
News Archive - 2009




NIST Released Special Publication 800-57 Part 3
December 28, 2009
 
NIST announces the publication of NIST Special Publication (SP) 800-57, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. This SP is intended to help system administrators and system installers adequately secure applications based on product availability and organizational needs, and to support organizational decisions about future procurements. The guide also provides information for end users regarding application options left under their control in normal use of the application. Recommendations are given for a select set of applications, namely: Public Key Infrastructures (PKI), Internet Protocol Security (IPsec), Transport Layer Security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME), Kerberos, Over-the-Air Rekeying of Digital Radios (OTAR), Domain Name System Security Extensions (DNSSEC) and Encrypted File Systems (EFS).


NIST Released Draft Special Publication 800-126 Revision 1
December 15, 2009
 
NIST announces the public comment release of Special Publication (SP) 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. SP 800-126 defines and explains SCAP version 1.1, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications. Major changes from SCAP version 1.0 to 1.1 include the addition of Open Checklist Interactive Language (OCIL) and an upgrade to Open Vulnerability and Assessment Language (OVAL) version 5.6.
 
NIST requests comments on draft SP 800-126 Revision 1 by January 23, 2010. Please submit comments to 800-126comments@nist.gov with “Comments SP 800-126” in the subject line.


FIPS 140-3, Revised DRAFT Security Requirements for Cryptographic Modules
December 11, 2009
 
The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. The Federal Register Notice about the release of the Revised Draft FIPS 140-3 is also available. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to the 4 levels of security currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of a firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences from the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing.
 
All comments to the Revised Draft FIPS 140-3 must be received on or before March 11, 2010. Please use the template provided. Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Michaela Iorga, 100 Bureau Drive, Mail Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic comments may also be sent to: FIPS140-3@nist.gov, with "Comments on the Revised Draft FIPS 140-3" in the subject line.
 
NOTE: Additional information regarding the FIPS 140-3 draft development can be found on CSRC. A complete set of all comments received in response to the July 2007 FIPS 140-3 draft, together with NIST’s responses to these comments, is also available on CSRC.

NOTE: Please continue to direct all questions regarding the FIPS 140-2 standard and cryptographic module testing and validation to the CMVP contacts.


OMB Requesting Comments on Metrics for Annual FISMA Reporting by Federal Agencies
December 8, 2009
OMB is requesting comments on potential metrics for annual FISMA reporting by Federal agencies. These metrics represent a new approach, which focuses on improving security, not just compliance. The metrics should encourage agencies to take concrete steps to improve their security posture by implementing monitoring tools, strengthening areas such as identity and configuration management, and reporting on four new categories: remote access management, identity and access management, data level controls, and real-time security awareness and management. Please send comments to OMB-Metrics@nist.gov by January 4, 2010.


NIST Announces the Release of DRAFT NIST IR 7657, Privilege Management
November 25, 2009
 
NIST announces that draft NIST IR 7657, Privilege Management, is now available for public comment. The first draft of the document is based on the discussions and conclusions of the Privilege Management Workshop held on September 1-3, 2009 at the Gaithersburg, Maryland facilities of the National Institute of Standards and Technology (NIST). The view of privilege management expressed in this document generally aligns with the architectural and service framework for privilege management presented in the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance document [FICAM-09]. This document includes additional material and editing resulting from in-scope comments made by Workshop participants.
 
The Editor of this draft Interagency Report respectfully requests that you observe the following guidelines in providing comments:

  • Any general comments that do not include specific suggested modifications, additions, or deletions will be appreciated, of course, but will not result in changes to the draft.
  • For your specific comments, identify a line number or range of line numbers in the draft to which your comment pertains.
  • For your specific comments, identify each comment as one of the following types:
    • (A) minor editorial comment: a minor editorial comment may suggest a grammatical change for clarity, substitution of a word better suited to the thought, correction of a typo, and so on. Provide the specific text that should be inserted, modified, or deleted. The editor will accept or reject the suggestion as he sees fit. In the case of figures, a minor editorial comment may suggest small changes for clarity. Rationale for suggestions will be helpful.
    • (B) suggested content modification/correction/addition: comments of this type deal with content. Modifications are for clarity or flow; corrections are for technical accuracy; and additions are for completeness within the established scope of the topic in question. Also, a modification can be a suggested deletion of a sentence considered distracting or out of scope. However, type (B) comments should not be used to provide new material that extends the scope of the particular topic in question. If you feel that such material should be included in the report, please use a type (C) comment. The editor will accept, reject, or modify type (B) comments as he deems fit. Rationale for suggested changes will be very helpful. In cases where the comment is beyond the expertise of the editor, he will consult with the NIST-NSA Privilege Management Team for assistance in processing the comment. Modifications and corrections must be provided as specific text to use to effect the modification or correction; additions must be provided as specific text to use as the addition.
    • (C) major disagreement: a major disagreement can concern what is in the draft as well as what is not in the draft. For this type of comment, please provide the exact text that documents your position; this text will be incorporated into the NIST IR as provided, annotated as disagreement, with attribution.
  • You can provide your comments in an email--HTML or plaintext--or as an attachment to an email--plaintext, RTF, Word, or PDF format. Comments sent in any other form will not be processed.
  • NIST requests comments on Draft NIST IR 7657 by January 25, 2010. Please submit comments to draftprivmgt@nist.gov. The NIST-NSA Privilege Management team reserves the right to ignore comments received after the deadline.


NIST Releases Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
November 17, 2009
 
NIST announces the publication of the Final Public Draft of Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. This publication is the second in a series of publications being developed under the auspices of the Joint Task Force Transformation Initiative. For the past three years, NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its support contractors. The initial publication produced by the task force, NIST Special Publication 800-53, Revision 3, was historic in nature, in that it created a unified security control catalog reflecting the information security requirements of both the national security community and the non-national security community. NIST Special Publication 800-37, Revision 1, completes the transformation of the traditional process employed by the federal government to certify and accredit federal information systems into a near real-time assessment and authorization process. The revised process places greater emphasis on: (i) building information security capabilities into information systems through the application of state-of-the-practice management, operational, and technical security controls; (ii) maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes; and (iii) understanding and accepting the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use of information systems.
 
The most significant change in the Final Public Draft of Special Publication 800-37, Revision 1, is the full transformation of the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The revised RMF-based process has the following characteristics:

  • Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
  • Encourages the use of automation and automated support tools to provide senior leaders the necessary information to take credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
  • Integrates information security more closely into the enterprise architecture and system development life cycle;
  • Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
  • Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls); and
  • Links risk management processes at the information system level to risk management processes at the organization-level through a risk executive (function).
The risk management process described in this publication focuses on strategic, enterprise-centric, near real-time approaches to security assessment and system authorization, and provides the capability to manage information system-related security risks more effectively in highly dynamic environments of complex and sophisticated cyber threats, ever-increasing system vulnerabilities, and rapidly changing missions.
 
NIST requests comments on the Final Public Draft of Special Publication 800-37, Revision 1, by December 31, 2009. Please submit comments to sec-cert@nist.gov. Final publication is expected in February 2010.


Special Publication 800-126, The Technical Specification for the Security Content Automation Protocol (SCAP) is now available
November 5, 2009
 
NIST announces the release of Special Publication (SP) 800-126, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. SP 800-126 defines and explains SCAP version 1.0, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications.


NIST Interagency Report 7617 is now Available
November 3, 2009
 
NIST announces the release of NIST IR 7617 Mobile Forensic Reference Materials: A Methodology and Reification.


Draft Special Publication 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems
October 27, 2009
 
NIST announces that Draft SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, has been released for public comment. SP 800-34 Revision 1 is intended to help organizations by providing instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption. The guide defines a seven-step contingency planning process that an organization may apply to develop and maintain a viable contingency planning program for their information systems. The guide also presents three sample formats for developing an information system contingency plan based on low, moderate, or high impact level, as defined by Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.
 
Draft SP 800-34 Revision 1 is an update to the original SP 800-34, which was published in 2002.
 
NIST requests comments on draft SP 800-34 Revision 1 by January 6, 2010. Please submit comments to draft800-34-comments@nist.gov with "Comments SP 800-34" in the subject line.


Update on Proposed Reorganization of ITL
October 22, 2009
 
Based on the feedback we continue to receive, ITL has decided to put our proposed reorganization on hold. We have received expressions of both support and concern from various stakeholders. We are seriously considering this input and plan to re-evaluate how to ensure that our structure is as flexible and efficient as possible in meeting the many challenges and opportunities ahead. ITL welcomes input (itl_inquiries@nist.gov) and looks forward to continued conversations on this matter.


PIV Software - Partial CSP Version 1.3 has been Released
October 22, 2009

NIST is pleased to announce the release of a reference implementation of Partial CSP Version 1.3, a Cryptographic Service Provider for Windows Logon. This existing PIV demonstration software has been updated to decompress zipped certificates that are available on production PIV Cards. With this update, the CSP can be used to demonstrate Windows XP Logon with production PIV Cards. Note that this CSP does NOT implement all functions required of a production CSP. Please use the accompanying documentation to install the CSP and configure the Windows XP operating system.


Industrial Control System (ICS) Security Workshop
Friday, October 23, 2009
 
Pooks Hill Marriott Hotel, Bethesda, Maryland
Agenda and registration information are available.


NIST IR 7621, Small Business Information Security: The Fundamentals (final) is now available
October 9, 2009
 
NIST Computer Security Division announces that NISTIR 7621, Small Business Information Security: The Fundamentals, has been released. NISTIR 7621 is intended to help small businesses and small organizations implement the fundamental components of an effective information security program.


NIST Announces the Release of Draft Special Publication 800-78-2: Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV)
October 6, 2009
 
NIST is pleased to announce the release of Draft Special Publication 800-78-2, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV). The document has been modified 1) to re-align with the Suite B Cryptography specification and with the recently published FIPS 186-3 and 2) to eliminate a redundant encryption mode for symmetric PIV authentication protocols. In particular, the following changes are introduced in draft SP 800-78-1:
 

  • The National Security Agency’s Suite B Cryptography specification removed Elliptic Curve MQV as an NSA-approved key exchange method. To re-align with Suite B, Elliptic Curve MQV is discontinued in Draft SP800-78-2 as a key agreement scheme for the PIV card.
  • The final release of FIPS 186-3 Digital Signature Standard, published in June 2009, does not list RSA 4096 as an approved digital signature algorithm and key size for use in the federal government. To comply with FIPS 186-3, draft SP 800-78-2 accordingly removes RSA 4096 as an algorithm and key size for generating signatures for PIV data objects.
  • For symmetric authentication purposes (challenge and response), the Cipher Block Chaining (CBC) mode of encryption is redundant to the Electronic Code Book (ECB) mode of encryption. To remove the redundant implementation, CBC has been discontinued in draft SP 800-78-1.
The changes are incorporated in the document as well as in a track-change version. Comments should be submitted to piv_comments@nist.gov with "Comments on SP800-78-2" in the subject line using the Comments Template Form (Excel Spreadsheet). The comment period closes at 5:00 EST on November 12, 2009.


NIST's Computer Security Division Announces the Release of a Video for the Small Business Community Titled "Information Technology Security for Small Business. It's not just good business. It's essential business."
October 1, 2009
 
The video gives small business owners a glimpse into the resources from NIST, SBA, and the FBI that will help protect them from cyber crime. It describes computer hacking, denial-of-service, laptop theft, insider abuse, computer viruses, and computers made into bots. It encourages small business owners to define their security needs, establish IT security practices, and stay current. IT security is not only good business, it is essential business.

The video is available in the Small Business Community section of the CSRC website.


NIST Announces the Release of Special Publication 800-70 Revision 1: National Checklist Program for IT Products--Guidelines for Checklist Users and Developers and NIST IR 7581 System and Network Security Acronyms and Abbreviations
September 30, 2009
 
NIST announces the release of Special Publication (SP) 800-70 Revision 1, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers. It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. It also makes recommendations regarding checklist use and development, as well as defining the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 1 replaces the original version of the document, which was released in 2005.
 
NIST announces the release of NIST Interagency Report (IR) 7581, System and Network Security Acronyms and Abbreviations. The report contains a list of acronyms and abbreviations for selected system and network security terms, along with their generally accepted or preferred definitions. It is intended as a resource for Federal agencies and other users of security publications. Readers are encouraged to submit additional security acronyms and abbreviations, particularly for emerging technologies, for consideration as additions to future versions of the report.


NIST Released draft NIST IR 7628: Smart Grid Cyber Security Strategy and Requirements
September 25, 2009
 
NIST announces that draft NIST IR 7628, Smart Grid Cyber Security Strategy and Requirements, is now available for public comment. The first draft of the document contains the overall security strategy for the Smart Grid and the products developed from this strategy, for example: development of vulnerability classes; identification of well-understood security problems that need to be addressed; selection and development of security-relevant use cases; identification and analysis of interfaces identified in the six functional priority areas; and selection of a suite of security documents that will be used as the base for the selection and tailoring of security requirements. This is the first draft of the NISTIR; the next draft is scheduled to be posted for comment in December 2009.
 
NIST requests comments on Draft NIST IR 7628 by November 25, 2009. Please submit comments to csctgdraftcomments@nist.gov


NIST Announces the Release of 4 Documents (1 Draft SP & 3 Final SPs): Draft Special Publication (SP) 800-127, SP 800-41 Revision 1, SP 800-102 and SP 800-120
September 22, 2009
 
Publication #1: Draft SP 800-127 --
NIST announces the public comment release of Draft Special Publication 800-127, Guide to Security for WiMAX Technologies. Worldwide Interoperability for Microwave Access (WiMAX) is a wireless metropolitan area network communications technology based on the IEEE 802.16 standard. WiMAX technologies were originally developed to provide last-mile broadband wireless access, but are now more focused on cellular-like mobile architectures. Draft SP 800-127 explains the basics of WiMAX, provides information on the security capabilities of WiMAX, and gives recommendations on securing WiMAX technologies effectively. It also explains the security differences among the major versions of the IEEE 802.16 standard.
 
NIST requests comments on draft SP 800-127 by October 30, 2009. Please submit comments to 800-127comments@nist.gov with "Comments SP 800-127" in the subject line.
 
Publication #2: SP 800-41 Revision 1 --
NIST announces the release of Special Publication 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy. It provides recommendations on developing firewall policies and on selecting, configuring, testing, deploying, and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based, and personal firewalls. SP 800-41 Revision 1 updates the original publication, which was released in 2002.
 
Publication #3: SP 800-102 --
NIST announces the completion of Special Publication 800-102, Recommendation for Digital Signature Timeliness. Establishing the time when a digital signature was generated is often a critical consideration. A signed message that includes the (purported) signing time provides no assurance that the private key was used to sign the message at that time unless the accuracy of the time can be trusted. With the appropriate use of digital signature-based timestamps from a Trusted Timestamp Authority (TTA) and/or verifier-supplied data that is included in the signed message, the signatory can provide some level of assurance about the time that the message was signed.
 
Publication #4: SP 800-120 --
The National Institute of Standards and Technology (NIST) is pleased to announce the release of Special Publication 800-120, Recommendation for EAP Methods Used in Wireless Network Access Authentication. This Recommendation formalizes core security requirements for EAP methods when employed by the U.S. Federal Government for wireless authentication and key establishment.


NIST Draft Special Publication SP 800-85B-1 PIV Data Model Conformance Test Guidelines is now available for comment
September 11, 2009
 
NIST has produced a revised version of NIST Special Publication SP 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test the optional features added to the PIV Data Model in SP 800-73-2 Part 1, and updated tests to conform to the cryptographic migration timeline specified in SP 800-78-1. A short summary of the changes is available. This document, after a review and comment period, will be published as NIST SP 800-85B-1. Federal agencies and private organizations, including test laboratories, as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-1" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet). The comment period closes at 5:00 EST (US and Canada) on September 25, 2009. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.


Special Publication 800-56B Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography is now available
August 31, 2009
NIST announces the completion of Special Publication (SP) 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography. This Recommendation provides the specifications of key establishment schemes that are based on a standard developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.44, Key Establishment using Integer Factorization Cryptography. SP 800-56B provides asymmetric-based key agreement and key transport schemes that are based on the Rivest Shamir Adleman (RSA) algorithm.


NIST Computer Security Division Releases 2 Draft Documents: NIST IR 7621 Small Business Information Security: The Fundamentals and Special Publication 800-81R1 Secure Domain Name System (DNS) Deployment Guide
August 26, 2009
 
Draft Document #1:
NIST Computer Security Division announces that Draft NISTIR 7621, Small Business Information Security: The Fundamentals, has been released for public comment. NISTIR 7621 is intended to help small businesses and small organizations implement the fundamental components of an effective information security program.
 
NIST requests comments on draft NISTIR 7621 by September 16, 2009. Please submit comments to Richard.Kissel@nist.gov, with “Comments NISTIR 7621” in the subject line.
 
Draft Document #2:
NIST has drafted another revision of the document “Secure Domain Name System (DNS) Deployment Guide” (SP 800-81). This revision addresses all the comments and feedback received for the first revision through public comments in March 2009, in addition to adding 3 more subsections described below. After addressing the public comments received in this round, it will be published as NIST SP 800-81r1. Federal agencies and private organizations as well as individuals are invited to review this draft and submit comments to NIST by sending them to SecureDNS@nist.gov before September 30, 2009. Comments will be reviewed and posted on the CSRC website. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication. A brief description of the 3 new subsections is given below:

What is new in this revision leading to SP 800-81r1:
   (1) Guidelines and procedures for migrating to a new cryptographic algorithm for signing the zone (Section 11.5).
   (2) Guidelines and procedures for migrating from NSEC to NSEC3 for providing authenticated denial of existence (Section 11.6).
   (3) Deployment guidelines for split-zone configurations under different scenarios (Section 11.7).


Draft NIST Interagency Report 7609, Cryptographic Key Management Workshop Summary (June 8-9, 2009), Now Available for Comment
August 19, 2009
NIST announces that the Draft NIST Interagency Report 7609, Cryptographic Key Management Workshop Summary (June 8-9, 2009), is available for public comment. The Cryptographic Key Management (CKM) workshop was initiated by the NIST Computer Security Division to identify and develop technologies that would allow organizations to leap ahead of normal development lifecycles to vastly improve the security of future sensitive and valuable computer applications. The workshop was the first step in developing a CKM framework. This summary provides the highlights of the presentations, organized by both topic and by presenter. Please provide comments by September 18, 2009 to ebarker@nist.gov, with “Comments on the Key Management Workshop Report” in the subject line.


Draft Special Publication 800-38E Now Available for Public Comment
August 17, 2009
NIST announces that the Draft NIST Special Publication 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Block-Oriented Storage Devices, is available for public comment. This document approves the XTS-AES mode of the AES algorithm by reference to IEEE Std 1619-2007, subject to one additional requirement, as an option for protecting the confidentiality of data on block-oriented storage devices. This mode does not provide authentication, in order to avoid expansion of the data; however, it does provide some protection against malicious manipulation of the encrypted data.
 
The XTS-AES mode was submitted to NIST by the IEEE P1619 Task Group. On June 5, 2008, NIST initiated a 90-day period of public comment on the proposal to approve XTS-AES by reference to IEEE Std 1619-2007; during the comment period, IEEE made the specification of the mode in that standard, and other relevant excerpts, available free of charge. NIST decided to proceed with the proposal after considering the public comments that NIST received, and follow-up comments from the IEEE P1619 Task Group, both available at the modes public comment page.
 
Comments on the text of the Draft NIST SP 800-38E may be submitted to EncryptionModes@nist.gov until September 17, 2009.


The National Institute of Standards and Technology (NIST) is pleased to announce the release of NIST Interagency Report 7611, Use of ISO/IEC 24727 -- Service Access Layer Interface for Identity (SALII): support for development and use of interoperable identity credentials
August 14, 2009
 
The Interagency Report details properties and capabilities of ISO/IEC 24727 to achieve identity credential interoperability, enabling client applications to access identity credentials from different issuers. Specifically, the document explores this new standard by discussing existing Federal identity credentials, such as PIV, and the PIV application demonstrations developed by NIST. The capabilities of ISO/IEC 24727 are illustrated through a proof-of-concept scenario in which the PIV Card interacts with applications (Windows Logon, Linux Logon, Email Signing and Encryption) through the ISO/IEC 24727 framework, thus achieving credential independence from the client application.
 
The document provides a high-level discussion and strives to minimize technical details. An additional publication elaborating the technical discussion, including an ISO/IEC 24727 reference implementation, will be provided after the proof-of-concept implementation.


NIST Releases Draft Special Publication 800-73-3, Interfaces for Personal Identity Verification
August 13, 2009
NIST announces that Draft Special Publication (SP) 800-73-3, Interfaces for Personal Identity Verification, has been released for public comment. Draft SP 800-73-3 introduces new, optional features including:
 
(1) on-card retention of retired Key Management keys and corresponding X.509 certificates for the purpose of deriving or decrypting data encryption keys;
 
(2) use of the ECDH key establishment scheme with the Key Management Key, as specified in SP 800-78-1; and
 
(3) provisions for Non-Federal Issuer (NFI) credentials.
 
Draft SP 800-73-3 also includes editorial changes aimed at clarifying ambiguities.
 
Except for minor editorial changes, all changes can be reviewed in the track-change version of Draft SP 800-73-3 (link provided above).
 
NIST requests comments on draft SP 800-73-3 by 5:00pm EDT on September 13, 2009. Please submit your comments, using the comment template form, to PIV_comments@nist.gov with "Comments on Public Draft SP 800-73-3" in the subject line.


Draft NIST Interagency Report (IR) 7581 is available for review and comment
August 11, 2009
NIST announces that draft NIST IR 7581, System and Network Security Acronyms and Abbreviations, is now available for public comment. The report contains a list of acronyms and abbreviations for selected system and network security terms, along with their generally accepted or preferred definitions. It is intended as a resource for Federal agencies and other users of system and network security publications. Readers are encouraged to submit additional security acronyms and abbreviations, particularly for emerging technologies, for consideration as additions to the report.
 
NIST requests comments on Draft NIST IR 7581 by September 11, 2009. Please submit comments to securityacronyms@nist.gov.


NIST Releases Special Publication 800-53 Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
July 31, 2009
NIST announces the final publication of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems. The standardized set of management, operational, and technical controls provides a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non-national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems. In addition to the expansion of the security control catalog, Special Publication 800-53, Revision 3 contains significant changes including:

  • A simplified, six-step Risk Management Framework;
  • Additional security controls and control enhancements for advanced cyber threats;
  • Recommendations for prioritizing or sequencing security controls during implementation or deployment;
  • Revised security control structure with a new references section;
  • Elimination of security requirements from Supplemental Guidance sections;
  • Guidance on using the Risk Management Framework for legacy information systems and for external providers of information system services;
  • Updates to security control baselines consistent with current threat information and known cyber attacks;
  • Organization-level security controls for managing information security programs;
  • Guidance on the management of common controls within organizations; and
  • Strategy for harmonizing FISMA security standards and guidelines with international security standard ISO/IEC 27001.

The important changes described in Special Publication 800-53, Revision 3 are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation. Following the final publication of Special Publication 800-53, Revision 3, the collaborative work between the national security and non national security communities will continue with updates to other key publications such as:

  • NIST Special Publication 800-37, Applying the Risk Management Framework to Federal Information Systems;
  • NIST Special Publication 800-39, Integrated Enterprise-wide Risk Management: Organization, Mission, and Information Systems View;
  • NIST Special Publication 800-30, Guide for Conducting Risk Assessments; and
  • NIST Special Publication 800-53A, Guide for Assessing Security Controls in Federal Information Systems and Organizations.

The schedule for the development of all key FISMA-related publications, based on new milestones established among the participating partners in the Joint Task Force Transformation Initiative, can be found at: http://csrc.nist.gov/groups/SMA/fisma/schedule.html.


NIST Releases Draft Special Publication 800-126, The Technical Specification for the Security Content Automation Protocol (SCAP)
July 31, 2009
 
NIST announces that Draft Special Publication (SP) 800-126, The Technical Specification for the Security Content Automation Protocol (SCAP), has been released for public comment. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-126 also provides an overview of SCAP, focusing on how software developers can integrate SCAP technology into their product offerings and interfaces.
 
NIST requests comments on draft SP 800-126 by August 31, 2009. Please submit comments to 800-126comments@nist.gov with "Comments SP 800-126" in the subject line.


Comments Received on White Paper: The Transitioning of Cryptographic Algorithms and Key Sizes
July 27, 2009
Comments received as of July 24, 2009.
 
Announcement From July 2: Comments are requested on the white paper "The Transitioning of Cryptographic Algorithms and Key Sizes" by August 3, 2009. Please provide comments to CryptoTransitions@nist.gov.


Draft Special Publication 800-65 Revision 1 has been Released
July 14, 2009
NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments. NIST requests comments on draft SP 800-65 by August 14, 2009. Please submit comments to draft800-65-comments@nist.gov with "Comments SP 800-65Rev1" in the subject line.


FISMA Implementation Project Announced New Publications Milestone Schedule
July 7, 2009
The FISMA Implementation Project has announced a new milestone schedule for its key publications in development or undergoing modification. These publications include:

  • SP 800-53, Revision 3: Recommended Security Controls for Federal Information Systems and Organizations (Projected Final: July 31, 2009)
  • SP 800-37, Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Formerly Guide for the Security Certification and Accreditation of Federal Information Systems) (Projected Final: October 2009)
  • SP 800-39: Integrated Enterprise-wide Risk Management: Organization, Mission, and Information Systems View (Formerly Managing Risk from Information Systems: An Organizational Perspective) (Projected Final: December 2009)
  • SP 800-53A, Revision 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations (Projected Final: January 2010)
  • SP 800-30, Revision 1: Guide for Conducting Risk Assessments (Formerly Risk Management Guide for Information Technology Systems) (Projected Final: January 2010)

The original completion dates for the publications listed above have been changed to reflect the new priorities associated with the Information Security Transformation Initiative (the current project underway with the Department of Defense, the Office of the Director of National Intelligence, and Committee on National Security Systems to develop a common set of information security standards and guidelines for the federal government and its contractors). Any future changes to the milestone dates will be posted on the NIST web site as soon as the information is available from the Joint Task Force Transformation Initiative Working Group.


White Paper: The Transitioning of Cryptographic Algorithms and Key Sizes
July 2, 2009
Comments are requested on the white paper "The Transitioning of Cryptographic Algorithms and Key Sizes" by August 3, 2009. Please provide comments to CryptoTransitions@nist.gov.


Video Recording of Cryptographic Key Management Workshop - now available
June 22, 2009
Video recordings of the Cryptographic Key Management Workshop, held on June 8-9, 2009, are available via the “Cryptographic Key Management Workshop” link.


NIST Computer Security Division announces the release of two documents (1 draft NIST IR and 1 final Special Publication (SP)).
June 16, 2009
 
#1: SP 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security, has been published as final. SP 800-46 Revision 1 is intended to help organizations understand and mitigate the risks associated with the technologies they use for telework. The guide emphasizes the importance of securing sensitive information stored on telework devices and transmitted across external networks, and it also provides recommendations for selecting, implementing, and maintaining the necessary security controls. SP 800-46 Revision 1 is a comprehensive update to the original SP 800-46, which was published in 2002.

#2: The second public draft of NIST IR 7502, The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities, is now available for public comment. This report proposes a specification for CCSS, a set of standardized measures for the severity of software security configuration vulnerabilities. NISTIR 7502 also provides examples of how CCSS measures and scores would be determined. Once CCSS is finalized and CCSS measures for products are available, organizations can use CCSS to help them make security decisions based on standardized, quantitative vulnerability data.
 
NIST requests comments on Draft NISTIR 7502 by July 17, 2009. Please submit comments to IR7502comments@nist.gov with "Comments IR 7502" in the subject line.


Mark-up Version of SP 800-53 Revision 3 now available
June 10, 2009
The mark-up copy of Draft Special Publication 800-53 Rev. 3 is now available. Please accept our apologies for the delay in releasing this mark-up copy.


FIPS Publication 186-3 has been released
June 10, 2009
NIST announces the adoption of FIPS 186-3, The Digital Signature Standard (see the Federal Register Notice). FIPS 186-3 is a revision of FIPS 186-2. The FIPS specifies three techniques for the generation and verification of digital signatures: DSA, ECDSA and RSA. This revision increases the length of the keys allowed for DSA, provides additional requirements for the use of ECDSA and RSA, and includes requirements for obtaining assurances necessary for valid digital signatures.


NIST Announces the Release of the Final Public Draft of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
June 3, 2009
 
NIST announces the release of the final public draft of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. The final public draft of Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national security systems. The updated security control catalog incorporates best practices in information security from the United States Department of Defense, Intelligence Community, and Civil agencies, to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.
 
The standardized set of management, operational, and technical controls provides a common specification language for information security for federal information systems processing, storing, and transmitting both national security and non-national security information. The revised security control catalog also includes state-of-the-practice safeguards and countermeasures needed by organizations to address advanced cyber threats capable of exploiting vulnerabilities in federal information systems. The important changes in Special Publication 800-53, Revision 3 are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the Nation. The final publication of Special Publication 800-53, Revision 3 is targeted for July 31, 2009. Comments will be accepted until July 1, 2009 and should be sent to sec-cert@nist.gov. NIST will post the markup version of Special Publication 800-53, Revision 3, on or around June 10, 2009.


Risk Management Framework (RMF) - FAQs and Quick Start Guides (QSGs) Now Available
May 15, 2009
 
NIST’s Computer Security Division has released Frequently Asked Questions (FAQs) and Quick Start Guides (QSGs) for Step 1 (Categorize) and Step 6 (Monitor) of the Risk Management Framework (RMF). The FAQs and QSGs for Steps 2-5 are still in development and will become available when finalized. The RMF 6-step chart posted on the website contains links to the NIST Special Publications (SP), Federal Information Processing Standards (FIPS), FAQs and QSGs associated with the respective steps in the RMF.


Working Definition of Cloud Computing Released
May 14, 2009
 
NIST announces that its working definition of cloud computing is available. Researchers worked in collaboration with industry and government to draft the definition that serves as a foundation for its research and future publication on the topic. Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Researchers are studying cloud architectures, economics, security and deployment strategies for the federal government.
 
Comments on the definition can be sent to cloud@nist.gov.


Draft Special Publication 800-117
May 5, 2009
 
NIST announces that Draft Special Publication (SP) 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP), has been released for public comment. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-117 provides an overview of SCAP, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains how IT product and service vendors can adopt SCAP's capabilities within their offerings.
 
NIST requests comments on draft SP 800-117 by June 12, 2009. Please submit comments to 800-117comments@nist.gov with "Comments SP 800-117" in the subject line.


Draft Special Publication 800-118
April 21, 2009
 
NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
 
NIST requests comments on draft SP 800-118 by May 29, 2009. Please submit comments to 800-118comments@nist.gov with "Comments SP 800-118" in the subject line.


Special Publication 800-85A-1
April 3, 2009
 
NIST is pleased to announce the release of SP 800-85A-1, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-2 Compliance). This document provides Derived Test Requirements (DTR) and Test Assertions (TA) for testing the PIV Card Application and the PIV Middleware interfaces for conformance to the specifications in SP 800-73-2 (Interfaces for Personal Identity Verification). The document is a revision of the earlier version (March 2006), which reflected the TA and DTR from the superseded SP 800-73-1, 2006 Edition. The new SP 800-85A-1 is based on the TA and DTRs from SP 800-73-2 (September 2008 Edition) and includes the additional tests necessary to test some of the optional features added to the PIV Data Model and Card Interface, as well as the PIV Middleware, through specifications SP 800-73-2 Parts 1, 2 and 3. A short summary of the changes is available here.


Draft Special Publication (SP) 800-16 Rev. 1, Information Security Training Requirements: A Role- and Performance-Based Model
March 20, 2009
 
NIST announces the release of the Initial Public Draft (IPD) of Special Publication 800-16, Revision 1, Information Security Training Requirements: A Role- and Performance-Based Model. This publication is now available for public comment.
 
The comprehensive training methodology provided in this publication is intended to be used by federal information security professionals and instructional design specialists to design (1) role-based training courses or modules for personnel who have been identified as having significant responsibilities for information security, and (2) a basics and literacy course for all users of information systems.
 
We encourage readers to pay special attention to the Notes to Reviewers section, as we are looking for feedback on the many changes we have made to this document.
 
Comments will be accepted until June 26, 2009. Comments should be forwarded via email to 800-16comments@nist.gov.


NIST Computer Security Division Released 2 NIST IRs (1 Draft and 1 Final)
March 6, 2009
#1: Draft NIST Interagency Report (IR) 7564, Directions in Security Metrics Research, is now available for public comment. This report provides an overview of the security metrics area and identifies possible avenues of research that could be pursued to advance the state of the art.
 
NIST requests that comments be submitted by electronic mail by March 27, 2009. Please send them to IR7564comments@nist.gov with "Comments IR 7564" in the subject line.
 
#2: NIST Interagency Report (IR) 7536, 2008 Computer Security Division Annual Report, is now available. Please note that the electronic version on CSRC is not the final printed version. The final printed version, in full color, should be available by the end of March or the first week of April.


Draft SP 800-53, Revision 3 (Markup) is now available
February 27, 2009
 
The following document provides a line-by-line comparison between SP 800-53, Revision 2 and Draft SP 800-53, Revision 3. It should also be noted that the section of the publication addressing scoping considerations for scalability was inadvertently omitted from the public draft and will be reinstated in the final publication.


NIST Computer Security Division Released 2 Draft Documents: Draft Special Publication 800-81 Revision 1 and also Draft NIST IR 7517 - see below for details
February 27, 2009
 
#1 --- NIST has drafted a new version of the document “Secure Domain Name System (DNS) Deployment Guide (SP 800-81)”. This document, after a review and comment cycle, will be published as NIST SP 800-81 Revision 1. There will be two rounds of public comments, and this is our posting for the first one. Federal agencies and private organizations, as well as individuals, are invited to review the draft Guidelines and submit comments to NIST by sending them to SecureDNS@nist.gov before March 31, 2009. Comments will be reviewed and posted on the CSRC website. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication. To learn more about this document, please visit the DRAFTS page on CSRC. On the DRAFTS page there is a short list of the changes that have been made in this draft document relative to the original SP 800-81 released in 2006.
 
#2 --- Draft NIST Interagency Report (IR) 7517, The Common Misuse Scoring System (CMSS), is now available for public comment. This report proposes a specification for CMSS, a set of standardized measures for the severity of software feature misuse vulnerabilities. NISTIR 7517 also provides examples of how CMSS measures and scores would be determined. Once CMSS is finalized, CMSS data can assist organizations in making security decisions based on standardized, quantitative vulnerability data.
 
NIST requests comments on Draft NISTIR 7517 by April 3, 2009. Please submit comments to IR7517comments@nist.gov with "Comments IR 7517" in the subject line.


NIST Releases DRAFT Special Publication 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security
February 24, 2009
 
NIST announces that Draft Special Publication 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security, has been released for public comment. SP 800-46 Revision 1 is intended to help organizations understand and mitigate the risks associated with the technologies they use for telework. The guide emphasizes the importance of securing sensitive information stored on telework devices and transmitted across external networks, and it also provides recommendations for selecting, implementing, and maintaining the necessary security controls. Draft SP 800-46 Revision 1 is a comprehensive update to the original SP 800-46, which was published in 2002.
 
NIST requests comments on draft SP 800-46 Revision 1 by March 27, 2009. Please submit comments to 800-46comments@nist.gov with "Comments SP 800-46" in the subject line.


NIST Computer Security Division has announced the Safeguarding Health Information: Building Assurance Through HIPAA Security – A CMS & NIST HIPAA Security Rule Conference website is now available
February 23, 2009
 
Information regarding the Safeguarding Health Information: Building Assurance through Security – A CMS & NIST HIPAA Security Rule Conference is now available on the CSRC website. This conference will be held on May 18-19, 2009 at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD. More information regarding this conference, along with the agenda, registration and hotel accommodations, directions to NIST, and conference contacts, can be found at the conference website on CSRC.


NIST announces the release of Special Publication 800-106 and Special Publication (SP) 800-107
February 20, 2009
 
NIST announces the release of Special Publication 800-106, Randomized Hashing for Digital Signatures. This Recommendation provides a technique to randomize the input messages to hash functions prior to the generation of digital signatures, to strengthen the security of the digital signatures.
 
NIST announces the release of Special Publication 800-107, Recommendation for Using Approved Hash Algorithms. This Recommendation provides guidance on using the Approved hash algorithms in digital signature applications, Keyed-hash Message Authentication Codes (HMACs), key derivation functions (KDFs) and random number generators.


Comments Received for Draft Special Publication 800-120
February 19, 2009
Please see the following file for the comments received on the draft Special Publication 800-120 during the public comment period.


Draft SP800-85A-1 "PIV Card Application and Middleware Interface Test Guidelines (SP800-73-2 compliance)"
February 6, 2009
NIST has prepared a revised version of NIST Special Publication (SP) 800-85A, “PIV Card Application and Middleware Interface Test Guidelines (SP 800-73 compliance)”. The revised document is titled Draft SP 800-85A-1, “PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-2 compliance)”. The revisions include the additional tests necessary to test some of the optional features added to the PIV Data Model and Card Interface, as well as the PIV Middleware, through specifications SP 800-73-2 Parts 1, 2 and 3. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85A-1. Federal agencies and private organizations, including test laboratories, as well as individuals, are invited to review the draft Guidelines and submit comments to NIST by sending them to PIVtesting@nist.gov with "Comments on Public Draft SP 800-85A-1" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet). The comment period closes at 5:00 EST (US and Canada) on February 28, 2009. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.


DRAFT SP 800-53 Rev.3, Recommended Security Controls for Federal Information Systems and Organizations
February 5, 2009
NIST announces the release of the Initial Public Draft (IPD) of Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations. This is the first major update of Special Publication 800-53 since its initial publication in December 2005. We have received excellent feedback from our customers during the past three years and have taken this opportunity to provide significant improvements to the security control catalog. In addition, the changing threat environment and growing sophistication of cyber attacks necessitated specific changes to the allocation of security controls and control enhancements in the low-impact, moderate-impact, and high-impact baselines. We also continue to work closely with the Department of Defense and the Office of the Director of National Intelligence, under the auspices of the Committee on National Security Systems, on the harmonization of security control specifications across the federal government. Lastly, we have added new security controls to address organization-wide security programs and introduced the concept of a security program plan to capture security program management requirements for organizations. The privacy-related material, originally scheduled to be included in Special Publication 800-53, Revision 3, will undergo a separate public review process in the near future and be incorporated into this publication when completed. Comments will be accepted until March 27, 2009. Comments should be forwarded via email to sec-cert@nist.gov.


NIST Announces the release of 2 Draft documents: (1) DRAFT Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) and (2) DRAFT NIST IR 7497
January 13, 2009
(1) NIST announces that draft Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), is now available for public comment. SP 800-122 is intended to assist Federal organizations in identifying PII and determining what level of protection each instance of PII requires, based on the potential impact of a breach of the PII's confidentiality. The publication also suggests safeguards that may offer appropriate protection for PII and makes recommendations regarding PII data breach handling.
 
NIST requests comments on draft SP 800-122 by March 13, 2009. Please submit comments to 800-122comments@nist.gov with "Comments SP 800-122" in the subject line.

(2) Draft NIST Interagency Report (IR) 7497, Security Architecture Design Process for Health Information Exchanges (HIEs), is intended to provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and applies them specifically to the HIE domain. This publication assists organizations in ensuring that data protection is adequately addressed throughout the system development life cycle, and that these data protection mechanisms are applied when the organization develops technologies that enable the exchange of health information.

Please submit your comments to draft-nistir7497-comments@nist.gov. The comment period for draft NIST IR 7497 closes on Friday, March 13, 2009.
