR 8011 will ultimately consist of 13 volumes. Volume 1 introduces the general approach to automating security control assessments, 12 ISCM security capabilities, and terms and concepts common to all 12 capabilities. Volume 2 provides details specific to the hardware asset management security capability. The remaining 11 ISCM security capability volumes will provide details specific to each capability but will be organized in a very similar way to Volume 2.
 
Link to Volume 1: Overview
Link to Volume 2: Hardware Asset Management

Alternatively, both volumes of this draft are available from the CSRC Draft Publications page.

The public comment period is open through March 18, 2016. Please submit public comments to sec-cert@nist.gov. Comments are accepted in any desired format.


Special Publication 800-57, Part 1 Revision 4 has been approved as final.
January 28, 2016
 
NIST announces the completion of Special Publication (SP) 800-57, Part 1 Rev. 4, Recommendation for Key Management, Part 1: General. This Recommendation provides general cryptographic key management guidance. The proper management of cryptographic keys is essential to the effective use of cryptography for security. Public comments received during the review of this document are provided here.


NIST Released NISTIR 7511 Revision 4, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements
January 28, 2016
 
NIST announces the final release of NISTIR 7511 Revision 4, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements. This document defines the test requirements that products must satisfy in order to be awarded an SCAP 1.2 validation. A list of changes is provided in the Summary of Changes section of the document.


DRAFT SP 800-90 Series: Random Bit Generators
Recommendation for the Entropy Sources Used for Random Bit Generation

January 27, 2016
 
NIST announces the second draft of Special Publication (SP) 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation. This Recommendation specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of entropy sources. These entropy sources are intended to be combined with Deterministic Random Bit Generator mechanisms that are specified in SP 800-90A to construct Random Bit Generators, as specified in SP 800-90C. NIST is planning to host a workshop on Random Number Generation to discuss the SP 800-90 series, specifically, SP 800-90B and SP 800-90C. More information about the workshop is available at: http://www.nist.gov/itl/csd/ct/rbg_workshop2016.cfm.
 
The specific areas where comments are solicited on SP 800-90B are:

  • Post-processing functions (Section 3.2.2): We provided a list of approved post-processing functions. Is the selection of the functions appropriate?
  • Entropy assessment (Section 3.1.5): While estimating the entropy for entropy sources using a conditioning component, the values of n and q are multiplied by the constant 0.85. Is the selection of this constant reasonable?
  • Multiple noise sources: The Recommendation only allows using multiple noise sources if the noise sources are independent. Should the use of dependent noise sources also be allowed, and if so, how can we calculate an entropy assessment in this case?
  • Health Tests: What actions should be taken when health tests raise an alarm? The minimum allowed value of a type I error for health testing is selected as 2^-50. Is this selection reasonable?

NIST Public Affairs Office published a news release regarding the second Draft SP 800-90B.

NIST requests comments on the revised (second) Draft SP 800-90B by 5:00PM EST on May 9, 2016. Please submit comments on Draft SP 800-90B using the comments template form (Excel Spreadsheet) to rbg_comments@nist.gov with “Comments on Draft SP 800-90B” in the subject line.


NIST Released NIST Interagency Report (NISTIR) 8055, Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research
January 22, 2016
 
NIST announces the final release of NIST Interagency Report (NISTIR) 8055, Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research. This report documents proof of concept research performed by NIST to determine how DPCs could be used to PIV-enable mobile devices and provide multi-factor authentication for an organization's mobile device users. This report captures DPC requirements, proposes an architecture that supports these requirements, and describes how this architecture could be implemented and operated.


Influence the Future of Cybersecurity Education—Join the NICE Working Group
January 21, 2016
Addressing the nation’s rapidly increasing need for cybersecurity employees, the National Initiative for Cybersecurity Education (NICE) is seeking members from the public and private sectors and academia to join its new working group and encourages interested individuals to participate in a kickoff teleconference the afternoon of January 27, 2016.

See the press release and NICE Working Group page for more details.


See news archive for previous years (2015-2011).