
Publications

Drafts

This page consists of draft NIST Publications (FIPS, Special Publications) that are either open for public review and to offer comments, or the document is waiting to be approved as a final document by the Secretary of Commerce.

Drafts

Feb. 2, 2010

NIST IR-7628

DRAFT Smart Grid Cyber Security Strategy and Requirements

NIST announces that the second draft of NIST IR 7628, Smart Grid Cyber Security Strategy and Requirements, is now available for public comment. The second draft of the document contains the updated overall security strategy for the Smart Grid and updated logical interface diagrams, privacy, bottom-up analysis, and vulnerability class analysis sections. In addition, new chapters on research and development themes and standards assessment have been included. Finally, an overall functional logical Smart Grid architecture is included.
 
This is the second draft of the NISTIR; comments are being received through April 2, 2010. A comment submission template is posted. Also posted with the draft NISTIR is a disposition of comments document. Over 450 individual comments were received and addressed (as applicable) in the second draft of the NISTIR. The final version is scheduled to be posted Spring 2010.
 
Please submit comments to cswgdraft2comments@nist.gov

draft-nistir-7628_2nd-public-draft.pdf (4.9 MB)
nistir7628_comments_template_feb-02-2010.doc (34 KB)
nistir7628_Sept09_comment-disposition.pdf (1.1 MB)
draft-nistir-7628.pdf (1.4 MB)

Jan. 14, 2010

SP 800-131

DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes

Draft Special Publication 800-131, Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes, is available for public comment. NIST Special Publication (SP) 800-57, Part 1 included a general approach for transitioning from one algorithm or key length to another. This Recommendation (SP 800-131) provides more specific guidance for transitions to stronger cryptographic keys and more robust algorithms. Public comments should be sent to CryptoTransitions@nist.gov by March 15, 2010. The authors of this document, Elaine Barker and Allen Roginsky, will be available for discussions at the RSA Conference in San Francisco on March 1-5.

draft-800-131_transition-paper.pdf (192 KB)

Dec. 15, 2009

SP 800-126 Rev. 1

DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1

NIST announces the public comment release of Special Publication (SP) 800-126 Revision 1, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1. SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. SP 800-126 defines and explains SCAP version 1.1, including the basics of the SCAP component specifications and their interrelationships, the characteristics of SCAP content, and the SCAP requirements not defined in the individual component specifications. Major changes from SCAP version 1.0 to 1.1 include the addition of Open Checklist Interactive Language (OCIL) and an upgrade to Open Vulnerability and Assessment Language (OVAL) version 5.6.
 
NIST requests comments on draft SP 800-126 Revision 1 by January 23, 2010. Please submit comments to 800-126comments@nist.gov with “Comments SP 800-126” in the subject line.

draft-sp800-126r1.pdf (999 KB)

Dec. 11, 2009

FIPS 140-3

DRAFT Security Requirements for Cryptographic Modules (Revised Draft)

The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing.
 
All comments to the Revised Draft FIPS 140-3 must be received on or before March 11, 2010. Please use the template provided. Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Michaela Iorga, 100 Bureau Drive, Mail Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic comments may also be sent to: FIPS140-3@nist.gov, with "Comments on the Revised Draft FIPS 140-3" in the subject line.
 
NOTE: Additional information regarding the FIPS 140-3 draft development can be found here on CSRC. Also, a complete set of all comments received in response to the July 2007 FIPS 140-3 draft and NIST’s responses to these comments is also available on CSRC.

revised-draft-fips140-3_PDF-zip_document-annexA-to-annexG.zip (706 KB)
revised-fips140-3_comments-template.dot (38 KB)

Nov. 25, 2009

NIST IR-7657

DRAFT Privilege Management

NIST announces that draft NIST IR 7657, Privilege Management, is now available for public comment. The first draft of the document is based on the discussions and conclusions of the Privilege Management Workshop held on September 1-3, 2009 at the Gaithersburg, Maryland facilities of the National Institute of Standards and Technology (NIST). The view of privilege management expressed in this document generally aligns with the architectural and service framework for privilege management presented in the Federal Identity, Credential, and Access Management (FICAM) Roadmap and Implementation Guidance document [FICAM-09]. This document includes additional material and editing resulting from in-scope comments made by Workshop participants.
 
The Editor of this draft Interagency Report respectfully requests that you observe the following guidelines in providing comments:

  • Any general comments that do not include specific suggested modifications, additions, or deletions will be appreciated, of course, but will not result in changes to the draft.
  • For your specific comments, identify a line number or range of line numbers in the draft to which your comment pertains.
  • For your specific comments, identify each comment as one of the following types:
    • (A) minor editorial comment: a minor editorial comment may suggest a grammatical change for clarity, substitution of a word better suited to the thought, correction of a typo, and so on. Provide the specific text that should be inserted, modified, or deleted. The editor will accept or reject the suggestion as he sees fit. In the case of figures, a minor editorial comment may suggest small changes for clarity. Rationale for suggestions will be helpful.
    • (B) suggested content modification/correction/addition: comments of this type deal with content. Modifications are for clarity or flow; corrections are for technical accuracy; and additions are for completeness within the established scope of the topic in question. Also, a modification can be a suggested deletion of a sentence considered distracting or out of scope. However, type (B) comments should not be used to provide new material that extends the scope of the particular topic in question. If you feel that such material should be included in the report, please use a type (C) comment. The editor will accept, reject, or modify type (B) comments as he deems fit. Rationale for suggested changes will be very helpful. In cases where the comment is beyond the expertise of the editor, he will consult with the NIST-NSA Privilege Management Team for assistance in processing the comment. Modifications and corrections must be provided as specific text to use to effect the modification or correction; additions must be provided as specific text to use as the addition.
    • (C) major disagreement: a major disagreement can concern what is in the draft as well as what is not in the draft. For this type of comment, please provide the exact text that documents your position; this text will be incorporated into the NIST IR as provided, annotated as disagreement, with attribution.
  • You can provide your comments in an email--HTML or plaintext--or as an attachment to an email--plaintext, RTF, Word, or PDF format. Comments sent in any other form will not be processed.
  • NIST requests comments on Draft NIST IR 7657 by January 25, 2010. Please submit comments to draftprivmgt@nist.gov. The NIST-NSA Privilege Management team reserves the right to ignore comments received after the deadline.

draft-nistir-7657_privilege-management.pdf (2.0 MB)

Nov. 17, 2009

SP 800-37 Rev. 1

DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

NIST announces the publication of the Final Public Draft of Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. This publication represents the second in a series of publications being developed under the auspices of the Joint Task Force Transformation Initiative. For the past three years, NIST has been working in partnership with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS) to develop a common information security framework for the federal government and its support contractors. The initial publication produced by the task force, NIST Special Publication 800-53, Revision 3, was historic in nature—in that it created a unified security control catalog reflecting the information security requirements of both the national security community and the nonnational security community. NIST Special Publication 800-37, Revision 1, completes the transformation of the traditional process employed by the federal government to certify and accredit federal information systems to a near real-time assessment and authorization. The revised process provides greater emphasis on: (i) building information security capabilities into information systems through the application of state-of-the-practice management, operational, and technical security controls; (ii) maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes; and (iii) understanding and accepting the risk to organizational operations and assets, individuals, other organizations, and the Nation arising from the use of information systems.
 
The most significant change in the Final Public Draft of Special Publication 800-37, Revision 1, is the full transformation of the Certification and Accreditation (C&A) process into the six-step Risk Management Framework (RMF). The revised RMF-based process has the following characteristics:

  • Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
  • Encourages the use of automation and automated support tools to provide senior leaders the necessary information to take credible, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
  • Integrates information security more closely into the enterprise architecture and system development life cycle;
  • Provides equal emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
  • Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls); and
  • Links risk management processes at the information system level to risk management processes at the organization-level through a risk executive (function).

The risk management process described in this publication focuses on the strategic, enterprise-centric, near real-time approaches to security assessment and system authorization and provides the capability to more effectively manage information system-related security risks in highly dynamic environments of complex and sophisticated cyber threats, ever increasing system vulnerabilities, and rapidly changing missions.

NIST requests comments on the Final Public Draft of Special Publication 800-37, Revision 1, by December 31, 2009. Please submit comments to sec-cert@nist.gov. Final publication is expected in February 2010.

SP800-37-rev1-FPD.pdf (707 KB)

Oct. 27, 2009

SP 800-34 Rev. 1

DRAFT Contingency Planning Guide for Federal Information Systems

NIST announces that Draft SP 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, has been released for public comment. SP 800-34 Revision 1 is intended to help organizations by providing instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption. The guide defines a seven-step contingency planning process that an organization may apply to develop and maintain a viable contingency planning program for their information systems. The guide also presents three sample formats for developing an information system contingency plan based on low, moderate, or high impact level, as defined by Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.
 
Draft SP 800-34 Revision 1 is an update to the original SP 800-34, which was published in 2002.
 
NIST requests comments on draft SP 800-34 Revision 1 by January 6, 2010. Please submit comments to draft800-34-comments@nist.gov with "Comments SP 800-34" in the subject line.

draft_sp-800-34-rev1.pdf (1.2 MB)

Oct. 6, 2009

SP 800-78-2

DRAFT Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV)

NIST is pleased to announce the release of Draft Special Publication 800-78-2, Cryptographic Algorithms and Key Sizes for Personal Identity Verification (PIV). The document has been modified 1) to re-align with the Suite B Cryptography specification and with the recently published FIPS 186-3 and 2) to eliminate a redundant encryption mode for symmetric PIV authentication protocols. In particular, the following changes are introduced in draft SP 800-78-1:

  • The National Security Agency’s Suite B Cryptography specification removed Elliptic Curve MQV as an NSA-approved key exchange method. To re-align with Suite B, Elliptic Curve MQV is discontinued in Draft SP800-78-2 as a key agreement scheme for the PIV card.
  • The final release of FIPS 186-3 Digital Signature Standard, published in June 2009, does not list RSA 4096 as an approved digital signature algorithm and key size for use in the federal government. To comply with FIPS 186-3, draft SP 800-78-2 accordingly removes RSA 4096 as an algorithm and key size for generating signatures for PIV data objects.
  • For symmetric authentication purposes (challenge and response), the Cipher Block Chaining (CBC) mode of encryption is redundant to the Electronic Code Book (ECB) mode of encryption. To remove the redundant implementation, CBC has been discontinued in draft SP 800-78-1.

The changes are incorporated in the document as well as in a track-change version. Comments should be submitted to piv_comments@nist.gov with "Comments on SP800-78-2" in the subject line using the Comments Template Form (Excel Spreadsheet). The comment period closes at 5:00 EST on November 12, 2009.

Draft-SP800-78-2.pdf
TrackChangeDraftSP800-78-2.pdf
SP800-78-2_Comment-template.xls

Sept. 22, 2009

SP 800-127

DRAFT Guide to Security for Worldwide Interoperability for Microwave Access (WiMAX) Technologies

NIST announces the public comment release of draft SP 800-127, Guide to Security for WiMAX Technologies. Worldwide Interoperability for Microwave Access (WiMAX) is a wireless metropolitan area network communications technology based on the IEEE 802.16 standard. WiMAX technologies were originally developed to provide last-mile broadband wireless access, but are now more focused on cellular-like mobile architectures. Draft SP 800-127 explains the basics of WiMAX, provides information on the security capabilities of WiMAX, and gives recommendations on securing WiMAX technologies effectively. It also explains the security differences among the major versions of the IEEE 802.16 standard. NIST requests comments on draft SP 800-127 by October 30, 2009. Please submit comments to 800-127comments@nist.gov with "Comments SP 800-127" in the subject line.

draft-sp800-127.pdf (1.99 MB)

Sept. 11, 2009

SP 800-85B-1

DRAFT PIV Data Model Conformance Test Guidelines

NIST produced a revised version of NIST Special Publication SP 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test the optional features added to the PIV Data Model in SP 800-73-2 Part 1 and updates to tests to conform to the cryptographic migration timeline specified in SP 800-78-1. A short summary of the changes is available here. This document, after a review and comment period, will be published as NIST SP 800-85B-1. Federal agencies and private organizations including test laboratories as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to piv_comments@nist.gov with "Comments on Public Draft SP 800-85B-1" in the subject line. Comments should be submitted using the comment template (Excel spreadsheet). The comment period closes at 5:00 EST (US and Canada) on September 25, 2009. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.

draft-sp800-85B-1.pdf (1.3 MB)
sp800-85B_Change_Summary.pdf (14 KB)
Comment-Template_sp800-85B-1.xls (18 KB)

Aug. 26, 2009

SP 800-81 Rev. 1

DRAFT Secure Domain Name System (DNS) Deployment Guide

NIST has drafted another revision of the document "Secure Domain Name System (DNS) Deployment Guide" (SP 800-81). This revision addresses all the comments and feedback received for the first revision through public comments in March 2009, in addition to adding 3 more subsections described below. After addressing the public comments received in this round, it will be published as NIST SP 800-81r1. Federal agencies and private organizations as well as individuals are invited to review this draft and submit comments to NIST by sending them to SecureDNS@nist.gov before September 30, 2009. Comments will be reviewed and posted on the CSRC website. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication. A brief description of the 3 new subsections is given below:
 
What is new in this revision leading to SP 800-81r1:
  (1) Guidelines on procedures for migrating to a new cryptographic algorithm for signing of the zone (Section 11.5).
  (2) Guidelines on procedures for migrating from NSEC to NSEC3 for providing authenticated denial of existence (Section 11.6).
  (3) Deployment guidelines for split-zone under different scenarios (Section 11.7).

nist_draft_sp800-81r1-round2.pdf (811 KB)

Aug. 13, 2009

SP 800-73-3

DRAFT Interfaces for Personal Identity Verification (4 Parts)
Pt. 1- End Point PIV Card Application Namespace, Data Model and Representation
Pt. 2- PIV Card Application Interface
Pt. 3- PIV Client Application Programming Interface
Pt. 4- The PIV Transitional Data Model and Interfaces

NIST announces that Draft Special Publication (SP) 800-73-3, Interfaces for Personal Identity Verification, has been released for public comment. Draft SP 800-73-3 introduces new, optional features including:
 
(1) on-card retention of retired Key Management keys and corresponding X.509 certificates for the purpose of deriving or decrypting data encryption keys;
 
(2) use of the ECDH key establishment scheme with the Key Management Key, as specified in SP 800-78-1; and
 
(3) provisions for Non-Federal Issuer (NFI) credentials. Draft SP 800-73-3 also includes editorial changes aimed at clarifying ambiguities.
 
Except for minor editorial changes, all changes can be reviewed with the track-change version of Draft SP 800-73-3.
 
NIST requests comments on draft SP 800-73-3 by 5:00pm EDT on September 13, 2009. Please submit your comments, using the comment template form to PIV_comments@nist.gov with "Comments on Public Draft SP 800-73-3" in the subject line.

draft-sp800-73-3_part1_piv-application-datamodel-representation.pdf (544 KB)
draft-sp800-73-3_part2_piv-application-card-command-interface.pdf (350 KB)
draft-sp800-73-3_part3-piv-application-programming-interface.pdf (177 KB)
draft-sp800-73-3_part4_piv-tranisitional-interface-data-model-specification.pdf (188 KB)
draft-sp800-73-3_part1_trackchanges.pdf (454 KB)
draft-sp800-73-3_part2_trackchanges.pdf (275 KB)
draft-sp800-73-3_part3_trackchanges.pdf (155 KB)
draft-sp800-73-3_part4_trackchanges.pdf (170 KB)
comments_teplate_draft-sp800-73-3.xls (16 KB)

July 14, 2009

SP 800-65 Rev. 1

DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)

NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.
 
NIST requests comments on draft SP 800-65 by August 14, 2009. Please submit comments to draft800-65-comments@nist.gov with "Comments SP 800-65Rev1" in the subject line.

draft-sp800-65rev1.pdf (679 KB)

June 16, 2009

NIST IR-7502

DRAFT The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities

The second public draft of IR 7502, The Common Configuration Scoring System (CCSS): Metrics for Software Security Configuration Vulnerabilities, is now available for public comment. This report proposes a specification for CCSS, a set of standardized measures for the severity of software security configuration vulnerabilities. NISTIR 7502 also provides examples of how CCSS measures and scores would be determined. Once CCSS is finalized and CCSS measures for products are available, organizations can use CCSS to help them make security decisions based on standardized, quantitative vulnerability data.

NIST requests comments on Draft NISTIR 7502 by July 17, 2009. Please submit comments to IR7502comments@nist.gov with "Comments IR 7502" in the subject line.

Draft-NISTIR-7502.pdf

May 5, 2009

SP 800-117

DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP)

NIST announces that Draft Special Publication (SP) 800-117, Guide to Adopting and Using the Security Content Automation Protocol (SCAP), has been released for public comment. SCAP comprises specifications for organizing and expressing security-related information in standardized ways, as well as related reference data such as unique identifiers for vulnerabilities. SP 800-117 provides an overview of SCAP, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains how IT product and service vendors can adopt SCAP's capabilities within their offerings.
 
NIST requests comments on draft SP 800-117 by June 12, 2009. Please submit comments to 800-117comments@nist.gov with "Comments SP 800-117" in the subject line.

draft-sp800-117.pdf (215 KB)

Apr. 21, 2009

SP 800-118

DRAFT Guide to Enterprise Password Management

NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
 
NIST requests comments on draft SP 800-118 by May 29, 2009. Please submit comments to 800-118comments@nist.gov with "Comments SP 800-118" in the subject line.

draft-sp800-118.pdf (181 KB)

Apr. 21, 2009

NIST IR-7511 Rev. 1

DRAFT Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements

Draft NIST Interagency Report (IR) 7511 Revision 1, Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements, describes the requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7511 Revision 1 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.
 
If you have questions regarding this document, please send email to: IR7511comments@nist.gov.
 
Webmaster's Note: The first link "draft-nistir-7511_rev1.pdf" below is for NIST IR 7511 Revision 1 (posted April 21, 2009) and the second link "Draft-NISTIR-7511.pdf" is the original NIST IR 7511 (updated April 14, 2009).

draft-nistir-7511_rev1.pdf (302 KB)
Draft-NISTIR-7511.pdf (211 KB)

Mar. 20, 2009

SP 800-16 Rev. 1

DRAFT Information Security Training Requirements: A Role- and Performance-Based Model

The comprehensive training methodology provided in this publication is intended to be used by federal information security professionals and instructional design specialists to design (1) role-based training courses or modules for personnel who have been identified as having significant responsibilities for information security, and (2) a basics and literacy course for all users of information systems.
 
We encourage readers to pay special attention to the Notes to Reviewers section, as we are looking for feedback on the many changes we have made to this document.
 
Comments will be accepted until June 26, 2009. Comments should be forwarded via email to 800-16comments@nist.gov.

Draft-SP800-16-Rev1.pdf (1,197 KB)

Feb. 27, 2009

NIST IR-7517

DRAFT The Common Misuse Scoring System (CMSS): Metrics for Software Feature Misuse Vulnerabilities

Draft NIST Interagency Report (IR) 7517, The Common Misuse Scoring System (CMSS), is now available for public comment. This report proposes a specification for CMSS, a set of standardized measures for the severity of software feature misuse vulnerabilities. NISTIR 7517 also provides examples of how CMSS measures and scores would be determined. Once CMSS is finalized, CMSS data can assist organizations in making security decisions based on standardized, quantitative vulnerability data.
 
NIST requests comments on Draft NISTIR 7517 by April 3, 2009. Please submit comments to IR7517comments@nist.gov with "Comments IR 7517" in the subject line.

Draft-NISTIR-7517.pdf (335 KB)

Jan. 13, 2009

SP 800-122

DRAFT Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

NIST announces that draft Special Publication (SP) 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), is now available for public comment. SP 800-122 is intended to assist Federal organizations in identifying PII and determining what level of protection each instance of PII requires, based on the potential impact of a breach of the PII's confidentiality. The publication also suggests safeguards that may offer appropriate protection for PII and makes recommendations regarding PII data breach handling.
 
NIST requests comments on draft SP 800-122 by March 13, 2009. Please submit comments to 800-122comments@nist.gov with "Comments SP 800-122" in the subject line.

Draft-SP800-122.pdf (394 KB)

Jan. 13, 2009

NIST IR-7497

DRAFT Security Architecture Design Process for Health Information Exchanges (HIEs)

NISTIR 7497, Draft Security Architecture Design Process for Health Information Exchanges (HIEs), is intended to provide a systematic approach to designing a technical security architecture for the exchange of health information that leverages common government and commercial practices and that applies them specifically to the HIE domain. This publication assists organizations in ensuring that data protection is adequately addressed throughout the system development life cycle, and that these data protection mechanisms are applied when the organization develops technologies that enable the exchange of health information.
 
Please submit your comments to draft-nistir7497-comments@nist.gov. The comment period for draft NIST IR 7497 closes on Friday March 13, 2009.

Draft-NISTIR-7497.pdf (625 KB)

Dec. 12, 2008

SP 800-63 Rev. 1

DRAFT Electronic Authentication Guideline

Draft SP 800-63 Revision 1: E-Authentication Guideline is available for a second public comment period. It supplements OMB guidance, by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies, and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. The bulk of the changes since the previously posted draft of SP 800-63-1 concern assertion technologies and Kerberos. Comments will be accepted until January 30, 2009. Comments should be forwarded via email to eauth-comments@nist.gov.

SP800-63-Rev1_Dec2008.pdf (924 KB)

Sept. 29, 2008

SP 800-82

DRAFT Guide to Industrial Control Systems (ICS) Security

The final public draft of SP 800-82 is available for public comment. It provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. SP 800-82 provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This publication is an update to the second public draft, which was released in 2007. NIST requests comments on NIST SP 800-82 by November 30, 2008. Please submit comments to 800-82comments@nist.gov with "Comments SP 800-82" in the subject line.

draft_sp800-82-fpd.pdf (2,282 KB)

April 3, 2008

SP 800-39

DRAFT Managing Risk from Information Systems: An Organizational Perspective

NIST announces the release of the second public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a structured, yet flexible, approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations. Comments will be accepted through April 30, 2008. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert@nist.gov.

SP800-39-spd-sz.pdf (634 KB)

Sep 29, 2007

NIST IR-7328

DRAFT Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems. This report provides an initial set of requirements that security assessment providers should satisfy to demonstrate the capability to conduct information system security control assessments in accordance with NIST standards and guidelines. This report also identifies some customer responsibilities in providing an effective and cooperative environment in which security assessments can take place, and in adequately preparing for security assessments. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe important for security assessment providers to demonstrate competence for a credentialing program. Based on comments received, NIST will update and republish this report and use it as a reference in further development of a credentialing program for security assessment providers. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Comments will be accepted through November 30, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert-p2@nist.gov.

NISTIR_7328-ipdraft.pdf (327 KB)

Oct 6, 2006

SP 800-103

DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation

NIST is pleased to announce the release of the draft of Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. SP 800-103 is available for a six-week public comment period. This document covers the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide Extensible Markup Language (XML) schemas as a framework for the retention and exchange of identity credential information. Please send your comments to id_comments@nist.gov with "Comments on SP800-103" in the subject line. The comment period closes at 5:00 EST on Wednesday, November 15th, 2006. The comment period is now closed.

sp800-103-draft.pdf (699 kB)
draft-sp800-103.zip (558 kB)