Publications

Nov. 17, 2009

SP 800-37 Rev. 1

DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

NIST announces the publication of the Final Public Draft of Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. This publication represents the second in a series of publications being developed under the auspices of the Joint Task Force Transformation Initiative. For the past three years, NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its support contractors. The initial publication produced by the task force, NIST Special Publication 800-53, Revision 3, was historic in nature—in that it created a unified security control catalog reflecting the information security requirements of both the national security community and the nonnational security community. NIST Special Publication 800-37, Revision 1, completes the transformation of the traditional process employed by the federal government to certify and accredit federal information systems to a near real-time assessment and authorization. The revised process provides greater emphasis on: (i) building information security capabilities into information systems through the application of state-of-the-practice management, operational, and technical security controls; (ii) maintaining awareness of the security state of information systems on an ongoing basis though enhanced monitoring processes; and (iii) understanding and accepting the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use of information systems.
 
The most significant change in the Final Public Draft of Special Publication 800-37, Revision 1, is the full transformation of the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The revised RMF-based process has the following characteristics:

• Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
• Encourages the use of automation and automated support tools to provide senior leaders the necessary information to take credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
• Integrates information security more closely into the enterprise architecture and system development life cycle;
• Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
• Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls); and
• Links risk management processes at the information system level to risk management processes at the organization-level through a risk executive (function).

 
The risk management process described in this publication focuses on the strategic, enterprise-centric, near realtime-based approaches to security assessment and system authorization and provides the capability to more effectively manage information system-related security risks in highly dynamic environments of complex and sophisticated cyber threats, ever increasing system vulnerabilities, and rapidly changing missions.
 
NIST requests comments on the Final Public Draft of Special Publication 800-37, Revision 1, by December 31, 2009. Please submit comments to sec-cert@nist.gov. Final publication is expected in February 2010.
SP800-37-rev1-FPD.pdf (707 KB)

Oct. 27, 2009

SP 800-34 Rev. 1

DRAFT Contingency Planning Guide for Federal Information Systems

NIST announces that Draft SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, has been released for public comment. SP 800-34 Revision 1 is intended to help organizations by providing instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption. The guide defines a seven-step contingency planning process that an organization may apply to develop and maintain a viable contingency planning program for their information systems. The guide also presents three sample formats for developing an information system contingency plan based on low, moderate, or high impact level, as defined by Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.
 
Draft SP 800-34 Revision 1 is an update to the original SP 800-34, which was published in 2002.
 
NIST requests comments on draft SP 800-34 Revision 1 by January 6, 2010. Please submit comments to draft800-34-comments@nist.gov with "Comments SP 800-34" in the subject line.

Oct. 6, 2009

SP 800-78 -2

DRAFT Cryptographic Algorithms and Key Sizes for Personal Identification Verification (PIV)

NIST is pleased to announce the release of Draft Special Publication 800-78-2, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV). The document has been modified 1) to re-align with the Suite B Cryptography specification and with the recently published FIPS 186-3 and 2) to eliminate a redundant encryption mode for symmetric PIV authentication protocols. In particular, the following changes are introduced in draft SP 800-78-1:

• The National Security Agency’s Suite B Cryptography specification removed Elliptic Curve MQV as an NSA-approved key exchange method. To re-align with Suite B, Elliptic Curve MQV is discontinued in Draft SP800-78-2 as a key agreement scheme for the PIV card.
• The final release of FIPS 186-3 Digital Signature Standard, published in June 2009, does not list RSA 4096 as an approved digital signature algorithm and key size for use in the federal government. To comply with FIPS 186-3, draft SP 800-78-2 accordingly removes RSA 4096 as an algorithm and key size for generating signatures for PIV data objects.
• For symmetric authentication purposes (challenge and response), the Cipher Block Chaining (CBC) mode of encryption is redundant to the Electronic Code Bock (ECB) mode of encryption. To remove the redundant implementation, CBC has been discontinued in draft SP 800-78-1.

Sept. 25, 2009

NIST IR-7628

DRAFT Smart Grid Cyber Security Strategy and Requirements

NIST announces that draft NIST IR 7628, Smart Grid Cyber Security Strategy and Requirements, is now available for public comment. The first draft of the document contains the overall security strategy for the Smart Grid and the products developed from this strategy, for example, development of vulnerability classes, identification of well-understood security problems that need to be addressed, selection and development of security-relevant use cases, identification and analysis of interfaces identified in the six functional priority areas and selection of a suite of security documents that will be used as the base for the selection and tailoring of security requirements. This is the first draft of the NISTIR; the next draft is scheduled to be posted for comment in December 2009.
 
NIST requests comments on Draft NIST IR 7628 by November 25, 2009. Please submit comments to csctgdraftcomments@nist.gov

Sept. 22, 2009

SP 800-127

DRAFT Guide to Security for Worldwide Interoperability for Microwave Access (WiMAX) Technologies

NIST announces the public comment release of draft SP 800-127, Guide to Security for WiMAX Technologies. Worldwide Interoperability for Microwave Access (WiMAX) is a wireless metropolitan area network communications technology based on the IEEE 802.16 standard. WiMAX technologies were originally developed to provide last-mile broadband wireless access, but are now more focused on cellular-like mobile architectures. Draft SP 800-127 explains the basics of WiMAX, provides information on the security capabilities of WiMAX, and gives recommendations on securing WiMAX technologies effectively. It also explains the security differences among the major versions of the IEEE 802.16 standard. NIST requests comments on draft SP 800-127 by October 30, 2009. Please submit comments to 800-127comments@nist.gov with "Comments SP 800-127" in the subject line.

Sept. 11, 2009

SP 800-85 B-1

DRAFT PIV Data Model Conformance Test Guidelines

NIST produced a revised version of NIST Special Publication SP 800-85B PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test the optional features added to the PIV Data Model in SP 800-73-2 Parts 1 and to update tests to conform to the cryptographic migration timeline specified in SP 800-78-1. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85B-1. Federal agencies and private organizations including test laboratories as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-1" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet). The comment period closes at 5:00 EST (US and Canada) on September 25, 2009. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.

Aug. 26, 2009

SP 800-81 Rev. 1

DRAFT Secure Domain Name System (DNS) Deployment Guide

NIST has drafted another revision of the document “Secure Domain Name System (DNS) Deployment Guide" (SP 800-81) . This revision addresses all the comments and feedback received for the first revision through public comments in March 2009, in addition to adding 3 more subsections described below. After addressing the public comments received in this round, it will be published as NIST SP 800-81r1. Federal agencies and private organizations as well as individuals are invited to review this draft and submit comments to NIST by sending them to SecureDNS@nist.gov before September 30, 2009. Comments will be reviewed and posted on the CSRC website. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication. A brief description of the 3 new subsections is given below:
 
What is New in this revision leading to SP 800-81r1:
   (1) Guidelines on Procedures for migrating to a new Cryptographic Algorithm for signing of the Zone (Section 11.5).
   (2) Guidelines for Procedures for migrating to NSEC3 specifications from NSEC for providing authenticated denial of existence (Section 11.6).
   (3) Deployment Guidelines for Split-Zone under different scenarios (Section 11.7).

Aug. 19, 2009

NIST IR-7609

DRAFT Cryptographic Key Management Workshop Summary

NIST announces that the Draft NIST Interagency Report 7609, Cryptographic Key Management Workshop Summary (June 8-9, 2009), is available for public comment. The Cryptographic Key Management (CKM) workshop was initiated by the NIST Computer Security Division to identify and develop technologies that would allow organizations to leap ahead of normal development lifecycles to vastly improve the security of future sensitive and valuable computer applications. The workshop was the first step in developing a CKM framework. This summary provides the highlights of the presentations, organized by both topic and by presenter. Please provide comments by September 18, 2009 to ebarker@nist.gov, with “Comments on the Key Management Workshop Report” in the subject line.

Aug. 17, 2009

SP 800-38 E

DRAFT Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Block-Oriented Storage Devices

NIST announces that the Draft NIST Special Publication 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Block-Oriented Storage Devices, is available for public comment. This document approves the XTS-AES mode of the AES algorithm by reference to IEEE Std 1619-2007, subject to one additional requirement, as an option for protecting the confidentiality of data on block-oriented storage devices. This mode does not provide authentication, in order to avoid expansion of the data; however, it does provide some protection against malicious manipulation of the encrypted data.
 
The XTS-AES mode was submitted to NIST by the IEEE P1619 Task Group. On June 5, 2008, NIST initiated a 90-day period of public comment on the proposal to approve XTS-AES by reference to IEEE Std 1619-2007; during the comment period, IEEE made available free-of-charge the specification of the mode in that standard, and other relevant excerpts. NIST decided to proceed with the proposal after considering the public comments that NIST received, and follow-up comments from the IEEE P1619 Task Group, both available at the modes public comment page.
 
Comments on the text of the Draft NIST SP 800-38E may be submitted to EncryptionModes@nist.gov until September 17, 2009.

Aug. 13, 2009

SP 800-73 -3

DRAFT Interfaces for Personal Identity Verification (4 Parts)
Pt. 1- End Point PIV Card Application Namespace, Data Model and Representation
Pt. 2- PIV Card Application Interface
Pt. 3- PIV Client Application Programming Interface
Pt. 4- The PIV Transitional Data Model and Interfaces

NIST announces that Draft Special Publication (SP) 800-73-3, Interfaces for Personal Identity Verification, has been released for public comment. Draft SP 800-73-3 introduces new, optional features including:
 
(1) on-card retention of retired Key Management keys and corresponding X.509 certificates for the purpose of deriving or decrypting data encryption keys;
 
(2) use of the ECDH key establishment scheme with the Key Management Key, as specified in SP 800-78-1; and
 
(3) provisions for Non-Federal Issuer (NFI) credentials. Draft SP 800-73-3 also includes editorial changes aimed at clarifying ambiguities.
 
Except for minor editorial changes, all changes can be reviewed with the track-change version of Draft SP 800-73-3.
 
NIST requests comments on draft SP 800-73-3 by 5:00pm EDT on September 13, 2009. Please submit your comments, using the comment template form to PIV_comments@nist.gov with "Comments on Public Draft SP 800-73-3" in the subject line.

July 14, 2009

SP 800-65 Rev. 1

DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)

NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.
 
NIST requests comments on draft SP 800-65 by August 14, 2009. Please submit comments to draft800-65-comments@nist.gov with "Comments SP 800-65Rev1" in the subject line.

June 16, 2009

NIST IR-7502

DRAFT The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities

The second public draft of IR 7502, The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities, is now available for public comment. This report proposes a specification for CCSS, a set of standardized measures for the severity of software security configuration vulnerabilities. NISTIR 7502 also provides examples of how CCSS measures and scores would be determined. Once CCSS is finalized and CCSS measures for products are available, organizations can use CCSS to help them make security decisions based on standardized, quantitative vulnerability data.

NIST requests comments on Draft NISTIR 7502 by July 17, 2009. Please submit comments to IR7502comments@nist.gov with "Comments IR 7502" in the subject line.

May 5, 2009

SP 800-117

DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP)

NIST announces that Draft Special Publication (SP) 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP), has been released for public comment. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-117 provides an overview of SCAP, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains how IT product and service vendors can adopt SCAP's capabilities within their offerings.
 
NIST requests comments on draft SP 800-117 by June 12, 2009. Please submit comments to 800-117comments@nist.gov with "Comments SP 800-117" in the subject line.

Apr. 21, 2009

SP 800-118

DRAFT Guide to Enterprise Password Management

NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
 
NIST requests comments on draft SP 800-118 by May 29, 2009. Please submit comments to 800-118comments@nist.gov with "Comments SP 800-118" in the subject line.

Apr. 21, 2009

NIST IR-7511 Rev. 1

DRAFT Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements

Draft NIST Interagency Report (IR) 7511 Revision 1, Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements, describes the requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7511 Revision 1 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.
 
If you have questions regarding this document, please send email to: IR7511comments@nist.gov.
 
Webmaster's Note: The first link "draft-nistir-7511_rev1.pdf" below is for NIST IR 7511 Revision 1 (posted April 21, 2009) and the second link "Draft-NISTIR-7511.pdf" is the original NIST IR 7511 (updated April 14, 2009).

Mar. 20, 2009

SP 800-16 Rev. 1

DRAFT Information Security Training Requirements: A Role- and Performance-Based Model

The comprehensive training methodology provided in this publication is intended to be used by federal information security professionals and instructional design specialists to design (1) role-based training courses or modules for personnel who have been identified as having significant responsibilities for information security, and (2) a basics and literacy course for all users of information systems.
 
We encourage readers to pay special attention to the Notes to Reviewers section, as we are looking for feedback on the many changes we have made to this document.
 
Comments will be accepted until June 26, 2009. Comments should be forwarded via email to 800-16comments@nist.gov.

Feb. 27, 2009

NIST IR-7517

DRAFT The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities

Draft NIST Interagency Report (IR) 7517, The Common Misuse Scoring System (CMSS), is now available for public comment. This report proposes a specification for CMSS, a set of standardized measures for the severity of software feature misuse vulnerabilities. NISTIR 7517 also provides examples of how CMSS measures and scores would be determined. Once CMSS is finalized, CMSS data can assist organizations in making security decisions based on standardized, quantitative vulnerability data.
 
NIST requests comments on Draft NISTIR 7517 by April 3, 2009. Please submit comments to IR7517comments@nist.gov with "Comments IR 7517" in the subject line.

Jan. 13, 2009

SP 800-122

DRAFT Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

NIST announces that draft Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), is now available for public comment. SP 800-122 is intended to assist Federal organizations in identifying PII and determining what level of protection each instance of PII requires, based on the potential impact of a breach of the PII's confidentiality. The publication also suggests safeguards that may offer appropriate protection for PII and makes recommendations regarding PII data breach handling.
 
NIST requests comments on draft SP 800-122 by March 13, 2009. Please submit comments to 800-122comments@nist.gov with "Comments SP 800-122" in the subject line.

Jan. 13, 2009

NIST IR-7497

DRAFT Security Architecture Design Process for Health Information Exchanges (HIEs)

NISTIR 7497, Draft Security Architecture Design Process for Health Information Exchanges (HIEs), is intended to provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that applies them specifically to the HIE domain. This publication assists organizations in ensuring that data protection is adequately addressed throughout the system development life cycle, and that these data protection mechanisms are applied when the organization develops technologies that enable the exchange of health information.
 
Please submit your comments to draft-nistir7497-comments@nist.gov. The comment period for draft NIST IR 7497 closes on Friday March 13, 2009.

Dec. 12, 2008

SP 800-63 Rev. 1

DRAFT Electronic Authentication Guideline

Draft SP 800-63 Revision 1: E-Authentication Guideline is available for a second public comment period. It supplements OMB guidance, by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies, and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. The bulk of the changes since the previously posted draft of SP 800-63-1 concern assertion technologies and Kerberos. Comments will be accepted until January 30, 2009. Comments should be forwarded via email to eauth-comments@nist.gov.

Oct 24, 2008

SP 800-57 Part 3

DRAFT Recommendation for Key Management, Part 3 Application-Specific Key Management Guidance

NIST announces the release of a draft of Part 3 of Special Publication 800-57, Recommendation for Key Management: Application-Specific Key Management Guidance. This Recommendation provides guidance when using the cryptographic features of current systems. It is intended to help system administrators and system installers adequately secure applications based on product availability and organizational needs, and to support organizational decisions about future procurements. The guide also provides information for end users regarding application options left under their control in the normal use of the application. Recommendations are given for a select set of applications, namely: PKI, IPsec, TLS, S/MIME, Kerberos, OTAR, DNSSEC and Encrypted File Systems. Other topics will be added at a later time, and commenters are invited to suggest such topics. Please submit comments to part3-sp800-57-comments@nist.gov with "Comments on Draft 800-57, Part 3" in the subject line. The comment period closes on January 16th, 2009.
 
To view the original SP 800-57 Part 1 and 2 document, please go to the Special Publications page.

Sep 29, 2008

SP 800-82

DRAFT Guide to Industrial Control Systems (ICS) Security

The final public draft of SP 800-82 is available for public comment. It provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. SP 800-82 provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This publication is an update to the second public draft, which was released in 2007. NIST requests comments on NIST SP 800-82 by November 30, 2008. Please submit comments to 800-82comments@nist.gov with "Comments SP 800-82" in the subject line.

April 3, 2008

SP 800-39

DRAFT Managing Risk from Information Systems: An Organizational Perspective

NIST announces the release of the second public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a structured, yet flexible approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations. Comments will be accepted through April 30, 2008. EComments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to: sec-cert@nist.gov .

Sep 29, 2007

NIST IR-7328

DRAFT Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems. This report provides an initial set of requirements security assessment providers should satisfy to demonstrate capability to conduct information system security control assessments in accordance with NIST standards and guidelines. This report also identifies some customer’s responsibilities in providing an effective and cooperative environment in which security assessments can take place, and in adequately preparing for security assessments. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe important for security assessment providers to demonstrate competence for a credentialing program. Based on comments received NIST will update and republish this report and use it as reference in further development of a credentialing program for security assessment providers. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Comments will be accepted through November 30, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert-p2@nist.gov

Jul 13, 2007

FIPS-140 -3

DRAFT Security Requirements for Cryptographic Modules

Draft FIPS 140-3 is the proposed revision of FIPS 140-2. The draft specifies five security levels instead of the four found in FIPS 140-2; has a separate section for software security; requires mitigation of non-invasive attacks when validating at higher security levels; introduces the concept of public security parameters; allows the deference of certain self-tests until specific conditions are met; and strengthens the requirements on user authentication and integrity testing. Please submit electronic comments to: FIPS140-3@nist.gov, with "Comments on Draft 140-3" in the subject line. ADDRESSES: Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Allen Roginsky, 100 Bureau Drive--Stop 8930. DATES: Comments must be received on or before October 11, 2007.

Oct 6, 2006

SP 800-103

DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation

NIST is pleased to announce the release of Draft of the Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. The SP 800-103 is available for a six week public comment period. This document provides the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide an Extensible Markup Language (XML) schemas, as a framework for retention and exchange of identity credential information. Please send your comments to id_comments@nist.gov with "Comments on SP800-103" in the subject line. The comment period closes at 5:00 EST on Wednesday, November 15th, 2006. Comment period is NOW closed.