
Updated: August 2009
Posted: December 2009

*NOTE: Categories in the Families, Topic Clusters, and Legal Requirements listings are from the "Guide to NIST Information Security Documents."

Publications

Drafts

This page lists draft NIST publications (FIPS, Special Publications, and Interagency Reports) that are either open for public review and comment or, in the case of FIPS, awaiting approval as final documents by the Secretary of Commerce.

Drafts

Aug 30, 2010

SP 800-135

DRAFT Recommendation for Existing Application-Specific Key Derivation Functions

Draft SP 800-135, Recommendation for Application-Specific Key Derivation Functions, specifies security requirements for existing application-specific key derivation functions in: American National Standard (ANS) X9.42-2001, Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography; American National Standard (ANS) X9.63-2001, Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography; Internet Key Exchange; Secure Shell; Transport Layer Security; the Secure Real-time Transport Protocol; the User-based Security Model for version 3 of the Simple Network Management Protocol; and the Trusted Platform Module.
 
The closing date to submit comments is September 30, 2010. Please forward comments by email to Quynh Dang.

draft-sp800-135.pdf (344 KB)

Aug. 24, 2010

NIST IR-7697

DRAFT Common Platform Enumeration: Dictionary Specification Version 2.3

NIST announces the public comment release of three Draft NIST Interagency Reports (IR) on Common Platform Enumeration (CPE). CPE, which is one of the fundamental components of the Security Content Automation Protocol (SCAP), provides a standardized way to identify and describe software and hardware devices present in an enterprise's computing asset inventory. The three new reports propose specifications as part of CPE version 2.3. Draft NIST IR 7695 defines the CPE naming specification, including the logical structure of well-formed CPE names and the procedures for binding and unbinding these names with machine-readable encodings. Draft NIST IR 7696 provides the CPE matching specification, which defines procedures for comparing CPE names to determine whether they refer to some or all of the same products or platforms. Finally, Draft NIST IR 7697 contains the CPE dictionary specification, which defines the concept of a dictionary of identifiers and prescribes high-level rules for dictionary curators.
 
NIST requests comments on draft IRs 7695, 7696, and 7697 by September 15th, 2010. Please submit all comments to cpe-comments@nist.gov.

draft-nistir-7697_cpe-dictionary-2_3.pdf (636 KB)

Aug. 24, 2010

NIST IR-7696

DRAFT Common Platform Enumeration : Name Matching Specification Version 2.3

NIST announces the public comment release of three Draft NIST Interagency Reports (IR) on Common Platform Enumeration (CPE). CPE, which is one of the fundamental components of the Security Content Automation Protocol (SCAP), provides a standardized way to identify and describe software and hardware devices present in an enterprise's computing asset inventory. The three new reports propose specifications as part of CPE version 2.3. Draft NIST IR 7695 defines the CPE naming specification, including the logical structure of well-formed CPE names and the procedures for binding and unbinding these names with machine-readable encodings. Draft NIST IR 7696 provides the CPE matching specification, which defines procedures for comparing CPE names to determine whether they refer to some or all of the same products or platforms. Finally, Draft NIST IR 7697 contains the CPE dictionary specification, which defines the concept of a dictionary of identifiers and prescribes high-level rules for dictionary curators.
 
NIST requests comments on draft IRs 7695, 7696, and 7697 by September 15th, 2010. Please submit all comments to cpe-comments@nist.gov.

draft-nistir7696_cpe-name-matching-2_3.pdf (818 KB)

Aug. 24, 2010

NIST IR-7695

DRAFT Common Platform Enumeration: Naming Specification Version 2.3

NIST announces the public comment release of three Draft NIST Interagency Reports (IR) on Common Platform Enumeration (CPE). CPE, which is one of the fundamental components of the Security Content Automation Protocol (SCAP), provides a standardized way to identify and describe software and hardware devices present in an enterprise's computing asset inventory. The three new reports propose specifications as part of CPE version 2.3. Draft NIST IR 7695 defines the CPE naming specification, including the logical structure of well-formed CPE names and the procedures for binding and unbinding these names with machine-readable encodings. Draft NIST IR 7696 provides the CPE matching specification, which defines procedures for comparing CPE names to determine whether they refer to some or all of the same products or platforms. Finally, Draft NIST IR 7697 contains the CPE dictionary specification, which defines the concept of a dictionary of identifiers and prescribes high-level rules for dictionary curators.
 
NIST requests comments on draft IRs 7695, 7696, and 7697 by September 15th, 2010. Please submit all comments to cpe-comments@nist.gov.

draft-nistir-7695_cpe-naming-2_3.pdf (934 KB)
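The three reports above define a name structure, a binding to a machine-readable encoding, and a comparison procedure. As an added example (not NIST's code and not taken from the draft reports), the Python below implements those pieces for the formatted-string binding of CPE 2.3: unbinding a formatted string into a WFN-style attribute dictionary, binding it back, and the attribute-by-attribute comparison whose outcomes (EQUAL, SUBSET, SUPERSET, DISJOINT) roll up into the name-level relation. It follows the CPE 2.3 specifications as finally published, so details in these drafts may differ; the wildcard handling is simplified (unescaped `*` and `?` in a source value, case-insensitive literal comparison), and every CPE name in it is constructed for the example.

```python
import re
from typing import Dict

# Attribute order of a CPE 2.3 formatted string after the "cpe:2.3" prefix
CPE_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other")
ANY, NA = "ANY", "NA"                                   # WFN logical values
EQUAL, SUBSET, SUPERSET, DISJOINT = "EQUAL", "SUBSET", "SUPERSET", "DISJOINT"


def unbind_fs(fs: str) -> Dict[str, str]:
    """Unbind a formatted string into a WFN-style dict: '*' -> ANY, '-' -> NA,
    any other field keeps its (backslash-escaped) string value."""
    fields = re.split(r"(?<!\\):", fs)                  # split on unescaped colons only
    if fields[:2] != ["cpe", "2.3"] or len(fields) != 13:
        raise ValueError(f"malformed CPE 2.3 formatted string: {fs!r}")
    wfn = {}
    for name, val in zip(CPE_ATTRS, fields[2:]):
        if val == "":
            raise ValueError(f"empty {name} field in {fs!r}")
        wfn[name] = ANY if val == "*" else NA if val == "-" else val
    return wfn


def _bind_value(v: str) -> str:
    return "*" if v == ANY else "-" if v == NA else v


def bind_fs(wfn: Dict[str, str]) -> str:
    """Bind a WFN-style dict back to a formatted string (unset attributes are ANY)."""
    return "cpe:2.3:" + ":".join(_bind_value(wfn.get(a, ANY)) for a in CPE_ATTRS)


def _has_wildcard(v: str) -> bool:
    return re.search(r"(?<!\\)[*?]", v) is not None


def _literal(v: str) -> str:
    """Drop backslash escapes and lowercase, for literal comparison."""
    return re.sub(r"\\(.)", r"\1", v).lower()


def _to_regex(v: str) -> str:
    """Turn a value with unescaped '*' / '?' wildcards into an anchored regex;
    escaped characters are matched literally."""
    out, i = "", 0
    while i < len(v):
        c = v[i]
        if c == "\\" and i + 1 < len(v):
            out += re.escape(v[i + 1])
            i += 2
        else:
            out += ".*" if c == "*" else "." if c == "?" else re.escape(c)
            i += 1
    return "^" + out + "$"


def compare_attr(src: str, tgt: str) -> str:
    """Pairwise attribute comparison (source vs. target) in the style of NISTIR 7696."""
    if src == ANY:
        return EQUAL if tgt == ANY else SUPERSET
    if tgt == ANY:
        return SUBSET
    if src == NA or tgt == NA:
        return EQUAL if src == tgt else DISJOINT
    if _literal(src) == _literal(tgt):
        return EQUAL
    if _has_wildcard(tgt):
        raise ValueError("target attribute values may not contain wildcards")
    if _has_wildcard(src) and re.match(_to_regex(src), _literal(tgt), re.IGNORECASE):
        return SUPERSET
    return DISJOINT


def compare_names(source: Dict[str, str], target: Dict[str, str]) -> str:
    """Name-level relation: DISJOINT if any attribute is disjoint, EQUAL if all are
    equal, SUBSET / SUPERSET if every attribute is equal or subset / superset
    respectively, otherwise UNDEFINED."""
    rel = {compare_attr(source[a], target[a]) for a in CPE_ATTRS}
    if DISJOINT in rel:
        return "CPE_DISJOINT"
    if rel == {EQUAL}:
        return "CPE_EQUAL"
    if rel <= {EQUAL, SUBSET}:
        return "CPE_SUBSET"
    if rel <= {EQUAL, SUPERSET}:
        return "CPE_SUPERSET"
    return "UNDEFINED"


if __name__ == "__main__":
    # constructed names: an applicability statement from a vulnerability record (source)
    # and an entry from an asset inventory (target)
    vuln = unbind_fs("cpe:2.3:a:microsoft:internet_explorer:8.*:sp?:*:*:*:*:*:*")
    asset = unbind_fs("cpe:2.3:a:microsoft:internet_explorer:8.0.6001:sp1:*:*:*:*:*:*")
    print(compare_names(vuln, asset))                   # CPE_SUPERSET: the asset is covered
```

In practice the source is the name from vulnerability or checklist content and the target is the name recorded for an installed product; a CPE_SUPERSET or CPE_EQUAL result means the content applies to that product, and a target value containing wildcards is rejected because an inventory entry should name a concrete product.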

July 29, 2010

NIST IR-7275 Rev. 4

DRAFT Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2

NIST announces the release of DRAFT NIST Interagency Report (NISTIR) 7275 Revision 4, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.2. The eXtensible Configuration Checklist Description Format (XCCDF) Version 1.2 is the latest revision of an eXtensible Markup Language (XML) based model that enables the expression of security configuration rules. The XCCDF specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of security guidance or checklist compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists and other configuration guidance, and thereby foster more widespread application of good security practices.
 
The closing date to submit comments is August 30, 2010. Please forward comments by email to Dave Waltermire (xccdfcomments@nist.gov).

draft-nistir-7275r4_xccdf-spec-1_2.pdf (1.5 MB)

July 7, 2010

SP 800-125

DRAFT Guide to Security for Full Virtualization Technologies

NIST announces the public comment release of draft SP 800-125, Guide to Security for Full Virtualization Technologies. Full virtualization technologies run one or more operating systems and their applications on top of virtual hardware. Full virtualization is used for operational efficiency, such as in cloud computing, and for allowing users to run applications for multiple operating systems on a single computer. The purpose of draft SP 800-125 is to discuss the security concerns associated with full virtualization technologies for server and desktop virtualization, and to provide recommendations for addressing these concerns.
 
NIST requests comments on draft SP 800-125 by August 13, 2010. Please submit comments to 800-125comments@nist.gov with "Comments SP 800-125" in the subject line.

Draft-SP800-125.pdf (424 KB)

July 6, 2010

SP 800-38A Addendum

DRAFT Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode

NIST announces a period of public comment on the Draft Addendum to NIST SP 800-38A Recommendation for Block Cipher Modes of Operation: Three Variants of Ciphertext Stealing for CBC Mode. The draft addendum specifies three variants of Cipher Block Chaining (CBC) mode that accept any plaintext input whose bit length is greater than or equal to the block size, whether or not the length is a multiple of the block size. These variants are essentially padding methods for CBC mode that do not expand the length of the plaintext. When padding bits are needed in these variants, they are “stolen” from the penultimate ciphertext block. The variants differ only in the ordering of some of the ciphertext bits.
 
Comments may be submitted to EncryptionModes@nist.gov by August 6, 2010.

draft-addendum_nist-sp-800-38A.pdf (182 KB)
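The mechanism described above, as an added example in Python (not NIST's code and not taken from the addendum): the full blocks are encrypted in ordinary CBC, the final partial block P_n is zero-padded and encrypted as C_n = CIPH(P_n* XOR C_{n-1}), and only the first d units of C_{n-1} are transmitted, because the remaining bits of C_{n-1} are recoverable from C_n on decryption. The three variants then differ only in the order of the last two ciphertext pieces. The example works on whole bytes rather than bits, treats a single full-block plaintext as plain CBC for all three variants (an assumption), and uses a toy hash-based permutation in place of an approved block cipher so that it runs offline; the key, IV and message are constructed.

```python
import hashlib
from typing import Callable, Tuple

BLOCK = 16  # block size in bytes (AES-sized); the addendum is defined on bits, this example on whole bytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_cipher(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Stand-in 128-bit keyed permutation: a 4-round Feistel network with a SHA-256
    round function. It is NOT an approved block cipher and exists only so the example
    runs offline; use AES from a vetted library for anything real."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly BLOCK bytes")
    left, right = block[:8], block[8:]

    def f(rnd: int, half: bytes) -> bytes:
        return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

    if not decrypt:
        for rnd in range(4):
            left, right = right, xor_bytes(left, f(rnd, right))
    else:
        for rnd in reversed(range(4)):
            left, right = xor_bytes(right, f(rnd, left)), left
    return left + right


def _layout(variant: int, length: int) -> Tuple[int, int, bool]:
    """n = number of blocks (last possibly partial), d = bytes in the last block,
    swap = whether C_n precedes the truncated C_{n-1}* in the output."""
    if variant not in (1, 2, 3):
        raise ValueError("variant must be 1, 2 or 3 (CBC-CS1 / CS2 / CS3)")
    if length < BLOCK:
        raise ValueError("ciphertext stealing needs at least one full block of input")
    n = -(-length // BLOCK)
    d = length - (n - 1) * BLOCK
    # CS1 never swaps; CS2 swaps only when the last block is partial; CS3 always swaps
    swap = variant == 3 or (variant == 2 and d < BLOCK)
    return n, d, swap


def cbc_cs_encrypt(variant: int, enc: Callable[[bytes], bytes], iv: bytes, pt: bytes) -> bytes:
    n, d, swap = _layout(variant, len(pt))
    prev, full = iv, []
    for j in range(n - 1):                               # ordinary CBC over the full blocks
        c = enc(xor_bytes(pt[j * BLOCK:(j + 1) * BLOCK], prev))
        full.append(c)
        prev = c
    pn_star = pt[(n - 1) * BLOCK:] + bytes(BLOCK - d)   # P_n zero-padded to a full block
    cn = enc(xor_bytes(pn_star, prev))                   # C_n = CIPH(P_n* XOR C_{n-1})
    if n == 1:                                           # single full block: plain CBC (assumption: all variants)
        return cn
    cn1_star = full[-1][:d]                              # only the first d bytes of C_{n-1} are sent
    head = b"".join(full[:-1])
    return head + (cn + cn1_star if swap else cn1_star + cn)


def cbc_cs_decrypt(variant: int, dec: Callable[[bytes], bytes], iv: bytes, ct: bytes) -> bytes:
    n, d, swap = _layout(variant, len(ct))
    if n == 1:
        return xor_bytes(dec(ct), iv)
    head, tail = ct[:(n - 2) * BLOCK], ct[(n - 2) * BLOCK:]
    cn, cn1_star = (tail[:BLOCK], tail[BLOCK:]) if swap else (tail[d:], tail[:d])
    z = dec(cn)                                          # Z = P_n* XOR C_{n-1}
    pn = xor_bytes(z[:d], cn1_star)                      # first d bytes give P_n
    cn1 = cn1_star + z[d:]                               # the stolen bytes of C_{n-1} are the zero-padded tail of Z
    prev, out = iv, []
    for c in [head[j * BLOCK:(j + 1) * BLOCK] for j in range(n - 2)] + [cn1]:
        out.append(xor_bytes(dec(c), prev))
        prev = c
    return b"".join(out) + pn


if __name__ == "__main__":
    key, iv = bytes(range(16)), bytes(16)                # constructed demo key and IV
    enc = lambda b: toy_block_cipher(key, b)
    dec = lambda b: toy_block_cipher(key, b, decrypt=True)
    msg = b"forty-one bytes of plaintext, not padded!"  # 41 bytes: n = 3, d = 9
    for v in (1, 2, 3):
        ct = cbc_cs_encrypt(v, enc, iv, msg)
        assert len(ct) == len(msg) and cbc_cs_decrypt(v, dec, iv, ct) == msg
        print(f"CS{v}: {ct.hex()}")
```

The check worth keeping in mind when choosing a variant is that CS1 and CS2 coincide with ordinary CBC when the plaintext length is a multiple of the block size, whereas CS3 always swaps the last two pieces; two implementations must therefore agree on the variant, not just on "ciphertext stealing".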

Jun. 25, 2010

NIST IR-7622

DRAFT Piloting Supply Chain Risk Management Practices for Federal Information Systems

Draft NISTIR 7622, Piloting Supply Chain Risk Management Practices for Federal Information Systems is intended to provide a wide array of practices that when implemented will help mitigate supply chain risk. It is our intent that organizations begin to pilot the activities and the practices contained in this document and provide feedback on the practicality, feasibility, cost, challenges, and successes. This is the first step in a much larger initiative of developing a comprehensive approach to managing supply chain risks. Comments on the document should be sent to: scrm-nist@nist.gov by August 15, 2010. Comments and lessons learned on piloting the practices should be sent to the same e-mail address by December 30, 2010.

draft-nistir-7622.pdf (777 KB)

Jun. 24, 2010

SP 800-132

DRAFT Recommendation for Password-Based Key Derivation - Part 1: Storage Applications

NIST announces the release of draft Special Publication 800-132, Recommendation for Password-Based Key Derivation - Part 1: Storage Applications. This Recommendation specifies techniques for the derivation of master keys from passwords to protect electronic data in a storage environment. Please submit comments to draft-sp800-132-comments@nist.gov with "Comments on Draft SP800-132" in the subject line. The comment period closes on July 28, 2010.

draft-sp800-132_june2010.pdf (136 KB)
public-comments_draft-800-132.pdf (44 KB)

Jun. 16, 2010

SP 800-131

DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes

Second Public Draft Special Publication 800-131, Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, is available for public comment. NIST Special Publication (SP) 800-57, Part 1 included a general approach for transitioning from one algorithm or key length to another. This Recommendation (SP 800-131) provides more specific guidance for transitions to stronger cryptographic keys and more robust algorithms. Public comments should be sent to CryptoTransitions@nist.gov by July 16, 2010.

draft-sp800-131_spd-june2010.pdf (217 KB)
sp800-131_comments-received-2nd-review_july2010.pdf (169 KB)

Jun. 16, 2010

SP 800-130

DRAFT A Framework for Designing Cryptographic Key Management Systems

A draft of NIST Special Publication (SP) 800-130, A Framework for Designing Cryptographic Key Management Systems, is available for an initial public comment period. This document contains descriptions of Cryptographic Key Management System (CKMS) components that should be considered by a CKMS designer and specifies requirements for the documentation of those CKMS components in the design. Comments are due by August 17, 2010, and should be sent to CKMSDesignFramework@nist.gov with “Comments on CKMS Design Framework” in the subject line. Note that this document will be discussed at a Key Management Workshop scheduled for September 20-21, 2010 at NIST. See http://csrc.nist.gov/groups/ST/key_mgmt/ for more information on the workshop.

draft-sp800-130_june2010.pdf (558 KB)
comments-received-draft-sp800-130.pdf

May 28, 2010

NIST IR-7298 Rev. 1

DRAFT Glossary of Key Information Security Terms

This glossary of common security terms has been extracted from NIST Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, NIST Interagency Reports (NISTIRs), and the Committee for National Security Systems Instruction 4009 (CNSSI-4009). It does not include every term found in the NIST publications, but it does include most of them, and it contains all of the terms and definitions from CNSSI-4009. The purpose of this glossary is to provide a central resource for the definitions most commonly used in NIST information security publications and in CNSS information assurance publications.
 
Comments should be sent to secglossary@nist.gov by COB June 30, 2010.

draft-nistir-7298-rev1_glossary-key-security-terms.pdf (984 KB)

May 27, 2010

SP 800-126 Rev. 1

DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1

NIST announces the second public comment release of Special Publication (SP) 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. SP 800-126 defines and explains SCAP version 1.1, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications. Major changes from SCAP version 1.0 to 1.1 include the addition of Open Checklist Interactive Language (OCIL) and an upgrade to Open Vulnerability and Assessment Language (OVAL) version 5.6.
 
NIST requests comments on the second public draft SP 800-126 Revision 1 by June 28, 2010. Please submit comments to 800-126comments@nist.gov with “Comments SP 800-126” in the subject line.

second-public-draft_sp800-126r1-may2010.pdf (507 KB)

Apr. 20, 2010

NIST IR-7511 Rev. 2

DRAFT Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements

Draft NIST Interagency Report (IR) 7511 Revision 2, Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements, describes the requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7511 Revision 2 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.
 
This update to Draft NIST Interagency Report (IR) 7511 Revision 2 includes changes to the Internet Connectivity requirements and clarifying language for several other requirements and test procedures.
 
If you have questions regarding this document, please send email to IR7511comments@nist.gov. The deadline to submit comments is May 20, 2010.

Draft-NISTIR-7511r2.pdf
draft-nistir-7511_rev1.pdf

Mar. 18, 2010

SP 800-128

DRAFT Guide for Security Configuration Management of Information Systems

NIST announces the publication of Initial Public Draft Special Publication 800-128, Guide for Security Configuration Management of Information Systems. The publication provides guidelines for managing the configuration of information system architectures and associated components for secure processing, storing, and transmitting of information. Security configuration management is an important function for establishing and maintaining secure information system configurations, and provides important support for managing organizational risks in information systems.
 
NIST SP 800-128 identifies the major phases of security configuration management and describes the process of applying security configuration management practices for information systems, including: (i) planning security configuration management activities for the organization; (ii) planning security configuration management activities for the information system; (iii) configuring the information system to a secure state; (iv) maintaining the configuration of the information system in a secure state; and (v) monitoring the configuration of the information system to ensure that the configuration is not inadvertently altered from its approved state.
 
The security configuration management concepts and principles described in this publication provide supporting information for NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations that include the Configuration Management family of security controls and other security controls that draw upon configuration management activities in implementing those controls. This publication also provides important supporting information for the Monitor Step (Step 6) of the Risk Management Framework that is discussed in NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.
 
NIST requests comments on the Initial Public Draft of Special Publication 800-128, by June 14, 2010. Please submit comments to sec-cert@nist.gov.

draft_sp800-128-ipd.pdf (850 KB)

Mar. 10, 2010

NIST IR-7669

DRAFT Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements

Draft NIST Interagency Report (IR) 7669, Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements, describes the requirements that must be met by products to achieve OVAL Validation. Validation is awarded based on a defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7669 has been written primarily for accredited laboratories and for vendors interested in receiving OVAL validation for their products.
 
If you have questions or want to send comments regarding this document, please send email to: IR7669comments@nist.gov. There is a 30-day period for comments and the deadline to submit comments is Friday, April 9, 2010.

draft-nistir-7669.pdf (277 KB)

Feb. 22, 2010

SP 800-119

DRAFT Guidelines for the Secure Deployment of IPv6

NIST announces the public comment release of Special Publication (SP) 800-119, Guidelines for the Secure Deployment of IPv6. IPv6 (Internet Protocol version 6) is the next generation Internet Protocol, accommodating vastly increased address space. This document describes and analyzes IPv6's new and expanded protocols, services, and capabilities, including addressing, DNS, routing, mobility, quality of service, multihoming, and IPsec. For each component, there is a detailed analysis of the differences between IPv4 and IPv6, the security ramifications and any unknown aspects. It characterizes new security threats posed by the transition to IPv6 and provides guidelines on IPv6 deployment, including transition, integration, configuration, and testing. It also addresses more recent significant changes in the approach to IPv6 transition.
 
NIST requests comments on Draft SP 800-119 by April 23, 2010. Please submit comments to draft-sp800-119-comments@nist.gov with "Comments SP 800-119" in the subject line.

draft-sp800-119_feb2010.pdf (2.3 MB)

Dec. 11, 2009

FIPS 140-3

DRAFT Security Requirements for Cryptographic Modules (Revised Draft)

The Revised Draft FIPS 140-3 is the second public draft of NIST's proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to the 4 levels of security currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of a firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences from the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing.
 
All comments to the Revised Draft FIPS 140-3 must be received on or before March 11, 2010. Please use the template provided. Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Michaela Iorga, 100 Bureau Drive, Mail Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic comments may also be sent to: FIPS140-3@nist.gov, with "Comments on the Revised Draft FIPS 140-3" in the subject line.
 
NOTE: Additional information regarding the FIPS 140-3 draft development can be found here on CSRC. Also, a complete set of all comments received in response to the July 2007 FIPS 140-3 draft and NIST’s responses to these comments is also available on CSRC.

revised-draft-fips140-3_PDF-zip_document-annexA-to-annexG.zip (706 KB)
revised-fips140-3_comments-template.dot (38 KB)

Sept. 22, 2009

SP 800-127

DRAFT Guide to Security for Worldwide Interoperability for Microwave Access (WiMAX) Technologies

NIST announces the public comment release of draft SP 800-127, Guide to Security for WiMAX Technologies. Worldwide Interoperability for Microwave Access (WiMAX) is a wireless metropolitan area network communications technology based on the IEEE 802.16 standard. WiMAX technologies were originally developed to provide last-mile broadband wireless access, but are now more focused on cellular-like mobile architectures. Draft SP 800-127 explains the basics of WiMAX, provides information on the security capabilities of WiMAX, and gives recommendations on securing WiMAX technologies effectively. It also explains the security differences among the major versions of the IEEE 802.16 standard. NIST requests comments on draft SP 800-127 by October 30, 2009. Please submit comments to 800-127comments@nist.gov with "Comments SP 800-127" in the subject line.

draft-sp800-127.pdf (1.99 MB)

Sept. 11, 2009

SP 800-85B-1

DRAFT PIV Data Model Conformance Test Guidelines

NIST has produced a revised version of NIST Special Publication SP 800-85B, PIV Data Model Conformance Test Guidelines. The revisions add the tests needed to cover the optional features added to the PIV Data Model in SP 800-73-2 Part 1 and update existing tests to conform to the cryptographic migration timeline specified in SP 800-78-1. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85B-1. Federal agencies and private organizations, including test laboratories, as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-1" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet). The comment period closes at 5:00 EST (US and Canada) on September 25, 2009. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.

draft-sp800-85B-1.pdf (1.3 MB)
sp800-85B_Change_Summary.pdf (14 KB)
Comment-Template_sp800-85B-1.xls (18 KB)

July 14, 2009

SP 800-65 Rev. 1

DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)

NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.
 
NIST requests comments on draft SP 800-65 by August 14, 2009. Please submit comments to draft800-65-comments@nist.gov with "Comments SP 800-65Rev1" in the subject line.

draft-sp800-65rev1.pdf (679 KB)

June 16, 2009

NIST IR-7502

DRAFT The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities

The second public draft of IR 7502, The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities, is now available for public comment. This report proposes a specification for CCSS, a set of standardized measures for the severity of software security configuration vulnerabilities. NISTIR 7502 also provides examples of how CCSS measures and scores would be determined. Once CCSS is finalized and CCSS measures for products are available, organizations can use CCSS to help them make security decisions based on standardized, quantitative vulnerability data.

NIST requests comments on Draft NISTIR 7502 by July 17, 2009. Please submit comments to IR7502comments@nist.gov with "Comments IR 7502" in the subject line.

Draft-NISTIR-7502.pdf

Apr. 21, 2009

SP 800-118

DRAFT Guide to Enterprise Password Management

NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
 
NIST requests comments on draft SP 800-118 by May 29, 2009. Please submit comments to 800-118comments@nist.gov with "Comments SP 800-118" in the subject line.

draft-sp800-118.pdf (181 KB)

Mar. 20, 2009

SP 800-16 Rev. 1

DRAFT Information Security Training Requirements: A Role- and Performance-Based Model

The comprehensive training methodology provided in this publication is intended to be used by federal information security professionals and instructional design specialists to design (1) role-based training courses or modules for personnel who have been identified as having significant responsibilities for information security, and (2) a basics and literacy course for all users of information systems.
 
We encourage readers to pay special attention to the Notes to Reviewers section, as we are looking for feedback on the many changes we have made to this document.
 
Comments will be accepted until June 26, 2009. Comments should be forwarded via email to 800-16comments@nist.gov.

Draft-SP800-16-Rev1.pdf (1,197 KB)

Feb. 27, 2009

NIST IR-7517

DRAFT The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities

Draft NIST Interagency Report (IR) 7517, The Common Misuse Scoring System (CMSS), is now available for public comment. This report proposes a specification for CMSS, a set of standardized measures for the severity of software feature misuse vulnerabilities. NISTIR 7517 also provides examples of how CMSS measures and scores would be determined. Once CMSS is finalized, CMSS data can assist organizations in making security decisions based on standardized, quantitative vulnerability data.
 
NIST requests comments on Draft NISTIR 7517 by April 3, 2009. Please submit comments to IR7517comments@nist.gov with "Comments IR 7517" in the subject line.

Draft-NISTIR-7517.pdf (335 KB)

Jan. 13, 2009

NIST IR-7497

DRAFT Security Architecture Design Process for Health Information Exchanges (HIEs)

NISTIR 7497, Draft Security Architecture Design Process for Health Information Exchanges (HIEs), is intended to provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that applies them specifically to the HIE domain. This publication assists organizations in ensuring that data protection is adequately addressed throughout the system development life cycle, and that these data protection mechanisms are applied when the organization develops technologies that enable the exchange of health information.
 
Please submit your comments to draft-nistir7497-comments@nist.gov. The comment period for draft NIST IR 7497 closes on Friday March 13, 2009.

Draft-NISTIR-7497.pdf (625 KB)

Dec. 12, 2008

SP 800-63 Rev. 1

DRAFT Electronic Authentication Guideline

Draft SP 800-63 Revision 1: E-Authentication Guideline is available for a second public comment period. It supplements OMB guidance by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. The bulk of the changes since the previously posted draft of SP 800-63-1 concern assertion technologies and Kerberos. Comments will be accepted until January 30, 2009. Comments should be forwarded via email to eauth-comments@nist.gov.

SP800-63-Rev1_Dec2008.pdf (924 KB)

Sep 29, 2008

SP 800-82

DRAFT Guide to Industrial Control Systems (ICS) Security

The final public draft of SP 800-82 is available for public comment. It provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. SP 800-82 provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This publication is an update to the second public draft, which was released in 2007. NIST requests comments on NIST SP 800-82 by November 30, 2008. Please submit comments to 800-82comments@nist.gov with "Comments SP 800-82" in the subject line.

draft_sp800-82-fpd.pdf (2,282 KB)

April 3, 2008

SP 800-39

DRAFT Managing Risk from Information Systems: An Organizational Perspective

NIST announces the release of the second public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a structured, yet flexible, approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations. Comments will be accepted through April 30, 2008. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert@nist.gov.

SP800-39-spd-sz.pdf (634 KB)

Sep 29, 2007

NIST IR-7328

DRAFT Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems. This report provides an initial set of requirements that security assessment providers should satisfy to demonstrate the capability to conduct information system security control assessments in accordance with NIST standards and guidelines. It also identifies some of the customer's responsibilities in providing an effective and cooperative environment in which security assessments can take place and in adequately preparing for security assessments. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe important for security assessment providers to demonstrate competence for a credentialing program. Based on the comments received, NIST will update and republish this report and use it as a reference in further development of a credentialing program for security assessment providers. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Comments will be accepted through November 30, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert-p2@nist.gov.

NISTIR_7328-ipdraft.pdf (327 KB)

Oct 6, 2006

SP 800-103

DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation

NIST is pleased to announce the release of the draft of Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. SP 800-103 is available for a six-week public comment period. This document covers the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide Extensible Markup Language (XML) schemas as a framework for the retention and exchange of identity credential information. Please send your comments to id_comments@nist.gov with "Comments on SP800-103" in the subject line. The comment period closes at 5:00 EST on Wednesday, November 15th, 2006. The comment period is NOW closed.

sp800-103-draft.pdf (699 kB)
draft-sp800-103.zip (558 kB)