
News Archive - 2012




NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
December 21, 2012
 
NIST announces the release of Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping. This publication describes cryptographic methods for the protection of the confidentiality and integrity of cryptographic keys. In addition to clarifying that some previously-approved methods are permitted for key wrapping, this publication specifies two deterministic authenticated-encryption modes of operation of the Advanced Encryption Standard (AES) algorithm: the AES Key Wrap (KW) mode and the AES Key Wrap With Padding (KWP) mode. An analogue of KW, called TKW, with the Triple Data Encryption Algorithm (TDEA) as the underlying block cipher, is also specified to support legacy applications.
 
A specification of the AES Key Wrap had been available since 2001 on the Computer Security Resource Center web site; SP 800-38F officially approves this method. The AES Key Wrap With Padding mode is a variant that adds a specific padding scheme in order to promote interoperability; this variant was originally specified in 2009 under the auspices of the Internet Engineering Task Force, in Request for Comments (RFC) 5649.
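As an added example (not code from SP 800-38F, RFC 3394 or NIST), the following Go program implements the KW wrap and unwrap functions over the standard library's AES. The key-encryption key (KEK) and key data are the RFC 3394 section 4.1 test vector, so the output can be checked against the RFC; KWP, which replaces the fixed integrity check value with a length-carrying alternative and pads the input to whole semiblocks, is not implemented here.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwIV is the fixed 64-bit integrity check value that KW places in the first
// semiblock before wrapping; recovering it on unwrap is the integrity check.
var kwIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Wrap is the KW authenticated-encryption function: six passes of the
// AES-based wrapping step over n >= 2 plaintext semiblocks (RFC 3394 2.2.1),
// producing n+1 ciphertext semiblocks. Same KEK and key data always give the
// same output: KW is deterministic.
func Wrap(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, errors.New("KW: plaintext must be >= 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek) // 16-, 24- or 32-byte KEK
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := kwIV // A register, starts as the ICV
	r := append([]byte(nil), plaintext...)
	var buf [16]byte
	for j := 0; j <= 5; j++ {
		for i := 1; i <= n; i++ {
			copy(buf[:8], a[:])
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Encrypt(buf[:], buf[:])
			// A = MSB64(B) XOR t, with t = n*j + i numbering the step
			t := binary.BigEndian.Uint64(buf[:8]) ^ uint64(n*j+i)
			binary.BigEndian.PutUint64(a[:], t)
			copy(r[(i-1)*8:i*8], buf[8:])
		}
	}
	return append(a[:], r...), nil
}

// Unwrap inverts Wrap and returns the key data only if the recovered first
// semiblock equals the ICV; a modified ciphertext or a wrong KEK yields an
// error rather than a wrong key.
func Unwrap(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 24 || len(ciphertext)%8 != 0 {
		return nil, errors.New("KW: ciphertext must be >= 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	var a [8]byte
	copy(a[:], ciphertext[:8])
	r := append([]byte(nil), ciphertext[8:]...)
	var buf [16]byte
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			t := binary.BigEndian.Uint64(a[:]) ^ uint64(n*j+i)
			binary.BigEndian.PutUint64(buf[:8], t)
			copy(buf[8:], r[(i-1)*8:i*8])
			block.Decrypt(buf[:], buf[:])
			copy(a[:], buf[:8])
			copy(r[(i-1)*8:i*8], buf[8:])
		}
	}
	if subtle.ConstantTimeCompare(a[:], kwIV[:]) != 1 {
		return nil, errors.New("KW: integrity check failed")
	}
	return r, nil
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// RFC 3394 section 4.1: 128-bit KEK wrapping 128 bits of key data.
	kek := mustHex("000102030405060708090A0B0C0D0E0F")
	key := mustHex("00112233445566778899AABBCCDDEEFF")
	c, err := Wrap(kek, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %X\n", c)
	p, err := Unwrap(kek, c)
	fmt.Printf("unwrapped: %X err=%v\n", p, err)
	c[20] ^= 0x01 // flip one bit anywhere in the ciphertext
	_, err = Unwrap(kek, c)
	fmt.Println("tampered:", err)
}
```

The unwrap side is the security-relevant half: callers must treat an error as "no key" and never use the partially recovered buffer. Because KW is deterministic, two identical keys wrapped under the same KEK produce identical ciphertexts, which is acceptable for key transport but is why KW is not a general-purpose encryption mode.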


DRAFT NISTIR 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation is available for comment
December 21, 2012
 
NIST announces the public comment release of Draft Interagency Report (IR) 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation. This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof of concept implementation that was designed to address those challenges. The publication provides sufficient detail about the implementation so that organizations can reproduce it if desired, and is intended as a blueprint or template that the general security community can use to validate and implement the approach.
 
NIST requests comments on Draft IR 7904 by Thursday, January 31, 2013. Please send comments to ir7904-comments@nist.gov, with the subject "IR 7904 Comments".


NIST Computer Security Division Announces the Release of DRAFT NISTIR 7298, Revision 2: NIST Glossary of Key Information Security Terms
December 6, 2012
 
NIST Interagency Report (IR) 7298 Revision 2, NIST Glossary of Key Information Security Terms is the latest revision of the NIST Information Security Glossary and Information Assurance Glossary.
 
This update to NIST Interagency Report (IR) 7298 Revision 1 is open for public comment; the deadline to submit comments is January 15, 2013. If you have questions regarding this document, please send email to: Secglossary@nist.gov


NIST Released NISTIR 7817, A Credential Reliability and Revocation Model for Federated Identities
November 30, 2012
 
NIST announces the release of NIST Interagency Report (NISTIR) 7817, A Credential Reliability and Revocation Model for Federated Identities. NISTIR 7817 describes and classifies the different types of identity providers serving federations. For each classification, the document identifies perceived gaps or possible improvements when the credentials are used in authentication services and recommends countermeasures to close some of the identified gaps. With those countermeasures as the basis, the document suggests a Universal Credential Reliability and Revocation Services (URRS) model that strives to improve authentication services for federations.


NIST Announces the Release of NIST Interagency Report (IR) 7896, Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition
November 16, 2012
 
NIST opened a public "SHA-3" competition in November 2007 to develop a new cryptographic hash algorithm. On October 2, 2012, NIST announced Keccak as the winner and the new SHA-3 algorithm. The selection process of the third and final round of the competition is summarized in NIST Interagency Report (IR) 7896, Third-Round Report of the SHA-3 Cryptographic Hash Algorithm Competition.


NIST Announces the Release of Special Publication 800-133, Recommendation for Cryptographic Key Generation
November 16, 2012
 
NIST announces the completion of NIST Special Publication (SP) 800-133, Recommendation for Cryptographic Key Generation. This Recommendation discusses the generation of the keys to be used with NIST-approved cryptographic algorithms. The keys are either generated using mathematical processing on the output of approved Random Bit Generators, or generated based upon keys that are generated in this fashion.


NIST Computer Security Division Announces the Release of NIST Interagency Report (IR) 7878, Combinatorial Coverage Measurement
November 13, 2012
 
This report (NISTIR 7878) describes measures of combinatorial coverage that can be used in evaluating the degree of t-way coverage of any test suite, regardless of whether it was initially constructed for combinatorial coverage. The measures are useful in evaluating the thoroughness of the test suite and estimating residual risk after testing.
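As an added example (not code from NISTIR 7878 or NIST), the Go program below computes the simple t-way combination coverage of an arbitrary test suite: the number of distinct t-way variable-value combinations that at least one test exercises, over the total number possible given each parameter's domain. It also lists the uncovered combinations, which is where the residual risk after testing sits. The parameters and tests in main are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// TestSuite holds the number of possible values of each parameter and the
// tests, each test giving one value index (0..domain-1) per parameter.
type TestSuite struct {
	Domains []int
	Tests   [][]int
}

// combinations calls fn with every t-element subset of {0..n-1}.
func combinations(n, t int, fn func(vars []int)) {
	idx := make([]int, t)
	var rec func(start, depth int)
	rec = func(start, depth int) {
		if depth == t {
			fn(idx)
			return
		}
		for i := start; i <= n-(t-depth); i++ {
			idx[depth] = i
			rec(i+1, depth+1)
		}
	}
	rec(0, 0)
}

// tuplesSeen returns the distinct value tuples the tests assign to vars.
func (s TestSuite) tuplesSeen(vars []int) map[string]bool {
	seen := make(map[string]bool)
	for _, test := range s.Tests {
		vals := make([]int, len(vars))
		for i, v := range vars {
			vals[i] = test[v]
		}
		seen[fmt.Sprint(vals)] = true
	}
	return seen
}

// Coverage is the simple t-way combination coverage: covered combinations
// over all t-way combinations possible for the parameter domains.
func (s TestSuite) Coverage(t int) (covered, total int) {
	combinations(len(s.Domains), t, func(vars []int) {
		possible := 1
		for _, v := range vars {
			possible *= s.Domains[v]
		}
		total += possible
		covered += len(s.tuplesSeen(vars))
	})
	return covered, total
}

// Uncovered lists every t-way combination no test exercises, as
// "p<parameter>=<value>" pairs, so the gaps can be reviewed or turned into tests.
func (s TestSuite) Uncovered(t int) []string {
	var gaps []string
	combinations(len(s.Domains), t, func(vars []int) {
		seen := s.tuplesSeen(vars)
		vals := make([]int, t)
		for {
			if !seen[fmt.Sprint(vals)] {
				parts := make([]string, t)
				for i, v := range vars {
					parts[i] = fmt.Sprintf("p%d=%d", v, vals[i])
				}
				gaps = append(gaps, strings.Join(parts, " "))
			}
			// advance a mixed-radix counter over the selected parameters' domains
			i := t - 1
			for ; i >= 0; i-- {
				vals[i]++
				if vals[i] < s.Domains[vars[i]] {
					break
				}
				vals[i] = 0
			}
			if i < 0 {
				return
			}
		}
	})
	return gaps
}

func main() {
	// Constructed example: four configuration parameters with 2, 3, 2 and 2
	// possible values, and a hand-written suite of five tests.
	s := TestSuite{
		Domains: []int{2, 3, 2, 2},
		Tests:   [][]int{{0, 0, 0, 0}, {1, 1, 1, 1}, {0, 2, 1, 0}, {1, 0, 0, 1}, {0, 1, 1, 1}},
	}
	for t := 1; t <= 3; t++ {
		c, total := s.Coverage(t)
		fmt.Printf("%d-way coverage: %d/%d = %.3f\n", t, c, total, float64(c)/float64(total))
	}
	fmt.Println("uncovered 2-way combinations:", s.Uncovered(2))
}
```

The measure is independent of how the suite was built, which is the report's point: a suite written from requirements or from fuzzing can be scored the same way, and the uncovered list tells you which interactions no test has ever exercised.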


Links to keynote presentations on Emerging Risk Management and Cyber Security Strategies
November 9, 2012

  • Continuous Monitoring – FCW Executive Briefing Cybersecurity 2013 – Security Management Strategies (keynote presentation by Dr. Ron Ross)
  • Risk Management – Managing the Problem, ITSAF 2012 (closing remarks by Dr. Ron Ross)


Status Update on Draft Special Publication 800-53 Revision 4
November 8, 2012
 
Status Update on NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations

NIST continues to work on the final changes to SP 800-53, Revision 4. At the present time, our best estimate for completion (either final publication or final draft) is the end of January 2013. We are working as rapidly as possible to complete the publication and will keep you informed on a regular basis as to its current status. The publication delays have been largely driven by the size and complexity of the update and the continuing interaction with our partners and working groups to address the information security issues of greatest concern to our customers.

For the past three years, NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its contractors under the Joint Task Force Transformation Initiative. NIST SP 800-53, Revision 4, is a critical component in the unified framework.


NIST and NIST's Computer Security Division Announced the SHA-3 WINNER
October 3, 2012
 
NIST announced KECCAK as the winner of the SHA-3 Cryptographic Hash Algorithm Competition and the new SHA-3 hash algorithm in a press release issued on October 2, 2012. KECCAK was designed by a team of cryptographers from Belgium and Italy:

  • Guido Bertoni (Italy) of STMicroelectronics,
  • Joan Daemen (Belgium) of STMicroelectronics,
  • Michaël Peeters (Belgium) of NXP Semiconductors, and
  • Gilles Van Assche (Belgium) of STMicroelectronics.
A more detailed announcement is available here. This selection marked the end of the SHA-3 competition. A report on the final round of the competition will be published in the near future.


NISTIR 7511 Revision 3.04, DRAFT Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements is now available for comment / review
September 28, 2012
 
Draft NIST Interagency Report (IR) 7511 Revision 3, Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements, describes the requirements that must be met by products to achieve SCAP 1.2 Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7511 Revision 3 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.
 
For your convenience, this link will take you to the earlier draft revisions of NISTIR 7511 on the CSRC Drafts page.
 
This update to Draft NISTIR 7511 Revision 3.04 is open for a 2-week comment period. If you have questions regarding this document, please send email to: IR7511comments@nist.gov. The deadline to submit comments is Friday, October 12, 2012.


NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments has been Released
September 18, 2012
 
The National Institute of Standards and Technology (NIST) announces the release of the final version of its updated risk assessment guideline, Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments. The publication, over eighteen months in the making, represents the fifth in the series of publications developed by the Joint Task Force—a partnership among NIST, the Department of Defense, the Office of the Director of National Intelligence, and the Committee on National Security Systems, to create a unified information security framework for the federal government.
 
Risk assessments play a critical role in the development and implementation of effective information security programs and help organizations address a range of security-related issues from advanced persistent threats to supply chain concerns. The results of risk assessments are used by organizations to develop specific courses of action that can provide effective response measures to the identified risks as part of a broad-based risk management process.
 
The comprehensive guidance in Special Publication 800-30, Revision 1 uses the key risk factors of threats, vulnerabilities, impact to missions and business operations, and the likelihood of threat exploitation of weaknesses in information systems and environments of operation, to help senior leaders and executives understand and assess the current information security risks to their organizations and information technology infrastructures. The risk assessment guidance has been designed to have maximum flexibility so the process can meet the needs of many types of organizations and communities of interest, large and small, including for example, financial institutions, healthcare providers, software developers, manufacturing organizations, military planners and operators, and law enforcement organizations.
 
The risk assessment guidance is consistent with the process for managing information security risk described in NIST Special Publication 800-39 that includes framing risk, assessing risk, responding to risk and monitoring risk over time—risks to the organization’s operations (including missions, functions, image, and reputation), the organization’s critical assets, individuals who are part of the organization or who the organization serves, other entities involved in partnerships or collaborative efforts with the organization, and the Nation at large (including critical infrastructure). The guidance also supports the three-tier, enterprise-wide risk management approach which focuses on: the organization’s governance structures; the organization’s core missions/business functions, mission/business processes, and enterprise architecture; and the organization’s information systems that are essential for mission/business success. Copies of Special Publication 800-30, Revision 1, can be obtained from the NIST Computer Security Division web site at: http://csrc.nist.gov/publications.


NIST Interagency Report (IR) 7874, Guidelines for Access Control System Evaluation Metrics is now available.
September 18, 2012
 
NIST Interagency Report (IR) 7874, Guidelines for Access Control System Evaluation Metrics, has been released as final. This report provides Federal agencies with background information on access control (AC) properties and helps access control experts improve their evaluation of the highest-security AC systems by discussing the administration, enforcement, performance, and support properties of the AC mechanisms embedded in each AC system. This document extends the information in NIST IR 7316, Assessment of Access Control Systems, which demonstrates the fundamental concepts of policy, models, and mechanisms of AC systems.


NIST Computer Security Division Released DRAFT Guidelines to Media Sanitization
September 6, 2012
 
NIST announces the release of Draft Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, for public review and comment. SP 800-88 discusses methods, techniques and best practices for the sanitization of target data on different media types, and risk-based approaches organizations can apply to establish and maintain a media sanitization program.

Please submit public comments to 800-88r1Comments@nist.gov. The comment period closes on November 30, 2012.


NIST Released DRAFT Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies
September 5, 2012
 
NIST announces the public comment release of draft NIST Special Publication (SP) 800-40 Revision 3, Guide to Enterprise Patch Management Technologies. Patch management is the process for identifying, acquiring, installing, and verifying patches for products and systems. This publication is designed to assist organizations in understanding the basics of enterprise patch management technologies. It explains the importance of patch management and examines the challenges inherent in performing patch management. It provides an overview of enterprise patch management technologies and it also briefly discusses metrics for measuring the technologies’ effectiveness. Draft NIST SP 800-40 Revision 3 replaces the previous release (version 2), which was published in 2005.
 
NIST requests comments on draft SP 800-40 Revision 3 by Friday, October 5, 2012. Please send comments to 800-40comments@nist.gov, with the subject "SP 800-40 Comments".


NIST is Proud to Announce the Release of 2 DRAFT Publications: Special Publication 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation -- AND -- Special Publication 800-90C, Recommendation for Random Bit Generator (RBG) Constructions
September 5, 2012
 
NIST requests comments on two Draft publications for random bit generation: Draft SP 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation and Draft SP 800-90C, Recommendation for Random Bit Generator (RBG) Constructions.
 
Draft Special Publication 800-90B specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of entropy sources. A list of questions relating to SP 800-90B is also provided for reviewers.
 
Draft Special Publication 800-90C specifies constructions for the implementation of random bit generators (RBGs). An RBG may be a deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs consist of DRBG mechanisms as specified in SP 800-90A and entropy sources as specified in SP 800-90B. SP 800-90A is available at http://csrc.nist.gov/publications/PubsSPs.html#800-90A.
 
Please send comments to rbg_comments@nist.gov by December 5, 2012. For the comments on SP 800-90B, please put “Comments on Entropy Sources” in the subject line. For the comments on SP 800-90C, please put “Comments on RBG Constructions” in the subject line.
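As an added example (not code from the 800-90 drafts or NIST), the Go program below assembles an RBG in the way SP 800-90C describes: the HMAC_DRBG mechanism of SP 800-90A, instantiated with SHA-256, seeded from an entropy source whose raw output first passes a continuous health test of the kind SP 800-90B specifies, here a repetition count test. The sample bytes, nonce, personalization string, the assumed 4 bits of min-entropy per sample and the 2^-20 false-alarm probability are all constructed for the example; the samples are used directly as the entropy input, which assumes the source's entropy has been assessed, where a real construction would also apply a conditioning function.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"math"
)

// reseedInterval caps Generate calls between reseeds (SP 800-90A permits up to
// 2^48 for HMAC_DRBG; a much smaller value is chosen here).
const reseedInterval = 1 << 20

// HMACDRBG is the HMAC_DRBG mechanism of SP 800-90A with SHA-256.
type HMACDRBG struct {
	k, v          []byte
	reseedCounter uint64
}

func mac(key []byte, parts ...[]byte) []byte {
	h := hmac.New(sha256.New, key)
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// update is HMAC_DRBG_Update: it folds provided data into the (K, V) state.
func (d *HMACDRBG) update(provided []byte) {
	d.k = mac(d.k, d.v, []byte{0x00}, provided)
	d.v = mac(d.k, d.v)
	if len(provided) == 0 {
		return
	}
	d.k = mac(d.k, d.v, []byte{0x01}, provided)
	d.v = mac(d.k, d.v)
}

// NewHMACDRBG is HMAC_DRBG_Instantiate_algorithm: seed_material is
// entropy_input || nonce || personalization_string; K starts as 0x00.., V as 0x01..
func NewHMACDRBG(entropy, nonce, personalization []byte) *HMACDRBG {
	d := &HMACDRBG{k: make([]byte, sha256.Size), v: bytes.Repeat([]byte{0x01}, sha256.Size)}
	seed := append(append(append([]byte{}, entropy...), nonce...), personalization...)
	d.update(seed)
	d.reseedCounter = 1
	return d
}

// Generate is HMAC_DRBG_Generate_algorithm without prediction resistance; it
// refuses to produce output once the reseed interval is exhausted.
func (d *HMACDRBG) Generate(n int, additional []byte) ([]byte, error) {
	if d.reseedCounter > reseedInterval {
		return nil, errors.New("DRBG: reseed required")
	}
	if len(additional) > 0 {
		d.update(additional)
	}
	out := make([]byte, 0, n+sha256.Size)
	for len(out) < n {
		d.v = mac(d.k, d.v)
		out = append(out, d.v...)
	}
	d.update(additional)
	d.reseedCounter++
	return out[:n], nil
}

// RCT is a repetition count test: a continuous health test that catches a
// source stuck on one value. cutoff = 1 + ceil(-log2(alpha)/H), with H the
// assessed min-entropy per sample in bits and alpha the false-alarm probability.
type RCT struct {
	cutoff  int
	last    byte
	count   int
	started bool
}

func NewRCT(minEntropyBits, alpha float64) *RCT {
	return &RCT{cutoff: 1 + int(math.Ceil(-math.Log2(alpha)/minEntropyBits))}
}

// Observe feeds one sample and fails once a value has repeated cutoff times.
func (r *RCT) Observe(sample byte) error {
	if r.started && sample == r.last {
		r.count++
	} else {
		r.last, r.count, r.started = sample, 1, true
	}
	if r.count >= r.cutoff {
		return fmt.Errorf("RCT: value %#02x repeated %d times", sample, r.count)
	}
	return nil
}

// NewRBG is the construction: raw entropy-source samples must pass the health
// test before they become the DRBG's entropy input (no conditioning; see lead-in).
func NewRBG(samples, nonce, personalization []byte, minEntropyBits float64) (*HMACDRBG, error) {
	rct := NewRCT(minEntropyBits, math.Pow(2, -20))
	for _, s := range samples {
		if err := rct.Observe(s); err != nil {
			return nil, err
		}
	}
	return NewHMACDRBG(samples, nonce, personalization), nil
}

func main() {
	good := make([]byte, 32) // constructed source output: no two adjacent bytes equal
	for i := range good {
		good[i] = byte(i*37 + 11)
	}
	rbg, err := NewRBG(good, []byte("nonce-01"), []byte("example"), 4)
	if err != nil {
		panic(err)
	}
	out, _ := rbg.Generate(16, nil)
	fmt.Printf("DRBG output: %x\n", out)
	// A source stuck at 0xFF trips the test: for H=4 and alpha=2^-20 the cutoff is 6.
	_, err = NewRBG(bytes.Repeat([]byte{0xFF}, 32), []byte("nonce-02"), nil, 4)
	fmt.Println("stuck source:", err)
}
```

Two behaviours matter in practice: the health test fails closed, so a stuck or degraded source never seeds the DRBG, and the DRBG itself is deterministic given its seed material, which is why the entropy input and a fresh nonce, not the mechanism, carry all the unpredictability.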


Request for Additional Comments on DRAFT Security Requirements for Cryptographic Modules (Second Draft)
August 30, 2012
 
NIST seeks additional comments (Federal Register Notice released August 30, 2012) on specific sections of Federal Information Processing Standard 140-3 (Second Draft), Security Requirements for Cryptographic Modules, to clarify and resolve inconsistencies in the public comments received in response to the Federal Register (74 FR 91333) notice of December 11, 2009 (the Second Draft is provided here). The list of these specific sections can be found here. Comments on sections not specifically listed will not be considered.
 
All new comments on these specific sections must be received on or before October 1, 2012 using the comment template provided below (revised-fips140-3_comments-template.dot). Written comments may be sent to:
Chief, Computer Security Division, Information Technology Laboratory
Attention: Dr. Michaela Iorga
National Institute of Standards and Technology
100 Bureau Drive, Mail Stop 8930,
Gaithersburg, MD 20899-8930.
Electronic comments may also be sent to: FIPS140-3@nist.gov, with a Subject: “Additional Comments - FIPS 140-3 (Second Draft).”
 
NOTE: Additional information regarding the FIPS 140-3 draft development can be found here on CSRC. Also, a complete set of all comments received in response to the July 2007 FIPS 140-3 draft and NIST’s responses to these comments is also available on CSRC.


Special Publication 800-107 Revision 1, Recommendation for Using Approved Hash Algorithms
August 24, 2012
 
NIST announces the release of Special Publication 800-107, Revision 1, Recommendation for Using Approved Hash Algorithms. In this revision, the security properties of SHA-512/224 and SHA-512/256 are addressed, the discussion of the security of HMAC values has been expanded, the Randomized Hashing for Digital Signature discussion has been revised, and the Hash-based Key Derivation Function section has been rewritten to incorporate the “extraction-then-expansion” key derivation procedure specified in SP 800-56C and to discuss different approved hash-based key derivation functions.
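As an added example (not code from SP 800-107, SP 800-56C or NIST), the Go program below carries out the extraction-then-expansion procedure with the standard library's HMAC: Extract turns a shared secret Z into a fixed-length pseudorandom key, and Expand stretches that key to the requested length. The expansion here is HMAC in feedback mode with an 8-bit counter, which is the RFC 5869 HKDF form; SP 800-56C writes its expansion step in terms of the SP 800-108 KDFs, so that choice of instantiation is this example's. The inputs are RFC 5869's test case 1. The last function illustrates the SHA-512/224 and SHA-512/256 point: the truncated variants have their own initial hash values in FIPS 180-4, so truncating SHA-512 yourself gives a different function.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
)

// Extract is the randomness-extraction step: PRK = HMAC-H(salt, Z). With no
// salt, a string of zero bytes of the hash output length is used instead.
func Extract(h func() hash.Hash, salt, z []byte) []byte {
	if len(salt) == 0 {
		salt = make([]byte, h().Size())
	}
	m := hmac.New(h, salt)
	m.Write(z)
	return m.Sum(nil)
}

// Expand is the key-expansion step in HMAC feedback mode with an 8-bit
// counter (RFC 5869): T(i) = HMAC-H(PRK, T(i-1) || info || i), T(0) empty.
func Expand(h func() hash.Hash, prk, info []byte, length int) ([]byte, error) {
	size := h().Size()
	if length > 255*size {
		return nil, errors.New("expand: requested length exceeds 255 hash outputs")
	}
	var out, prev []byte
	for i := byte(1); len(out) < length; i++ {
		m := hmac.New(h, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length], nil
}

// DeriveKey runs extraction-then-expansion end to end.
func DeriveKey(h func() hash.Hash, salt, z, info []byte, length int) ([]byte, error) {
	return Expand(h, Extract(h, salt, z), info, length)
}

// TruncationCheck returns SHA-512/256(msg) and, for comparison, the first 32
// bytes of SHA-512(msg). The two differ: SHA-512/256 has its own initial hash
// value, so a hand-truncated SHA-512 is not SHA-512/256.
func TruncationCheck(msg []byte) (sha512x256, sha512Prefix []byte) {
	full := sha512.Sum512(msg)
	t := sha512.Sum512_256(msg)
	return t[:], full[:32]
}

func main() {
	// RFC 5869 test case 1 inputs, HMAC-SHA-256.
	ikm := bytes.Repeat([]byte{0x0b}, 22)
	salt, _ := hex.DecodeString("000102030405060708090a0b0c")
	info, _ := hex.DecodeString("f0f1f2f3f4f5f6f7f8f9")
	okm, err := DeriveKey(sha256.New, salt, ikm, info, 42)
	if err != nil {
		panic(err)
	}
	fmt.Printf("OKM: %x\n", okm)
	a, b := TruncationCheck([]byte("abc"))
	fmt.Printf("SHA-512/256(abc):     %x\nSHA-512(abc)[:32]:    %x\n", a, b)
}
```

The two-step structure is what lets one shared secret feed several keys safely: the extraction step's output is reused, and distinct info strings keep the derived keys independent of one another.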


NIST Computer Security Division released a paper "The Role of the National Institute of Standards and Technology in Mobile Security".
August 23, 2012
 
Earlier this year the President signed a Memorandum issuing the Digital Government Strategy, which was designed to build a 21st Century digital government that delivers better services to the American people. The strategy recognizes the potential for mobile devices to be increasingly vulnerable to malicious or accidental security and privacy breaches, and the resulting need to continually review new technologies to ensure protections are sufficiently put into place.
 
As a part of the strategy, NIST was asked to report on its ongoing work in mobility, including the applicability of NIST’s standards and guidelines to mobile devices and platforms. As a non-regulatory agency of the Department of Commerce, NIST has the responsibility to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
 
This paper presents an overview of the work of the National Institute of Standards and Technology (NIST) in security and privacy for mobile technology as well as an overview on how NIST standards and guidelines can be applied in the mobile environment.
 
"The Role of the National Institute of Standards and Technology in Mobile Security"


NIST announces the draft release of Special Publication (SP) 800-56A, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography (Draft Revision).
August 20, 2012
 

NIST announces the release of a draft revision of Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. SP 800-56A specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of the Diffie-Hellman and MQV key establishment schemes. This revision updates the March 2007 version; the main changes are listed in Appendix D.

Please submit comments to 56A2012rev-comments@nist.gov with "Comments on SP 800-56A (Revision)" in the subject line. The comment period closes on October 31, 2012.


NIST announces the draft release of Special Publication (SP) 800-152, A Profile for U. S. Federal Cryptographic Key Management Systems (CKMS).
August 8, 2012
 

NIST is developing a draft Special Publication 800-152 that will be entitled “A Profile for U. S. Federal Cryptographic Key Management Systems (CKMS)”. This Profile will be based on the Special Publication 800-130, entitled “A Framework for Designing Cryptographic Key Management Systems.” The Framework covers topics that should be considered by a product or system designer when designing a CKMS and specifies requirements for the design and its documentation. The Profile, however, will cover not only a CKMS design, but also its procurement, installation, management, and operation throughout its lifetime.

An initial draft of the Profile requirements is now available for public comment and for discussion by participants of the CKM Workshop scheduled for September 10-11. Details of the workshop are available at http://www.nist.gov/itl/csd/ct/ckm_workshop_2012.cfm.

Please provide comments by October 10, 2012 to ckmsdesignframework@nist.gov, with "Comments on SP 800-152 Profile Requirements" in the subject line.


NIST announces the final release of Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide.
August 8, 2012
 

Special Publication 800-61 Revision 2 seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. The publication details guidelines on establishing an effective incident response program, as well as detecting, analyzing, prioritizing, and handling incidents, including coordination and information sharing. SP 800-61 Revision 2 updates the previous revision, which was released in 2008. A detailed change log is provided in Appendix H.


NIST is pleased to announce the availability of test Personal Identity Verification (PIV) Cards.
July 26, 2012
 

In order to facilitate the development of applications and middleware that support the Personal Identity Verification (PIV) Card, the National Institute of Standards and Technology (NIST) has developed a set of test PIV Cards. The set of test PIV Cards contains sixteen smart cards that are loaded with a PIV Card Application, as specified in Special Publication 800-73-3. The PIV Card Applications on the smart cards are loaded with test data and keys that are similar to what might appear on actual PIV Cards, with the exception that the certificates on the test PIV Cards were issued from a test public key infrastructure. Information about the test cards is available on the PIV Test Cards website. The test cards are available for purchase as a NIST Special Database.


Baltimore ISSA InfoSec Summit Held at NIST
September 13, 2012
NIST Gaithersburg, Maryland

The Baltimore Information Systems Security Association Chapter would like to invite you to their Third Annual InfoSec Summit. We are holding the event at the National Institute of Standards and Technology (NIST) Headquarters in Gaithersburg, Maryland on September 13. The Summit runs from 7:30 am to 4 pm. There will be four tracks: Privacy & Legal Issues, Forensics, Security Management and Cloud Computing Security. Event speakers include representatives from NCIS, NIST, ACLU, SANS, GSA, SSA, Tenable and Computer Associates. The $150 registration fee covers 7 CPEs, breakfast and lunch. To register and for more information, please visit the Summit website at http://infosec-summit.issa-balt.org/

NIST Computer Security Division Chief Donna Dodson will be speaking on cloud computing security in the afternoon.

For more information, please contact the NIST contact, Evelyn Brown, NIST Public and Business Affairs Office - Phone: (301) 975-5661 or Email: evelyn.brown@nist.gov.


NIST Computer Security Division is Proud to Announce the Release of 2 Draft Special Publications: Draft Special Publication (SP) 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops AND Draft Special Publication (SP) 800-94 Revision 1, Guide to Intrusion Detection and Prevention Systems (IDPS)
July 25, 2012
 
1. Draft SP 800-83 Revision 1:
NIST announces the public comment release of Draft Special Publication (SP) 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations. This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. Draft SP 800-83 Revision 1 updates the original SP 800-83, which was released in 2005.
 
NIST requests comments on draft SP 800-83 Revision 1 by Friday, August 31, 2012. Please send comments to 800-83comments@nist.gov, with the subject "SP 800-83 Comments".
 
2. Draft SP 800-94 Revision 1:
NIST announces the public comment release of Draft Special Publication (SP) 800-94 Revision 1, Guide to Intrusion Detection and Prevention Systems (IDPS). This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network behavior analysis (NBA), and host-based. Draft SP 800-94 Revision 1 updates the original SP 800-94, which was released in 2007.
 
NIST requests comments on draft SP 800-94 Revision 1 by Friday, August 31, 2012. Please send comments to 800-94comments@nist.gov, with the subject "SP 800-94 Comments".

These 2 Drafts (SP 800-83 Rev. 1 and SP 800-94 Rev. 1) can also be found on the CSRC Drafts page.


Revision 3 of Special Publication (SP) 800-57, Part 1, Recommendation for Key Management, Part 1: General
July 10, 2012

NIST announces the completion of Revision 3 of Special Publication (SP) 800-57, Part 1, Recommendation for Key Management, Part 1: General. This publication contains basic key management guidance, including the security services that may be provided and the key types that may be employed in using cryptographic mechanisms, the functions involved in key management, and the protections and handling required for cryptographic keys. This revision aligns the document with SP 800-131A, as well as providing a general update of the document.


DRAFT NISTIR 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework
July 10, 2012

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework. Draft NISTIR 7823 proposes an example test framework and conformance test requirements for the firmware upgradeability process for the Advanced Metering Infrastructure (AMI) Smart Meters. The voluntary conformance test requirements in the Draft NISTIR 7823 are derived from the National Electrical Manufacturers Association (NEMA) Requirements for Smart Meter Upgradeability standard, which defines requirements for Smart Meter firmware upgradeability in the context of an AMI system for industry stakeholders such as regulators, utilities, and vendors. Draft NISTIR 7823 identifies test procedures that the vendors and testers can voluntarily use to demonstrate a system’s conformance with the NEMA standard.

NIST requests public comments on draft NISTIR 7823 by COB August 9, 2012. Electronic comments should be sent to: Michaela Iorga (NIST Computer Security Division) at michaela.iorga@nist.gov, with a Subject line: NIST IR 7823 Comments

Comment Form for Draft NISTIR 7823


Draft Special Publication (SP) 800-124 Revision 1, Guidelines for Managing and Securing Mobile Devices in the Enterprise
July 10, 2012
 
NIST announces the public comment release of Draft Special Publication (SP) 800-124 Revision 1, Guidelines for Managing and Securing Mobile Devices in the Enterprise. The purpose of this publication is to help organizations centrally manage and secure mobile devices against a variety of threats. This publication provides recommendations for selecting, implementing, and using centralized management technologies, and it explains the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1 includes securing both organization-provided and personally-owned (bring your own device) mobile devices.

NIST requests comments on draft SP 800-124 Revision 1 by Friday, August 17, 2012. Please send comments to 800-124comments@nist.gov, with the subject "SP 800-124 Comments".


NIST Interagency Report (IR) 7864, The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities, has been released as final.
July 9, 2012
 
NIST Interagency Report (IR) 7864, The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities, has been released as final. This report proposes a specification for CMSS, a set of standardized measures for the severity of software feature misuse vulnerabilities. Software feature misuse vulnerabilities are vulnerabilities in which software features also provide an avenue to compromise the security of a system. NISTIR 7864 also provides examples of how CMSS measures and scores would be determined. CMSS data can assist organizations in making security decisions based on standardized, quantitative vulnerability data.


NIST is Pleased to Announce the Revised Draft FIPS 201-2 and Associated Public Workshop
July 9, 2012
 

The NIST Computer Security Division is pleased to release the Revised Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification of Federal Employees and Contractors. The Revised Draft FIPS 201-2 reflects the disposition of comments received from the first public comment Draft FIPS 201-2 (the 2011 Draft) published on March 8, 2011. Before recommending FIPS 201-2 to the Secretary of Commerce for review and approval, NIST invites comments from the public concerning the Revised Draft. During the public comment period, NIST will also hold a public workshop at NIST in Gaithersburg, MD, to present the Revised Draft FIPS 201-2.

Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, ATTN: Comments on the Revised Draft FIPS 201-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 8930, Gaithersburg, MD 20899-8930. Electronic comments may be sent to: piv_comments@nist.gov. Please state "Revised Draft FIPS 201-2 Comments" in the subject line of the email. Comments must be received by August 10, 2012 using the comment template listed below.

The Revised Draft and its track change version (indicating modification from the 2011 Draft to the Revised Draft FIPS 201-2) are also provided via a link below. FIPS 201-1 (Standard in effect) is available electronically from the NIST web site at http://csrc.nist.gov/publications/PubFIPS.html.

A summary and analysis of the comments received during the public comment period of the 2011 Draft and NIST's disposition of these comments, as reflected in the Revised Draft FIPS 201-2, are provided in the Federal Register Notice (FRN). The complete set of comments and dispositions are provided in a link provided below.

Simultaneously, NIST is releasing a revised draft of Special Publication 800-76-2, Biometric Specifications for Personal Identity Verification, supporting the Revised Draft FIPS 201-2. Comments are also invited by August 10, 2012, using the dedicated template listed below.

The public workshop on the Revised Draft FIPS 201-2 will be held on Wednesday, July 25, 2012, at NIST in Gaithersburg, Maryland, which may also be attended remotely via webcast. The purpose of the workshop is to exchange information on the Revised Draft FIPS 201-2, and to answer questions and provide clarifications regarding the Revised Draft. The agenda and related information for the public workshop, including information about the webcast, will be available before the workshop on the NIST Computer Security Resource Center Web site at http://csrc.nist.gov. Anyone wishing to attend the workshop in person must pre-register at http://www.nist.gov/itl/csd/ct/fips201-2_workshop_2012.cfm by 5:00pm Eastern Time on Monday, July 18th, 2012, in order to enter the NIST facility and attend the workshop.

Revised_Draft_FIPS-201-2

Revised Draft FIPS 201-2 Track-Change version

Comments_and_Dispositions_on_the_2011_Draft

NOTE: Draft SP 800-76-2 has been approved as final (July 2013)


NIST Released Special Publication 800-121 Revision 1, Guide to Bluetooth Security
June 12, 2012
 
NIST announces the final release of Special Publication (SP) 800-121 Revision 1, Guide to Bluetooth Security. It describes the security capabilities of technologies based on Bluetooth, which is an open standard for short-range radio frequency communication. The document gives recommendations to organizations employing Bluetooth technologies on securing them effectively. Significant changes from the original SP 800-121 include adding the latest vulnerability mitigation information for Secure Simple Pairing, and introducing and discussing Bluetooth v3.0 + High Speed and Bluetooth v4.0 (Low Energy) security mechanisms and recommendations.


National Cybersecurity Center of Excellence (NCCoE) Workshop
June 6, 2012
 
NIST is hosting the National Cybersecurity Center of Excellence (NCCoE) Workshop on June 26, 2012 to introduce the Center to the public. The Center plans to bring together industry, government and business communities to address present-day cybersecurity challenges, integrate emerging technologies, and demonstrate cost-effective solutions.
 
The workshop will present:
   - The proposed business model and approach;
   - How the Center plans on building cybersecurity architectures and materials; and
   - How the public can engage.
 
The Center is looking to the various communities for participation and feedback on the Center's planned efforts. The Center is a collaboration of NIST, the State of Maryland Department of Economic Development and Montgomery County, Maryland.
 
Please go to http://www.nist.gov/itl/csd/nccoe-workshop.cfm for registration and more information.

The URL to the NCCoE website is: http://csrc.nist.gov/nccoe/


NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations
May 29, 2012
 
The final version of NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, is NIST’s general guide to cloud computing. It explains cloud systems in plain language and provides recommendations for information technology decision makers ranging from chief information officers to information systems developers, system and network administrators, information system security officers, and system owners. This document presents information on how clouds are deployed, what kinds of services are available, economic considerations, technical characteristics such as performance and reliability, typical terms of service, and security issues. It also offers recommendations on how and when cloud computing is an appropriate tool, and surveys open issues for cloud computing.


DRAFT NISTIR 7848, Specification for the Asset Summary Reporting Format 1.0
May 8, 2012
 
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7848, Specification for the Asset Summary Reporting Format 1.0. NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model and exchange format for expressing summary information relative to one or more metrics. ASR reduces the bandwidth required to report information about assets in the aggregate, since it allows aggregates to be reported relative to metrics instead of reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and leverages widely adopted, open specifications; it is flexible and suited to a wide variety of reporting applications.
 
NIST requests public comments on draft NISTIR 7848 by June 6, 2012. Comments should be sent to asr-comments@nist.gov.


Proposed Change to Federal Information Processing Standard 186-3, the Digital Signature Standard
April 10, 2012
 
NIST requests comments on proposed changes to Federal Information Processing Standard 186-3, the Digital Signature Standard. The Federal Register Notice requests that electronic comments be sent by May 25, 2012 to: fips_186-3_change_notice@nist.gov, with "186-3 Change Notice" in the subject line. The proposed revisions are available on the CSRC DRAFTS page; links are provided on the Drafts page for (1) the Proposed Change Notice for FIPS 186-3 and (2) the currently approved FIPS 186-3 document, released in June 2009.

The Federal Register Notice is available from the Federal Register.gov website.


SECOND Public DRAFT of NIST Interagency Report 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
March 23, 2012
 
NIST announces the second public draft of NIST Interagency Report (NISTIR) 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems. This publication is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain risk. It seeks to equip federal departments and agencies with a notional set of repeatable and commercially reasonable supply chain assurance methods and practices that offer a means to obtain an understanding of, and visibility throughout, the supply chain.
 
NIST requests comments on draft NISTIR 7622 by May 25, 2012 (NOTE: the due date has been extended from May 11 to May 25). Please submit comments to scrm-nist@nist.gov with "Comments NISTIR 7622" in the subject line. Comments should be submitted using the comments template (Microsoft Excel file).

The same announcement with links to this draft can also be located on the CSRC Drafts page.


Markup Copies of Appendices D, F, and G for Draft Special Publication 800-53 Revision 4 are now available
March 8, 2012
 
NIST announces the markup version of NIST Special Publication 800-53, Revision 4 (Initial Public Draft), Security and Privacy Controls for Federal Information Systems and Organizations. The markup includes: Appendix D (Security Control Baselines—Summary), Appendix F (Security Control Catalog), and Appendix G (Information Security Programs).


Announcing Approval of Federal Information Processing Standard (FIPS) Publication 180-4, Secure Hash Standard (SHS); a Revision of FIPS 180-3
March 6, 2012
 
The Secretary of Commerce has approved Federal Information Processing Standard (FIPS) Publication 180-4, Secure Hash Standard (SHS). FIPS 180-4 updates FIPS 180-3 by providing a general procedure for creating an initialization value, adding two additional secure hash algorithms to the Standard (SHA-512/224 and SHA-512/256) and removing a restriction that padding must be done before hash computation begins, which was required in FIPS 180-3. The Federal Register Notice of the approval of FIPS 180-4 is available to review.


DRAFT Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (Initial Public Draft)
February 28, 2012
 
NIST announces the Initial Public Draft of Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 4, represents the culmination of a year-long initiative to update the content of the security controls catalog and the guidance for selecting and specifying security controls for federal information systems and organizations. The project was conducted as part of the Joint Task Force Transformation Initiative in cooperation and collaboration with the Department of Defense, the Intelligence Community, the Committee on National Security Systems, and the Department of Homeland Security. The proposed changes included in Revision 4 are directly linked to the current state of the threat space (i.e., capabilities, intentions, and targeting activities of adversaries) and the attack data collected and analyzed over a substantial time period. In particular, the major changes in Revision 4 include:

  • New security controls and control enhancements;
  • Clarification of security control requirements and specification language;
  • New tailoring guidance including the introduction of overlays;
  • Additional supplemental guidance for security controls and enhancements;
  • New privacy controls and implementation guidance;
  • Updated security control baselines;
  • New summary tables for security controls to facilitate ease-of-use; and
  • Revised minimum assurance requirements and designated assurance controls.
Many of the changes were driven by particular cyber security issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT). In most instances, with the exception of the new privacy appendix, the new controls and enhancements are not labeled specifically as “cloud” or “mobile computing” controls or placed in one section of the catalog. Rather, the controls and enhancements are distributed throughout the control catalog in various families and provide specific security capabilities that are needed to support those new computing technologies and computing approaches. The breadth and depth of the security and privacy controls in the control catalog must be sufficiently robust to protect the wide range of information and information systems supporting the critical missions and business functions of the federal government—from the Department of Homeland Security, to the DoD warfighters, to the Federal Aviation Administration, to the Social Security Administration. As the federal government continues to implement its unified information security framework using the core publications developed under the Joint Task Force, there is also a significant transformation underway in how federal agencies authorize their information systems. Near real-time risk management and the ability to design, develop, and implement effective continuous monitoring programs depend first and foremost on the organization’s ability to develop a strong information technology infrastructure—in essence, building stronger, more resilient information systems using system components with sufficient security capability to protect core missions and business functions.
The security and privacy controls in this publication, along with the flexibility inherent in the implementation guidance, provide the requisite tools to implement effective, risk-based, cyber security programs—capable of addressing the most sophisticated of threats on the horizon.
 
Public comment period: February 28th through April 6th, 2012. This will be the only comment period. Publication of the final document is anticipated in July 2012. Comments can be sent to: sec-cert@nist.gov.
 
To support the public review process, NIST will publish a markup version of Appendices D, F and G. This will help organizations plan for any future update actions they may wish to undertake after Revision 4 is finalized. There will not be any markups provided for the main chapters or the other appendices.


Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs)
February 21, 2012
 
NIST announces the final release of Special Publication (SP) 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs). The purpose of this publication is to provide organizations with recommendations for improving the security configuration and monitoring of their IEEE 802.11 wireless local area networks (WLANs) and their devices connecting to those networks. Recommendations in SP 800-153 cover topics such as standardized WLAN security configurations, dual connected WLAN client devices, and security assessments and continuous monitoring. This publication supplements, and does not replace, other NIST publications on WLAN security.


Report Issued by University of Maryland's Supply Chain Management Center
February 3, 2011
 
NIST is pleased to announce the release of a report by the University of Maryland’s Supply Chain Management Center. The report, which stems from a NIST grant, inventories existing ICT supply chain initiatives and formulates a framework for defining ICT supply chain risk management (SCRM) architectures. The report builds on the work from a previous NIST grant to the University of Maryland, which profiles the ICT SCRM governance strategies and practices of over 200 key Federal government vendors. These reports will help guide NIST’s work in the area of ICT SCRM.


DRAFT Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide
February 1, 2012
 
NIST announces the public comment release of draft Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide. It seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. The publication includes guidelines on establishing an effective incident response program, as well as detecting, analyzing, prioritizing, and handling incidents. SP 800-61 Revision 2 updates the previous revision, which was released in 2008. A detailed change log is provided in Appendix H.
 
NIST requests comments on draft SP 800-61 Revision 2 by March 16th, 2012. Please submit comments to 800-61rev2-comments@nist.gov with "Comments SP 800-61" in the subject line.


NIST Released Special Publication 800-144 Guidelines on Security and Privacy in Public Cloud Computing
January 22, 2012
 
NIST is pleased to announce the release of Special Publication (SP) 800-144, Guidelines on Security and Privacy in Public Cloud Computing. SP 800-144 provides an overview of the security and privacy challenges for public cloud computing and gives recommendations that organizations should consider when outsourcing data, applications, and infrastructure to a public cloud environment.


NIST Released Draft NIST Interagency Report (IR) 7817, A Credential Reliability and Revocation Model for Federated Identities
January 18, 2012
 
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7817, A Credential Reliability and Revocation Model for Federated Identities. NISTIR 7817 investigates credential and attribute revocation, with a particular focus on identifying missing requirements for revocation. As a by-product of the analysis and recommendations, this document also suggests a model for credential reliability and revocation services that serves to eliminate some of the missing requirements.
 
NIST requests public comments on draft NISTIR 7817 by February 17, 2012. Comments should be sent to URRS@nist.gov.
