
Draft Publications

Below are drafts of NIST computer security publications--FIPS, Special Publications and NISTIRs--that have been released for public review and comment.

List of current CSD Publications (Final & Draft)

Apr 4, 2014

FIPS 202

DRAFT SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

The Proposed SHA-3 Standard, DRAFT FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, is now available. A 90-day public comment period will be provided AFTER the Federal Register announces the publication of this Draft Standard. The Federal Register Notice, to be published in the near future, will also provide instructions for how to submit public comments. More details, including the specific submission deadline, will be provided when such information becomes available.
 
For details on the SHA-3 standardization effort, please refer to this page: http://csrc.nist.gov/groups/ST/hash/sha-3/sha-3_standardization.html.

Draft FIPS 202 (523 KB)

Mar. 14, 2014

SP 800-16 Rev. 1 (3rd draft)

DRAFT A Role-Based Model for Federal Information Technology / Cyber Security Training (3rd public draft)

NIST announces the release of Draft Special Publication (SP) 800-16 Revision 1 (3rd public draft), A Role-Based Model For Federal Information Technology/Cyber Security Training, for public comment. SP 800-16 describes information technology / cyber security role-based training for Federal Departments, Agencies and Organizations (Federal Organizations). Its primary focus is to provide a comprehensive, yet flexible, training methodology for the development of training courses or modules for personnel who have been identified as having significant information technology / cyber security responsibilities.
 
Please submit comments to sp80016-comments@nist.gov with “Comments on SP 800-16 Rev 1 (3rd draft)” in the subject line.
 
The public comment period closes on April 30, 2014.

Draft SP 800-16 Rev. 1 (3rd draft) (2.0 MB)

Mar. 13, 2014

SP 800-56 B Rev. 1

DRAFT Recommendation for Pair-Wise Key-Establishment Schemes Using Integer Factorization Cryptography

NIST announces the release of the draft revision of Special Publication 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography. SP 800-56B specifies key-establishment schemes based on the Rivest-Shamir-Adleman (RSA) algorithm. This revision updates the August 2009 version. The main changes are listed in Appendix D.
 
Please submit comments to 56B2014rev-comments@nist.gov with "Comments on SP 800-56B (Revision 1)" in the subject line. The comment period closes on May 15, 2014.

Draft SP 800-56B Revision 1 (975 KB)

Mar 7, 2014

SP 800-157

DRAFT Guidelines for Derived Personal Identity Verification (PIV) Credentials

NIST announces that Draft Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, is now available for public comments. Draft SP 800-157 defines a technical specification for implementing and deploying Derived PIV Credentials to mobile devices, such as smart phones and tablets. The goal of the Derived PIV Credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems.
 
The public comment period closes on April 21, 2014.
 
There is a comment template provided for submitting comments for this draft SP - see link below. Comments on this publication may be submitted to piv_comments@nist.gov.

Draft SP 800-157 (419 KB)
Comment Template for Draft SP 800-157 (38 KB)

Mar. 7, 2014

NIST IR 7981

DRAFT Mobile, PIV, and Authentication

NIST announces the public comment release of NIST IR 7981, Mobile, PIV, and Authentication. NIST IR 7981 analyzes and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.
 
The public comment period closes on April 21, 2014.
 
There is a comment template provided for submitting comments for this draft NISTIR - see link below. Comments on this publication may be submitted to piv_comments@nist.gov.

Draft NISTIR 7981 (202 KB)
Comment Template for Draft NISTIR 7981 (32 KB)

Feb. 18, 2014

NIST IR 7977

DRAFT NIST Cryptographic Standards and Guidelines Development Process

Summary:
NIST requests comments on Draft NIST Interagency Report 7977, NIST Cryptographic Standards and Guidelines Development Process. This document describes the principles, processes and procedures behind our cryptographic standards development efforts. Please send comments to crypto-review@nist.gov by April 18, 2014.
 
Background:
In November 2013, NIST initiated a review of its cryptographic standards development process in response to public concerns about the security of NIST cryptographic standards and guidelines.
 
To enable this review, we have compiled information about the principles, processes and procedures that drive our cryptographic standards development efforts to help the public understand how we develop our standards. This information is being published in draft NIST IR 7977, NIST Cryptographic Standards and Guidelines Development Process. We are soliciting public comments on this draft NIST IR to obtain feedback on the mechanisms we use to engage experts in industry, academia and government to develop these standards.
 
We will review all public comments, post them on the CSRC website, and publish a revised NIST IR based on the feedback we receive. This revised publication will serve as basis for our future standards development efforts.
 
The revised NIST IR 7977 will also serve as the basis for a review of our existing body of cryptographic work. We will examine the procedures used to develop each of our cryptographic standards or guidelines to ensure they were developed in accordance with the principles outlined in NIST IR 7977. If any current guidance does not meet the high standards set out in this process, we will address these issues as quickly as possible, taking into consideration the process used to develop the guidance and a technical review of the affected cryptographic algorithms or schemes.
 
Note to Reviewers:
As part of your review of NIST IR 7977, we request comments on the following topics:
 
    • Are there other principles that we should use to drive our standards development efforts?
    • What are the most effective processes identified in the draft for engaging the cryptographic community for providing the necessary inclusivity and transparency to develop strong, trustworthy standards? Are there other processes we should consider?
    • Do these processes include appropriate mechanisms to ensure proposed standards are thoroughly reviewed and interested parties’ views are heard? Are there other mechanisms that should be included in our process?
    • What are other communication channels that NIST should consider to effectively communicate with its stakeholders?

Draft NISTIR 7977 (208 KB)

Jan. 27, 2014

SP 800-168

DRAFT Approximate Matching: Definition and Terminology

NIST requests comments on the Draft of Special Publication (SP) 800-168, Approximate Matching: Definition and Terminology. SP 800-168 contains a definition for approximate matching, including requirements and considerations for testing. Approximate matching is an emerging technology for identifying similarities between two digital artifacts. It is used to find objects that resemble each other to support security monitoring, digital forensics and other applications. Please send comments to match@nist.gov by March 21, 2014, with “Comments on SP 800-168” on the subject line.

Draft SP 800-168

Jan 7, 2014

SP 800-152

DRAFT A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)

NIST requests comments on the Draft of Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems. SP 800-152 contains requirements for the design, implementation, procurement, installation, configuration, management, operation, and use of a CKMS by U.S. Federal organizations. The Profile is based on SP 800-130, A Framework for Designing Cryptographic Key Management Systems (CKMS).
 
The public comment period closed on March 5, 2014.

Draft SP 800-152 (1.1 MB)
Comments Received on Draft SP 800-152

Dec 13, 2013

NIST IR 7863

DRAFT Cardholder Authentication for the PIV Digital Signature Key

NIST is pleased to announce that Draft NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key, is available for public comment. NISTIR 7863 provides clarification for the requirement in FIPS 201-2 that a PIV cardholder perform an explicit user action prior to each use of the digital signature key stored on the card.
 
The public comment period closed on January 17, 2014.

Draft NISTIR 7863 (147 KB)
Comment Template for Submitting Comments (25 KB)

Oct. 25, 2013

NIST IR 7628 Rev. 1

DRAFT Guidelines for Smart Grid Cybersecurity:
Vol. 1 - Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements
Vol. 2 - Privacy and the Smart Grid
Vol. 3 - Supportive Analyses and References

The National Institute of Standards and Technology (NIST) seeks comments on draft NISTIR 7628 Revision 1, Guidelines for Smart Grid Cyber Security. The comment period will be open from October 25 through December 23, 2013. Draft NISTIR 7628 Rev. 1 was completed by the NIST-led Smart Grid Cybersecurity Committee (formerly the Cyber Security Working Group) of the Smart Grid Interoperability Panel. The document has been updated to address changes in technologies and implementations since the release of NISTIR 7628 in September 2010. In addition, the document development strategy, cryptography and key management, privacy, vulnerability classes, research and development topics, standards review, and key power system use cases have been updated and expanded to reflect changes in the Smart Grid environment since 2010. The final version is expected to be posted in the spring of 2014.
 
Below are 6 links - the first 3 are for the NISTIR 7628 Rev. 1 which are broken down into 3 separate files (Volume 1, Volume 2, and Volume 3 in that order). Then the last 3 links provided are
 
The public comment period closed on December 24, 2013.
 
Alternatively you may mail comment forms to:
National Institute of Standards and Technology
Attn: Computer Security Division
Information Technology Laboratory
100 Bureau Drive, Mail Stop 8930
Gaithersburg, MD 20899-8930

Draft NISTIR 7628 Rev. 1, Vol. 1
Draft NISTIR 7628 Rev. 1, Vol. 2
Draft NISTIR 7628 Rev. 1, Vol. 3
Vol. 1 Comment Template
Vol. 2 Comment Template
Vol. 3 Comment Template

Sep. 24, 2013

SP 800-52 Rev. 1

DRAFT Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations

NIST announces the release of draft Special Publication (SP) 800-52 (Revision 1), Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, for public comment. TLS provides mechanisms to protect sensitive data during electronic dissemination across networks. This Special Publication provides guidance on the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms. The revised guidelines include the required support of TLS version 1.1, recommended support of TLS version 1.2, guidance on certificate profiles and validation methods, TLS extension recommendations, and support for a greater variety of FIPS-based cipher suites.
 
The public comment period closed on December 13, 2013.

Draft SP 800-52 Revision 1 (732 KB)
Template for Submitting Comments (25 KB)

Sep. 9, 2013

SP 800-90 A Rev. 1, B, and C

DRAFT SP 800-90 Series: Random Bit Generators
800-90 A Rev. 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
800-90 B: Recommendation for the Entropy Sources Used for Random Bit Generation
800-90 C: Recommendation for Random Bit Generator (RBG) Constructions

In light of recent reports, NIST is reopening the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C.
NIST is interested in public review and comment to ensure that the recommendations are accurate and provide the strongest cryptographic recommendations possible.
The public comment period closed on November 6, 2013.
 
In addition, the Computer Security Division has released a supplemental ITL Security Bulletin titled "NIST Opens Draft Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, For Review and Comment (Supplemental ITL Bulletin for September 2013)" to support the draft revision effort.

Draft SP 800-90 A Rev. 1 (721 KB)
Draft SP 800-90 B (800 KB)
Draft SP 800-90 C (1.1 MB)
Comments Received Draft SP 800-90 A Rev. 1, B and C (469 KB)

Sep. 4, 2013

SP 800-101 Rev. 1

DRAFT Guidelines on Mobile Device Forensics

NIST announces the public comment release of draft Special Publication (SP) 800-101 (Revision 1), Guidelines on Mobile Device Forensics. Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This guide attempts to bridge the gap by providing an in-depth look into mobile devices and explaining technologies involved and their relationship to forensic procedures. This document covers mobile devices with features beyond simple voice communication and text messaging capabilities. This guide also discusses procedures for the validation, preservation, acquisition, examination, analysis, and reporting of digital information.
 
The public comment period closed on October 4, 2013.

Draft SP 800-101 Rev. 1

Sep. 4, 2013

NIST IR 7946

DRAFT CVSS Implementation Guidance

NIST announces the release of Draft NIST Interagency Report (NISTIR) 7946, CVSS Implementation Guidance, for public review and comment. This Interagency Report provides guidance to individuals scoring IT vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 2.0 scoring metrics. The guidance in this document is the result of applying the CVSS specification to score over 50,000 vulnerabilities analyzed by the National Vulnerability Database (NVD). An overview of the CVSS base metrics is first presented followed by guidance for difficult and/or unique scoring situations. To assist vulnerability analysts, common keywords and phrases are identified and accompanied by suggested scores for particular types of software vulnerabilities. The report includes a collection of scored IT vulnerabilities from the NVD, alongside a justification for the provided score. Finally, this report contains a description of the NVD’s vulnerability scoring process.
 
The public comment period closed on October 4, 2013.
 
Comments on this publication may be submitted to: nistir7946-comments@nist.gov

Draft NISTIR 7946 (652 KB)
Template for Submitting Comments (29 KB)

Aug. 16, 2013

SP 800-161

DRAFT Supply Chain Risk Management Practices for Federal Information Systems and Organizations

This document provides guidance to federal departments and agencies on identifying, assessing, and mitigating Information and Communications Technology (ICT) supply chain risks at all levels in their organizations. It integrates ICT supply chain risk management (SCRM) into federal agency enterprise risk management activities by applying a multi-tiered SCRM-specific approach, including supply chain risk assessments and supply chain risk mitigation activities and guidance.
 
The public comment period closed on November 1, 2013.

Draft SP 800-161
Template for Submitting Public Comments

July 8, 2013

SP 800-38 G

DRAFT Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption

NIST is pleased to announce that Draft NIST Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, is available for public comment. Format-preserving encryption (FPE) has emerged as a useful cryptographic tool, whose applications include financial-information security, data sanitization, and transparent encryption of fields in legacy databases.
 
Three methods are specified in this publication: FF1, FF2, and FF3. Each is a format-preserving, Feistel-based mode of operation of the AES block cipher. FF1 was submitted to NIST by Bellare, Rogaway and Spies under the name FFX[Radix]; FF2 was submitted to NIST by Vance under the name VAES3; and FF3 is the main component of the BPS mechanism that was submitted to NIST by Brier, Peyrin, and Stern. The submission documents are available at http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html.
 
The public comment period closed on September 3, 2013.

Draft SP 800-38G (1.3 MB)

May 13, 2013

SP 800-78-4

DRAFT Cryptographic Algorithms and Key Sizes for Personal Identity Verification

NIST announces the public comment release of Draft Special Publication SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV). The document has been modified 1) to align with the Candidate Final FIPS 201-2 and Draft SP 800-73-4 and 2) to add requirements for Cryptographic Algorithm Validation Program (CAVP) validation testing. In particular, the following changes are introduced in Draft SP 800-78-4:
 
    • Algorithm and key size requirements for the optional PIV Secure Messaging key have been added.
    • RSA public keys may only have a public exponent of 65,537. (Client applications are still encouraged to be able to process RSA public keys that have any public exponent that is an odd positive integer greater than or equal to 65,537 and less than 2^256.)
    • A new Section was added to provide requirements for CAVP validation testing.
 
Except for minor editorial changes, all changes can be reviewed with the track-change version of Draft SP 800-78-4 (see 2nd link below to view file with track changes).
 
The public comment period closed on June 14, 2013.

Draft SP 800-78-4 (307 KB)
Tracking changes from SP 800-78-3 (272 KB)
Template for Submitting Public Comments (25 KB)

May 13, 2013

SP 800-73-4

DRAFT Interfaces for Personal Identity Verification (3 Parts)
Part 1 - PIV Card Application Namespace, Data Model and Representation
Part 2 - PIV Card Application Card Command Interface
Part 3 - PIV Client Application Programming Interface

NIST announces that Draft Special Publication (SP) 800-73-4, Interfaces for Personal Identity Verification, has been released for public comment. The Draft SP 800-73-4 is updated to align with Candidate Final FIPS 201-2. Major changes in Draft SP 800-73-4 include:
 
    • Removal of Part 4, The PIV Transitional Data Model and Interfaces;
    • The addition of specifications for secure messaging and the virtual contact interface, both of which are optional to implement;
    • The specification of an optional Cardholder Universally Unique Identifier (UUID) as a unique identifier for a cardholder;
    • The specification of an optional on-card biometric comparison mechanism, which may be used as a means of performing card activation and as a PIV authentication mechanism; and
    • The addition of a requirement for the PIV Card Application to enforce a minimum PIN length of six digits.
 
Except for minor editorial changes, all changes can be reviewed with the track-change version (See Track Change file for Part 1-3 below) of Draft SP 800-73-4.
 
The public comment period closed on June 14, 2013.

Part 1: PIV Card Application Namespace, Data Model and Representation (933 KB)
Part 2: PIV Card Application Card Command Interface (592 KB)
Part 3: PIV Client Application Programming Interface (220 KB)
Part 1 (tracking changes from SP 800-73-3) (907 KB)
Part 2 (tracking changes from SP 800-73-3) (609 KB)
Part 3 (tracking changes from SP 800-73-3) (188 KB)
Template for Submitting Public Comments (24 KB)

Apr 2013

NIST IR 7924

DRAFT Reference Certificate Policy

NIST announces the public comment release of Draft Interagency Report (IR) 7924, Reference Certificate Policy. The purpose of this document is to identify a set of security controls and practices to support the secure issuance of certificates. It was written in the form of a Certificate Policy (CP), a standard format for defining the expectations and requirements of the relying party community that will trust the certificates issued by its Certificate Authorities (CAs).
 
This new draft document, based on the Federal Public Key Infrastructure Common Policy, was developed with a particular emphasis on identifying stronger computer, lifecycle and network security controls.
 
The public comment period closed on June 7, 2013.

Draft NISTIR 7924 (636 KB)
Template for Submitting Public Comments (87 KB)

Dec. 21, 2012

NIST IR 7904

DRAFT Trusted Geolocation in the Cloud: Proof of Concept Implementation

NIST announces the public comment release of Draft Interagency Report (IR) 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation. This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof of concept implementation that was designed to address those challenges. The publication provides sufficient details about the proof of concept implementation so that organizations can reproduce it if desired. The publication is intended to be a blueprint or template that can be used by the general security community to validate and implement the described proof of concept implementation.
 
The public comment period closed on January 31, 2013.

Draft NISTIR 7904 (1.9 MB)

Oct. 31, 2012

SP 800-164

DRAFT Guidelines on Hardware-Rooted Security in Mobile Devices

NIST announces the public comment release of the draft NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices. The guidelines in this document are intended to provide a common baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own Device, BYOD). It focuses on providing three security capabilities (device integrity, isolation, and protected storage) through the use of hardware-based roots of trust.
 
The intended audience for this document includes mobile Operating System (OS) vendors, device manufacturers, security software vendors, carriers, application software developers and information system security professionals who are responsible for managing the mobile devices in an enterprise environment.
 
The public comment period closed on December 14, 2012.

Draft SP 800-164 (340 KB)

Sep. 6, 2012

SP 800-88 Rev. 1

DRAFT Guidelines for Media Sanitization

NIST announces the release of Draft Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, for public review and comment. SP 800-88 discusses methods, techniques and best practices for the sanitization of target data on different media types, and risk-based approaches organizations can apply to establish and maintain a media sanitization program.
 
The public comment period closed on November 30, 2012.

Draft SP 800-88 Rev. 1 (428 KB)

July 30, 2012

SP 800-147 B

DRAFT BIOS Protection Guidelines for Servers

NIST announces the public comment release of the draft NIST SP 800-147B, BIOS Protection Guidelines for Servers. This guide is intended to mitigate threats to the integrity of fundamental system firmware, commonly known as the Basic Input/Output System (BIOS), in server-class systems. This guide identifies security requirements and guidelines for a secure BIOS update process, using digital signatures to authenticate updates. The intended audience for this document includes BIOS and platform vendors of server-class systems, and information system security professionals who are responsible for procuring, deploying, and managing servers.
 
This document is the second in a series of publications on BIOS protections. The first document, SP 800-147, BIOS Protection Guidelines, was released in April 2011 and provides guidelines for desktop and laptop systems deployed in enterprise environments. In the future, NIST intends to develop a new publication providing an overview of BIOS protections for IT security professionals to be released as SP 800-147 Rev. 1, and will reissue the current SP 800-147 as SP 800-147A at that time.
 
The public comment period closed on September 14, 2012.

Draft SP 800-147B (244 KB)

July 25, 2012

SP 800-94 Rev. 1

DRAFT Guide to Intrusion Detection and Prevention Systems (IDPS)

NIST announces the public comment release of Draft Special Publication (SP) 800-94 Revision 1, Guide to Intrusion Detection and Prevention Systems (IDPS). This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network behavior analysis (NBA), and host-based. Draft SP 800-94 Revision 1 updates the original SP 800-94, which was released in 2007.
 
The public comment period closed on August 31, 2012.

Draft SP 800-94 Rev. 1 (1.7 MB)

Jul. 10, 2012

NIST IR 7823

DRAFT Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework. Draft NISTIR 7823 proposes an example test framework and conformance test requirements for the firmware upgradeability process for the Advanced Metering Infrastructure (AMI) Smart Meters. The voluntary conformance test requirements in the Draft NISTIR 7823 are derived from the National Electrical Manufacturers Association (NEMA) Requirements for Smart Meter Upgradeability standard, which defines requirements for Smart Meter firmware upgradeability in the context of an AMI system for industry stakeholders such as regulators, utilities, and vendors. Draft NISTIR 7823 identifies test procedures that the vendors and testers can voluntarily use to demonstrate a system’s conformance with the NEMA standard.
 
The public comment period closed on August 9, 2012.

Draft NISTIR 7823 (4 MB)
Template for Submitting Public Comments (22 KB)

May 7, 2012

NIST IR 7848

DRAFT Specification for the Asset Summary Reporting Format 1.0

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7848, Specification for the Asset Summary Reporting Format 1.0. NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing the data exchange format of summary information relative to one or more metrics. ASR reduces the bandwidth requirement to report information about assets in the aggregate since it allows for reporting aggregates relative to metrics, as opposed to reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and leverages widely adopted, open specifications; it is flexible, and suited for a wide variety of reporting applications.
 
The public comment period closed on June 6, 2012.

Draft NISTIR 7848 (815 KB)

Jan. 20, 2012

NIST IR 7800

DRAFT Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7800, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains. This publication binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.
 
The public comment period closed on February 17, 2012.

Draft NISTIR 7800 (515 KB)

Jan. 6, 2012

SP 800-117 Rev. 1

DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2

NIST announces the public comment release of draft Special Publication (SP) 800-117 Revision 1, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2. The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP) version 1.2. This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP version 1.2 capabilities within their offerings. The intended audience for this document is individuals who have responsibilities for maintaining or verifying the security of systems in operational environments.
 
The public comment period closed on February 17, 2012.

Draft SP 800-117 Rev. 1 (153 KB)

Jan. 6, 2012

NIST IR 7799

DRAFT Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7799, Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications. This publication provides the technical specifications for the continuous monitoring (CM) reference model presented in NIST IR 7756. These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain agnostic, which means that they can be used for CM regardless of the data domain that is being monitored.
 
The public comment period closed on February 17, 2012.

Draft NISTIR 7799 (1.2 MB)

Jan. 6, 2012

NIST IR 7756

DRAFT CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture

NIST announces the second public comment release of Draft NIST Interagency Report (NISTIR) 7756, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture. This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security’s CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.
 
The public comment period closed on February 17, 2012.

Draft NISTIR 7756 (2nd public draft) (942 KB)

Dec. 8, 2011

SP 800-155

DRAFT BIOS Integrity Measurement Guidelines

NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow, or be part of, a sophisticated, targeted attack on an organization: either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.
 
The public comment period closed on January 20, 2012.

Draft SP 800-155 (816 KB)
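The following is an added illustration of what a measurement and reporting chain of the kind SP 800-155 describes looks like in code; it is not text or code from the NIST draft. It assumes a TPM-style register that can only be extended (new value = H(old value || measurement)), a boot-time measuring agent that records each firmware component in an event log, and a separate verifier holding golden measurements taken from a known-good system. The component names, firmware bytes and the all-zero reset value are constructed for the example.

```python
"""BIOS measurement-and-reporting chain (added example, not from SP 800-155).

A measuring agent hashes each firmware stage before it runs and folds the
digest into a register with extend(), so the final register value commits to
every component in boot order.  A verifier replays the event log to check it
is consistent with the reported register, then compares against golden
measurements.  Component names/bytes below are constructed for illustration.
"""
import hashlib

HASH = hashlib.sha256
PCR_INIT = bytes(HASH().digest_size)  # register reset value (assumed all-zero)


def measure(blob: bytes) -> bytes:
    """Digest of one firmware component."""
    return HASH(blob).digest()


def extend(register: bytes, digest: bytes) -> bytes:
    """TPM-style extend: the register can only be folded forward, never set."""
    return HASH(register + digest).digest()


def run_boot(components):
    """Simulate the measuring agent.  Returns (final register, event log),
    where the event log is a list of (component name, hex digest)."""
    register = PCR_INIT
    log = []
    for name, blob in components:
        d = measure(blob)
        register = extend(register, d)
        log.append((name, d.hex()))
    return register, log


def replay(log) -> bytes:
    """Recompute the register a given event log should produce."""
    register = PCR_INIT
    for _, hexdigest in log:
        register = extend(register, bytes.fromhex(hexdigest))
    return register


def verify_report(register: bytes, log, golden):
    """Measurement assessment.  'golden' is an ordered list of
    (component name, hex digest) captured from a trusted reference system.
    Returns (ok, list of problems)."""
    # 1. The log must reproduce the reported register, or it has been forged.
    if replay(log) != register:
        return False, ["event log does not reproduce reported register value"]
    # 2. Fast path: the whole chain matches the golden chain in order.
    if replay(golden) == register:
        return True, []
    # 3. Otherwise attribute the difference to specific components.
    problems = []
    golden_by_name = dict(golden)
    for i, (name, hexdigest) in enumerate(log):
        if i < len(golden) and golden[i][0] != name:
            problems.append(f"position {i}: expected {golden[i][0]}, got {name}")
        if name not in golden_by_name:
            problems.append(f"{name}: no golden measurement")
        elif golden_by_name[name] != hexdigest:
            problems.append(f"{name}: measurement mismatch")
    measured = {n for n, _ in log}
    for name, _ in golden:
        if name not in measured:
            problems.append(f"{name}: not measured")
    if not problems:
        problems.append("register mismatch with no attributable entry")
    return False, problems


if __name__ == "__main__":
    good = [("boot_block", b"bb v1"), ("main_bios", b"bios v1"), ("option_rom", b"rom v1")]
    golden_register, golden_log = run_boot(good)
    implanted = [("boot_block", b"bb v1"), ("main_bios", b"bios v1 IMPLANT"), ("option_rom", b"rom v1")]
    reg, log = run_boot(implanted)
    print(verify_report(reg, log, golden_log))
```

The order of checks matters: replaying the log against the reported register first means a log that has been edited to look clean is rejected before any per-component comparison, and comparing the full golden chain (not just the set of digests) catches a component that was skipped or run out of order even when every individual digest is a known-good value.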

Dec. 6, 2011

NIST IR 7831

DRAFT Common Remediation Enumeration (CRE) Version 1.0

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7831, Common Remediation Enumeration Version 1.0. NISTIR 7831 defines the Common Remediation Enumeration (CRE) specification. CRE is part of an emerging suite of enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities. Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier (CRE-ID). This specification describes the core concepts of CRE and the technical components of a CRE entry, outlines how CRE entries are created, and defines the technical requirements for constructing CRE entries.
 
The public comment period closed on January 20, 2012.

Draft NISTIR 7831 (978 KB)

Feb. 10, 2011

NIST IR 7670

DRAFT Proposed Open Specifications for an Enterprise Remediation Automation Framework

NIST announces the public comment release of the draft NIST Interagency Report (NISTIR) 7670, Proposed Open Specifications for an Enterprise Remediation Automation Framework. This report examines technical use cases for enterprise remediation, identifies high-level requirements for these use cases, and proposes a set of emerging specifications that satisfy those requirements.
 
The public comment period closed on March 11, 2011.

Draft NISTIR 7670 (333 KB)

Mar. 10, 2010

NIST IR 7669

DRAFT Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements

Draft NIST Interagency Report (IR) 7669, Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements, describes the requirements that must be met by products to achieve OVAL Validation. Validation is awarded based on a defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7669 has been written primarily for accredited laboratories and for vendors interested in receiving OVAL validation for their products.
 
The public comment period closed on April 9, 2010.

NISTIR 7669 (277 KB)

Dec. 11, 2009

FIPS 140-3

DRAFT Security Requirements for Cryptographic Modules (Revised Draft)

The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing.
 
The public comment period closed on March 11, 2010.
 
NOTE: Additional information regarding the FIPS 140-3 draft development can be found here on CSRC. Also, a complete set of all comments received in response to the July 2007 FIPS 140-3 draft and NIST’s responses to these comments are available.

Draft FIPS 140-3 (revised draft) (706 KB)
Comment template for Draft FIPS 140-3 (revised draft) (38 KB)
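As an added illustration of the pre-operational self-tests and software integrity test that the Revised Draft FIPS 140-3 text above refers to, the following is example code written for this page; it is not from the draft standard or from any validated module. It assumes a module that runs known-answer tests on its hash and keyed-hash primitives at power-on, then checks its own code against a reference HMAC-SHA-256 computed at build time, and refuses all cryptographic service while in the error state. The module bytes and the build-time key are constructed for the example; which integrity mechanisms and which self-test conditions are acceptable at each security level is defined by the standard, not by this snippet. The known-answer values used are the published SHA-256 digest of "abc" and the HMAC-SHA-256 of "The quick brown fox jumps over the lazy dog" under the key "key".

```python
"""Power-on self-test and software integrity test (added example, not from
FIPS 140-3).  Module code, integrity key and reference MAC are constructed."""
import hashlib
import hmac


class ModuleError(Exception):
    """Raised when a service is requested while the module is not operational."""


# Known-answer tests: each primitive is exercised on a fixed input and the
# result compared with its published answer before the primitive is trusted.
KATS = [
    ("SHA-256",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256",
     lambda: hmac.new(b"key", b"The quick brown fox jumps over the lazy dog",
                      hashlib.sha256).hexdigest(),
     "f7bc83f430538424b13298e6aa6fb143ef4d59a14946175997479dbc2d1a3cd8"),
]


def known_answer_tests():
    """Return the names of primitives whose KAT failed (empty list = pass)."""
    return [name for name, fn, expected in KATS if fn() != expected]


def build_reference_mac(code: bytes, key: bytes) -> bytes:
    """Run at build/sign time: the value the module will check itself against."""
    return hmac.new(key, code, hashlib.sha256).digest()


def integrity_test(code: bytes, key: bytes, reference_mac: bytes) -> bool:
    """Software integrity test: recompute the MAC over the module's own code
    and compare in constant time with the stored reference."""
    mac = hmac.new(key, code, hashlib.sha256).digest()
    return hmac.compare_digest(mac, reference_mac)


class CryptoModule:
    """Minimal module state machine: uninitialized -> operational | error."""

    def __init__(self, code: bytes, key: bytes, reference_mac: bytes):
        self.code, self.key, self.reference_mac = code, key, reference_mac
        self.state = "uninitialized"

    def power_on(self) -> str:
        """Pre-operational self-tests.  KATs run first so that the integrity
        test is computed by primitives already shown to work; any failure
        puts the module in the error state with no services available."""
        if known_answer_tests():
            self.state = "error"
        elif not integrity_test(self.code, self.key, self.reference_mac):
            self.state = "error"
        else:
            self.state = "operational"
        return self.state

    def digest(self, data: bytes) -> str:
        """A module service; refused unless self-tests have passed."""
        if self.state != "operational":
            raise ModuleError("module is not in the operational state")
        return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    code = b"constructed module image v1"
    key = b"constructed build-time integrity key"
    ref = build_reference_mac(code, key)
    print(CryptoModule(code, key, ref).power_on())            # operational
    print(CryptoModule(code + b"\x00", key, ref).power_on())  # error
```

Using a keyed hash means the verification key has to live with the module, so anyone who can modify the code can usually also recompute the MAC; a digital signature verified with an embedded public key removes that weakness at the cost of a signature verification at power-on. Either way the decisive property is the one the state machine enforces: no service is offered until the tests have passed.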

Sept. 11, 2009

SP 800-85 B-1

DRAFT PIV Data Model Conformance Test Guidelines

NIST produced a revised version of NIST Special Publication SP 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test the optional features added to the PIV Data Model in SP 800-73-2 Part 1, and updated tests to conform to the cryptographic migration timeline specified in SP 800-78-1. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85B-1.
 
The public comment period closed on September 25, 2009.

Draft SP 800-85B-1 (1.3 MB)
Summary of Changes from SP 800-85B (14 KB)
Template for Submitting Public Comments (18 KB)

July 14, 2009

SP 800-65 Rev. 1

DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)

NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.
 
The public comment period closed on August 14, 2009.

Draft SP 800-65 Rev. 1 (679 KB)

Apr. 21, 2009

SP 800-118

DRAFT Guide to Enterprise Password Management

NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
 
The public comment period closed on May 29, 2009.

Draft SP 800-118 (181 KB)

Sep. 29, 2007

NIST IR 7328

DRAFT Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems. This report provides an initial set of requirements that security assessment providers should satisfy to demonstrate the capability to conduct information system security control assessments in accordance with NIST standards and guidelines. This report also identifies some customer responsibilities in providing an effective and cooperative environment in which security assessments can take place, and in adequately preparing for security assessments. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe important for security assessment providers to demonstrate competence for a credentialing program. Based on the comments received, NIST will update and republish this report and use it as a reference in further development of a credentialing program for security assessment providers. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
 
The public comment period closed on November 30, 2007.

Draft NISTIR 7328 (327 KB)

Oct. 6, 2006

SP 800-103

DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation

NIST is pleased to announce the release of Draft Special Publication 800-103, An Ontology of Identity Credentials, Part I: Background and Formulation. SP 800-103 is available for a six-week public comment period. This document covers the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part II of this document will provide Extensible Markup Language (XML) schemas as a framework for the retention and exchange of identity credential information.
 
The public comment period closed on November 15, 2006.

Draft SP 800-103 (699 kB)