NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage
Search CSRC:

govdelivery bubble icon Sign Up for Email Alerts from NIST's Computer Security Division:

News Archive - 2011


2013 | 2012 | 2011 | 2010 | 2009


NIST Computer Security Division is proud to announce the release of Special Publication 800-63-1, Electronic Authentication Guidelines
December 13, 2011
 
To view the full press release of Special Publication 800-63-1.

Click here to download / view Special Publication 800-63-1 Electronic Authentication Guideline in PDF file format.


NIST Computer Security Division Announce the Comment Release of DRAFT Special Publication 800-155, BIOS Integrity Measurement Guidelines
December 8, 2011
 
NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization —either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.
 
NIST requests comments on draft SP 800-155 by January 20, 2012. Please submit comments to 800-155comments@nist.gov, with "Comments SP 800-155" in the subject line. This notice also appears on our CSRC Drafts Publications page as well.


Draft NIST Interagency Report 7831, Common Remediation Enumeration Version 1.0 is Available for Public Comment
December 7, 2011
 
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7831, Common Remediation Enumeration Version 1.0. NISTIR 7831 defines the Common Remediation Enumeration (CRE) specification. CRE is part of an emerging suite of enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities. Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier (CRE-ID). This specification describes the core concepts of CRE and the technical components of a CRE entry, outlines how CRE entries are created, and defines the technical requirements for constructing CRE entries.
 
NIST requests public comments on draft NISTIR 7831 by January 20, 2012. Comments should be sent to remediation-comments@nist.gov.


The Computer Security Division Announce Call for Participation for Cyber-Physical Systems (CPSs) Workshop
December 6, 2011
 
On April 23 and 24, 2012, the NIST ITL Computer Security Division will host a two-day workshop to explore cybersecurity needed for cyber-physical systems (CPSs), with a focus on research results and real-world deployment experiences. On the first day, speakers will address CPSs across multiple sectors of industry (e.g., automotive, aviation, healthcare). The second day will focus on cyber security needs of CPSs in the electric Smart Grid. A call for extended abstracts is attached. The extended abstracts will be used to invite potential speakers for the workshop. Click this link to view or download the call for abstracts that contains all details for submissions.


NIST Computer Security Division is Proud to Announce the Release of Special Publication 800-56C
December 1, 2011
 
The National Institute of Standards and Technology (NIST) is pleased to announce the release of Special Publication 800-56C. Recommendation for Key Derivation through Extraction-then-Expansion. This Recommendation specifies techniques for the derivation of keying material from a shared secret established during a key establishment scheme defined in NIST Special Publications 800-56A or 800-56B through an extraction-then-expansion procedure.


NIST is Proud to Announce the Release of 3 NIST Interagency Reports (NISTIR): NISTIR 7815, NISTIR 7791, and NISTIR 7806 (See Below for Full Announcement & Links)
Novemeber 18, 2011
 
NISTIR #1: NIST is proud to announce the release of NIST Interagency Report (NISTIR) 7815, Access Control for SAR Systems
This report describes concepts, issues, and recommendations surrounding the identification, encoding, testing, and deployment of policies used to control access to Suspicious Activity Report (SAR) records. In addition, this report defines an architectural and design specification of a privilege management system called the Policy Evaluation Testbed (PET) system that is used to support and demonstrate the application of access control policies to SAR records.
(here is URL to where this NISTIR can be found on the NISTIR page on CSRC).
 
NISTIR #2: NIST is proud to announce the release of NIST Interagency Report (NISTIR) 7791, Conformance Test Architecture and Test Suite for ANSI/NIST-ITL 1-2007
The Conformance Test Architecture and Test Suite described in this publication are designed to test implementations of ANSI/NIST ITL 1-2007. The code is currently designed to support testing of selected record types of the standard but can be extended to support other record types as required. A high-level overview of the architecture and test suite as well as software details and the code structure are provided. A quick start user guide and a comprehensive table of the standard’s requirements and the associated implemented conformance test assertions (over five-hundred and thirty) are included.
(here is URL to where this NISTIR can be found on the NISTIR page on CSRC)
 
NISTIR #3: NIST is pleased to announce the release of NIST Interagency Report (NISTIR) 7806, ANSI/NIST-ITL 1-2011 Requirements and Conformance Test Assertions
This publication documents set of test assertions based on the requirements specified in the 4th draft of a new version of the ANSI/NIST-ITL standard (2011). Over twelve hundred test assertions have been identified and organized into a set of tables to assist in the development of a conformance test tool designed to test implementations of the new version of the ANSI/NIST-ITL standard for selected record types. These tables were contributed to the Conformance Testing Methodology (CTM) Working Group which was recently established by NIST/ITL to develop a CTM for the new version of the ANSI/NIST-ITL (AN-2011) standard. As the technical content of the AN-2011 draft standard evolves towards approval and publication (the final versison is already available), revised versions of these tables will be developed until they fully address the requirements of the approved AN-2011 standard. This publication documents the assertions developed and the terms, operands, and operators used in defining these assertions. Brief information on previous and ongoing conformance test tools development within NIST/ITL CSD is included.
(here is URL to where this NISTIR can be found on the NISTIR page on CSRC)


Special Publication 800-145, The NIST Definition of Cloud Computing has been Released
October 20, 2011
 
NIST announces the final release of Special Publication 800-145, The NIST Definition of Cloud Computing. This publication describes how cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition characterizes important aspects of cloud computing and is intended to serve as a means for broad comparisons of cloud services and deployment strategies, and to provide a baseline for discussion from what is cloud computing to how to best use cloud computing.


NIST Interagency Report 7275 Rev. 4, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2
September 30, 2011
 
NIST announces the final release of NIST Interagency Report (NISTIR) 7275 Revision 4, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. The Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 is the latest revision of an Extensible Markup Language (XML) based model that enables the standardized expression of security configuration rules. The intent of XCCDF is to provide a uniform foundation for expression and compliance assessment of security checklists and other configuration guidance, and thereby foster more widespread application of sound security practices. XCCDF 1.2 supports the Security Content Automation Protocol (SCAP) version 1.2.


Special Publication 800-137 (Final), Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
September 30, 2011
 
NIST is pleased to announce the final publication of Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Information Systems and Organizations. Special Publication 800-137 provides guidelines for defining an information security continuous monitoring strategy and establishing an information security continuous monitoring program. The purpose of the guideline is to assist organizations in the development of an ISCM strategy and the implementation of an ISCM program that provides awareness of threats and vulnerabilities, visibility into organizational assets, and information about the effectiveness of deployed security controls.


Special Publication 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2
September 30, 2011
 
NIST announces the final release of Special Publication (SP) 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications. Major changes from SCAP version 1.1 to 1.2 include the addition of the following components: Asset Reporting Format (ARF), Asset Identification, Common Configuration Scoring System (CCSS), and Trust Model for Security Automation Data (TMSAD), which provides support for digitally signing SCAP source and result content. SCAP 1.2 also includes new source and result data stream models, and it upgrades Open Vulnerability and Assessment Language (OVAL) support to version 5.10, Common Platform Enumeration (CPE) support to version 2.3, and Extensible Configuration Checklist Description Format (XCCDF) support to version 1.2.


NIST Computer Security Division is proud to announce the release of 4 Publications - 2 Draft Special Publications (SP) (SP 800-121 Rev. 1 and SP 800-153) and 2 NIST Interagency Reports (IR) (NISTIR 7802 and NISTIR 7788) - see details below for information about these 4 Publications
September 29, 2011
 
Publication #1: Draft Special Publication 800-153, Guidelines fro Securing Wireless Local Area Networks (WLANs)
NIST announces that Draft Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs), is available for public comment. The purpose of this publication is to provide organizations with recommendations for improving the security configuration and monitoring of their IEEE 802.11 wireless local area networks (WLANs) and their devices connecting to those networks. Recommendations in draft SP 800-153 cover topics such as standardized WLAN security configurations, dual connected WLAN client devices, and security assessments and continuous monitoring. This publication supplements, and does not replace, other NIST publications on WLAN security.
 
NIST requests comments on draft SP 800-153 by November 10, 2011. Please submit comments to 800-153comments@nist.gov, with "Comments SP 800-153" in the subject line.
 
Publication #2: Draft Special Publication 800-121 Revision 1, Guide to Bluetooth Security
NIST announces the public comment release of Draft Special Publication (SP) 800-121 Revision 1, Guide to Bluetooth Security. It describes the security capabilities of technologies based on Bluetooth, which is an open standard for short-range radio frequency communication. The document gives recommendations to organizations employing Bluetooth technologies on securing them effectively. Significant changes from the original SP 800-121 include adding the latest vulnerability mitigation information for Secure Simple Pairing, and introducing and discussing Bluetooth v3.0 + High Speed and Bluetooth v4.0 Low Energy security mechanisms and recommendations.
 
NIST requests comments on draft SP 800-121 Revision 1 by November 10, 2011. Please send comments to 800-121comments@nist.gov, with "Comments on SP 800-121" in the subject line.
 
Publication #3: NIST Interagency Report (IR) 7802, Trust Model for Security Automation Data (TMSAD) Version 1.0
NIST announces the final release of NIST Interagency Report (IR) 7802, Trust Model for Security Automation Data (TMSAD) Version 1.0. This report defines the specification for version 1.0 of the Trust Model for Security Automation Data (TMSAD), which is designed to permit organizations to establish integrity, authentication, and traceability for security automation data. The trust model focuses on using digital signatures with Extensible Markup Language (XML) based security automation source and result documents. TMSAD supports the Security Content Automation Protocol (SCAP) version 1.2.
 
Publication #4: NIST IR 7788, Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs
NIST is pleased to announce the release of NIST Interagency Report (NISTIR) 7788, Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. Today’s information systems face sophisticated attackers who combine multiple vulnerabilities to penetrate networks with devastating impact. To accurately assess the security of enterprise systems, one must understand how vulnerabilities can be combined and exploited to stage an attack. Composition of vulnerabilities can be modeled using probabilistic attack graphs, which show all paths of attacks that allow incremental network penetration. Attack likelihoods are propagated through the attack graph, yielding a novel way to measure the security risk of enterprise systems. This methodology can be used to evaluate and strengthen the overall security of enterprise networks.
 
Contact: Dr. Anoop Singhal    Phone: (301) 975-4432
Email: anoop.singhal@nist.gov
Project URL: http://csrc.nist.gov/groups/SNS/security-risk-analysis-enterprise-networks/


Initial Public Draft (IPD) of Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments
September 19, 2011
 
The National Institute of Standards and Technology (NIST) announces the initial public draft of Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments. Special Publication 800-30, Revision 1, is the fifth in the series of risk management and information security guidelines being developed by the Joint Task Force, a joint partnership among the Department of Defense, the Intelligence Community, NIST, and the Committee on National Security Systems. The partnership, under the leadership of the Secretary of Defense, the Director of National Intelligence, and the Secretary of Commerce, continues to collaborate on the development of a unified information security framework for the federal government to address the challenges of protecting federal information and information systems as well as the Nation’s critical information infrastructure.
 
In today’s world of complex and sophisticated threats, risk assessments are an essential tool for organizations to employ as part of a comprehensive risk management program. Risk assessments can help organizations:

  • Determine the most appropriate risk responses to ongoing cyber attacks or threats from man-made or natural disasters;
  • Guide investment strategies and decisions for the most effective cyber defenses to help protect organizational operations (including missions, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and
  • Maintain ongoing situational awareness with regard to the security state of organizational information systems and the environments in which the systems operate.
This publication changes the focus of Special Publication 800-30, originally published as a risk management guideline. NIST Special Publication 800-39 has now replaced Special Publication 800-30 as the authoritative source of comprehensive risk management guidance. The update to Special Publication 800-30 focuses exclusively on risk assessments, one of the four steps in the risk management process. The risk assessment guidance in Special Publication 800-30 has been significantly expanded to include more in-depth information on a wide variety of risk factors essential to determining information security risk (e.g., threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of threat occurrence). A three-step process is described including key activities to prepare for risk assessments, activities to successfully conduct risk assessments, and approaches to maintain the currency of assessment results.
 
In addition to providing a comprehensive process for assessing information security risk, the publication also describes how to apply the process at the three tiers in the risk management hierarchy—the organization level, mission/business process level, and information system level. To facilitate ease of use for individuals or groups conducting risk assessments within organizations, a set of exemplary templates, tables, and assessment scales for common risk factors is also provided. The templates, tables, and assessment scales give maximum flexibility in designing risk assessments based on the express purpose, scope, assumptions, and constraints established by organizations.
 
The public comment period for NIST Special Publication 800-30, Revision 1, is September 19 through November 4, 2011. Please send comments to sec-cert@nist.gov


DRAFT Special Publication 800-107 Revised, Recommendation for Applications Using Approved Hash Algorithms
September 14, 2011
 
NIST requests comments on Draft (Revised) Special Publication 800-107. This Special Publication provides security guidelines for achieving the desired security strengths of several cryptographic applications that employ the approved cryptographic hash functions specified in FIPS 180-4. The current version of this document was published in February 2009. This revision includes the security properties for SHA-512/224 and SHA-512/256, provides additional security information about HMAC and revises the discussions on hash-based Key Derivation Functions. Please provide comments by October 31st, 2011 to Revised_SP-800-107_Comments@nist.gov, with “Comments on Revised SP-800-107” in the subject line.

NIST Announces the Final Release of Four NIST Interagnecy Reports (NISTIRs) - Common Platform Enumeration (CPE) Version 2.3
August 30, 2011
 
NIST announces the final release of four NIST Interagency Reports (NISTIRs) defining the Common Platform Enumeration (CPE) specification version 2.3. CPE, which is one of the fundamental components of the Security Content Automation Protocol (SCAP), provides a standardized way to identify and describe software and hardware devices present in an enterprise's computing asset inventory. Each of the four CPE 2.3 modules is defined in its own NISTIR:

  • NISTIR 7695, Common Platform Enumeration: Naming Specification Version 2.3 defines the CPE Naming specification, including the logical structure of well-formed CPE names and the procedures for binding and unbinding these names with machine-readable encodings.
  • NISTIR 7696, Common Platform Enumeration: Name Matching Specification Version 2.3 provides the CPE Name Matching specification, which defines procedures for comparing CPE names to determine whether they refer to some or all of the same products or platforms.
  • NISTIR 7697, Common Platform Enumeration: Dictionary Specification Version 2.3 defines the CPE Dictionary specification, including the semantics of its data model and the rules associated with CPE dictionary creation and management.
  • NISTIR 7698, Common Platform Enumeration: Applicability Language Specification Version 2.3 provides the CPE Applicability Language specification, which allows construction of complex groupings of CPE names to describe IT platforms.


NIST is proud to announce the release of 2 Publications: (1) Draft Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping  AND   (2) Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems
August 12, 2011
 
Publication #1: Draft Special Publication 800-38F
NIST is pleased to announce that the Draft NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, is available for public comment. This publication describes cryptographic methods that are approved for "key wrapping," i.e., the protection of the confidentiality and integrity of cryptographic keys. In addition to describing existing methods, this publication specifies two deterministic authenticated encryption modes of operation of the Advanced Encryption Standard (AES) algorithm: the AES Key Wrap (KW) mode and the AES Key Wrap With Padding (KWP) mode. The analogous mode with the Triple Data Encryption Algorithm (TDEA) as the underlying block cipher, called TKW, is also specified to support legacy applications.
 
Public comments on Draft NIST SP 800-38F may be submitted to EncryptionModes@nist.gov until October 1, 2011.
 
Publication #2: Special Publication 800-128
NIST is pleased to announce the final publication of Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems. Special Publication 800-128 provides guidelines for implementation of a security-focused configuration management (SecCM) process as well as supporting information for NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations. The fundamental concepts associated with SecCM and the process of applying SecCM practices to information systems are described.


Draft Special Publication 800-133, Recommendations for Cryptographic Key Generation
August 1, 2011
 
NIST requests comments on Special Publication (SP) 800-133, Recommendation for Cryptographic Key Generation. Cryptography relies upon two basic components: an algorithm (or cryptographic methodology) and a cryptographic key. This Recommendation discusses the generation of the keys to be managed and used by NIST’s approved cryptographic algorithms. Please provide comments by September 30th, 2011 to SP-800-133_Comments@nist.gov, with “Comments on SP 800-133 Key Generation” in the subject line.


NIST Announce the Release of 2 Draft Publications: Second Draft of NISTIR 7275 Revision 4 Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2, and Draft SP 800-67 Rev. 1, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher.
July 27, 2011
 
DRAFT #1:
NIST announces the second public comment release of DRAFT NIST Interagency Report (NISTIR) 7275 Revision 4, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. The Extensible Configuration Checklist Description Format (XCCDF) Version 1.2 is the latest revision of an Extensible Markup Language (XML) based model that enables the standardized expression of security configuration rules. The intent of XCCDF is to provide a uniform foundation for expression and compliance assessment of security checklists and other configuration guidance, and thereby foster more widespread application of sound security practices. XCCDF 1.2 supports the Security Content Automation Protocol (SCAP) version 1.2.
 
Comment period closed on August 15, 2011.

NOTE: This draft (NISTIR 7275 Rev. 4) has been approved as final - Sept. 2011.
 
DRAFT #2:
NIST requests comments on a revision of Special Publication (SP) 800-67 Revision 1, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. This revision includes an update of references appropriate for the publication, and an identification of requirements that are not tested by NIST’s Cryptographic Algorithm Validation Program and Cryptographic Module Validation Program, but are required for secure use. The changes are highlighted in yellow for easy review. Comment period closed on August 31st, 2011.

NOTE: This draft (SP 800-67 Rev. 1) has been approved as final - January 2012.


Initial Public Draft (IPD) of Special Publication 800-53 Appendix J, Privacy Control Catalog
July 20, 2011
 
The National Institute of Standards and Technology (NIST) announces the initial public draft of Special Publication 800-53, Appendix J, Privacy Control Catalog. With the increasing dependency on information systems, dramatic advances in information technologies, and significant growth in new applications of those technologies in such areas as cloud computing, smart grid, and mobile computing, information security and privacy are taking on new levels of importance in the public and private sectors. Privacy, with respect to personally identifiable information, is a core value that can be achieved only with appropriate legislation, policies, and associated controls to ensure compliance with requirements. In today’s digital world, effective privacy for individuals depends on a solid foundation of information security safeguards in the information systems that are processing, storing, and transmitting personally identifiable information. Privacy and security controls in federal information systems, programs, and organizations are complementary and mutually reinforcing in trying to achieve the privacy and security objectives of organizations. Appendix J, Privacy Control Catalog, is a new addition to NIST’s family of standards and guidelines that will be incorporated into the 2011 update to Special Publication 800-53, Revision 4, projected for release in December 2011. Due to the importance and special nature of the material in this Appendix, it is being publicly vetted separately from the other changes to the publication which will be released later this year. The objectives of the Privacy Appendix are fourfold:

  • Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance;
  • Establish a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations;
  • Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and monitoring of privacy controls deployed in federal information systems, programs, and organizations; and
  • Promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.
The comment period closed on September 2, 2011.
Please send questions to sec-cert@nist.gov.


Draft NIST Interagency Report (IR) 7802, Trust Model for Security Automation Data (TMSAD) Version 1.0 is available for public comment
July 13, 2011
 
NIST announces the public comment release of draft Interagency Report (IR) 7802, Trust Model for Security Automation Data (TMSAD) Version 1.0. This report defines the initial specification for version 1.0 of the Trust Model for Security Automation Data (TMSAD), which is designed to permit organizations to establish integrity, authentication, and traceability for security automation data. The trust model focuses on using digital signatures with Extensible Markup Language (XML) based security automation source and result documents. TMSAD supports the Security Content Automation Protocol (SCAP) version 1.2.
 
Comment period on draft IR 7802 closed on August 1, 2011.

NOTE: Draft NISTIR 7802 has been approved as final - Sept. 2011.


Draft Special Publication (SP) 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2
July 12, 2011
 
NIST announces the public comment release of Draft Special Publication (SP) 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. SP 800-126 defines and explains SCAP version 1.2, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications. Major changes from SCAP version 1.1 to 1.2 include the addition of the following components: Asset Reporting Format (ARF), Asset Identification, Common Configuration Scoring System (CCSS), and Trust Model for Security Automation Data (TMSAD), which provides support for digitally signing SCAP source and result content. SCAP 1.2 also includes new source and result data stream models, and it upgrades Open Vulnerability and Assessment Language (OVAL) support to version 5.10, Common Platform Enumeration (CPE) support to version 2.3, and Extensible Configuration Checklist Description Format (XCCDF) support to version 1.2.
 
Comment period for this draft closed on August 1, 2011.

NOTE: This draft (SP 800-126 Rev. 1) was approved as final - September 2011.


Second DRAFT Special Publication 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion
July 12, 2011
 
NIST requests comments on a second draft of Special Publication (SP) 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion. The initial draft was released in September, 2010, and the comment period closed on October 30, 2010. This second version incorporates resolutions to the comments received during the first comment period.
 
This Recommendation specifies techniques for the derivation of keying material from a shared secret established during a key establishment scheme defined in NIST Special Publications 800-56A or 800-56B through an extraction-then-expansion procedure. NIST is in the process of modifying SP 800-56A and SP 800-56B to include the extraction-then-expansion key derivation procedure specified in this draft Recommendation (800-56C).
 
Please submit comments to 800-56Ccomments@nist.gov with "Comments on SP 800-56C" in the subject line. The comment period closes on August 11, 2011.


Draft Special Publication 800-63 Revision 1 (Third Draft) E-Authentication Guidelines
June 28, 2011
 
Draft Special Publication 800-63 Revision 1: E-Authentication Guideline is available for a third public comment period. It supplements OMB guidance, by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies, and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision.
 
Note that this document may inform, but is not intended to constrict or constrain the development or use of standards for implementation of the National Strategy for Trusted Identities in Cyberspace (NSTIC). NIST SP 800-63 is specifically designated as a guideline for use by Federal agencies for electronic authentication. NSTIC, in contrast, has a broader charge: the creation of an Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.” While NIST SP 800-63 may be a starting point for discussion on NSTIC, decisions on approaches to e-authentication in the Identity Ecosystem will be developed through a separate path. For more information, please see http://www.nist.gov/nstic/.
 
Comment period for this draft closed on July 29, 2011,

NOTE: This draft (SP 800-63-1) has been approved as final - Dec. 2011. Also, note that there is an updated version to SP 800-63-1 TO SP 800-63-2 which was approved as final - Aug. 2013.


Announcement of Proposal to Approve EAX'
June 21, 2011
 
NIST is pleased to announce a proposal to approve the EAX' block cipher mode of operation that is specified in Annex I of ANS C12.22-2008, American National Standard Protocol Specification for Interfacing to Data Communication Networks. That standard was developed by the American National Standards Institute (ANSI) C12 SC17 Committee. The National Electrical Manufacturers Association (NEMA) is the secretariat of the Committee and is the organization that publishes the standard.
 
NIST proposes to approve EAX' in support of the Smart Grid development efforts. In particular, EAX' was intended to satisfy the requirements of supervisory control and data acquisition (SCADA) messaging associated with Automated Meter Reading that operate in the context of an Advanced Metering Infrastructure. These requirements may be applicable to other small embedded devices communicating in SCADA environments.
 
The EAX' mode was submitted to NIST by four members of the ANSI SC17 Committee: Avygdor Moise, Edward Beroset, Tom Phinney, and Martin Burns. EAX' is a modified version of the EAX mode for authenticated encryption with associated data that was developed and submitted to NIST by Mihir Bellare of the University of California, San Diego and Philip Rogaway of the University of California, Davis.
 
The EAX' submission includes a complete specification; it is available for review at the modes development page, under the heading "authenticated encryption".
 
NIST requests comments on the proposal by July 22, 2011; comments may be submitted to EncryptionModes@nist.gov.
 
If NIST moves forward with the proposal, an additional period of public comment will be initiated on a draft special publication that specifies the mode.


NIST Interagency Report (NISTIR) 7694, Specification for the Asset Reporting Format 1.1 is now final and available
June 21, 2011
 
NIST announces the final publication of NIST Interagency Report (NISTIR) 7694, Specification for the Asset Reporting Format 1.1. The Asset Reporting Format (ARF) is a data model for expressing the transport format of information about assets and the relationships between assets and reports. This facilitates reporting, correlating, and fusing asset information throughout and between organizations. The intent of ARF is to provide a uniform foundation for the expression of reporting results, fostering more widespread application of sound IT management practices.


Update on Draft NIST Interagency Reports (IRs): 7695, Common Platform Enumeration: Naming Specification Version 2.3 and 7696, Common Platform Enumeration : Name Matching Specification Version 2.3
June 17, 2011
 
The comment period for thesse 2 drafts have been extended to Friday, June 24th, 2011. Link to: Draft NIST Interagency Reports: 7695, Common Platform Enumeration: Naming Specification Version 2.3 and
Draft NISTIR 7696, Common Platform Enumeration : Name Matching Specification Version 2.3

NIST Released NISTIR 7693, Specification for Asset Identification 1.1
June 17, 2011
 
NIST announces the final publication of NIST Interagency Report (NISTIR) 7693, Specification for Asset Identification 1.1. Asset identification plays an important role in an organization's ability to quickly correlate different sets of information about assets. NISTIR 7693 provides the necessary constructs to uniquely identify assets based on known identifiers and/or known information about the assets. The Asset Identification specification includes a data model, methods for identifying assets, and guidelines on how to use asset identification. It also discusses a number of use cases for asset identification.


Commerce Department Proposes a New Policy Framework to Strengthen Cybersecurity Protections for Businesses Online
June 9, 2011
To view the full announcement and to view the policy report, please go to NIST's press release.


Announcement of Proposal to Approve Two FFX schemes
June 9, 2011
 
NIST is pleased to announce a proposal to specify and approve two block cipher modes of operation for format preserving encryption (FPE). FPE is emerging as a useful cryptographic tool, whereby certain kinds of data, such as social security numbers or credit card numbers, may be selectively encrypted without changing their format. Consequently, FPE can be seamlessly retrofitted to existing applications to support the encryption of sensitive data.
 
Both of the modes that NIST proposes to approve are schemes that are compliant with the FFX framework that was submitted to NIST by Mihir Bellare of the University of California, San Diego, Philip Rogaway of the University of California, Davis, and Terence Spies of Voltage Security, Inc. The submission documentation for FFX is available at the modes development page, under the heading "Encryption Modes." The FFX framework is described in detail in the body of the specification [SP]. One FFX compliant scheme that NIST proposes to approve, called FF[radix] is specified in the addendum to the specification [SP2]. The second scheme that NIST proposes to approve, called VAES, is described in the additional documentation [AD] submitted by Joachim Vance of VeriFone Systems, Inc.
 
Also included in the documentation are Letters of Assurance from Voltage Security, Inc. and VeriFone Systems, Inc. [IP1 and IP2] in connection with intellectual property that those companies identified as possibly relevant to the implementation of FFX[radix] or VAES.
 
NIST proposes to recommend FFX[radix] as the preferred FPE scheme for interoperability. NIST will also consider approving other FFX schemes, in addition to VAES, on a case-by-case basis.
 
NIST requests comments on the proposal by July 8, 2011; comments may be submitted to EncryptionModes@nist.gov.
 
If NIST moves forward with the proposal, an additional period of public comment will be initiated on a draft special publication that specifies the modes.


Special Publication 800-82 Final Publication, Guide to Industrial Control Systems (ICS) Security
June 9, 2011
 
The National Institute of Standards and Technology (NIST) announces the final publication of Special Publication 800-82, Guide to Industrial Control System (ICS) Security. Special Publication 800-82 provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. Special Publication 800-82 provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This publication is the finalization of the final public draft, and includes updates with respect to the Risk Management Framework and current activities. To address the quickly changing industrial control system security landscape, NIST is targeting to revise Special Publication 800-82 in 2012.


NIST Released 2 Draft NISTIRs - 7697 and 7698 - both on the Common Platform Enumeration (CPE)
June 3, 2011
 
NIST announces the public comment release of two Draft NIST Interagency Reports (IR) on the Common Platform Enumeration (CPE) specification version 2.3. CPE, which is one of the fundamental components of the Security Content Automation Protocol (SCAP), provides a standardized way to identify and describe software and hardware devices present in an enterprise's computing asset inventory. Draft NISTIR 7697 (second public draft) defines the CPE Dictionary specification, including the semantics of its data model and the rules associated with CPE dictionary creation and management. Draft NISTIR 7698 (initial public draft) provides the CPE Applicability Language specification, which allows construction of complex groupings of CPE names to describe IT platforms.
 
Comment period on draft IRs 7697 and 7698 closed on June 24th, 2011.

NOTE: These 2 draft NISTIRs (7697 and 7698) have both been approved as final during the month of August 2011. Both NISTIRs are one after the other on the CSRC NISTIR page.


NIST is Proud to Announce the Release of NISTIR 7773, An Application of Combinatorial Methods to Conformance Testing for Document Object Model Events
May 25, 2011
 
NIST Interagency Report (IR) 7773, An Application of Combinatorial Methods to Conformance Testing for Document Object Model Events is now available on the NISTIR page. This report describes the use of combinatorial test methods to reduce the cost of testing for the Document Object Model Events standard while maintaining an equivalent level of assurance. More than 36,000 tests – all possible combinations of equivalence class values –were reduced by approximately a factor of 20 with no reduction in error detection effectiveness.


Draft Special Publication 800-90A Recommendation for Random Number Generation Using Determiniatic Random Bit Generators
May 6, 2011
 
NIST requests comments on a draft revision of Special Publication (SP) 800-90A,. Recommendation for Random Number Generation Using Deterministic Random Bit Generators.This is intended as a revision of the currently-posted version of SP 800-90. Two of the appendices in SP 800-90 provided information on entropy sources and RBG constructions. These topics will be discussed in further detail in SP 800-90B and SP 800-90C, respectively, which are under development. SP 800-90A takes into account the work on RBGs that has been conducted within Accredited Standards Committee X9 since the original publication of SP 800-90. A general list of the changes is provided at the end of Appendix H, and except for some editorial changes, the changes within the document are marked. Please send comments to RBG_comments@nist.gov by August 1, 2011, with “SP 800-90A comments” in the subject line.


NIST requests comments on a draft revision of Special Publication (SP) 800-57, Part 1, Recommendation for Key Management: Part 1: General
May 6, 2011
 
NIST requests comments on a draft revision of Special Publication (SP) 800-57, Part 1, Recommendation for Key Management: Part 1: General. This revision is intended to align the document with SP 800-131A, as well as to provide a general update of the document, including references to NIST publications that have been completed since the last revision of SP 800-57. A general list of the changes is provided at the end of Appendix D, and except for some editorial changes, the changes within the documented are marked. Please send comments to KeyManagement@nist.gov by July 1, 2011, with “SP 800-57, Part 1 comments” in the subject line.


NIST announces the Release of a Report by the University of Maryland on ICT Supply Chain Best Practices
April 28, 2011
 
NIST gladly announces the release of a report by the University of Maryland on ICT supply chain best practices. The report stems from a NIST grant awarded to UMD's Supply Chain Management Center to conduct a six-month study on industry SCRM best practices. The report is expected to be used as supplemental information in draft NIST IR 7622 as well as help guide the development of NIST's future work in ICT SCRM best practices.


NIST Released 2 - Second Draft NIST Interagency Reports (IRs): 7695, Common Platform Enumeration: Naming Specification Version 2.3 and 7696, Common Platform Enumeration : Name Matching Specification Version 2.3
April 28, 2011
 
NIST announces the public comment release of two Draft NIST Interagency Reports (IR) on Common Platform Enumeration (CPE) (Draft NISTIR 7695 and Draft NISTIR 7696). CPE, which is one of the fundamental components of the Security Content Automation Protocol (SCAP), provides a standardized way to identify and describe software and hardware devices present in an enterprise's computing asset inventory. The two new reports (2nd draft) propose specifications as part of CPE version 2.3. Draft NIST IR 7695 defines the CPE naming specification, including the logical structure of well-formed CPE names and the procedures for binding and unbinding these names with machine-readable encodings. Draft NIST IR 7696 provides the CPE matching specification, which defines procedures for comparing CPE names to determine whether they refer to some or all of the same products or platforms.
 
NIST requests comments on draft IRs 7695, and 7696 by Friday, May 20th, 2011. Please submit all comments to cpe-comments@nist.gov.


NIST Released Special Publication 800-147, BIOS Protection Guidelines
April 28, 2011
 
NIST announces the final release of NIST Special Publication 800-147, BIOS Protection Guidelines. This document provides guidelines for preventing the unauthorized modification of Basic Input/Output System (BIOS) firmware on PC client systems. Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. A malicious BIOS modification could be part of a sophisticated, targeted attack on an organization —either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). This guide provides platform vendors with recommendations and guidelines for a secure BIOS update process. Additionally, it provides recommended best practices that are tightly coupled with the security guidelines for platform vendors. These practices can help computer administrators take advantage of the BIOS protection features as they become available.


Biometric Data Specification for Personal Identity Verification
April 18, 2011
 
NIST is pleased to announce the availability of the public comment draft of NIST Special Publication 800-76-2, Biometric Data Specification for Personal Identity Verification. The draft amends the 2007 specification SP 800-76-1 to include iris recognition and on-card fingerprint comparison, and to extend and refine the biometric sensor and performance specifications. Note that FIPS 201-2, the binding parent PIV specification, is simultaneously open for public comment (see http://csrc.nist.gov/publications/PubsDrafts.html#FIPS-201--2).
 
Written comments on SP 800-76-2 may be sent to: Patrick Grother, Information Access Division, Information Technology Laboratory, ATTN: Comments on Revision Draft SP 800-76-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 7740, Gaithersburg, MD 20899-7740.
 
Electronic comments on SP 800-76-2 should be drafted using this template and sent to: piv_comments@nist.gov. Comments must be received by June 6, 2011.


Registration for the FIPS 201-2 Workshop Has Been Extended - 2 Days
April 11, 2011
 
The deadline to register for the FIPS 201-2 workshop has been extended by two days. Anyone wishing to attend the workshop in person, now can pre-register at http://www.nist.gov/allevents.cfm by close of business Wednesday, April 13, 2011, in order to enter the NIST facility and attend the workshop.


NIST Interagency Report (NISTIR) 7692, Specification for the Open Checklist Interactive Language (OCIL) Version 2.0 has been finalized
April 7, 2011
 
NIST announces the final release of NIST Interagency Report (IR) 7692, Specification for the Open Checklist Interactive Language (OCIL) Version 2.0. OCIL, which is used by the Security Content Automation Protocol (SCAP) version 1.1, provides a standardized, automated basis for expressing questionnaires and related information. OCIL can be used to collect information that requires interacting with people, such as asking them about training they have participated in, and also to harvest information stored during an organization's previous data collection efforts, such as audits. NIST IR 7692 defines OCIL version 2.0 and explains the requirements that products and questionnaires must meet to comply with the OCIL specification.


NIST Interagency Report (IR) 7771, Conformance Test Architecture for Biometric Data Interchange Formats - Version Beta 2.0
March 14, 2011
 
The NIST Interagency Report (IR) 7771, Conformance Test Architecture for Biometric Data Interchange Formats - Version Beta 2.0 discusses the technological characteristics of a recently released Conformance Test Architecture (CTA) that supports Conformance Test Suites (CTSs) designed to test implementations of biometric data interchange data formats. It is meant to provide information on CTA module communication methods, key CTA features and high-level sequence diagrams such as testing and decoding operations. It also addresses an introduction to testing binary data, structure testing by groups of fields and a discussion on test cases. Interaction between the CTA and CTSs is discussed. Ongoing work on related tools development is also presented. The information included is useful to end-users, testing laboratories and implementers of products that intend to conform to national and international biometric data interchange standards. Software downloads of the CTA and available CTSs, related information and sample data are available at: http://www.nist.gov/itl/csd/biometrics/biocta_download.cfm


NIST is Pleased to Announce the Public Comment Draft FIPS 201-2 and Associated Public Workshop
March 8, 2011
 
The NIST Computer Security Division is pleased to announce Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification of Federal Employees and Contractors. Draft FIPS 201-2 amends FIPS 201-1 and includes adaptation to changes in the environment since the publication of FIPS 201-1, and specific changes requested by Federal agencies and implementers. Before recommending FIPS 201-2 to the Secretary of Commerce for review and approval, NIST invites comments from the public concerning the proposed changes. During the public comment period, NIST will also hold a public workshop at NIST in Gaithersburg, MD to present the Draft FIPS 201-2.
 
Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, ATTN: Comments on Revision Draft FIPS 201-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 7730, Gaithersburg, MD 20899-7730.
 
Electronic comments may be sent to: piv_comments@nist.gov. Comments must be received by June 6, 2011.
 
Both FIPS 201-1 and Draft FIPS 201-2 are available electronically from the NIST web site at: http://csrc.nist.gov/publications/PubsFIPS.html. A summary of changes reflected in Draft FIPS 201-2 is available in the Federal Register Notice (FRN).
 
The public workshop on Draft FIPS 201-2 will be held Monday and Tuesday, April 18 and 19, 2011 at NIST in Gaithersburg, Maryland, which may also be attended remotely via webcast. The purpose of the workshop is to exchange information on Draft FIPS 201-2, and to answer questions and provide clarifications regarding the Draft. The agenda, webcast and related information for the public workshop will be available before the workshop on the NIST Computer Security Resource Center Web site at http://csrc.nist.gov. Anyone wishing to attend the workshop in person, must pre-register at http://www.nist.gov/allevents.cfm by close of business Monday, April 11, 2011, in order to enter the NIST facility and attend the workshop.


NIST Computer Security Division Released Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View
March 1, 2011
 
The National Institute of Standards and Technology (NIST) announces the final publication of Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. NIST Special Publication 800-39 is the fourth in the series of risk management and information security guidelines being developed by the Joint Task Force Transformation Initiative, a joint partnership among the Department of Defense, Intelligence Community, NIST, and the Committee on National Security Systems. The partnership, under the leadership of the Secretary of Defense, the Director of National Intelligence, and the Secretary of Commerce continues to collaborate on the development of a unified information security and risk management framework for the federal government to address the challenges of protecting federal information and information systems as well as the Nation’s critical information infrastructure.
 
NIST Special Publication 800-39, the capstone publication in the Joint Task Force publications, provides guidance to federal agencies and their contractors on how to manage information security risk associated with the operation and use of information systems. For decades, organizations have managed risk at the information system level. This information system focus provided a very narrow, stovepiped, perspective that constrained risk-based decisions by senior leaders/executives to the tactical level—devoid, in many cases, of any direct linkage or traceability to the important organizational missions/business functions being carried out by enterprises. The concentration on information systems security resulted in a focus on vulnerability management at the expense of strategic risk management applied across enterprises.
 
Special Publication 800-39 introduces a three-tiered risk management approach that recommends federal agencies focus, initially, on establishing an enterprise-wide risk management strategy as part of a mature governance structure involving senior leaders/executives and a robust risk executive (function). The risk management strategy addresses some of the fundamental issues that organizations face in how information security risk is assessed, responded to, and monitored over time in the context of critical missions and business functions. The strategic focus of the risk management strategy allows organizations to influence the design of key mission and business processes—making these processes risk aware. Risk-aware mission/business processes drive enterprise architecture decisions and facilitate the development and implementation of an effective, embedded information security architecture that provides a roadmap for allocating safeguards and countermeasures to information systems and the environments in which those systems operate.
 
The multitiered risk management approach (moving from organization to missions to systems) ensures that strategic considerations (including top-level organizational goals and objectives), drive investment and operational decisions with regard to managing risk to organizational operations (including mission, function, image, and reputation), organizational assets, individuals, other organizations (collaborating or partnering with federal agencies and contractors), and the Nation. This type of risk-based decision making is especially important with respect to how organizations address advanced persistent threats which have the potential through sophisticated cyber attacks, to degrade or debilitate information systems supporting the critical applications and operations of the federal government.


NIST Computer Security Division is Proud to Announce the Release of 2 Special Publications: Special Publication 800-126 Revision 1 and Special Publication 800-51 Revision 1
February 25, 2011
 
(1) NIST announces the final release of Special Publication (SP) 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. SP 800-126 defines and explains SCAP version 1.1, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications. Major changes from SCAP version 1.0 to 1.1 include the addition of Open Checklist Interactive Language (OCIL) and an upgrade to Open Vulnerability and Assessment Language (OVAL) version 5.8.
 
(2) NIST announces the final release of Special Publication (SP) 800-51 Revision 1, Guide to Using Vulnerability Naming Schemes. This publication provides recommendations for using two vulnerability naming schemes: Common Vulnerabilities and Exposures (CVE) and Common Configuration Enumeration (CCE). SP 800-51 Revision 1 gives an introduction to both naming schemes and makes recommendations for end-user organizations on using the names produced by these schemes. The publication also presents recommendations for software and service vendors on how they should use vulnerability names and naming schemes in their product and service offerings. SP 800-51 Revision 1 replaces the original SP 800-51, which was released in 2002.


NIST Seeks Input for Planned 2011 Update of Security Control Catalog For Federal Information Systems and Organizations (Special Publication 800-53)
February 24, 2011
 
Recommended Security Controls for Federal Information Systems and Organizations. Suggestions should be sent to sec-cert@nist.gov by April 29, 2011. The target date......
read more >


NIST Computer Security Division is Proud to Announce the Release of 2 Publications: (1) Special Publication 800-70 Revision 2 and (2) NIST Interagency Report (IR) 7764
February 23, 2011
 
(1) NIST announces the final release of Special Publication (SP) 800-70 Revision 2, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 2 updates the previous version of the document, which was released in 2009, primarily by adding Security Content Automation Protocol (SCAP) oriented guidance and content related to the United States Government Configuration Baseline (USGCB).
 
(2) NIST releases NIST Interagency Report (IR) 7764, Status Report on the Second Round of the SHA-3 Cryptographic Hash Algorithm Competition. This report summarizes the evaluation of fourteen second-round candidates, and the selection of five SHA-3 finalists – BLAKE, Grøstl, JH, Keccak and Skein – that are to advance to the third (and final) round of the competition.


NIST Interagency Report (IR) 7298 Revision 1, The NIST Information Security Glossary of Key Information Security Terms is now available
February 17, 2011
 
The NIST Interagency Report (IR) 7298 Revision 1, NIST Information Security Glossary of Key Information Security Terms includes most of the current terms & definitions used in NIST information security publications and those in the CNSS Instruction # 4009 (Glossary of Information Assurance terms).
 
It is meant to be a reference for Federal government agencies and any other users/organizations who find it useful. For each term in the glossary, there are one or more definitions with sources cited. A given term may have more than one definition, depending on the context in which it is used.
 
Comments and/or suggestions are always welcome. (email)


NIST Released Draft Special Publication 800-147, BIOS Protection Guidelines
February 11, 2011
 
NIST announces the public comment release of the draft NIST Special Publication 800-147, BIOS Protection Guidelines. This guide is intended to identify, prioritize, and mitigate threats to the integrity of fundamental system firmware, commonly known as the Basic Input/Output System (BIOS). This guide identifies the security controls and procedures required to mitigate a subset of these threats. In particular, it includes requirements and guidelines for a secure BIOS update process targeting platform vendors, with additional recommendations for managing the BIOS in an operational environment.
 
NIST requests comments on draft NIST SP 800-147 by March 13th, 2011. Please submit all comments to 800-147comments@nist.gov.


NIST and the Computer Security Division is proud to announce the release of DRAFT FIPS Publication 180-4, Secure Hash Standard (SHS)
February 11, 2011
 
NIST announces the release of draft Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard (SHS). Draft FIPS 180-4 is a proposed revision of FIPS 180-3. Draft FIPS 180-4 adds a general procedure for creating an initialization hash value and two additional secure hash algorithms: SHA-512/224 and SHA-512/256, and removes a requirement that padding must be done before hash computation begins. SHA-512/224 and SHA-512/256 may be more efficient alternatives to SHA-224 and SHA-256, respectively, on platforms that are optimized for 64-bit operations. Removing the restriction on the padding operation in the secure hash algorithms will potentially create more flexibility and efficiency in implementing the secure hash algorithms in many computer network applications. The Federal Register Notice (FRN) of this publication is located here. Examples of the implementation of the secure hash algorithms SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256, can be found at http://www.nist.gov/CryptoToolkitExamples.
 
Comments should be sent to Proposed180-4@nist.gov with the phrase “Comments on Draft FIPS 180-4” in the subject line. Comments must be received on or before May 12, 2011.


NIST is Proud to Announce the Release of 2 Draft Documents: DRAFT Special Publication 800-131B, Transitions: Validation of Transitioning Cryptographic Algorithm and Key Lengths AND DRAFT Special Publication 800-131C, Transitions: Validating the Transition from FIPS 186-2 to FIPS 186-3
February 10, 2011
 
NIST requests comments on Draft Special Publication (SP) 800-131B, Transitions: Validation of Transitioning Cryptographic Algorithm and Key Lengths. SP 800-131B provides details about the validation of the cryptographic algorithms and cryptographic modules in transition, as specified in SP 800-131A. Please send comments to CryptoTransitions@nist.gov by March 31, 2011, with “SP 800-131B comments” in the subject line.
AND
NIST requests comments on Draft Special Publication (SP) 800-131C, Transitions: Validating the Transition from FIPS 186-2 to FIPS 186-3. SP 800-131C addresses both the cryptographic algorithm validations and the cryptographic module validations that are conducted by NIST’s Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP), respectively. Please send comments to CryptoTransitions@nist.gov by March 31, 2011, with “SP 800-131C comments” in the subject line.


DRAFT NISTIR 7670, Proposed Open Specifications for an Enterprise Remediation Automation Framework
February 10, 20111
 
NIST announces the public comment release of the draft NIST Interagency Report (NISTIR) 7670, Proposed Open Specifications for an Enterprise Remediation Automation Framework. This report examines technical use cases for enterprise remediation, identifies high-level requirements for these use cases, and proposes a set of emerging specifications that satisfy those requirements.
 
NIST requests comments on draft NISTIR 7670 by March 11th, 2011. Please submit all comments to remediation-comments@nist.gov.


DRAFT NISTIR 7511 Revision 2, Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements was updated
February 10, 2011
 
Draft NIST Interagency Report (IR) 7511, Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements was updated. Updated to include US Government Configuration Baseline (USGCB) test requirements for Windows 7 and IE8. Please go to the Drafts page to view updated draft.


Jeremy Grant Selected to Manage Establishment of National Program Office for NSTIC
February 8, 2011
 
The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) is pleased to announce that Jeremy Grant is joining the NIST team as a senior executive advisor Mr. Grant has been selected to manage the establishment of a National Program Office for the National Strategy for Trusted Identities in Cyberspace (NSTIC).
 
Mr. Grant comes to NIST with a diverse background and deep understanding of identity and cybersecurity issues, having served in a range of leadership positions spanning government and industry. He began his career as a legislative aide in the U.S. Senate, where he where he drafted the legislation which laid the groundwork for the Department of Defense and GSA smart card and PKI efforts. Mr. Grant then joined the Intelligent Technologies Division at MAXIMUS, a government services firm, where he led the division’s Security and Identity Management practice, and played a major role in a number of major federal identity and security programs. He then spent three years with Washington Research Group as the firm’s identity and cybersecurity market analyst. Most recently, Jeremy served as Chief Development Officer for ASI Government (formerly Acquisition Solutions, Inc.), a consulting firm focused on helping government agencies improve results through the application of better acquisition, organizational and program management practices. Jeremy is a former co-chair of the Identity Management Committee at TechAmerica (previously the Information Technology Association of America). He graduated with distinction from the University of Michigan with dual concentrations in biology and political science.
 
NSTIC is to be a new initiative created as a result of the Obama Administration’s Cyberspace Policy Review, which called for building “a cybersecurity-based identity management vision and strategy that addresses privacy and civil-liberties interests, leveraging privacy-enhancing technologies for the nation” as of one of ten near-term action items. NSTIC will be focused on establishing identity solutions and privacy-enhancing technologies to improve the security and convenience of sensitive online transactions through the process of authenticating individuals, organizations, and underlying infrastructure.
 
The National Program Office, to be established within the Department of Commerce, will be responsible for bringing the public and private sectors together to meet this challenge. Specific responsibilities will include:

  • Building consensus on legal, technical and policy frameworks necessary to achieve the NSTIC vision, including ways to enhance privacy, free expression and open markets;
  • Working with industry to identify where new standards or collaborative efforts may be needed to enable Americans to use – and businesses and other entities to accept – stronger, more secure online authentication technologies;
  • Coordinating collaboration across government stakeholders, including agencies such as the General Services Administration and Department of Homeland Security, as well as state and local governments; and
  • Guiding NSTIC pilot projects and other NSTIC-related implementations.
More information regarding NSTIC can be found at http://www.nist.gov/nstic or by contacting William (Curt) Barker at wbarker@nist.gov.


DRAFT NISTIR 7756, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture
February 3, 2011
 
NIST announces the public comment release of Draft NIST Interagency Report (IR) 7756, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture. This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security’s CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The architecture design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.
 
NIST requests comments on draft IR 7756 by March 11, 2011. Please submit all comments to fe-comments@nist.gov.


NIST is pleased to announce the release of two DRAFT Special Publications (SP): SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing; and SP 800-145, A NIST Definition of Cloud Computing. NIST is also pleased to announce the release of one final publication, NIST SP 800-125, Guide to Security for Full Virtualization Technologies.
January 28, 2011
 
DRAFT NIST Special Publication 800-144 provides an overview of the security and privacy challenges for public cloud computing and gives recommendations that organizations should consider when outsourcing data, applications, and infrastructure to a public cloud environment.
 
DRAFT NIST Special Publication 800-145 restates the existing NIST cloud computing definition as a formal NIST publication.
 
NIST requests comments and suggested changes to both draft documents. Please submit the comments on the SP drafts to 800-144comments@nist.gov and 800-145comments@nist.gov no later than 28 February 2011.
 
NIST Special Publication 800-125 discusses security concerns associated with full virtualization technologies for server and desktop systems, and gives recommendations for addressing these concerns.
 
NIST requests comments from the public and private sectors on these publications.


NIST is Proud to Announce the Release of Special Publication 800-131A, Transitions Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
January 13, 2011
 
NIST announces the completion of Special Publication (SP) 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. This Recommendation provides the approach for transitioning from the use of one algorithm or key length to another, as initially addressed in Part 1 of SP 800-57.


NIST is Proud to Announce the Release of Special Publication 800-78-3, Cryptographic Algorithms and Key Sizes for Personal Identification Verification
January 5, 2011
 
NIST announces that Special Publication 800-78-3, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, has been released. The document has been modified 1) to align the set of acceptable RSA public key exponents with FIPS 186-3 and 2) to permit the use of SHA-1 after 12/31/2010 when signing revocation information, under limited circumstances.

back to top page to links for other Archived News (2009-current year).