Computer Security Division Documents Guide: "Guide to NIST Information Security Documents."

Updated: August 2009
Posted: December 2009

*NOTE: Categories in the Families, Topic Clusters, and Legal Requirements listings are from the "Guide to NIST Information Security Documents."


Drafts

This page lists draft NIST publications (FIPS, Special Publications) that are either open for public review and comment, or awaiting approval as final documents by the Secretary of Commerce.


Jan. 31, 2012

SP 800-61 Rev. 2

DRAFT Computer Security Incident Handling Guide

NIST announces the public comment release of draft Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide. It seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. The publication includes guidelines on establishing an effective incident response program, as well as detecting, analyzing, prioritizing, and handling incidents. SP 800-61 Revision 2 updates the previous revision, which was released in 2008. A detailed change-log is provided in Appendix H.
 
NIST requests comments on draft SP 800-61 Revision 2 by March 16th, 2012. Please submit comments to 800-61rev2-comments@nist.gov with "Comments SP 800-61" in the subject line.

draft-sp800-61rev2.pdf (1.2 MB)

Jan. 20, 2012

NIST IR-7800

DRAFT Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7800, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains. This publication binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.
 
NIST requests comments on draft NISTIR 7800 by February 17th, 2012. Please send all comments to fe-comments@nist.gov.

Draft-NISTIR-7800.pdf (515 KB)

Jan. 6, 2012

SP 800-117 Rev. 1

DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2

NIST announces the public comment release of draft Special Publication (SP) 800-117 Revision 1, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2. The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP) version 1.2. This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP version 1.2 capabilities within their offerings. The intended audience for this document is individuals who have responsibilities for maintaining or verifying the security of systems in operational environments.
 
NIST requests comments on draft SP 800-117 Revision 1 by February 17th, 2012. Please send all comments to 800-117comments@nist.gov.

Draft-SP800-117-r1.pdf (153 KB)

Jan. 6, 2012

NIST IR-7817

DRAFT A Credential Reliability and Revocation Model for Federated Identities

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7817, A Credential Reliability and Revocation Model for Federated Identities. NISTIR 7817 investigates credential and attribute revocation with a particular focus on identifying missing requirements for revocation. As a by-product of the analysis and recommendations, this document also suggests a model for credential reliability and revocation services that serves to address some of the missing requirements. NIST requests public comments on draft NISTIR 7817 by February 17, 2012. Comments should be sent to URRS@nist.gov.

Draft-NISTIR-7817.pdf (142 KB)

Jan. 6, 2012

NIST IR-7799

DRAFT Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7799, Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications. This publication provides the technical specifications for the continuous monitoring (CM) reference model presented in NIST IR 7756. These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain agnostic, which means that they can be used for CM regardless of the data domain that is being monitored.
 
NIST requests comments on draft NISTIR 7799 by February 17th, 2012. Please send all comments to fe-comments@nist.gov.

Draft-NISTIR-7799.pdf (1.2 MB)

Jan. 6, 2012

NIST IR-7756

DRAFT CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture

NIST announces the second public comment release of Draft NIST Interagency Report (NISTIR) 7756, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture. This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security’s CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.
 
NIST requests comments on draft NISTIR 7756 by February 17th, 2012. Please send all comments to fe-comments@nist.gov.

Draft-NISTIR-7756_second-public-draft.pdf (942 KB)

Dec. 8, 2011

SP 800-155

DRAFT BIOS Integrity Measurement Guidelines

NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization: either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.
 
NIST requests comments on draft SP 800-155 by January 20, 2012. Please submit comments to 800-155comments@nist.gov, with "Comments SP 800-155" in the subject line.

draft-SP800-155_Dec2011.pdf (816 KB)

Dec. 6, 2011

NIST IR-7831

DRAFT Common Remediation Enumeration (CRE) Version 1.0

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7831, Common Remediation Enumeration Version 1.0. NISTIR 7831 defines the Common Remediation Enumeration (CRE) specification. CRE is part of an emerging suite of enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities. Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier (CRE-ID). This specification describes the core concepts of CRE and the technical components of a CRE entry, outlines how CRE entries are created, and defines the technical requirements for constructing CRE entries.
 
NIST requests public comments on draft NISTIR 7831 by January 20, 2012. Comments should be sent to remediation-comments@nist.gov.

Draft-NISTIR-7831.pdf (978 KB)

Nov. 17, 2011

NIST IR-7511 Rev. 3

DRAFT Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements

Updated to include US Government Configuration Baseline (USGCB) test requirements for Windows 7 and IE8. (2/10/2011)
 
Draft NIST Interagency Report (IR) 7511 Revision 3, Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements, describes the requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7511 Revision 3 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.
 
This update to Draft NIST Interagency Report (IR) 7511 Revision 3 includes changes to the Internet Connectivity requirements and clarifying language for several other requirements and test procedures.
 
If you have questions regarding this document, please send email to IR7511comments@nist.gov. The deadline to submit comments is December 16, 2011.

Draft-nistir-7511_R3.pdf
Draft-NISTIR-7511r2_update2.pdf
draft-nistir-7511_rev1.pdf

Sept. 27, 2011

SP 800-121 Rev. 1

DRAFT Guide to Bluetooth Security

NIST announces the public comment release of draft Special Publication (SP) 800-121 Revision 1, Guide to Bluetooth Security. It describes the security capabilities of technologies based on Bluetooth, which is an open standard for short-range radio frequency communication. The document gives recommendations to organizations employing Bluetooth technologies on securing them effectively. Significant changes from the original SP 800-121 include adding the latest vulnerability mitigation information for Secure Simple Pairing, and introducing and discussing Bluetooth v3.0 + High Speed and Bluetooth v4.0 Low Energy security mechanisms and recommendations.
 
NIST requests comments on draft SP 800-121 Revision 1 by October 28, 2011. Please send comments to 800-121comments@nist.gov, with "Comments on SP 800-121" in the subject line.

Draft-SP800-121_Rev1.pdf (1.8 KB)

Sept. 26, 2011

SP 800-153

DRAFT Guidelines for Securing Wireless Local Area Networks (WLANs)

NIST announces that draft Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs), is available for public comment. The purpose of this publication is to provide organizations with recommendations for improving the security configuration and monitoring of their IEEE 802.11 wireless local area networks (WLANs) and their devices connecting to those networks. Recommendations in draft SP 800-153 cover topics such as standardized WLAN security configurations, dual connected WLAN client devices, and security assessments and continuous monitoring. This publication supplements, and does not replace, other NIST publications on WLAN security.
 
NIST requests comments on draft SP 800-153 by October 28, 2011. Please submit comments to 800-153comments@nist.gov, with "Comments SP 800-153" in the subject line.

Draft-SP800-153.pdf (656 KB)

Sept. 19, 2011

SP 800-30 Rev. 1

DRAFT Guide for Conducting Risk Assessments

The National Institute of Standards and Technology (NIST) announces the initial public draft of Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments. Special Publication 800-30, Revision 1, is the fifth in the series of risk management and information security guidelines being developed by the Joint Task Force, a joint partnership among the Department of Defense, the Intelligence Community, NIST, and the Committee on National Security Systems. The partnership, under the leadership of the Secretary of Defense, the Director of National Intelligence, and the Secretary of Commerce, continues to collaborate on the development of a unified information security framework for the federal government to address the challenges of protecting federal information and information systems as well as the Nation’s critical information infrastructure.
 
In today’s world of complex and sophisticated threats, risk assessments are an essential tool for organizations to employ as part of a comprehensive risk management program. Risk assessments can help organizations:

  • Determine the most appropriate risk responses to ongoing cyber attacks or threats from man-made or natural disasters;
  • Guide investment strategies and decisions for the most effective cyber defenses to help protect organizational operations (including missions, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; and
  • Maintain ongoing situational awareness with regard to the security state of organizational information systems and the environments in which the systems operate.
This publication changes the focus of Special Publication 800-30, originally published as a risk management guideline. NIST Special Publication 800-39 has now replaced Special Publication 800-30 as the authoritative source of comprehensive risk management guidance. The update to Special Publication 800-30 focuses exclusively on risk assessments, one of the four steps in the risk management process. The risk assessment guidance in Special Publication 800-30 has been significantly expanded to include more in-depth information on a wide variety of risk factors essential to determining information security risk (e.g., threat sources and events, vulnerabilities and predisposing conditions, impact, and likelihood of threat occurrence). A three-step process is described including key activities to prepare for risk assessments, activities to successfully conduct risk assessments, and approaches to maintain the currency of assessment results.
 
In addition to providing a comprehensive process for assessing information security risk, the publication also describes how to apply the process at the three tiers in the risk management hierarchy—the organization level, mission/business process level, and information system level. To facilitate ease of use for individuals or groups conducting risk assessments within organizations, a set of exemplary templates, tables, and assessment scales for common risk factors is also provided. The templates, tables, and assessment scales give maximum flexibility in designing risk assessments based on the express purpose, scope, assumptions, and constraints established by organizations.
 
The public comment period for NIST Special Publication 800-30, Revision 1, is September 19 through November 4, 2011. Please send comments to sec-cert@nist.gov.

SP800-30-Rev1-ipd.pdf (823 KB)

Sept. 14, 2011

SP 800-107 Revised

DRAFT Recommendation for Applications Using Approved Hash Algorithms

NIST requests comments on Draft (Revised) Special Publication 800-107. This Special Publication provides security guidelines for achieving the desired security strengths of several cryptographic applications that employ the approved cryptographic hash functions specified in FIPS 180-4. The current version of this document was published in February 2009. This revision includes the security properties for SHA-512/224 and SHA-512/256, provides additional security information about HMAC and revises the discussions on hash-based Key Derivation Functions. Please provide comments by October 31st, 2011 to Revised_SP-800-107_Comments@nist.gov, with “Comments on Revised_SP-800-107” in the subject line.

Draft_Revised_SP800-107.pdf (1.2 MB)

Aug. 11, 2011

SP 800-38F

DRAFT Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping

NIST is pleased to announce that the Draft NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, is available for public comment. This publication describes cryptographic methods that are approved for "key wrapping," i.e., the protection of the confidentiality and integrity of cryptographic keys. In addition to describing existing methods, this publication specifies two deterministic authenticated encryption modes of operation of the Advanced Encryption Standard (AES) algorithm: the AES Key Wrap (KW) mode and the AES Key Wrap With Padding (KWP) mode. The analogous mode with the Triple Data Encryption Algorithm (TDEA) as the underlying block cipher, called TKW, is also specified to support legacy applications.
 
Public comments on Draft NIST SP 800-38F may be submitted to EncryptionModes@nist.gov until October 1, 2011.

Draft-SP800-38F_Aug2011.pdf (270 KB)

Aug. 1, 2011

SP 800-133

DRAFT Recommendation for Cryptographic Key Generation

NIST requests comments on Special Publication (SP) 800-133, Recommendation for Cryptographic Key Generation. Cryptography relies upon two basic components: an algorithm (or cryptographic methodology) and a cryptographic key. This Recommendation discusses the generation of the keys to be managed and used by NIST’s approved cryptographic algorithms. Please provide comments by September 30th, 2011 to SP-800-133_Comments@nist.gov, with “Comments on SP 800-133 Key Generation” in the subject line.

Draft-SP-800-133_Key-Generation.pdf (530 KB)

July 19, 2011

SP 800-53 Appendix J

DRAFT Privacy Control Catalog

The National Institute of Standards and Technology (NIST) announces the initial public draft of Special Publication 800-53, Appendix J, Privacy Control Catalog. With the increasing dependency on information systems, dramatic advances in information technologies, and significant growth in new applications of those technologies in such areas as cloud computing, smart grid, and mobile computing, information security and privacy are taking on new levels of importance in the public and private sectors. Privacy, with respect to personally identifiable information, is a core value that can be achieved only with appropriate legislation, policies, and associated controls to ensure compliance with requirements. In today’s digital world, effective privacy for individuals depends on a solid foundation of information security safeguards in the information systems that are processing, storing, and transmitting personally identifiable information. Privacy and security controls in federal information systems, programs, and organizations are complementary and mutually reinforcing in trying to achieve the privacy and security objectives of organizations. Appendix J, Privacy Control Catalog, is a new addition to NIST’s family of standards and guidelines that will be incorporated into the 2011 update to Special Publication 800-53, Revision 4, projected for release in December 2011. Due to the importance and special nature of the material in this Appendix, it is being publicly vetted separately from the other changes to the publication which will be released later this year. The objectives of the Privacy Appendix are fourfold:

  • Provide a structured set of privacy controls, based on international standards and best practices, that help organizations enforce requirements deriving from federal privacy legislation, policies, regulations, directives, standards, and guidance;
  • Establish a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements which may overlap in concept and in implementation within federal information systems, programs, and organizations;
  • Demonstrate the applicability of the NIST Risk Management Framework in the selection, implementation, assessment, and monitoring of privacy controls deployed in federal information systems, programs, and organizations; and
  • Promote closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.
The public comment period for NIST Special Publication 800-53, Appendix J, is July 19 through September 2, 2011. Please send comments to sec-cert@nist.gov.

IPDraft_800-53-privacy-appendix-J.pdf (254 KB)

May 12, 2011

SP 800-146

DRAFT Cloud Computing Synopsis and Recommendations

The cloud computing research team at the National Institute of Standards and Technology (NIST) is requesting public comments on a draft of its most complete guide to cloud computing to date.
 
Draft Special Publication 800-146, NIST Cloud Computing Synopsis and Recommendations, explains cloud computing technology in plain terms and provides practical information for information technology decision makers interested in moving into the cloud. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (for example networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
 
Comments for this draft should be sent to 800-146comments@nist.gov by June 13, 2011.
 
To view the press release from NIST's Public and Business Affairs office regarding this draft, please go to this NIST page: http://www.nist.gov/itl/csd/20110512_cloud_guide.cfm.

Draft-NIST-SP800-146.pdf (1.9 MB)

May 6, 2011

SP 800-57 Part 1

DRAFT Recommendation for Key Management: Part 1: General

NIST requests comments on a draft revision of Special Publication (SP) 800-57, Part 1, Recommendation for Key Management: Part 1: General. This revision is intended to align the document with SP 800-131A, as well as to provide a general update of the document, including references to NIST publications that have been completed since the last revision of SP 800-57. A general list of the changes is provided at the end of Appendix D, and except for some editorial changes, the changes within the document are marked. Please send comments to KeyManagement@nist.gov by July 1, 2011, with “SP 800-57, Part 1 comments” in the subject line.

Draft_SP800-57-Part1-Rev3_May2011.pdf (3.7 MB)
comments-received_draft-SP800-57-1.pdf

Apr. 18, 2011

SP 800-76-2

DRAFT Biometric Data Specification for Personal Identity Verification

NIST is pleased to announce the availability of the public comment draft of NIST Special Publication 800-76-2, Biometric Data Specification for Personal Identity Verification. The draft amends the 2007 specification SP 800-76-1 to include iris recognition and on-card fingerprint comparison, and to extend and refine the biometric sensor and performance specifications. Note that FIPS 201-2, the binding parent PIV specification, is simultaneously open for public comment (see http://csrc.nist.gov/publications/PubsDrafts.html#FIPS-201--2).
 
Written comments on SP 800-76-2 may be sent to: Patrick Grother, Information Access Division, Information Technology Laboratory, ATTN: Comments on Revision Draft SP 800-76-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 7740, Gaithersburg, MD 20899-7740.
 
Electronic comments on SP 800-76-2 should be drafted using this template and sent to: piv_comments@nist.gov. Comments must be received by June 6, 2011.

Draft_SP800-76-2.pdf (1.6 MB)
comments-template-for_draft-sp800-76-2.doc (38 KB)

Mar. 8, 2011

FIPS 201-2

DRAFT Personal Identity Verification (PIV) of Federal Employees and Contractors

NIST is Pleased to Announce the Public Comment Draft FIPS 201-2 and Associated Public Workshop
 
The NIST Computer Security Division is pleased to announce Draft Federal Information Processing Standard (FIPS) 201-2, Personal Identity Verification of Federal Employees and Contractors. Draft FIPS 201-2 amends FIPS 201-1 and includes adaptation to changes in the environment since the publication of FIPS 201-1, and specific changes requested by Federal agencies and implementers. Before recommending FIPS 201-2 to the Secretary of Commerce for review and approval, NIST invites comments from the public concerning the proposed changes. During the public comment period, NIST will also hold a public workshop at NIST in Gaithersburg, MD to present the Draft FIPS 201-2.
 
Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, ATTN: Comments on Revision Draft FIPS 201-2, National Institute of Standards and Technology, 100 Bureau Drive, Mail Stop 7730, Gaithersburg, MD 20899-7730.
 
Electronic comments may be sent to piv_comments@nist.gov. Comments must be received by June 6, 2011. The fourth link below this announcement provides a comment template in Microsoft Excel format. There are two PDF files of the Draft FIPS 201-2: the second link below is the draft document, and the third link provides the tracked changes made from FIPS 201-1 to draft FIPS 201-2.
 
Both FIPS 201-1 and Draft FIPS 201-2 are available electronically from the NIST web site at: http://csrc.nist.gov/publications/PubsFIPS.html. A summary of changes reflected in Draft FIPS 201-2 is available in the Federal Register Notice (FRN). The FRN can be found by clicking the first link below this announcement.
 
The public workshop on Draft FIPS 201-2 will be held Monday and Tuesday, April 18 and 19, 2011 at NIST in Gaithersburg, Maryland, and may also be attended remotely via webcast. The purpose of the workshop is to exchange information on Draft FIPS 201-2, and to answer questions and provide clarifications regarding the Draft. The agenda, webcast and related information for the public workshop will be available before the workshop on the NIST Computer Security Resource Center Web site at http://csrc.nist.gov. Anyone wishing to attend the workshop in person must pre-register at http://www.nist.gov/allevents.cfm by close of business Monday, April 11, 2011, in order to enter the NIST facility and attend the workshop.

Federal-Register-Notice_announcing-draft-FIPS-201-2.pdf (54 KB)
Draft_NIST-FIPS-201-2.pdf (2.3 MB)
Track-Changes_Draft_NIST-FIPS-201-2.pdf (2.3 MB)
Comment-Template_Draft-NIST-FIPS201-2.xls (24 KB)

Feb. 11, 2011

FIPS 180-4

DRAFT Secure Hash Standard (SHS)

NIST announces the release of draft Federal Information Processing Standard (FIPS) 180-4, Secure Hash Standard (SHS). Draft FIPS 180-4 is a proposed revision of FIPS 180-3. Draft FIPS 180-4 adds a general procedure for creating an initialization hash value and two additional secure hash algorithms: SHA-512/224 and SHA-512/256, and removes a requirement that padding must be done before hash computation begins. SHA-512/224 and SHA-512/256 may be more efficient alternatives to SHA-224 and SHA-256, respectively, on platforms that are optimized for 64-bit operations. Removing the restriction on the padding operation in the secure hash algorithms will potentially create more flexibility and efficiency in implementing the secure hash algorithms in many computer network applications. The Federal Register Notice (FRN) of this publication is located here. Examples of the implementation of the secure hash algorithms SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256, can be found at http://www.nist.gov/CryptoToolkitExamples.
 
Comments should be sent to Proposed180-4@nist.gov with the phrase “Comments on Draft FIPS 180-4” in the subject line. Comments must be received on or before May 12, 2011.

Draft-FIPS180-4_Feb2011.pdf (259 KB)
FRN_Draft-FIPS180-4.pdf (53 KB)

Feb. 10, 2011

SP 800-131C

DRAFT Transitions: Validating the Transition from FIPS 186-2 to FIPS 186-3

NIST requests comments on Draft Special Publication (SP) 800-131C, Transitions: Validating the Transition from FIPS 186-2 to FIPS 186-3. SP 800-131C addresses both the cryptographic algorithm validations and the cryptographic module validations that are conducted by NIST’s Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP), respectively. Please send comments to CryptoTransitions@nist.gov by March 31, 2011, with “SP 800-131C comments” in the subject line.
 
Please note: Draft Special Publication 800-131B, Transitions: Validation of Transitioning Cryptographic Algorithm and Key Lengths, is also available for public comment (see the draft document below for more details).

draft-SP800-131C_February2011.pdf (158 KB)
Comments-Received_draft-SP-800-131C.pdf (46 KB)

Feb. 10, 2011

SP 800-131B

DRAFT Transitions: Validation of Transitioning Cryptographic Algorithm and Key Lengths

NIST requests comments on Draft Special Publication (SP) 800-131B, Transitions: Validation of Transitioning Cryptographic Algorithm and Key Lengths. SP 800-131B provides details about the validation of the cryptographic algorithms and cryptographic modules in transition, as specified in SP 800-131A. Please send comments to CryptoTransitions@nist.gov by March 31, 2011, with “SP 800-131B comments” in the subject line.
 
Please note: Draft Special Publication 800-131C, Transitions: Validating the Transition from FIPS 186-2 to FIPS 186-3, is also available for public comment (see the draft document above for more details).

draft-SP800-131B_February2011.pdf (97 KB)
Comments-Received_draft-SP800-131B.pdf (88 KB)

Feb. 10, 2011

NIST IR-7670

DRAFT Proposed Open Specifications for an Enterprise Remediation Automation Framework

NIST announces the public comment release of the draft NIST Interagency Report (NISTIR) 7670, Proposed Open Specifications for an Enterprise Remediation Automation Framework. This report examines technical use cases for enterprise remediation, identifies high-level requirements for these use cases, and proposes a set of emerging specifications that satisfy those requirements.
 
NIST requests comments on draft NISTIR 7670 by March 11th, 2011. Please submit all comments to remediation-comments@nist.gov.

Draft-NISTIR-7670_Feb2011.pdf (333 KB)

Jun. 25, 2010

NIST IR-7622

DRAFT Piloting Supply Chain Risk Management Practices for Federal Information Systems

Draft NISTIR 7622, Piloting Supply Chain Risk Management Practices for Federal Information Systems, is intended to provide a wide array of practices that, when implemented, will help mitigate supply chain risk. It is our intent that organizations begin to pilot the activities and practices contained in this document and provide feedback on their practicality, feasibility, cost, challenges, and successes. This is the first step in a much larger initiative of developing a comprehensive approach to managing supply chain risks. Comments on the document should be sent to scrm-nist@nist.gov by August 15, 2010. Comments and lessons learned on piloting the practices should be sent to the same e-mail address by December 30, 2010.

draft-nistir-7622.pdf (777 KB)

Jun. 16, 2010

SP 800-130

DRAFT A Framework for Designing Cryptographic Key Management Systems

A draft of NIST Special Publication (SP) 800-130, A Framework for Designing Cryptographic Key Management Systems, is available for an initial public comment period. This document contains descriptions of Cryptographic Key Management System (CKMS) components that should be considered by a CKMS designer and specifies requirements for the documentation of those CKMS components in the design. Comments are due by August 17, 2010, and should be sent to CKMSDesignFramework@nist.gov with “Comments on CKMS Design Framework” in the subject line. Note that this document will be discussed at a Key Management Workshop scheduled for September 20-21, 2010 at NIST. See http://csrc.nist.gov/groups/ST/key_mgmt/ for more information on the workshop.

draft-sp800-130_june2010.pdf (558 KB)
comments-received-draft-sp800-130.pdf

Mar. 10, 2010

NIST IR-7669

DRAFT Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements

Draft NIST Interagency Report (IR) 7669, Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements, describes the requirements that products must meet to achieve OVAL Validation. Validation is awarded for a defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7669 has been written primarily for accredited laboratories and for vendors interested in receiving OVAL validation for their products.
 
If you have questions or want to send comments regarding this document, please send email to: IR7669comments@nist.gov. There is a 30-day period for comments and the deadline to submit comments is Friday, April 9, 2010.

draft-nistir-7669.pdf (277 KB)

Dec. 11, 2009

FIPS 140-3

DRAFT Security Requirements for Cryptographic Modules (Revised Draft)

The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to the 4 levels of security currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of a firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences from the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing.
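The pre-operational self-tests and integrity testing mentioned above are the part of a FIPS 140 module a practitioner most often has to build and review. The following is an added example written for this page, not code from NIST or from any validated module: it shows the usual order of a software module's power-on sequence (integrity test over the loaded code image first, then known-answer tests for the approved algorithms, then transition to the operational state) and the fail-closed behaviour, where any failure puts the module into an error state that refuses cryptographic services. The `CryptoModule` class, the integrity key, the stand-in code image and the `build_module` helper are all constructed for illustration; the SHA-256 and HMAC-SHA-256 known answers are the published values for SHA-256("abc") and RFC 4231 test case 2.

```python
"""Added example: pre-operational self-tests for a software crypto module.
Illustrative code written for this page; not NIST's or a validated module's."""
import hashlib
import hmac


class ModuleError(Exception):
    """Raised when a self-test fails or a service is requested in the error state."""


class CryptoModule:
    # Constructed for the example: a real module embeds its integrity key (or a
    # signature-verification key) and computes the reference MAC at build time.
    INTEGRITY_KEY = b"example-build-time-integrity-key"

    # Known-answer test vectors: SHA-256("abc"), and HMAC-SHA-256 with key "Jefe"
    # over "what do ya want for nothing?" (RFC 4231 test case 2).
    SHA256_KAT_INPUT = b"abc"
    SHA256_KAT_EXPECTED = bytes.fromhex(
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
    HMAC_KAT_KEY = b"Jefe"
    HMAC_KAT_DATA = b"what do ya want for nothing?"
    HMAC_KAT_EXPECTED = bytes.fromhex(
        "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843")

    def __init__(self, code_image: bytes, reference_mac: bytes):
        self._code_image = code_image
        self._reference_mac = reference_mac
        self._operational = False
        self._failure = None

    @staticmethod
    def compute_integrity_mac(code_image: bytes) -> bytes:
        """Integrity MAC over the module's code image (HMAC-SHA-256)."""
        return hmac.new(CryptoModule.INTEGRITY_KEY, code_image, hashlib.sha256).digest()

    def _integrity_test(self) -> None:
        actual = self.compute_integrity_mac(self._code_image)
        if not hmac.compare_digest(actual, self._reference_mac):
            raise ModuleError("software integrity test failed")

    def _known_answer_tests(self) -> None:
        if hashlib.sha256(self.SHA256_KAT_INPUT).digest() != self.SHA256_KAT_EXPECTED:
            raise ModuleError("SHA-256 KAT failed")
        mac = hmac.new(self.HMAC_KAT_KEY, self.HMAC_KAT_DATA, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, self.HMAC_KAT_EXPECTED):
            raise ModuleError("HMAC-SHA-256 KAT failed")

    def power_on(self) -> bool:
        """Run the pre-operational self-tests. Returns True if the module became
        operational; on any failure it enters the error state and stays there."""
        try:
            # Integrity first: code that failed integrity must not be trusted to run KATs.
            self._integrity_test()
            self._known_answer_tests()
            self._operational = True
        except ModuleError as exc:
            self._operational = False
            self._failure = str(exc)
        return self._operational

    def digest(self, data: bytes) -> bytes:
        """An approved service; refused while the module is in the error state."""
        if not self._operational:
            raise ModuleError(f"module in error state: {self._failure}")
        return hashlib.sha256(data).digest()


def build_module(code_image: bytes, tamper: bool = False) -> CryptoModule:
    """Constructed helper: compute the reference MAC over the good image at
    'build time', then optionally flip one bit of the loaded image to simulate
    corruption or tampering before power-on."""
    reference = CryptoModule.compute_integrity_mac(code_image)
    loaded = code_image[:-1] + bytes([code_image[-1] ^ 0x01]) if tamper else code_image
    return CryptoModule(loaded, reference)


if __name__ == "__main__":
    image = b"constructed stand-in for the module's code image"
    print("intact module operational:", build_module(image).power_on())
    print("tampered module operational:", build_module(image, tamper=True).power_on())
```

Two points the example makes that the standard's text leaves implicit: the comparison against the reference MAC uses a constant-time compare, and nothing in the module is callable until `power_on()` has succeeded. A MAC keyed with a value embedded in the same image only detects accidental corruption or an attacker who cannot also rewrite the key; where the threat is a modified image, the integrity check is normally a digital signature verified with a key the attacker cannot replace.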
 
All comments to the Revised Draft FIPS 140-3 must be received on or before March 11, 2010. Please use the template provided. Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Michaela Iorga, 100 Bureau Drive, Mail Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic comments may also be sent to: FIPS140-3@nist.gov, with "Comments on the Revised Draft FIPS 140-3" in the subject line.
 
NOTE: Additional information regarding the FIPS 140-3 draft development can be found on CSRC. A complete set of all comments received in response to the July 2007 FIPS 140-3 draft, together with NIST’s responses to these comments, is also available on CSRC.

revised-draft-fips140-3_PDF-zip_document-annexA-to-annexG.zip (706 KB)
revised-fips140-3_comments-template.dot (38 KB)

Sept. 11, 2009

SP 800-85 B-1

DRAFT PIV Data Model Conformance Test Guidelines

NIST produced a revised version of NIST Special Publication SP 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test the optional features added to the PIV Data Model in SP 800-73-2 Part 1, and updates to existing tests to conform to the cryptographic migration timeline specified in SP 800-78-1. A short summary of the changes is available (see sp800-85B_Change_Summary.pdf below). This document, after a review and comment period, will be published as NIST SP 800-85B-1. Federal agencies and private organizations, including test laboratories, as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-1" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet). The comment period closes at 5:00 EST (US and Canada) on September 25, 2009. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.

draft-sp800-85B-1.pdf (1.3 MB)
sp800-85B_Change_Summary.pdf (14 KB)
Comment-Template_sp800-85B-1.xls (18 KB)

July 14, 2009

SP 800-65 Rev. 1

DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)

NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.
 
NIST requests comments on draft SP 800-65 by August 14, 2009. Please submit comments to draft800-65-comments@nist.gov with "Comments SP 800-65Rev1" in the subject line.

draft-sp800-65rev1.pdf (679 KB)

Apr. 21, 2009

SP 800-118

DRAFT Guide to Enterprise Password Management

NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
 
NIST requests comments on draft SP 800-118 by May 29, 2009. Please submit comments to 800-118comments@nist.gov with "Comments SP 800-118" in the subject line.

draft-sp800-118.pdf (181 KB)

Mar. 20, 2009

SP 800-16 Rev. 1

DRAFT Information Security Training Requirements: A Role- and Performance-Based Model

The comprehensive training methodology provided in this publication is intended to be used by federal information security professionals and instructional design specialists to design (1) role-based training courses or modules for personnel who have been identified as having significant responsibilities for information security, and (2) a basics and literacy course for all users of information systems.
 
We encourage readers to pay special attention to the Notes to Reviewers section, as we are looking for feedback on the many changes we have made to this document.
 
Comments will be accepted until June 26, 2009. Comments should be forwarded via email to 800-16comments@nist.gov.

Draft-SP800-16-Rev1.pdf (1,197 KB)

Feb. 27, 2009

NIST IR-7517

DRAFT The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities

Draft NIST Interagency Report (IR) 7517, The Common Misuse Scoring System (CMSS), is now available for public comment. This report proposes a specification for CMSS, a set of standardized measures for the severity of software feature misuse vulnerabilities. NISTIR 7517 also provides examples of how CMSS measures and scores would be determined. Once CMSS is finalized, CMSS data can assist organizations in making security decisions based on standardized, quantitative vulnerability data.
 
NIST requests comments on Draft NISTIR 7517 by April 3, 2009. Please submit comments to IR7517comments@nist.gov with "Comments IR 7517" in the subject line.

Draft-NISTIR-7517.pdf (335 KB)

Sep 29, 2007

NIST IR-7328

DRAFT Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems. This report provides an initial set of requirements that security assessment providers should satisfy to demonstrate the capability to conduct information system security control assessments in accordance with NIST standards and guidelines. It also identifies some of the customers’ responsibilities in providing an effective and cooperative environment in which security assessments can take place, and in adequately preparing for security assessments. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
 
The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe are important for security assessment providers to demonstrate competence under a credentialing program. Based on the comments received, NIST will update and republish this report and use it as a reference in the further development of a credentialing program for security assessment providers.
 
Comments will be accepted through November 30, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST, or submitted via email to sec-cert-p2@nist.gov.

NISTIR_7328-ipdraft.pdf (327 KB)

Oct 6, 2006

SP 800-103

DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation

NIST is pleased to announce the release of Draft Special Publication (SP) 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. SP 800-103 is available for a six-week public comment period. This document describes the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide Extensible Markup Language (XML) schemas as a framework for the retention and exchange of identity credential information. Please send your comments to id_comments@nist.gov with "Comments on SP800-103" in the subject line. The comment period closes at 5:00 EST on Wednesday, November 15th, 2006. Comment period is NOW closed.

sp800-103-draft.pdf (699 KB)
draft-sp800-103.zip (558 KB)