News Archive - 2008



DRAFT Recommendation for EAP Methods Used in Wireless Network Access Authentication
December 23, 2008
NIST announces the release of draft Special Publication 800-120, Recommendation for EAP Methods Used in Wireless Network Access Authentication. This Recommendation specifies security requirements for authentication methods with key establishment supported by the Extensible Authentication Protocol (EAP) defined in IETF RFC 3748 for wireless access authentications to federal networks. Please submit comments to 800-120comments@nist.gov with "Comments on SP 800-120" in the subject line. The comment period closes on January 30, 2009.


NIST Announces the Release of NIST IR 7539 Symmetric Key Injection onto Smart Cards
December 18, 2008
The National Institute of Standards and Technology (NIST) is pleased to announce the release of NIST Interagency Report 7539, Symmetric Key Injection onto Smart Cards. There is significant interest in conducting fast, accurate, and highly secured authentication transactions using symmetric keys in PACS environments. This paper describes architectures for securely injecting secret keys onto smart cards that are used in PACS environments. Specifically, this paper suggests ways to load site-specific symmetric keys onto a PIV Card after the card has been issued, which allows each smart card to share a unique secret key with each PACS with which it interacts. The paper presents four protocols that enable a Card Management System (CMS) to securely load site-specific PACS symmetric keys. Each protocol presents unique security characteristics and uses the PIV Card's card management key in different capacities.


NIST Released Draft Special Publication 800-63 Revision 1
December 12, 2008
 
Draft SP 800-63 Revision 1: E-Authentication Guideline is available for a second public comment period. It supplements OMB guidance, by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies, and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. The bulk of the changes since the previously posted draft of SP 800-63-1 concern assertion technologies and Kerberos. Comments will be accepted until January 30, 2009. Comments should be forwarded via email to eauth-comments@nist.gov.


NIST Released Draft Special Publication 800-56B
December 10, 2008
 
NIST requests comments on Draft SP 800-56B, Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography. This Recommendation provides the specifications of asymmetric-based key agreement and key transport schemes that are based on the Rivest Shamir Adleman (RSA) algorithm. Please provide comments to ebarker@nist.gov by February 12, 2009, with “Comments on SP 800-56B” in the subject line.


NIST Releases Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems
November 21, 2008
 
The National Institute of Standards and Technology (NIST) is pleased to announce the release of Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. This publication provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate cardholders in Federal facilities. Specifically, this document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to Federal government facilities and assets. This document also proposes a PIV implementation maturity model to measure the progress of agencies' PIV implementations.


NIST Computer Security Division Releases 2 Draft Publications
FIPS Publication 186-3 Digital Signature Standard (DSS) AND Special Publication (SP) 800-102 Recommendation for Digital Signature Timeliness

November 12, 2008
 
Document #1 - Draft FIPS 186-3
As stated in today’s Federal Register Notice, NIST requests final comments on FIPS 186-3, the proposed revision of FIPS 186-2, the Digital Signature Standard. The draft defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures using DSA, RSA and ECDSA. Please submit comments to ebarker@nist.gov with "Comments on Draft 186-3" in the subject line. The comment period closes on Friday, December 12, 2008.

Document #2 - Draft Special Publication 800-102
NIST requests comments on Draft SP 800-102, Recommendation for Digital Signature Timeliness. This Recommendation provides methods for obtaining assurance about the time that a message was signed. The concepts in this Recommendation were presented in the original public comment draft of FIPS 186-3, The Digital Signature Standard. Please provide comments to ebarker@nist.gov by December 19, 2008, with "Comments on SP 800-102" in the subject line.


NIST Special Publication 800-108 has been released
November 6, 2008
The National Institute of Standards and Technology (NIST) is pleased to announce the release of Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions. This Recommendation specifies techniques for the derivation of additional keying material from a secret cryptographic key using pseudorandom functions. This key can be either established through a key establishment scheme or shared through some other manner.


Special Publication 800-124 Guidelines on Cell Phone and PDA Security has been Released
October 31, 2008
 
NIST announces the release of Special Publication 800-124, Guidelines on Cell Phone and PDA Security. It provides an overview of cell phone and personal digital assistant (PDA) devices in use today and offers insights into making informed information technology security decisions on their treatment. SP 800-124 gives details about the threats and technology risks associated with the use of these devices and the available safeguards to mitigate them. Organizations can use the information presented in SP 800-124 to enhance security and reduce incidents involving cell phone and PDA devices.


NIST Announces the Release of 3 Special Publications (SPs): DRAFT SP 800-57 Part 3; SP 800-64 Revision 2 and SP 800-66 Revision 1
October 24, 2008
 
#1: Draft SP 800-57, Part 3
NIST announces the release of a draft of Part 3 of Special Publication 800-57, Recommendation for Key Management: Application-Specific Key Management Guidance. This Recommendation provides guidance when using the cryptographic features of current systems. It is intended to help system administrators and system installers adequately secure applications based on product availability and organizational needs, and to support organizational decisions about future procurements. The guide also provides information for end users regarding application options left under their control in the normal use of the application. Recommendations are given for a select set of applications, namely: PKI, IPsec, TLS, S/MIME, Kerberos, OTAR, DNSSEC and Encrypted File Systems. Other topics will be added at a later time, and commenters are invited to suggest such topics. Please submit comments to ebarker@nist.gov with "Comments on Draft 800-57, Part 3" in the subject line. The comment period closes on January 16th, 2009.
 
#2: SP 800-64 Rev. 2
NIST is pleased to announce the release of SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle. The purpose of this publication is to assist federal government agencies in integrating essential information technology (IT) security steps into their established IT system development life cycle (SDLC). This should result in more cost-effective, risk-appropriate security control identification, development, and testing.
 
#3: SP 800-66 Revision 1
NIST is pleased to announce the release of SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This Special Publication (SP), which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.


FIPS Publication 180-3 Secure Hash Standard (SHS) has been released
October 17, 2008
 
The National Institute of Standards and Technology (NIST) is pleased to announce the approval of Federal Information Processing Standard (FIPS) Publication 180-3, Secure Hash Standard (SHS), a revision of FIPS 180-2. The Federal Register Notice (FRN) of the approval is available here. The FIPS specifies five secure hash algorithms for use in computing a condensed representation, called a message digest, of electronic data. The five secure hash algorithms are used with other cryptographic algorithms, such as digital signature algorithms, keyed hash message authentication codes or in the generation of random numbers.


NIST Releases Special Publication 800-68 Revision 1
October 17, 2008
 
Special Publication (SP) 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals, has been published as final. It seeks to assist IT professionals in securing Windows XP Professional systems running Service Pack 2 or 3. The guide provides detailed information about the security features of Windows XP and security configuration guidelines. SP 800-68 Revision 1 updates the original version of SP 800-68, which was released in 2005.


NIST Releases 3 Publications - 1 Draft (Special Publication 800-82) and 2 final Special Publications (800-115 and 800-121)
September 30, 2008
 
#1: DRAFT Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security -- The final public draft of SP 800-82 is available for public comment. It provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. SP 800-82 provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This publication is an update to the second public draft, which was released in 2007. NIST requests comments on NIST SP 800-82 by November 30, 2008. Please submit comments to 800-82comments@nist.gov with "Comments SP 800-82" in the subject line. To view this document please visit the Drafts page on CSRC.
 
#2: Special Publication 800-121, Guide to Bluetooth Security, has been finalized. It describes the security capabilities of technologies based on Bluetooth, which is an open standard for short-range radio frequency communication. The document gives recommendations to organizations employing Bluetooth technologies on securing them effectively. SP 800-121 supersedes the original SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices, which was released in 2002 and was replaced in July 2008 by SP 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks.
 
#3: Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, has been published as final. It seeks to assist organizations in planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies. The publication provides practical recommendations for designing, implementing, and maintaining technical information security assessment processes and procedures. SP 800-115 provides an overview of key elements of security testing, with an emphasis on technical testing techniques, the benefits and limitations of each technique, and recommendations for their use. SP 800-115 replaces SP 800-42, Guideline on Network Security Testing, which was released in 2003.


Special Publication 800-73-2, Interfaces for Personal Identity Verification
September 24, 2008
NIST is pleased to announce the release of NIST Special Publication 800-73-2, Interfaces for Personal Identity Verification. Special Publication 800-73-2 (SP 800-73-2) specifies the PIV data model, command interface, client application programming interface and references to transitional interface specifications. The four parts that comprise SP 800-73-2 supersede the single document SP 800-73-1, published in April 2006. Comments received on the first and second public drafts of SP 800-73-2 have been addressed, as have the errata items in SP 800-73-1. The high-level technical changes in SP 800-73-2 are summarized here. The Special Publication 800-73-2 document can be found by going to the Special Publications page.


Draft Special Publication 800-70 Revision 1, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers, has been released for public comment.
September 19, 2008

It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 1 replaces the original version of the document, which was released in 2005. NIST requests comments on draft SP 800-70 Revision 1 by October 31, 2008. Please submit comments to 800-70comments@nist.gov with "Comments SP 800-70" in the subject line.


SP 800-116, 2nd Draft, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems
September 10, 2008
The National Institute of Standards and Technology (NIST) is pleased to announce the 2nd draft of SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. This draft provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate cardholders in Federal facilities. Major changes in this draft include the selection of outcome-based PIV authentication mechanisms and the addition of a PACS conformance best practice guideline. Federal agencies, private organizations, and individuals are invited to review the 2nd draft document and submit comments using the comment template form provided on the website.

Comments should be submitted to PIV_comments@nist.gov with "Comments on Public 2nd Draft SP 800-116" in the subject line. The comment period closes at 5:00 EST (US and Canada) on September 24, 2008.


NIST IR 7516: Forensic Filtering of Cell Phone Protocols is now available
August 22, 2008
NIST Computer Security Division is proud to announce the release of NIST Interagency Report (IR) 7516, Forensic Filtering of Cell Phone Protocols. Phone managers are non-forensic software tools designed to carry out a range of tasks for the user. They are sometimes used by forensic investigators to recover data from a cell phone when no suitable forensic tool is available. While precautions can be taken to preserve the integrity of data on a cell phone, inherent risks exist. This report presents a technique for applying a forensic filter to phone manager protocol exchanges with a cell phone as a means to reduce the risks involved.


Draft Special Publication 800-37, Revision 1 - Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach
August 19, 2008
NIST, in cooperation with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS), announces the completion of an interagency project to develop a common process to authorize federal information systems for operation. The initial public draft of NIST Special Publication 800-37, Revision 1, Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach, is now available for a six-week public comment period. The publication contains the proposed new security authorization process for the federal government (currently commonly referred to as certification and accreditation, or C&A). The new process is consistent with the requirements of the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130, Appendix III, promotes the concept of near real-time risk management based on continuous monitoring of federal information systems, and more closely couples information security requirements to the Federal Enterprise Architecture (FEA) and System Development Life Cycle (SDLC). The historic nature of the partnership among the Civil, Defense, and Intelligence Communities and the rapid convergence of information security standards and guidelines for the federal government will have a significant impact on the federal government's ability to protect its information systems and networks. The convergence of security standards and guidelines is forging ahead with the development of a series of new CNSS policies and instructions that closely parallel the NIST security standards and guidelines developed in response to FISMA. 
The CNSS policies and instructions which address the specific areas of security categorization, security control specification, security control assessment, risk management, and security authorization, coupled with the current NIST publications will provide a more unified information security framework for the federal government and its contracting base. The unified approach to information security is brought together in part by the update to NIST Special Publication 800-37, Revision 1, which provides a common security authorization process and references the NIST and CNSS publications for the national security and non national security communities, respectively. The convergence activities mentioned above along with tighter integration of security requirements into the FEA and SDLC processes will promote more consistent and cost-effective information security and trusted information sharing across the federal government. Comments on the IPD of SP 800-37, Revision 1 should be provided by September 30, 2008 and forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to: sec-cert@nist.gov.


NIST announces the release of the initial public draft (IPD) of exemplary Assessment Cases for the security control assessment procedures described in Appendix F of SP 800-53A Guide for Assessing the Security Controls in Federal Information Systems.
August 14, 2008
 
The Assessment Cases were developed by an interagency team to provide information system security assessors with worked examples identifying specific assessor action steps to accomplish for each of the assessment procedures in Special Publication 800-53A. The full suite of draft assessment cases is available at http://csrc.nist.gov/groups/SMA/fisma/assessment.html. Public review and comment is an integral part of the development of the Assessment Cases, improving their usefulness and effectiveness in facilitating the assessment of security controls. Comments on the IPD Assessment Cases should be provided by September 30, 2008 and should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to: sec-cert@nist.gov.


NIST Releases 2 Documents - Special Publication 800-60 Revision 1 Volume 1 and 2, and Draft NIST IR 7511
August 13, 2008
NIST is pleased to announce the release of Special Publication 800-60 Revision 1, Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories and Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories. This publication provides the basic guidelines for mapping types of information and information systems to security categories. The appendices contained in Volume II include security categorization recommendations and rationale for mission-based and management and support information types.
 
Draft NIST Interagency Report (IR) 7511, Security Content Automation Protocol (SCAP) Validation Program Test Requirements, Version 1.1 is now available for public comment. This report describes the requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7511 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products. NIST requests comments on Draft NISTIR 7511 by September 15, 2008. Please submit comments to IR7511comments@nist.gov with "Comments IR 7511" in the subject line.


NIST Released the 2nd Draft of Special Publication 800-106 Randomized Hashing for Digital Signatures
August 1, 2008
NIST announces the release of the 2nd draft Special Publication 800-106, Randomized Hashing for Digital Signatures. This Recommendation provides a technique to randomize messages that are input to a cryptographic hash function during the generation of digital signatures. Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-106" in the subject line. The comment period closes on September 5th, 2008.


Federal Information Processing Standard (FIPS) 198-1 has been Released
July 29, 2008
The National Institute of Standards and Technology (NIST) is pleased to announce approval of Federal Information Processing Standard (FIPS) Publication 198-1, The Keyed-Hash Message Authentication Code (HMAC), a revision of FIPS 198. The Federal Register Notice (FRN) of the approval is available here. The FIPS specifies a mechanism for message authentication using cryptographic hash functions in Federal information systems.


Comments Received for Draft Special Publication 800-108
July 25, 2008
Please see the following file for the comments on the draft Special Publication 800-108 received during public comment period.


NIST Announces the Release of 3 Special Publications - 1 Draft and 2 Final
July 25, 2008
 
NIST announces the release of three publications: draft Special Publication (SP) 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals, and its associated beta NIST Windows Security Baseline Database; SP 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks; and SP 800-123, Guide to General Server Security.
 
Draft SP 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals, is being released for public comment. It seeks to assist IT professionals in securing Windows XP Professional systems running Service Pack 2 or 3. The guide provides detailed information about the security features of Windows XP and security configuration guidelines. SP 800-68 Revision 1 updates the original version of SP 800-68, which was released in 2005. NIST requests comments on draft SP 800-68 Revision 1 by August 29, 2008. Please submit comments to 800-68comments@nist.gov with "Comments SP 800-68" in the subject line.
 
The beta NIST Windows Security Baseline Database is being released for public comment. The database contains information on security setting baselines for Microsoft Windows XP, Windows Vista, Internet Explorer 7 (IE7), and Windows Firewall that are specified in NIST security templates and in the Federal Desktop Core Configuration (FDCC) Major Version 1.0. The database allows interested parties to view security settings by baseline or by policy (e.g., FDCC), as well as to compare baselines to each other. The information in the database is intended to supplement Draft SP 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals. NIST requests comments on the beta Windows Security Baseline Database by August 29, 2008. Please submit comments to 800-68comments@nist.gov with "Comments Security Database" in the subject line.
 
SP 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, provides recommendations to organizations on securing their legacy Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless local area networks that cannot use IEEE 802.11i. SP 800-48 Revision 1 updates the original version of SP 800-48, which was released in November 2002. SP 800-48 Revision 1 complements, and does not replace, SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. People seeking information on IEEE 802.11i should consult SP 800-97.

SP 800-123, Guide to General Server Security, is intended to assist organizations in installing, configuring, and maintaining secure servers. SP 800-123 makes recommendations for securing a server's operating system and server software, as well as maintaining the server's secure configuration through application of appropriate patches and upgrades, security testing, log monitoring, and backups of data and operating system files. The document addresses common servers that use general operating systems and are deployed in both outward-facing and inward-facing locations.


NIST Announces the release of Special Publication 800-55 Revision 1
July 21, 2008
 
NIST is pleased to announce the release of NIST Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security. This publication provides assistance in developing, selecting, and implementing security performance measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs.


NIST announces the public comment release of the following 3 documents:
- Special Publication (SP) 800-121, Guide to Bluetooth Security,
- SP 800-107, Recommendation for Applications Using Approved Hash Algorithms, and
- SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy.

July 9, 2008
 
Draft SP 800-121, Guide to Bluetooth Security, describes the security capabilities of Bluetooth technologies and gives recommendations to organizations employing Bluetooth technologies on securing them effectively. Much of SP 800-121 was originally included in draft NIST SP 800-48 Revision 1, Wireless Network Security for IEEE 802.11a/b/g and Bluetooth, but based on public comments, the Bluetooth material has been removed from SP 800-48 and placed in its own publication. NIST requests comments on draft SP 800-121 by August 22, 2008. Please submit comments to 800-121comments@nist.gov with "Comments SP 800-121" in the subject line.
 
NIST announces the release of the 2nd draft of Special Publication 800-107, Recommendation for Applications Using Approved Hash Algorithms. This document provides security guidelines for achieving the required or desired security strengths when using cryptographic applications that employ the approved cryptographic hash functions specified in Federal Information Processing Standard (FIPS) 180-3, such as digital signature applications, Keyed-hash Message Authentication Codes (HMACs) and Hash-based Key Derivation Functions (HKDFs). Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-107" in the subject line. The comment period closes on October 9, 2008.
 
Draft SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy, provides recommendations on developing firewall policies and on selecting, configuring, testing, deploying, and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based, and personal firewalls. SP 800-41 Revision 1 updates the original publication, which was released in 2002. NIST requests comments on draft SP 800-41 Revision 1 by August 15, 2008. Please submit comments to 800-41comments@nist.gov with "Comments SP 800-41" in the subject line.


NIST announces the release of two publications: Special Publication (SP) 800-113, Guide to SSL VPNs, and draft SP 800-124, Guidelines on Cell Phone and PDA Security
July 7, 2008
 
SP 800-113, Guide to SSL VPNs, seeks to assist organizations in understanding Secure Sockets Layer (SSL) virtual private network (VPN) technologies. The publication also makes recommendations for designing, implementing, configuring, securing, monitoring, and maintaining SSL VPN solutions. SP 800-113 provides a phased approach to SSL VPN planning and implementation that can help in achieving successful SSL VPN deployments. It also includes a comparison with other similar technologies such as IPsec VPNs and other VPN solutions.
 
Draft SP 800-124, Guidelines on Cell Phone and PDA Security, is available for public comment. It provides an overview of cell phone and personal digital assistant (PDA) devices in use today and offers insights for making informed information technology security decisions regarding their treatment. SP 800-124 gives details about the threats, technology risks, and safeguards for these devices. NIST requests comments on draft SP 800-124 by August 8, 2008. Please submit comments to 800-124comments@nist.gov with "Comments SP 800-124" in the subject line.


Release of 3 Special Publications (SP): SP 800-53A, SP 800-67 (updated), and SP 800-79-1
June 30, 2008
 
1. NIST announces the release of Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. This publication provides comprehensive assessment procedures for the security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans. Assessment cases that can be used by federal agencies to supplement the assessment procedures are described in Special Publication 800-53A, Appendix J. The assessment cases are being developed by an interagency task force as part of the Assessment Case Development Project and will be posted on the NIST website at http://csrc.nist.gov/sec-cert O/A July 25, 2008.
 
2. NIST Special Publication 800-67 Version 1.1, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, has been updated. Appendix E explains what has been updated in this document.
 
3. NIST is pleased to announce Special Publication 800-79-1, Guidelines for the Accreditation of Personal Identity Verification Card Issuers. This is a substantial improvement over SP 800-79 that takes into account: (a) the emergent business models (in-house, leased, shared, etc.) for Personal Identity Card Issuers (PCI), (b) lessons learned in past accreditations and (c) the directives in OMB memorandums. The most significant change is the replacement of "Attributes" with an objective set of PCI controls and an assessment and accreditation methodology that assesses the capability and reliability of a PCI based on these controls. Specifically, the accreditation methodology consists of the following steps: (a) derivation of PCI controls based on requirements in FIPS 201-1 and supporting documents, OMB Memorandums, etc.; (b) providing a context for PCI controls by identifying a set of hierarchical concepts such as PCI Accreditation Topics and PCI Accreditation Focus Areas; (c) development of assessment methods appropriate for each PCI control that will assess conformance to those underlying requirements; and (d) guidance for evaluating the results of assessments in order to arrive at an accreditation decision.


OMB and FDCC
June 27, 2008
At the Office of Management and Budget's (OMB) request, NIST posted the production version 1.0 of the settings for the Federal Desktop Core Configuration (FDCC).


Request for Public Comment on XTS - AES
June 5, 2008
The P1619 Task Group of the Security in Storage Working Group (SISWG) of the Institute of Electrical and Electronics Engineers, Inc. (IEEE) has submitted the XTS-AES algorithm (XTS, for short) to NIST as an encryption mode of operation of the Advanced Encryption Standard (AES) block cipher. XTS does not provide authentication, because an authentication tag would expand the data beyond the fixed size of a storage sector; it is nevertheless designed to provide some protection against malicious manipulation of the encrypted data. NIST is proposing approval of XTS for government use after a period of public comment. Additional information is available in the Request for Public Comment on XTS.
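As an added illustration (written for this page; not code from NIST or from the IEEE submission), the following Go program implements XTS-AES for whole 16-byte blocks using the IEEE 1619 conventions (key split K1 || K2, little-endian 128-bit sector number as the tweak input, per-block tweak multiplication by alpha in GF(2^128)), checks the result against IEEE 1619 test vector 1, and then shows concretely what "some protection against manipulation" means: flipping one ciphertext bit garbles the whole 16-byte block it sits in and no other block. The demo key, sector number, plaintext and flipped bit position are constructed values; ciphertext stealing for data units that are not a multiple of 16 bytes is omitted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// mulAlpha multiplies the tweak by alpha = x in GF(2^128), little-endian,
// reducing by x^128 + x^7 + x^2 + x + 1 as IEEE 1619 specifies.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		msb := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = msb
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xtsCrypt encrypts (or decrypts) whole 16-byte blocks of one data unit:
// C_j = E_K1(P_j xor T_j) xor T_j, with T_0 = E_K2(sector), T_{j+1} = T_j * alpha.
// Ciphertext stealing for a partial last block is omitted in this example.
func xtsCrypt(key []byte, sector uint64, src []byte, encrypt bool) ([]byte, error) {
	if len(key) != 32 && len(key) != 64 {
		return nil, fmt.Errorf("xts: key must be 32 or 64 bytes (K1 || K2), got %d", len(key))
	}
	if len(src) == 0 || len(src)%16 != 0 {
		return nil, fmt.Errorf("xts: data must be a non-empty multiple of 16 bytes")
	}
	k1, _ := aes.NewCipher(key[:len(key)/2]) // key lengths validated above
	k2, _ := aes.NewCipher(key[len(key)/2:])
	var t, blk [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector) // 128-bit little-endian data unit number
	k2.Encrypt(t[:], t[:])
	dst := make([]byte, len(src))
	for off := 0; off < len(src); off += 16 {
		for j := range blk {
			blk[j] = src[off+j] ^ t[j]
		}
		if encrypt {
			k1.Encrypt(blk[:], blk[:])
		} else {
			k1.Decrypt(blk[:], blk[:])
		}
		for j := range blk {
			dst[off+j] = blk[j] ^ t[j]
		}
		mulAlpha(&t)
	}
	return dst, nil
}

// KnownAnswerVector1 encrypts IEEE 1619 test vector 1 (all-zero keys, sector 0,
// 32 zero bytes) and returns the ciphertext as hex.
func KnownAnswerVector1() (string, error) {
	ct, err := xtsCrypt(make([]byte, 32), 0, make([]byte, 32), true)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(ct), nil
}

// CorruptedBlocks encrypts plaintext under key/sector, flips ciphertext bit
// number `bit`, decrypts, and reports which 16-byte blocks no longer match.
func CorruptedBlocks(key, plaintext []byte, sector uint64, bit int) ([]int, error) {
	ct, err := xtsCrypt(key, sector, plaintext, true)
	if err != nil {
		return nil, err
	}
	if bit < 0 || bit >= len(ct)*8 {
		return nil, fmt.Errorf("xts: bit %d out of range", bit)
	}
	ct[bit/8] ^= 1 << uint(bit%8)
	pt, err := xtsCrypt(key, sector, ct, false)
	if err != nil {
		return nil, err
	}
	var bad []int
	for off := 0; off < len(pt); off += 16 {
		if !bytes.Equal(pt[off:off+16], plaintext[off:off+16]) {
			bad = append(bad, off/16)
		}
	}
	return bad, nil
}

func main() {
	ct, _ := KnownAnswerVector1()
	fmt.Println("IEEE 1619 vector 1:", ct)
	key := bytes.Repeat([]byte{0x11}, 32) // constructed demo key, not for real use
	bad, _ := CorruptedBlocks(key, bytes.Repeat([]byte("A"), 64), 7, 17*8+3)
	fmt.Println("blocks garbled by one flipped bit in block 1:", bad)
}
```

The flipped bit lands in block 1, and only block 1 decrypts to garbage: an attacker cannot make a controlled change to the plaintext, which is the protection the announcement refers to. It is not integrity protection. Replacing a sector's ciphertext with an older ciphertext of the same sector is not detected by XTS at all, and the garbled block is only noticed if something above the disk layer checks it; detecting such changes needs an authenticated mode or a separate integrity mechanism.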


Draft NIST Interagency Report (IR) 7502, The Common Configuration Scoring System (CCSS), is now available for public comment.
May 30, 2008
This document proposes a specification for CCSS, a set of standardized measures for the characteristics and impacts of software security configuration issues. NISTIR 7502 also provides several examples of how CCSS measures and scores would be determined for a diverse set of configuration issues. Once CCSS is finalized, CCSS data can assist organizations in making sound decisions as to how configuration issues should be addressed and can provide data to be used in quantitative assessments of host security. For more details on how to submit comments, please visit the Drafts page.


Draft Special Publication 800-123 is now available
May 6, 2008
Draft SP 800-123, Guide to General Server Security, is available for public comment. This document is intended to assist organizations in installing, configuring, and maintaining secure servers. SP 800-123 makes recommendations for securing a server's operating system and server software, as well as for maintaining the server's secure configuration through application of appropriate patches and upgrades, security testing, log monitoring, and backups of data and operating system files. The document addresses common servers that use general operating systems and are deployed in both outward-facing and inward-facing locations. Comments must be received by June 13, 2008. For more information regarding this draft, please visit the CSRC Drafts page (link provided above).


Draft Special Publication 800-66 Revision is now available for Public Comment
May 1, 2008
NIST announces the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This Special Publication (SP) discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule. It was written to educate readers about the information security terms used in the HIPAA Security Rule, to improve understanding of the meaning of the security standards set out in the Security Rule, to direct readers to helpful information in other NIST publications on the individual topics the HIPAA Security Rule addresses, and to aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself. Comments on Draft SP 800-66 Revision 1 will be accepted through June 13, 2008. Go to the Drafts page to learn more about this draft.


DRAFT Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions
May 1, 2008
NIST announces the release of Draft Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions. This Recommendation specifies techniques for deriving additional keys from a secret key using pseudorandom functions (PRFs). The comment period closes on June 28, 2008. To learn more about this draft, please visit the CSRC Drafts page.
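As an added example (written for this page, not text or code from SP 800-108), the Go program below implements the counter-mode KDF as it appears in the published SP 800-108, with HMAC-SHA-256 as the PRF, and uses it the way a protocol typically does: one master key yields separate encryption and MAC keys, separated by a Label and bound to a Context. The counter width (32 bits) and the width of the encoded output length L (32 bits) are parameters the specification leaves to the implementation; they are fixed here so the derivation is reproducible. The master key and session identifier are constructed demo values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
)

// KDFCounter is the counter-mode KDF of SP 800-108:
//   K(i) = PRF(K_I, [i]_2 || Label || 0x00 || Context || [L]_2), i = 1..n
//   K_O  = leftmost L bits of K(1) || K(2) || ... || K(n)
// Parameters fixed by this example: r = 32-bit big-endian counter, 32-bit
// big-endian encoding of L, PRF = HMAC over the supplied hash function.
func KDFCounter(newHash func() hash.Hash, kIn, label, context []byte, lBits int) ([]byte, error) {
	if lBits <= 0 || lBits%8 != 0 || lBits > 0xFFFFFFFF {
		return nil, errors.New("kdf: L must be a positive multiple of 8 that fits in 32 bits")
	}
	hLen := newHash().Size()
	n := (lBits/8 + hLen - 1) / hLen // n = ceil(L / h); h = PRF output length in bits
	var ctr, lEnc [4]byte
	binary.BigEndian.PutUint32(lEnc[:], uint32(lBits))
	var out []byte
	for i := 1; i <= n; i++ {
		binary.BigEndian.PutUint32(ctr[:], uint32(i))
		mac := hmac.New(newHash, kIn)
		mac.Write(ctr[:])
		mac.Write(label)
		mac.Write([]byte{0x00}) // separator between Label and Context
		mac.Write(context)
		mac.Write(lEnc[:])
		out = mac.Sum(out) // append K(i)
	}
	return out[:lBits/8], nil
}

// DeriveSessionKeys derives two independent 128-bit keys from one master key.
// Distinct Labels keep the keys independent; the Context (here a constructed
// session identifier) ties them to one session.
func DeriveSessionKeys(master, context []byte) (encKey, macKey []byte, err error) {
	encKey, err = KDFCounter(sha256.New, master, []byte("enc"), context, 128)
	if err != nil {
		return nil, nil, err
	}
	macKey, err = KDFCounter(sha256.New, master, []byte("mac"), context, 128)
	if err != nil {
		return nil, nil, err
	}
	return encKey, macKey, nil
}

func main() {
	master := []byte("constructed 32-byte master key..") // demo value only
	enc, mac, err := DeriveSessionKeys(master, []byte("session-42"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("enc key: %x\nmac key: %x\n", enc, mac)
}
```

Because both the counter and L are fed into the PRF, requesting a longer output does not produce a prefix of a shorter one, and two callers that agree on the key but not on the encoding widths will derive different keys; those widths are part of the protocol, not a local detail. SP 800-108 also defines feedback and double-pipeline iteration modes, which this example does not cover.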


FY 2007 Annual Computer Security Division Report, NIST Interagency Report (IR) 7442, Announcement
May 1, 2008
The NIST Computer Security Division is proud to announce the release of NIST Interagency Report (IR) 7442: Computer Security Division - 2007 Annual Report. This publication highlights the diverse research agenda that enabled the Computer Security Division to successfully respond to numerous challenges and opportunities in fulfilling its mission to provide standards and technology that protects information systems against threats to the confidentiality, integrity, and availability of information and services.


Special Publication 800-87 Revision 1 Released
April 30, 2008
NIST is pleased to announce Special Publication 800-87 (SP 800-87) Codes for the Identification of Federal and Federally-Assisted Organizations, Revision 1 - 2008. SP 800-87 Revision 1 - 2008 provides the organizational codes necessary to establish the Federal Agency Smart Credential Number (FASC-N) that is required to be included in the FIPS 201 Card Holder Unique Identifier (CHUID). Appendix A of SP 800-87 Revision 1 - 2008 lists the agency code updates incorporated in this revision.


PIV PACS Integration Workshop
April 8, 2008

The National Institute of Standards and Technology (NIST) will hold a public Personal Identity Verification (PIV) Physical Access Control Systems (PACS) Integration workshop on Thursday, May 1, 2008 at the NIST campus in Gaithersburg, MD from 9:30am to 3:30pm. The purpose of the workshop is the exchange of information among PACS implementers, Federal agencies, and NIST. NIST will provide a briefing on SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), followed by a question and answer session. NIST will facilitate 10 minute individual presentations through which interested individuals may present observations to the group. All material presented will be made public. Individuals desiring to present their observations must contact Ketan Mehta (mehta_ketan@nist.gov) via email and provide an abstract and PowerPoint slides in advance. Workshop registration is required to gain entry to the NIST facilities. Please visit http://www.nist.gov/public_affairs/confpage/conflist.htm to register. The cost of registration is $50. Registration closes on April 28, 2008.


Update on Federal Desktop Core Configuration (FDCC)
April 3, 2008
At the Office of Management and Budget's (OMB) request, NIST is administering public comment for proposed settings changes to the Federal Desktop Core Configuration (FDCC).


Second DRAFT Special Publication 800-39 Managing Risk from Information Systems: An Organizational Perspective
April 3, 2008
NIST announces the release of the second public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a structured, yet flexible approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations. Comments will be accepted through April 30, 2008. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert@nist.gov.


Draft Special Publication 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems
April 1, 2008
The National Institute of Standards and Technology (NIST) is pleased to announce a draft publication SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. This draft provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in Federal facilities. This draft includes recommendations for increasing the use of asymmetric key architecture and credential validation. Federal agencies and private organizations as well as individuals are invited to review the draft document and submit comments using the comment template form provided on the website. Comments should be submitted to PIV_comments@nist.gov with "Comments on Public Draft SP 800-116" in the subject line. The comment period closes at 5:00 EST (US and Canada) on May 12, 2008.


NIST Advanced Network Technologies Division has released DRAFT NIST Special Publication 500-267, A Profile for IPv6
April 1, 2008
NIST Advanced Network Technologies Division has released NIST Special Publication 500-267, A Profile for IPv6 in the U.S. Government - Version 1.0 (PDF), which is now available for public comment. This document is not part of the 800 Series Computer Security Division Publications developed specifically for standards and guidelines, including minimum requirements, for providing adequate information security for all federal agency operations and assets as stated in the Federal Information Security Management Act. Rather, the goal of the profile, and of the associated proposed testing program, is to provide the technical basis upon which long term USG IPv6 adoption plans and policies can be based. It should be noted that the profile is not intended to be applicable to near term uses (e.g., the June 2008 requirements described in OMB Memorandum M-05-22, http://www.whitehouse.gov/omb/memoranda/fy2005/m05-22.pdf). Instead, as a forward looking strategic plan, the profile's recommendations are targeted for 2010 and beyond.


Comment Period for Draft SP 800-73-2 has been EXTENDED
March 21, 2008
The public comment period for Draft SP 800-73-2 has been extended. Public comments are now due by April 18, 2008, 5:00 pm EST.


Track Changes Now Available for Draft Special Publication 800-73-2 (Parts 1-3)
March 18, 2008
The following documents contain the tracked changes from the first to the second draft of SP 800-73-2. Editorial and formatting changes are not tracked. Of the document's four parts, only Part 4 had no changes. Please go to the Drafts page to view the Part 1, Part 2, and Part 3 track changes.


DRAFT SP 800-64 Rev. 2 Security Considerations in the System Development Life Cycle
March 14, 2008
NIST Draft SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle, is now available for public comment from CSRC Drafts page. The purpose of this draft revision is to assist federal government agencies in integrating essential information technology (IT) security steps into their established IT system development life cycle (SDLC). This should result in more cost effective, risk appropriate security control identification, development and testing.
 
Comments on Draft SP 800-64 Revision 2 will be accepted through April 28, 2008. Please visit drafts page (link provided above) to learn where to submit comments to.


Second Draft of Special Publication 800-73-2, Interfaces for Personal Identity Verification
March 7, 2008
NIST has posted a second draft of SP 800-73-2 for public comment. This draft incorporates some comments and suggestions that were received after the first public comment period had closed (see 3). The changes since the first draft include: 1) relaxation of the Global PIN security status limitations, 2) incorporation of an optional Global and PIV PIN discovery object, 3) addition of a discovery object for the PIV card application, 4) elimination of the previously proposed optional U-CHUID data object, and 5) resolutions of the first draft public comments. Please go to the DRAFTS page to view the Second Public Draft, to learn more about this draft, and to find where to forward comments. A comment template form is also provided. The comment period closes on April 4, 2008.


NIST announces the final release of SP 800-61 Revision 1, Computer Security Incident Handling Guide, and SP 800-28 Version 2, Guidelines on Active Content and Mobile Code.
March 7, 2008
SP 800-61 Revision 1, Computer Security Incident Handling Guide, seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. The publication includes guidelines on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents. SP 800-61 Revision 1 updates the original publication, which was released in 2004.
 
SP 800-28 Version 2, Guidelines on Active Content and Mobile Code, provides an overview of active content and mobile code technologies in use today and offers insights for making informed IT security decisions on their application and treatment. Active content refers to electronic documents that contain embedded software components, including mobile code; examples of mobile code are JavaScript, VBScript, Java applets, and ActiveX controls. The publication gives details about the active content and mobile code threats, technology risks, and safeguards for end user systems. SP 800-28 Version 2 is a new version of SP 800-28, which was released in 2001.


Additional Information on OMB Memorandum M-07-16
March 4, 2008
The Office of Management and Budget (OMB) Memorandum M-07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information", contains a requirement for logging and verifying sensitive database extracts. A frequently asked questions (FAQ) document that provides additional information on this requirement is now available.
 
General comments and questions on the FAQ and the database extract requirement may be addressed to John Barkhamer of OMB at John_W._Barkhamer@omb.eop.gov. Technical comments and questions may be addressed to dataextractfaq@nist.gov.


DRAFT Special Publication 800-63 Revision 1: E-Authentication Guideline
February 26, 2008
Draft SP 800-63-1 E-Authentication Guideline is available for public comment. It supplements OMB guidance, by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies, and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. Comments will be accepted until April 10, 2008. Please visit drafts page to learn more about this draft document and where to forward comments to.


DRAFT Special Publication 800-79-1
February 22, 2008
NIST has drafted a new version of the document “Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations (SP 800-79).” The revised document is titled “Guidelines for the Accreditation of Personal Identity Verification (PIV) Card Issuers (PCI’s)”. This document, after a review and comment period, will be published as NIST SP 800-79-1. Federal agencies and private organizations as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to PIVaccreditation@nist.gov before March 30, 2008. Comments will be reviewed and posted on the CSRC website. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication. This document is now finalized as SP 800-79-1.


NIST IR 7275 Revision 3
February 1, 2008
NIST announces the release of NIST Interagency Report (NISTIR) 7275 Revision 3, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. This report describes XCCDF, which is a standardized Extensible Markup Language (XML) format that can be used to hold structured collections of security configuration rules for a set of target systems. The XCCDF specification is designed to provide automated testing and scoring that can support FISMA compliance and other efforts. NISTIR 7275 Revision 3 specifies the data model and XML representation for version 1.1.4 of XCCDF; the previous revision of NISTIR 7275 addressed version 1.1.3 of XCCDF.


Presentations from HIPAA Workshop
January 25, 2008
Presentations from the HIPAA Security Rule Implementation and Assurance workshop (a CMS & NIST Workshop) are now available.


Free Federal Desktop Core Configuration (FDCC) Implementers Workshop
January 9, 2008
On January 24, 2008, a free Federal Desktop Core Configuration (FDCC) Implementers Workshop will be held at NIST. The workshop will address technical aspects of FDCC and the corresponding Security Content Automation Protocol (SCAP) updates. Additional information relating to the workshop can be found at: http://www.nist.gov:80/public_affairs/confpage/080124.htm .

See news from 2007.