
News Archive - 2007




Special Publication 800-53 Revision 2
December 27, 2007
NIST announces the release of Special Publication 800-53, Revision 2, Recommended Security Controls for Federal Information Systems. This special update incorporates guidance on appropriate safeguards and countermeasures for federal industrial control systems. NIST’s Computer Security Division (Information Technology Laboratory) and Intelligent Systems Division (Manufacturing Engineering Laboratory), in collaboration with the Department of Homeland Security and organizations within the federal government that own, operate, and maintain industrial control systems, developed the necessary industrial control system augmentations and interpretations for the security controls, control enhancements, and supplemental guidance in Special Publication 800-53. The industrial control system augmentations and interpretations for Special Publication 800-53 will facilitate the employment of appropriate safeguards and countermeasures for these specialized information systems that are part of the critical infrastructure of the United States.
 
The changes to Special Publication 800-53, Revision 1 in updating to Revision 2, include: (i) a new Appendix I, Industrial Control Systems; (ii) an updated low security control baseline with the addition of security control CP-4, Contingency Plan Testing and Exercises; and (iii) an updated Appendix A, References Section. The regular two-year update to Special Publication 800-53 will occur, as previously scheduled, in December 2008.


Draft Special Publication 800-53A (final public draft), Guide for Assessing the Security Controls in Federal Information Systems
December 18, 2007
NIST announces the release of Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. This final public draft provides comprehensive assessment procedures for all security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans. Please visit the Drafts page to download/view and learn more about this document. Comments will be accepted until January 31, 2008. Final publication of NIST Special Publication 800-53A is expected in March 2008.


NIST Interagency Report 7452: Secure Biometric Match-on-Card Feasibility Report (NIST IR 7452)
November 30, 2007
NIST is pleased to announce the release of NIST Interagency Report 7452, Secure Biometric Match-on-Card Feasibility Report. NIST conducted the feasibility study to understand the effects of combining asymmetric cryptography with Biometric Match-on-Card. The report describes the tests that were conducted to obtain timing metrics for the SBMOC transaction and provides a summary of the test results.


Special Update - Special Publication 800-53 Revision 2
November 29, 2007
To align OMB policy and NIST FISMA security standards and guidelines, NIST will add the Contingency Plan Testing and Exercises security control (CP-4) to the security control baseline for low impact systems (Appendix D) and the security control catalog (Appendix F) in NIST Special Publication 800-53, Revision 1. The change will be effective with the publication of the Industrial Control System update to Special Publication 800-53 (to be released as Revision 2) in December 2007. The testing of contingency plans is a current OMB requirement for all information systems under OMB Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. See the original announcement from November 16, or go straight to the Drafts page to get Draft SP 800-53 Rev. 2.


NIST Special Publication 800-38D
November 26, 2007
NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, has been finalized. This Recommendation specifies and approves Galois/Counter Mode (GCM), an authenticated encryption mode of the Advanced Encryption Standard (AES) algorithm.


NIST Issues Call for a New “Hash” Algorithm
November 20, 2007
NIST has opened a public competition to develop a new cryptographic “hash” algorithm, which converts a variable length message into a short “message digest” that can be used for digital signatures, message authentication and other applications. The competition is NIST’s response to recent advances in the cryptanalysis of hash functions. The new hash algorithm will be called “SHA-3” and will augment the hash algorithms currently specified in FIPS 180-2, Secure Hash Standard. NIST issued the Call for a New Cryptographic Hash Algorithm (SHA-3) Family in a Federal Register Notice on November 2, 2007. Entries for the competition must be received by Oct. 31, 2008. Details about the competition are available at http://www.nist.gov/hash-competition.


Draft Special Publication 800-53, Revision 2, Appendix I
November 16, 2007
NIST announces the release of Draft Special Publication 800-53, Revision 2, Appendix I, Recommended Security Controls for Federal Information Systems, an out-of-cycle update to Special Publication 800-53, Revision 1 specifically targeted at industrial control systems. This special update is required due to the urgent need to provide guidance on appropriate safeguards and countermeasures for federal industrial control systems. NIST’s Computer Security Division (Information Technology Laboratory) and Intelligent Systems Division (Manufacturing Engineering Laboratory), in collaboration with the Department of Homeland Security and organizations within the federal government that own, operate, and maintain industrial control systems, developed the necessary industrial control system augmentations and interpretations for the security controls, control enhancements, and supplemental guidance in Special Publication 800-53. The proposed industrial control system augmentations and interpretations for Special Publication 800-53 will facilitate the employment of appropriate safeguards and countermeasures to these specialized information systems that are part of the critical infrastructure of the United States.

The only change that will be made to Revision 1 in updating to Revision 2 will be the replacement of the entire Appendix I, Industrial Control Systems, in Revision 1 by a new Appendix I. Consequently, this release contains only the draft of the new Appendix I.

Appendix I provides industrial control system-specific:

  • Tailoring guidance;
  • Security control enhancements;
  • Supplements to the security control baselines; and
  • Supplemental guidance.

Comments will be accepted until December 14, 2007. Upon completion of the public review of the draft of the new Appendix I, appropriate updates will be made and the entire publication will be published as Revision 2 in December 2007. The normal two-year revision cycle for Special Publication 800-53 will take place as planned in December 2008. Visit the Drafts page to view the document and learn how to submit comments on the draft.


NIST Announces the Release of Three Publications:
November 13, 2007
Special Publication (SP) 800-111, Guide to Storage Encryption Technologies for End User Devices, SP 800-114, User's Guide to Securing External Devices for Telework and Remote Access, and Draft SP 800-115, Technical Guide to Information Security Testing.

SP 800-111, Guide to Storage Encryption Technologies for End User Devices, is published as final. It is intended to assist organizations in understanding storage encryption technologies for end user devices, such as laptops, PDAs, smart phones, and removable media, and in planning, implementing, and maintaining storage encryption solutions. The publication provides practical, real-world recommendations for three classes of storage encryption techniques: full disk encryption, volume and virtual disk encryption, and file/folder encryption. SP 800-111 also discusses important security elements of a storage encryption deployment, including cryptographic key management and authentication.

SP 800-114, User's Guide to Securing External Devices for Telework and Remote Access, is published as final. It is intended to help teleworkers secure the external devices they use for telework, such as personally owned desktop and laptop computers and consumer devices (e.g., cell phones, personal digital assistants [PDA]). The publication focuses on security for telework involving remote access to an organization's nonpublic computing resources. It provides practical, real-world advice on securing telework computers' operating systems and applications and teleworkers' home networks, and it also gives basic recommendations for securing consumer devices. SP 800-114 also provides tips on considering the security of a device owned by a third party before deciding whether it should be used for telework.

Draft SP 800-115, Technical Guide to Information Security Testing, is available for public comment. It seeks to assist organizations in planning and conducting technical information security testing, analyzing findings, and developing mitigation strategies. The publication provides practical recommendations for designing, implementing, and maintaining technical information security testing processes and procedures. SP 800-115 provides an overview of key elements of security testing, with an emphasis on technical testing techniques, the benefits and limitations of each technique, and recommendations for their use. Draft SP 800-115 is intended to replace SP 800-42, Guideline on Network Security Testing, which was released in 2003. Please visit the drafts page to learn how to submit comments to this draft document.


Draft SP 800-60 Revision 1, Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories and Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories
November 8, 2007
Special Publication 800-60 Revision 1, Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories and Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, is now available for public comment at http://csrc.nist.gov/publications/PubsDrafts.html. The draft revision to Volume I contains the basic guidelines for mapping types of information and information systems to security categories. The appendices contained in draft Volume II include security categorization recommendations and rationale for mission-based and management and support information types. Go to the Drafts page to download/view this draft document and learn more about it.


Draft Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective
October 25, 2007
NIST announces the release of the initial public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a disciplined, structured, flexible, extensible, and repeatable approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of the organization. Comments will be accepted through December 14, 2007. Email comments to: sec-cert@nist.gov


Draft NIST Special Publication 800-73-2, Interfaces for Personal Identity Verification
October 4, 2007
This document is now available for a 30 day public comment period. When published in final form, the four parts that comprise SP 800-73-2 will supersede the single-part SP 800-73-1, published in April 2006. The changes include 1) incorporation of separately published errata, 2) modifications required by SP 800-78-1, 3) explanation of a cryptographic algorithm and key size discovery procedure, 4) introduction of an optional Unsigned CHUID data object, and 5) addition of a Card Authentication Key-based use case. Other editorial improvements have been made to the document. Please visit the Drafts page to download/view and learn more about this document. The comment period closes at 5:00 EST (US and Canada) on November 4, 2007.


Draft NISTIR 7328 Released
September 29, 2007
NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems. This report provides an initial set of requirements security assessment providers should satisfy to demonstrate capability to conduct information system security control assessments in accordance with NIST standards and guidelines. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe important for security assessment providers to demonstrate competence for a credentialing program. Comments will be accepted through November 30, 2007.


NIST announces the release of five publications:
1. Special Publication (SP) 800-44 version 2, Guidelines on Securing Public Web Servers,
2. Draft SP 800-55 Revision 1, Performance Measurement Guide for Information Security,
3. Draft SP 800-61 Revision 1, Computer Security Incident Handling Guide,
4. Draft SP 800-82, Guide to Industrial Control Systems (ICS) Security, and
5. Draft SP 800-110, Information System Security Reference Model.

September 28, 2007
SP 800-44 version 2, Guidelines on Securing Public Web Servers, is published as final. It is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers. This publication replaces the original version of SP 800-44, which was released in 2002. SP 800-44 version 2 is available at http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf.

Draft SP 800-55 Revision 1, Performance Measurement Guide for Information Security, is now available at http://csrc.nist.gov/publications/PubsDrafts.html. It is a guide for the development, selection, and implementation of measures to be used at the information system and program levels. This draft guideline indicates the effectiveness of security controls applied to information systems and supporting information security programs. Draft SP 800-55 Rev1 supersedes Draft SP 800-80, Guide for Developing Performance Metrics for Information Security.

Comments on Draft SP 800-55 Revision 1 will be accepted through November 16, 2007. Comments should be submitted via email to 800-55R1comments@nist.gov, or forwarded to the Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft Special Publication 800-55 Rev1, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, Md. 20899-8930.

Draft SP 800-61 Revision 1, Computer Security Incident Handling Guide, is available for public comment. It seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. The publication includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents. It is available at http://csrc.nist.gov/publications/PubsDrafts.html. SP 800-61 Revision 1 updates the original publication, which was released in 2004.

NIST requests comments on draft SP 800-61 Revision 1 by November 9, 2007. Please submit comments to 800-61comments@nist.gov with "Comments SP 800-61" in the subject line.

The second public draft of SP 800-82, Guide to Industrial Control Systems (ICS) Security, is available for public comment. It provides guidance on how to secure ICS, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. SP 800-82 provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This publication is an update to the first public draft, which was released in 2006. This version of SP 800-82 is available as both a markup draft (http://csrc.nist.gov/publications/PubsDrafts.html) that indicates the changes from the first public draft and a clean draft.

NIST requests comments on draft SP 800-82 by November 30, 2007. Please submit comments to 800-82comments@nist.gov with "Comments SP 800-82" in the subject line.

Draft SP 800-110, Information System Security Reference Model, is now available at http://csrc.nist.gov/publications/PubsDrafts.html.
The Information System Security Reference Model and its associated XML taxonomy and schema are intended to:

  • Serve as a guideline for software tool developers and federal agencies that wish to develop an automated process for managing an information security program; and
  • Enable greater interoperability between information system security tools, resulting in more practical and cost-effective information security program management.

Comments on draft SP 800-110 will be accepted through November 16, 2007. Comments should be submitted via email to 800-110comments@nist.gov, or forwarded to the Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft Special Publication 800-110, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, Md. 20899-8930.


NIST Announces the Release of Two Publications
August 31, 2007
NIST announces the release of two publications: Draft Special Publication (SP) 800-28 version 2, Guidelines on Active Content and Mobile Code, and NIST Interagency Report (NIST IR) 7435, The Common Vulnerability Scoring System (CVSS) and Its Applicability to Federal Agency Systems.
To learn more about Draft Special Publication 800-28 version 2, how to offer comments, and how to download/view this draft document, please visit the Draft Publications page.
NIST IR 7435 is published as final. CVSS provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. This publication defines and describes the CVSS standard, provides advice on performing scoring, and discusses how Federal agencies can incorporate Federal Information Processing Standards (FIPS) 199 impact ratings into their CVSS scores to generate scores that are specifically tailored to particular Federal agency environments.
NIST Re-Releases Special Publication 800-78-1
August 30, 2007
NIST announced the re-release of Special Publication 800-78-1, Cryptographic Algorithms and Key Sizes for Personal Identity Verification on August 2nd, 2007. NIST has added a clarification regarding the effective date of this document. Please see Section 1.4 of the document on the PIV Program FIPS 201 Supporting Documents web page for the clarification.
NIST Announces the Publication of Special Publication (SP) 800-95
August 29, 2007
NIST announces the publication of Special Publication (SP) 800-95, Guide to Secure Web Services. SP 800-95 seeks to assist organizations in understanding the challenges in integrating information security practices into Service Oriented Architecture (SOA) design and development based on Web services. The publication also provides practical, real-world guidance on current and emerging standards applicable to Web services, as well as background information on the most common security threats to SOAs based on Web services. SP 800-95 presents information that is largely independent of particular hardware platforms, operating systems, and applications. Supplementary security devices (i.e., perimeter security appliances) are considered outside the scope of this publication. Interfaces between Web services components and supplementary controls are noted as such throughout this publication on a case-by-case basis.
NIST Announces Special Publications Available for Public Comment
August 2, 2007
NIST announces that the following draft Special Publications (SP) are now available for public comment:
1) SP 800-48 Revision 1, Wireless Network Security for IEEE 802.11a/b/g and Bluetooth,
2) SP 800-111, Guide to Storage Encryption Technologies for End User Devices
3) SP 800-113, Guide to SSL VPNs
Please visit the Draft Publications page to learn more about each draft and how to provide comments.
Response to OMB Memoranda M-07-11 and M-07-18
July 31, 2007
In response to OMB Memoranda M-07-11 and M-07-18, under the direction of OMB and in collaboration with DHS, DISA, NSA, USAF, and Microsoft, NIST has provided the following resources to help agencies test, implement, and deploy the Microsoft Windows XP and Vista Federal Desktop Core Configuration (FDCC) baseline:
  • Technical FAQs for FDCC baseline
  • FDCC draft documentation, group policy objects (GPOs), Microsoft virtual hard disks (VHDs), and security content automation protocol (SCAP) content
The VHDs and GPOs should only be used for testing purposes and should not be deployed in an operational environment without extensive testing.

Comments and questions may be addressed to fdcc@nist.gov

NIST announces a workshop on Applying NIST Special Publication 800-53, Revision 1; Recommended Security Controls for Federal Information Systems, to Industrial Control Systems
July 26, 2007
NIST announces a workshop on Applying NIST Special Publication 800-53, Revision 1; Recommended Security Controls for Federal Information Systems, to Industrial Control Systems; August 16 (1-5 PM) & August 17 (9-Noon), 2007; Marriott Knoxville Hotel Knoxville, TN. The workshop is for representatives from national and international industrial control system (ICS) communities (e.g., electric, oil, gas, water, manufacturing) to share information, obtain direct inputs, and determine their level of interest in voluntarily adopting and using NIST’s ICS augmentation of NIST Special Publication (SP) 800-53, Revision 1. Use of NIST’s ICS augmentation of SP 800-53, Revision 1, which is mandatory for federally owned/operated ICS, specifies the minimum information security controls that must be implemented in an ICS based on its security impact categorization. Contact Keith Stouffer (keith.stouffer@nist.gov) or Stu Katzke (skatzke@nist.gov) for more information.

CANCELLED Workshop
July 26, 2007
NIST announces a workshop on Applying FIPS 199 and SP 800-60 to Industrial Control Systems (ICS); September 5-6, 2007; NIST; Administration Building, Lecture Room E Gaithersburg, MD 20899. The workshop, specifically intended for federal agencies that own or operate industrial control systems (ICS), will address the application of FIPS 199: Standards for Security Categorization of Federal Information and Information Systems, February 2004, to ICS. The goal of this workshop is to develop guidance (technical and non-technical) that federal agencies can use in applying FIPS 199 to their ICS. Contact Keith Stouffer (keith.stouffer@nist.gov) or Stu Katzke (skatzke@nist.gov) for more information.

WORKSHOP CANCELLED


Release of SP 800-106
July 18, 2007
NIST announces the release of draft Special Publication 800-106, Randomized Hashing Digital Signatures. This Recommendation provides a technique to randomize the input messages to hash functions prior to the generation of digital signatures to strengthen security of the digital signatures.

Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-106" in the subject line. The comment period closes on September 17, 2007.
Release of SP 800-107
July 18, 2007
NIST announces the release of draft Special Publication 800-107, Recommendation for Using Approved Hash Algorithms. This Recommendation provides guidance on using the Approved hash algorithms in digital signature applications, Keyed-hash Message Authentication Codes (HMACs), key derivation functions (KDFs) and random number generators.

Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-107" in the subject line. The comment period closes on September 17, 2007.
Draft FIPS 140-3 Proposed Revision
July 13, 2007
Draft Federal Information Processing Standard (FIPS) 140-3, Security Requirements for Cryptographic Modules, is now available. Draft FIPS 140-3 is the proposed revision of FIPS 140-2. The draft specifies five security levels instead of the four found in FIPS 140-2; has a separate section for software security; requires mitigation of non-invasive attacks when validating at higher security levels; introduces the concept of public security parameters; allows the deferral of certain self-tests until specific conditions are met; and strengthens the requirements on user authentication and integrity testing. Please submit electronic comments to FIPS140-3@nist.gov, with "Comments on Draft 140-3" in the subject line. Comments must be received on or before October 11, 2007.
SP 800-53 Released for Public Comments
July 13, 2007
NIST announces the release, for public comment, of proposed augmentations to NIST Special Publication 800-53, Revision 1 for industrial control systems (ICS); specifically to Appendix I: Industrial Control Systems and to Appendix F, Security Control Catalogue. The draft Appendix F was created by augmenting Appendix F in the December 2006 version of SP 800-53, Revision 1 to better address ICS. When developing the augmentation, the original text in Appendix F of SP 800-53 was not changed. Appendix I in SP 800-53 was changed to be consistent with the draft Appendix F ICS. Comments will be accepted through August 31, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-ics@nist.gov.
SP 800-54 introduces BGP
July 13, 2007

NIST Special Publication 800-54 introduces the Border Gateway Protocol (BGP), explains its importance to the Internet, and provides a set of best practices that can help in protecting BGP. Best practices described in the publication are intended to be implementable on nearly all currently available BGP routers without the installation of additional hardware or software.
SP 800-104 Published
June 29, 2007
NIST is pleased to announce the publication of Special Publication 800-104, A Scheme for PIV Visual Card Topography. This document provides additional recommendations on the Personal Identity Verification (PIV) Card color-coding for designating employee affiliation. This document is intended to refine FIPS 201 to enable reliable visual verification of the PIV Card.
Draft SP 800-38D Revised
June 27, 2007
NIST has recently revised the Draft NIST Special Publication 800-38D, which specifies the Galois/Counter Mode (GCM). The document is available for your review from the draft publications page on the NIST CSRC web site.
Feasibility Study of Secure Biometric Match-On-Card: Invitation to Participate
June 19, 2007
The National Institute of Standards and Technology (NIST) will conduct a feasibility study of Secure Biometric Match-On-Card (SBMOC) technology, and invites providers of such technology to submit devices to be tested. The goal of the feasibility study is to determine if the state-of-the-practice in smart card products and biometrics technology has advanced enough to enable a new mode of operation. To implement this mode, certain functional and security properties must be achieved by the SBMOC technology while meeting the performance requirements for a biometric authentication transaction. Complete technical requirements are presented in the Test Approach document.
Submission providers should complete and transmit the Intention to Participate form to NIST by 20 Jul 2007. Providers may transmit a submission package to NIST, as described in Materials Transfer Agreement, at any time before 20 Aug 2007.
On completion of the tests, NIST will publish a report indicating the number of successful submissions tested, and certain general qualities of the submissions stated in the Test Approach.
FIPS 198-1 Released
June 12, 2007
NIST announces the release of Draft Federal Information Processing Standard (FIPS) 198-1, The Keyed-Hash Message Authentication Code (HMAC). The draft FIPS 198-1 is the proposed revision of FIPS 198. The draft specifies a keyed-hash message authentication code, a mechanism for message authentication using cryptographic hash functions and shared secret keys. Comments will be accepted through September 10, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to proposed198-1@nist.gov with "Comments on Draft 198-1" in the subject line. The Federal Register Notice for Draft FIPS PUB 198-1 is also available for review.
FIPS 180-3 Released
June 12, 2007
NIST announces the release of Draft Federal Information Processing Standard (FIPS) 180-3, Secure Hash Standard (SHS). The draft FIPS 180-3 is the proposed revision of FIPS 180-2. The draft specifies five secure hash algorithms (SHAs) called SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 which are used to condense input messages to fixed-length messages, called message digests. These algorithms produce 160, 256, 384, and 512-bit message digests, respectively. Comments will be accepted through September 10, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to Proposed180-3@nist.gov with "Comments on Draft 180-3" in the subject line. The Federal Register Notice for Draft FIPS PUB 180-3 is also available for review.
Draft SP 800-53A Released
June 4, 2007
NIST announces the release of draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. This publication provides guidelines for developing security assessment plans and a comprehensive catalog of assessment procedures that can be used to determine the effectiveness of security controls in federal information systems. Comments will be accepted through July 31, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert@nist.gov.
NIST Releases Draft and Final Publications
June 1, 2007
NIST announces the release of the following draft and final publications:

1. Draft SP 800-44 version 2, Guidelines on Securing Public Web Servers
2. Draft SP 800-46 version 2, User’s Guide to Securing External Devices for Telework and Remote Access

These two draft SPs, their summaries, and the dates for public comment can be found at the CSRC Draft Publications page.

The three final publications are:

1. SP 800-101, Guidelines on Cell Phone Forensics
2. NISTIR 7387, Cell Phone Forensics
3. NISTIR 7275 revision 2, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.3
SP 800-101, Guidelines on Cell Phone Forensics, provides general principles and technical information to aid organizations in developing appropriate policies and procedures for preserving, acquiring, and examining digital evidence found on cell phones, and for reporting the results. Cell phones are an emerging but rapidly growing area of computer forensics. The publication also explains the relationship between key aspects of cell phone technology and the operation and use of available forensic tools.
NISTIR 7387, Cell Phone Forensic Tools: An Overview and Analysis Update, provides an overview of current forensic software tools designed for the acquisition, examination, and reporting of data residing on cellular handheld devices. It is a follow-on publication to NISTIR 7250, which originally reported on the topic, and includes several additional tools. The publication reviews the capabilities and limitations of each tool in detail through a scenario-based methodology.
NISTIR 7275 Revision 2, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.3, describes XCCDF, a standardized XML format for holding structured collections of security configuration rules for a set of target systems. The XCCDF specification is designed to support automated testing and scoring, which can underpin FISMA compliance and other efforts. NISTIR 7275 Revision 2 specifies the data model and Extensible Markup Language (XML) representation for version 1.1.3 of XCCDF; the previous revision addressed version 1.1 of XCCDF.
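To make the format concrete, here is an added example in Python that is not taken from NISTIR 7275 or from any published NIST checklist. It embeds a small constructed XCCDF 1.1 Benchmark (a Profile, two Groups, three Rules), resolves which rules the Profile selects, runs each selected rule against a constructed host state through a hypothetical check engine (`urn:example:simple-kv`; a real benchmark would reference OVAL definitions instead), and computes a weighted-average score in the spirit of XCCDF's default scoring model, simplified here to pass = 100 and fail = 0 with other results contributing nothing.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"   # namespace of the 1.1.x revisions
NS = {"x": XCCDF_NS}
CHECK_SYSTEM = "urn:example:simple-kv"              # hypothetical engine, stands in for OVAL

# Constructed benchmark, not taken from any published checklist.
BENCHMARK_XML = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-web-server" resolved="1">
  <status date="2007-06-01">draft</status>
  <title>Example web server checklist (constructed)</title>
  <Profile id="internet-facing">
    <title>Internet-facing server</title>
    <select idref="rule-tls-only" selected="true"/>
    <select idref="rule-debug-off" selected="false"/>
  </Profile>
  <Group id="grp-transport" weight="2.0">
    <title>Transport security</title>
    <Rule id="rule-tls-only" selected="false">
      <title>Serve only over TLS</title>
      <check system="{CHECK_SYSTEM}"><check-content>tls_only=true</check-content></check>
    </Rule>
  </Group>
  <Group id="grp-content">
    <title>Content exposure</title>
    <Rule id="rule-dir-listing">
      <title>Directory listing disabled</title>
      <check system="{CHECK_SYSTEM}"><check-content>directory_listing=false</check-content></check>
    </Rule>
    <Rule id="rule-debug-off">
      <title>Debug mode disabled</title>
      <check system="{CHECK_SYSTEM}"><check-content>debug_mode=false</check-content></check>
    </Rule>
  </Group>
</Benchmark>"""

# Constructed state of the target host, as a real check engine would collect it.
HOST_STATE = {"tls_only": True, "directory_listing": True, "debug_mode": True}


def _flag(value, default=True):
    return default if value is None else value.lower() == "true"


def _local(tag):
    return tag.split("}")[-1]


def profile_overrides(root, profile_id):
    """idref -> selected, from the Profile's <select> elements (empty if no profile)."""
    if profile_id is None:
        return {}
    prof = root.find(f"x:Profile[@id='{profile_id}']", NS)
    if prof is None:
        raise KeyError(f"no Profile {profile_id}")
    return {s.get("idref"): _flag(s.get("selected")) for s in prof.findall("x:select", NS)}


def run_check(rule, state):
    """Evaluate the Rule's inline check with the hypothetical key=value engine."""
    chk = rule.find("x:check", NS)
    if chk is None or chk.get("system") != CHECK_SYSTEM:
        return "notchecked"
    key, expected = chk.findtext("x:check-content", namespaces=NS).strip().split("=", 1)
    if key not in state:
        return "unknown"
    return "pass" if state[key] == (expected == "true") else "fail"


def evaluate(root, profile_id, state):
    """Resolve selection (Rule/Group attribute, overridden by the Profile, inherited
    from the parent Group), then run each selected Rule. Returns {rule_id: result}."""
    overrides = profile_overrides(root, profile_id)
    results = {}

    def walk(node, parent_selected):
        for child in node:
            kind = _local(child.tag)
            if kind not in ("Group", "Rule"):
                continue
            selected = parent_selected and overrides.get(
                child.get("id"), _flag(child.get("selected")))
            if kind == "Group":
                walk(child, selected)
            else:
                results[child.get("id")] = run_check(child, state) if selected else "notselected"

    walk(root, True)
    return results


RULE_SCORE = {"pass": 100.0, "fail": 0.0}   # other results contribute nothing


def score(node, results):
    """Weight-averaged score of scored children (simplified default scoring model)."""
    total = weight = 0.0
    for child in node:
        kind = _local(child.tag)
        if kind == "Rule":
            s = RULE_SCORE.get(results.get(child.get("id")))
        elif kind == "Group":
            s = score(child, results)
        else:
            continue
        if s is None:
            continue
        w = float(child.get("weight", "1.0"))
        total += w * s
        weight += w
    return None if weight == 0 else total / weight


def assess(profile_id="internet-facing", state=HOST_STATE, xml_text=BENCHMARK_XML):
    root = ET.fromstring(xml_text)
    results = evaluate(root, profile_id, state)
    return results, score(root, results)


if __name__ == "__main__":
    for prof in ("internet-facing", None):
        print(prof, *assess(profile_id=prof))
```

Two things worth noticing when running it: the Profile turns on `rule-tls-only` even though the Rule itself is marked `selected="false"`, and turns off `rule-debug-off`, so the same benchmark yields different rule sets and different scores depending on the Profile chosen; and a Group with no scored rules drops out of the average rather than counting as zero, which is why the score without a Profile is driven entirely by the content group.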
NIST Completes Review of SP 800-53A
May 29, 2007
NIST has completed its revision and restructuring of Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, and plans to release the document for review and comment on Monday, June 4, 2007. The document contains significant changes from the second public draft and is therefore being released as a third public draft. Comments on Special Publication 800-53A will be accepted through July 31, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert@nist.gov. Based on the number of comments received during the public comment period, NIST will decide whether a final draft is necessary. Final publication of Special Publication 800-53A is expected during the first quarter of FY 2008. General information about the FISMA Implementation Project, including all of the FISMA-related security standards and guidelines, can be found on the main web site at http://csrc.nist.gov/sec-cert.
SP 800-98 Released
April 27, 2007
NIST announces the release of NIST SP 800-98, Guidelines for Securing Radio Frequency Identification (RFID) Systems. SP 800-98 provides an overview of RFID technology, the associated security and privacy risks, and recommended practices that will help organizations mitigate these risks, safeguard sensitive information, and protect the privacy of individuals.
Guide to NIST Computer Security Documents Released
April 27, 2007
Can't find the FIPS PUB, Special Publication, NIST IR, or ITL Security Bulletin that you're looking for?

In order to make NIST information security documents more accessible, especially to those just entering the security field or with limited needs for the documents, we are presenting the Guide to NIST Computer Security Documents. In addition to being listed by type and number, the Guide presents three ways to search for documents: by Topic Cluster, by Family, and by Legal Requirement. This Guide is current through the end of FY 2006.
PRISMA Database Available
April 27, 2007
The PRISMA Database is a companion to NIST IR 7358 and is now available for download and use. To learn more about the PRISMA Database, visit the PRISMA website at http://prisma.nist.gov/. The NIST IR 7358 page provides the report for viewing or download, along with a link to the PRISMA Database.
IR 7399 Released
April 9, 2007
NIST's Computer Security Division is proud to announce the release of NIST Interagency Report (IR) 7399, Computer Security Division - 2006 Annual Report.
Three Publications Released
February 20, 2007
NIST announces the release of the following final publications:
  1. SP 800-45 Version 2, Guidelines on Electronic Mail Security
  2. SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
  3. SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
SP 800-45 Version 2, Guidelines on Electronic Mail Security, is intended to aid organizations in the installation, configuration, and maintenance of secure mail servers and mail clients. It presents recommendations for securing mail server operating systems and applications, protecting mail servers through the supporting network infrastructure, and administering mail servers securely. SP 800-45 Version 2 also provides guidance on protecting individual email messages, securing access to mailboxes, and securely configuring mail clients. This publication replaces the original version of SP 800-45, which was released in 2002.
SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), seeks to assist organizations in understanding intrusion detection system and intrusion prevention system technologies and in designing, implementing, configuring, securing, monitoring, and maintaining intrusion detection and prevention system (IDPS) solutions. It provides practical, real-world guidance for each of four classes of IDPS products: network-based, wireless, network behavior analysis software, and host-based. The publication also provides an overview of complementary technologies that can detect intrusions, such as security information and event management software. It focuses on enterprise IDPS solutions, but most of the information in the publication is also applicable to standalone and small-scale IDPS deployments. This publication replaces NIST SP 800-31, Intrusion Detection Systems.
SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, provides detailed information on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard for wireless local area network (WLAN) security. IEEE 802.11i provides security enhancements over the previous 802.11 security method, Wired Equivalent Privacy (WEP), which has several well-documented security deficiencies. IEEE 802.11i introduces a range of new security features that are designed to overcome the shortcomings of WEP. This document explains these security features and provides specific recommendations to ensure the security of the WLAN operating environment. It gives extensive guidance on protecting the confidentiality and integrity of WLAN communications, authenticating users and devices using several methods, and incorporating WLAN security considerations into each phase of the WLAN life cycle. The document complements, and does not replace, NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices.
IR 7358 Released
February 12, 2007
NIST is pleased to announce the release of NIST Interagency Report 7358, Program Review for Information Security Management Assistance (PRISMA). This NIST Interagency Report provides an overview of the NIST Program Review for Information Security Management Assistance (PRISMA) methodology. The PRISMA methodology is a means of employing a standardized approach to review and measure the information security posture of an information security program.
IR 7359 Released
February 12, 2007
NIST is pleased to announce the release of NIST Interagency Report 7359, Information Security Guide for Government Executives. The purpose of this publication is to inform executives about various aspects of information security that they will be expected to implement and oversee in their respective organizations. The Information Security Guide for Government Executives provides a broad overview of information security program concepts to assist senior leaders in understanding how to oversee and support the development and implementation of information security programs.
Draft SP 800-104 Released
January 29, 2007
NIST is proud to announce the release of Draft Special Publication 800-104, A Scheme for PIV Visual Card Topography, which is now available for a 30-day public comment period. This document provides additional recommendations on Personal Identity Verification (PIV) Card color-coding for designating employee affiliation. It is intended to refine FIPS 201 to enable reliable visual verification of the PIV Card. To learn more about this draft document and how to submit comments, please visit the CSRC Drafts Publications page. The comment period closes at 5:00 PM EST (US and Canada) on February 28, 2007.
SP 800-76-1 Released
January 25, 2007
NIST is pleased to announce the release of NIST Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification. This document is a revision for the earlier version of February 2006. The changes include incorporation of the published errata document and public comments, clarification on performance testing and certification procedures, and caution regarding fingerprint minutiae generation. Additional typographical fixes and aesthetic changes have been incorporated in this document.
NIST Information Security Seminar Announced
January 24, 2007
The first NIST Information Security Seminar for CIOs, CISOs, and IGs, held on January 10, 2007, was very well received. However, numerous people requested that their support contractors be able to attend. To meet this need, we will hold the session again for all Federal employees and support contractors with information security responsibilities. This repeat session will be held at NIST in Gaithersburg, Maryland on Thursday, February 1, 2007 from 9:30 AM to 12:30 PM. Registration is free; however, all attendees must register in order to gain access to the NIST campus, and all support contractors must be sponsored by a Federal employee. The agenda, registration information, NIST campus access requirements, and directions to NIST can be found at http://csrc.nist.gov/sec-cert/ca-events.html. Please note that registration will close on Tuesday, January 30, 2007 at 12:00 PM.
Comments on FIPS 186-3 Wanted
January 24, 2007
NIST received many comments when Draft FIPS 186-3 was posted for public comment during the spring of 2006. Several comments concerned the number of tests required for primality testing. In response, NIST surveyed the latest literature available on this topic and is providing alternatives for consideration; both the draft and the alternatives are available at http://csrc.nist.gov/CryptoToolkit/tkdigsigs.html. Please provide comments to Elaine Barker at NIST by February 23, 2007, inserting "Comments on FIPS 186-3 Primality Testing" in the subject line. NIST is particularly interested in comments relating to the security of the new proposal versus the values currently used in Draft FIPS 186-3.
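Draft FIPS 186-3 screens candidate primes with the Miller-Rabin test, and the open question above is how many rounds (independent bases) to require. The Python below is an added example, not code from the standard or from NIST's proposal, that implements the test with an explicit list of bases so the effect of the round count is visible on constructed inputs: 2047 = 23 x 89 survives base 2 alone but is exposed by base 3, and 1373653 = 829 x 1657 survives bases 2 and 3 but not 5. The 4^-k figure is the generic worst-case bound for k random bases; the specific round counts in the draft and in NIST's alternatives are not reproduced here.

```python
import random


def miller_rabin_witness(n: int, a: int) -> bool:
    """True if base a proves n composite (a 'witness'); False if n looks prime to base a.
    Writes n-1 = 2^s * d with d odd and checks a^d, a^(2d), ..., a^(2^(s-1) d) mod n."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True                     # the sequence never reached -1: a is a witness


SMALL_PRIMES = (2, 3, 5, 7, 11, 13)


def is_probable_prime(n: int, bases) -> bool:
    """Miller-Rabin with an explicit list of bases; each base is one round.
    A composite slips through only if every base in the list is a strong liar for it."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:           # cheap trial division first, as implementations do
        if n == p:
            return True
        if n % p == 0:
            return False
    return not any(miller_rabin_witness(n, a) for a in bases)


def random_bases(n: int, rounds: int, rng=random) -> list:
    """Uniformly random bases in [2, n-2], the choice the bound below assumes."""
    return [rng.randrange(2, n - 1) for _ in range(rounds)]


def false_positive_bound(rounds: int) -> float:
    """Generic worst-case chance that a composite survives `rounds` random bases: 4^-rounds."""
    return 4.0 ** -rounds


if __name__ == "__main__":
    # 2047 is a strong pseudoprime to base 2; adding base 3 exposes it.
    print(is_probable_prime(2047, [2]), is_probable_prime(2047, [2, 3]))
    # 1373653 is a strong pseudoprime to bases 2 and 3; base 5 exposes it.
    print(is_probable_prime(1373653, [2, 3]), is_probable_prime(1373653, [2, 3, 5]))
    # The Carmichael number 561 fools Fermat's test but not Miller-Rabin with base 2.
    print(miller_rabin_witness(561, 2))
    print(false_positive_bound(40))
```

The practical point for a key generator is that a fixed, short list of small bases is exactly what strong pseudoprimes are built to defeat, so production code draws random bases and sets the round count from the error bound it needs; the 4^-k bound is conservative for randomly generated candidates, which is what the literature NIST surveyed addresses.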
Development of New Cryptographic Hash Algorithms Announced
January 23, 2007
NIST announces the commencement of an effort to develop new cryptographic hash algorithm(s) for the revision of Federal Information Processing Standard (FIPS) 180-2, the Secure Hash Standard. To start the process, NIST is publishing draft minimum acceptability requirements, submission requirements, and evaluation criteria for candidate algorithms to solicit public comment. Comments must be received by NIST on or before April 27, 2007 (See http://www.nist.gov/hash-function for details).
Updated Database Application Released
January 17, 2007
NIST announces the release of an updated Database Application for Special Publication 800-53, Revision 1, Recommended Security Controls for Federal Information Systems. The database application will allow users to browse the catalog of security controls, display the security controls in selected views or groups by control family, class, or baseline (e.g., management controls, moderate baseline controls, or contingency planning controls), search the catalog of controls for keywords, and export information from the database into a variety of popular data formats that may be needed for automated tool support.
Security Seminar Slides Available
January 11, 2007
The presentation slides from the inaugural NIST Security Seminar held at the Department of Commerce on January 10th for federal CIOs, IGs, and CISOs, are now available at http://csrc.nist.gov/sec-cert/fisma-news.html. The security seminar presented an overview of the NIST Risk Management Framework and the recent updates to security controls in NIST Special Publication 800-53, Revision 1.
