NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage
Search CSRC:

DRAFTS

Below are drafts of NIST computer security publications--FIPS, Special Publications and NISTIRs--that have been released for public review and comment.

Jun. 8, 2015

SP 800-85 A-4

DRAFT PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)

NIST announces that Draft Special Publication (SP) 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance), is now available for public comment. This document provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.
 
These include:
 
    • Tests for retrieving newly added optional PIV data objects such as the Biometric Information Templates Group Template data object, the Pairing Code Reference Data Container and the Secure Messaging Certificate Signer data object,
    • Tests for populating these newly added data objects in the PIV Card Application,
    • Tests to verify the on-card biometric comparison mechanism,
    • Tests to verify the correct behavior of secure messaging and the virtual contact interface and,
    • Tests to verify that the PIV Card Application enforces PIN length and format requirements.
 
Federal agencies and private organizations, including test laboratories as well as individuals, are invited to review the draft guidelines and submit comments to NIST by email to pivtesting@nist.gov with "Comments on Draft SP 800-85A-4" in the subject line. Comments should be submitted using the comment template (see link below - Excel spreadsheet). The comment period closes at 5:00pm EDT on July 10, 2015.

Draft SP 800-85A-4
Comment Template for Draft SP 800-85A-4

May 29, 2015

NIST IR 8060

DRAFT Guidelines for the Creation of Interoperable Software Identification (SWID) Tags

This report provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As defined by the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management (SAM) and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable. The application of this guidance supports reliable, standardized software inventory and discovery methods that help organizations achieve cybersecurity and SAM objectives. Application of SWID tags also supports automation for accurate and timely SAM reporting.
 
Please send comments to NISTIR8060-comments@nist.gov with “Comments Draft NISTIR 8060” in the subject line. Comments will be accepted through June 15, 2015.

Draft NISTIR 8060

May 28, 2015

NIST IR 8062

DRAFT Privacy Risk Management for Federal Information Systems

NIST requests comments on the draft report NISTIR 8062, Privacy Risk Management for Federal Information Systems, which describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems.
 
Please send comments to privacyeng@nist.gov. (Please Note: The deadline for submitting comments on NISTIR 8062 has been extended to July 31, 2015).
 
Background:
Expanding opportunities in cloud computing, big data, and cyber-physical systems are bringing dramatic changes to how we use information technology. While these technologies bring advancements to U.S. national and economic security and our quality of life, they also pose risks to individuals’ privacy.
 
Privacy Risk Management for Federal Information Systems (NISTIR 8062) introduces a privacy risk management framework for anticipating and addressing risks to individuals’ privacy. In particular, it focuses on three privacy engineering objectives and a privacy risk model. To develop this document, NIST conducted significant public outreach and research. We are soliciting public comments on this draft to obtain further input on the proposed privacy risk management framework, and we expect to publish a final report based on this additional feedback.
 
Note to Reviewers:
To facilitate public review, we have compiled a number of topics of interest to which we would like reviewers to respond. Please keep in mind that it is not necessary to respond to all topics listed below, Reviewers should also feel free to suggest other areas of revision or enhancement to the document.
 
   • Privacy Risk Management Framework: Does the framework provide a process that will help organizations make more informed system development decisions with respect to privacy? Does the framework seem likely to help bridge the communication gap between technical and non-technical personnel? Are there any gaps in the framework?
   • Privacy Engineering Objectives: Do these objectives seem likely to assist system designers and engineers in building information systems that are capable of supporting agencies’ privacy goals and requirements? Are there properties or capabilities that systems should have that these objectives do not cover?
   • Privacy Risk Model:
     o Does the equation seem likely to be effective in helping agencies to distinguish between cybersecurity and privacy risks?
     o Can data actions be evaluated as the document proposes? Is the approach of identifying and assessing problematic data actions usable and actionable?
     o Should context be a key input to the privacy risk model? If not, why not? If so, does this model incorporate context appropriately? Would more guidance on the consideration of context be helpful?
     o The NISTIR describes the difficulty of assessing the impact of problematic data actions on individuals alone, and incorporates organizational impact into the risk assessment. Is this appropriate or should impact be assessed for individuals alone? If so, what would be the factors in such an assessment

Draft NISTIR 8062
Comment Matrix Form for Draft NISTIR 8062

May 1, 2015

NIST IR 8058

DRAFT Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content

NIST announces the public comment release of NIST Internal Report (NIST IR 8058), Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content. The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. Over time, certain stylistic conventions regarding the authoring of SCAP 1.2 content have become best practices. They improve the quality of SCAP content in several ways, such as improving the accuracy and consistency of results, avoiding performance problems, reducing user effort, lowering content maintenance burdens, and enabling content reuse. This document has been created to capture the best practices and encourage their use by SCAP content authors and maintainers.
 
Please send comments to NISTIR8058-comments@nist.gov with “Comments Draft NISTIR 8058” in the subject line. Comments will be accepted through June 1, 2015.

Draft NISTIR 8058

Apr. 6, 2015

NIST IR 8053

DRAFT De-Identification of Personally Identifiable Information

NIST requests comments on an initial public draft report on NISTIR 8053, De-identification of personally Identifiable Information. This document describes terminology, process and procedures for the removal of personally identifiable information (PII) from a variety of electronic document types.
 
Background:
This draft results from a NIST-initiated review of techniques that have been developed for the removal of personally identifiable information from digital documents. De-identification techniques are widely used to removal of personal information from data sets to protect the privacy of the individual data subjects. In recent years many concerns have been raised that de-identification techniques are themselves not sufficient to protect personal privacy, because information remains in the data set that makes it possible to re-identify data subjects.
 
We are soliciting public comment for this initial draft to obtain feedback from experts in industry, academia and government that are familiar with de-identification techniques and their limitations.
 
Comments will be reviewed and posted on the CSRC website. We expect to publish a final report based on this round of feedback. The publication will serve as a basis for future work in de-identification and privacy in general.
 
Note to Reviewers:
NIST requests comments especially on the following:
 
    • Is the terminology that is provided consistent with current usage?
    • Since this document is about de-identification techniques, to what extent should it discuss differential privacy?
    • To what extent should this document be broadened to include a discussion of statistical disclosure limitation techniques?
    • Should the glossary be expanded? If so, please suggest words, definitions, and appropriate citations?
 
Please send comments to draft-nistir-deidentify@nist.gov by May 15, 2015.

Draft NISTIR 8053
Comment Template Form for Draft NISTIR 8053

Mar. 26, 2015

SP 800-70 Rev 3

DRAFT National Checklist Program for IT Products - Guidelines for Checklist Users and Developers

Draft Special Publication 800-70 Revision 3, National Checklist Program for IT Products--Guidelines for Checklist Users and Developers, has been released for public comment. It describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requirements for participation in the NCP. SP 800-70 Revision 3 updates the previous version of the document, which was released in 2011, by streamlining the text and removing outdated content, as well as updating the requirements for United States Government Configuration Baselines (USGCB).
 
Comments on draft SP 800-70 Revision 3 should be sent by April 27, 2015 to 800-70comments@nist.gov with "Comments SP 800-70" in the subject line.

Draft SP 800-70 Revision 3

Mar. 4, 2015

NIST IR 7966

DRAFT Security of Automated Access Management Using Secure Shell (SSH)

NIST announces the second public comment release of Draft NIST Interagency Report (IR) 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH). The purpose of this document is to assist organizations in understanding the basics of Secure Shell (SSH) and SSH access management in an enterprise, focusing on the management of SSH user keys. It describes the primary categories of vulnerabilities in SSH user key management and recommends practices for planning and implementing SSH access management. The scope of this draft is significantly different from the original public comment draft; this draft includes both interactive and automated access management, not just the latter.
 
Please send your comments to NISTIR7966-comments@nist.gov by April 3, 2015.

Draft NISTIR 7966 (356 KB)
Comment Template for Draft NISTIR 7966 (26 KB)

Jan. 23, 2015

NIST IR 7977

DRAFT NIST Cryptographic Standards and Guidelines Development Process (Second Draft)

NIST requests comments on a revised (second) draft on NIST Interagency Report (NISTIR) 7977, Cryptographic Standards and Guidelines Development Process. This revised document describes the principles, processes and procedures behind our cryptographic standards development efforts. Please send comments to crypto-review@nist.gov by March 27, 2015. Please see this announcement for additional information for reviewers.

(Second) Draft NISTIR 7977 (Jan. 2015) (208 KB)
NIST Solicits Comments on its Cryptographic Standards Development Process
NIST Public Affairs Office Press Release

Dec. 18, 2014

SP 800-152

DRAFT A Profile for U. S. Federal Cryptographic Key Management Systems (CKMS) (Third Draft)

NIST requests comments on Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems. This Profile is based on NIST Special Publication (SP) 800-130, A Framework for Designing Cryptographic Key Management Systems, and has been prepared to assist Cryptographic Key Management System (CKMS) designers and implementers in selecting the features to be provided in their “products,” and to assist Federal organizations and their contractors when procuring, installing, configuring, operating, and using a Federal Cryptographic Key Management System (FCKMS). Please send comments by February 18, 2015 to FederalCKMSProfile@nist.gov, with "Comments on SP 800-152" in the subject line. A template has been provided. Note that these comments will be posted for public review.
 
Note that this revision includes references to some of the security controls in SP 800-53. Comments on the accuracy of these references would be appreciated.

Draft SP 800-152 (Third Draft) (1.2 MB)
Comment Template for Draft SP 800-152
Comments Received Dec. 2014 Draft (comments posted 3/25/2015)

Dec. 16, 2014

NIST IR 7621 Rev.1

DRAFT Small Business Information Security: The Fundamentals

NIST, as a partner with the Small Business Administration and the Federal Bureau of Investigation in an information security awareness outreach to the small business community, developed this NISTIR as a reference guideline for small businesses. This document is intended to present the fundamentals of a small business information security program in non-technical language. Comments will be accepted through February 9, 2015. Please send comments / questions to: smallbizsecurity@nist.gov .

Draft NISTIR 7621 Revision 1 (264 KB)

Oct. 28, 2014

SP 800-150

DRAFT Guide to Cyber Threat Information Sharing

NIST announces the public comment release of Draft Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing. The purpose of this publication is to assist organizations in establishing, participating in, and maintaining information sharing relationships throughout the incident response life cycle. The publication explores the benefits and challenges of coordination and sharing, presents the strengths and weaknesses of various information sharing architectures, clarifies the importance of trust, and introduces specific data handling considerations. The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices, examining the value of standard data formats and transport protocols to foster greater interoperability, and providing guidance on the planning, implementation, and maintenance of information sharing programs.
 
Please send your comments to sp800-150comments@nist.gov by November 28, 2014 using the following template (See 2nd link below).

Draft SP 800-150 (1.3 MB)
Comment Template Form for Draft SP 800-150

Oct. 20, 2014

SP 800-125 A

DRAFT Security Recommendations for Hypervisor Deployment

NIST announces the public comment release of NIST Special Publication 800-125A, Security Recommendations for Hypervisor Deployment. Server Virtualization (enabled by Hypervisor) is finding widespread adoption in enterprise data centers both for hosting in-house applications as well as for providing computing resources for cloud services. The hypervisor provides abstraction of all physical resources (such as CPU, Memory, Network and Storage) and thus enables multiple computing stacks (each consisting of an O/S (called Guest O/S), Middleware and a set of Application programs) to be run on a single physical host (referred to virtualized host or hypervisor host).
 
Since the NIST publication of SP 800-125 (Guide to Security for Full Virtualization Technologies) in January 2011, both the feature set of hypervisors as well as the tools for configuration and administration of virtualized infrastructure spawned by the hypervisor has seen considerable increase. This has generated the need to develop security recommendations for secure deployment of hypervisor platforms. This special publication defines a focused set of twenty-two security recommendations (in terms of architectural choices and configuration settings), intended to ensure secure execution of tasks performed by the hypervisor components under the umbrella of five baseline functions.
 
The public comment period closes on Monday, November 10, 2014. Please send comments to mouli@nist.gov

Draft SP 800-125 A (360 KB)

Aug. 22, 2014

SP 800-167

DRAFT Guide to Application Whitelisting

NIST announces the public comment release of Draft Special Publication (SP) 800-167, Guide to Application Whitelisting. The purpose of this publication is to assist organizations in understanding the basics of application whitelisting (also known as application control) by examining the basics of application whitelisting and explaining the planning and implementation for application whitelisting technologies throughout the security deployment lifecycle.
 
Please send your comments to 800-167comments@nist.gov by September 26, 2014 using the following template (See 2nd link below).

Draft SP 800-167 (254 KB)
Comment Template for Draft SP 800-167 (26 KB)

Aug. 6, 2014

SP 800-85 B-4

DRAFT PIV Data Model Conformance Test Guidelines

NIST produced a revised version of NIST Special Publication SP 800-85B PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test new features added to the PIV Data Model in SP 800-73-4 Parts 1. This document, after a review and comment period, will be published as NIST SP 800-85B-4. Federal agencies and private organizations including test laboratories as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-4" in the subject line.
 
Comments should be submitted using the comment template (Excel spreadsheet) - see second link below. The comment period closes at 5:00 EST (US and Canada) on September 5, 2014. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.
 
Please note that NIST has made a one-time change in the revision number of SP 800-85B (skipping revision numbers 2 and 3) so we can align the current publication revision to SP 800-73-4.

Draft SP 800-85B-4 (1.6 MB)
Template for Submitting Public Comments (38 KB)

Jun. 23, 2014

NIST IR 8006

DRAFT NIST Cloud Computing Forensic Science Challenges

This document summarizes the research performed by the members of the NIST Cloud Computing Forensic Science Working Group, and aggregates, categorizes and discusses the forensics challenges faced by experts when responding to incidents that have occurred in a cloud-computing ecosystem. The challenges are presented along with the associated literature that references them. The immediate goal of the document is to begin a dialogue on forensic science concerns in cloud computing ecosystems. The long-term goal of this effort is to gain a deeper understanding of those concerns (challenges) and to identify technologies and standards that can mitigate them.
 
PLEASE NOTE: NIST Computer Security Division has extended the public review period of the recently posted Draft NISTIR 8006, NIST Cloud Forensic Science Challenges. Comments on the document will be accepted until August 25, 2014
 
The public comment period closed on August 25, 2014.

Draft NISTIR 8006 (885 KB)
Comment Template for Draft NISTIR 8006 (26 KB)

Jun 2, 2014

SP 800-79 2

DRAFT Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)

NIST announces that Draft Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI), is now available for public comment. This document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:
 
  • Inclusion of issuer controls for Derived PIV Credentials Issuers (DPCI),
  • Addition of issuer controls for issuing PIV Cards under the grace period and for issuing PIV Cards to individuals under pseudonymous identity,
  • Addition of issuer controls for the PIV Card’s visual topography,
  • Updated issuer controls to detail controls for post-issuance updates of PIV Cards,
  • Updated references to the more recent credentialing guidance issued by OPM,
  • Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and.
  • Modified process to include an independent review prior to authorization of issuer.
 
The public comment period closed on June 30, 2014.

Draft SP 800-79-2 (978 KB)
Comment Template for Draft SP 800-79-2

May 29, 2014

NIST IR 7924

DRAFT Reference Certificate Policy (Second Draft)

NIST announces the public comment release of second draft of Interagency Report 7924, Reference Certificate Policy. The purpose of this document is to identify a set of security controls and practices to support the secure issuance of certificates. It was written in the form of a Certificate Policy (CP), a standard format for defining the expectations and requirements of the relying party community that will trust the certificates issued by its Certificate Authorities (CAs).
 
NIST released the first draft of this publication in April 2013 and received extensive public comments. This revised draft incorporates changes requested by commenters, many intended to improve the security controls identified in the document, provide additional flexibility for CAs, and clarify ambiguities in the previous release.
 
The public comment period closed on August 1, 2014.

Second Draft NISTIR 7924 (636 KB)
Template for Submitting Public Comments (87 KB)

May 28, 2014

FIPS 202

DRAFT SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

NIST published a Federal Register Notice, FRN 2014-12336, on May 28, 2014 to announce the publication of Draft FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, and Draft Revision of the Applicability Clause of FIPS 180-4, Secure Hash Standard, and request for comments. A 90-day public comment period is provided.
 
The public comment period closed on August 26, 2014.

Draft FIPS 202 (523 KB)
Federal Register Notice for FIPS 202
Draft Revision of the Applicability Clause of FIPS 180-4, Secure Hash Standard

May 12, 2014

SP 800-160

DRAFT Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems

NIST requests comments on the initial public draft of Special Publication (SP) 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. The new security guidelines recommend steps to help develop a more defensible and survivable information technology (IT) infrastructure—including the component products, systems, and services that compose the infrastructure. A formal announcement of the publication is planned on May 13, 2014 at the College of Science and Engineering, Technology Leadership Institute, University of Minnesota.
 
The public comment period closed on July 11, 2014.

Draft SP 800-160

Mar. 14, 2014

SP 800-16 Rev. 1 (3rd draft)

DRAFT A Role-Based Model for Federal Information Technology / Cyber Security Training (3rd public draft)

NIST announces the release of Draft Special Publication (SP) 800- 16 Revision 1 (3rd public draft), A Role-Based Model For Federal Information Technology/Cyber Security Training for public comment. SP 800-16 describes information technology / cyber security role-based training for Federal Departments and Agencies and Organizations (Federal Organizations). Its primary focus is to provide a comprehensive, yet flexible, training methodology for the development of training courses or modules for personnel who have been identified as having significant information technology / cyber security responsibilities.
 
Please submit comments to sp80016-comments@nist.gov with “Comments on SP 800-16 Rev 1 (3rd draft)” in the subject line.
 
The public comment period closed on April 30, 2014.

Draft SP 800-16 Rev. 1 (3rd draft) (2.0 MB)

Mar. 7, 2014

NIST IR 7981

DRAFT Mobile, PIV, and Authentication

NIST announces public comment release of NIST IR 7981, Mobile, PIV, and Authentication. NIST IR 7981 analysis and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.
 
There is a comment template provided for submitting comments for this draft NISTIR - see link below. Comments on this publication may be submitted to piv_comments@nist.gov.
 
The public comment period closed on April 21, 2014.

Draft NISTIR 7981 (202 KB)
Comment Template for Draft NISTIR 7981 (32 KB)

Sep. 9, 2013

SP 800-90 B-C

DRAFT Draft SP 800-90 Series: Random Bit Generators
800-90 B: Recommendation for the Entropy Sources Used for Random Bit Generation
800-90 C: Recommendation for Random Bit Generator (RBG) Constructions

In light of recent reports, NIST is reopening the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C.
NIST is interested in public review and comment to ensure that the recommendations are accurate and provide the strongest cryptographic recommendations possible.
The public comment period closed on November 6, 2013.
 
In addition, the Computer Security Division has released a supplemental ITL Security Bulletin titled "NIST Opens Draft Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, For Review and Comment (Supplemental ITL Bulletin for September 2013)" to support the draft revision effort.

Draft SP 800-90 B (800 KB)
Draft SP 800-90 C (1.1 MB)
Comments Received Draft SP 800-90 A Rev. 1, B and C (469 KB)

July 8, 2013

SP 800-38 G

DRAFT Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption

NIST is pleased to announce that Draft NIST Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, is available for public comment. Format-preserving encryption (FPE) has emerged as a useful cryptographic tool, whose applications include financial-information security, data sanitization, and transparent encryption of fields in legacy databases.
 
Three methods are specified in this publication: FF1, FF2, and FF3. Each is a format-preserving, Feistel-based mode of operation of the AES block cipher. FF1 was submitted to NIST by Bellare, Rogaway and Spies under the name FFX[Radix]; FF2 was submitted to NIST by Vance under the name VAES3; and FF3 is the main component of the BPS mechanism that was submitted to NIST by Brier, Peyrin, and Stern. The submission documents are available at http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html.
 
The public comment period closed on September 3, 2013.

Draft SP 800-38G (1.3 MB)

Dec. 21, 2012

NIST IR 7904

DRAFT Trusted Geolocation in the Cloud: Proof of Concept Implementation

NIST announces the public comment release of Draft Interagency Report (IR) 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation. This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof of concept implementation that was designed to address those challenges. The publication provides sufficient details about the proof of concept implementation so that organizations can reproduce it if desired. The publication is intended to be a blueprint or template that can be used by the general security community to validate and implement the described proof of concept implementation.
 
The public comment period closed on January 31, 2013.

Draft NISTIR 7904 (1.9 MB)

Oct. 31, 2012

SP 800-164

DRAFT Guidelines on Hardware-Rooted Security in Mobile Devices

NIST announces the public comment release of the draft NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices . The guidelines in this document are intended to provide a common baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own Device, BYOD). It focuses on providing three security capabilities- device integrity, isolation, and protected storage- through the use of hardware-based roots of trust.
 
The intended audience for this document includes mobile Operating System (OS) vendors, device manufacturers, security software vendors, carriers, application software developers and information system security professionals who are responsible for managing the mobile devices in an enterprise environment.
 
The public comment period closed on December 14, 2012.

Draft SP 800-164 (340 KB)

July 25, 2012

SP 800-94 Rev. 1

DRAFT Guide to Intrusion Detection and Prevention Systems (IDPS)

NIST announces the public comment release of Draft Special Publication 800-94 (SP) Revision 1, Guide to Intrusion Detection and Prevention Systems (IDPS). This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network behavior analysis (NBA), and host-based. Draft SP 800-94 Revision 1 updates the original SP 800-94, which was released in 2007.
 
The public comment period closed on August 31, 2012.

Draft SP 800-94 Rev. 1 (1.7 MB)

May 7, 2012

NIST IR 7848

DRAFT Specification for the Asset Summary Reporting Format 1.0

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7848, Specification for the Asset Summary Reporting Format 1.0. NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing the data exchange format of summary information relative to one or more metrics. ASR reduces the bandwidth requirement to report information about assets in the aggregate since it allows for reporting aggregates relative to metrics, as opposed to reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and leverages widely adopted, open specifications; it is flexible, and suited for a wide variety of reporting applications.
 
The public comment period closed on June 6, 2012.

Draft NISTIR 7848 (815 KB)

Jan. 20, 2012

NIST IR 7800

DRAFT Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7800, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains. This publication binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.
 
The public comment period closed on February 17, 2012.

Draft NISTIR 7800 (515 KB)

Jan. 6, 2012

SP 800-117 Rev. 1

DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2

NIST announces the public comment release of draft Special Publication (SP) 800-117 Revision 1, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2. The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP) version 1.2. This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP version 1.2 capabilities within their offerings. The intended audience for this document is individuals who have responsibilities for maintaining or verifying the security of systems in operational environments.
 
The public comment period closed on February 17, 2012.

Draft SP 800-117 Rev. 1 (153 KB)

Jan. 6, 2012

NIST IR 7799

DRAFT Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7799, Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications. This publication provides the technical specifications for the continuous monitoring (CM) reference model presented in NIST IR 7756. These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain agnostic, which means that they can be used for CM regardless of the data domain that is being monitored.
 
The public comment period closed on February 17, 2012.

Draft NISTIR 7799 (1.2 MB)

Jan. 6, 2012

NIST IR 7756

DRAFT CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture

NIST announces the second public comment release of Draft NIST Interagency Report (NISTIR) 7756, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture. This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security’s CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.
 
The public comment period closed on February 17, 2012.

Draft NISTIR 7756 (2nd public draft) (942 KB)

Dec. 8, 2011

SP 800-155

DRAFT BIOS Integrity Measurement Guidelines

NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization —either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.
 
The public comment period closed on January 20, 2012.

Draft SP 800-155 (816 KB)

Dec. 6, 2011

NIST IR 7831

DRAFT Common Remediation Enumeration (CRE) Version 1.0

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7831, Common Remediation Enumeration Version 1.0. NISTIR 7831 defines the Common Remediation Enumeration (CRE) specification. CRE is part of an emerging suite of enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities. Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier (CRE-ID). This specification describes the core concepts of CRE and the technical components of a CRE entry, outlines how CRE entries are created, and defines the technical requirements for constructing CRE entries.
 
The public comment period closed on January 20, 2012.

Draft NISTIR 7831 (978 KB)

Feb. 10, 2011

NIST IR 7670

DRAFT Proposed Open Specifications for an Enterprise Remediation Automation Framework

NIST announces the public comment release of the draft NIST Interagency Report (NISTIR) 7670, Proposed Open Specifications for an Enterprise Remediation Automation Framework. This report examines technical use cases for enterprise remediation, identifies high-level requirements for these use cases, and proposes a set of emerging specifications that satisfy those requirements.
 
The public comment period closed on March 11, 2011.

Draft NISTIR 7670 (333 KB)

Mar. 10, 2010

NIST IR 7669

DRAFT Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements

Draft NIST Interagency Report (IR) 7669, Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements, describes the requirements that must be met by products to achieve OVAL Validation. Validation is awarded based on a defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7669 has been written primarily for accredited laboratories and for vendors interested in receiving OVAL validation for their products.
 
The public comment period closed on April 9, 2010.

NISTIR 7669 (277 KB)

Dec. 11, 2009

FIPS 140-3

DRAFT Security Requirements for Cryptographic Modules (Revised Draft)

The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing.
 
The public comment period closed on March 11, 2010.
 
NOTE: Additional information regarding the FIPS 140-3 draft development can be found here on CSRC. Also, a complete set of all comments received in response to the July 2007 FIPS 140-3 draft and NIST’s responses to these commentsare available.

Draft FIPS 140-3 (revised draft) (706 KB)
Comment template for Draft FIPS 140-3 (revised draft) (38 KB)

July 14, 2009

SP 800-65 Rev. 1

DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)

NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.
 
The public comment period closed on August 14, 2009.

Draft SP 800-65 Rev. 1 (679 KB)

Apr. 21, 2009

SP 800-118

DRAFT Guide to Enterprise Password Management

NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
 
The public comment period closed on May 29, 2009.

Draft SP 800-118 (181 KB)

Oct. 6, 2006

SP 800-103

DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation

NIST is pleased to announce the release of Draft of the Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. The SP 800-103 is available for a six week public comment period. This document provides the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide an Extensible Markup Language (XML) schemas, as a framework for retention and exchange of identity credential information.
 
The public comment period closed on November 15, 2006.

Draft SP 800-103 (699 kB)
Back to Top