Nov. 21, 2014
SP 800-90 A Rev.1
DRAFT Recommendation for Random Number Generation Using Deterministic Random Bit Generators
NIST requests your comments on the latest revision of SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, which is dated November 2014. This document specifies Deterministic Random Bit Generators based on approved hash functions (as specified in FIPS 180-4), HMAC (as specified in FIPS 198-1) and block ciphers (as specified in FIPS 197 for AES, and SP 800-67 for TDEA). This revision removes the previously approved Dual_EC_DRBG that was based on the use of elliptic curves and includes a number of other changes that are listed in the final appendix of the document. Please submit comments to firstname.lastname@example.org with "SP 800-90A comments" in the subject line by December 31, 2014.(Nov. 2014 Draft Version) Draft SP 800-90A Rev. 1
Nov. 18, 2014
DRAFT Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
NIST announces the release of Draft Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Initial Public Draft).
The protection of sensitive unclassified federal information while residing in nonfederal information systems and environments of operation is of paramount importance to federal agencies. Compromises of this information can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) as defined by Executive Order 13556, when such information resides in nonfederal information systems and organizations. The requirements apply to:
• Nonfederal information systems that are beyond the scope of the systems covered by the Federal Information Security Management Act (FISMA); and
• All components of nonfederal systems that process, store, or transmit CUI.
The CUI protection requirements were obtained from the security requirements and controls in FIPS Publication 200 and NIST SP 800-53, and then tailored appropriately to eliminate requirements that are:
• Primarily the responsibility of the federal government (i.e., uniquely federal);
• Related primarily to availability; or
• Assumed to be routinely satisfied by nonfederal organizations without any further specification.
Nonfederal organizations include, for example: federal contractors; state, local, and tribal governments; and colleges and universities.
This publication is part of a larger initiative by the National Archives and Records Administration (NARA) to fulfill their responsibilities as Executive Agent for Executive Order 13556 for CUI. NARA has a three-part plan to help standardize the naming conventions and protection requirements for sensitive information (designated CUI) both within the federal government and when such information resides in nonfederal information systems and organizations. NARA’s plan includes:
• Incorporating uniform CUI policies and practices into the Code of Federal Regulations;
• Using NIST SP 800-171 to define requirements to protect the confidentiality of CUI; and
• Developing a standard Federal Acquisition Regulation (FAR) clause to levy the SP 800-171 security requirements to contractor environments.
Please send comments to email@example.com with "Comments Draft SP 800-171” in the subject line. Comments will be accepted through January 16, 2015.
Oct. 28, 2014
DRAFT Guide to Cyber Threat Information Sharing
NIST announces the public comment release of Draft Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing. The purpose of this publication is to assist organizations in establishing, participating in, and maintaining information sharing relationships throughout the incident response life cycle. The publication explores the benefits and challenges of coordination and sharing, presents the strengths and weaknesses of various information sharing architectures, clarifies the importance of trust, and introduces specific data handling considerations. The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices, examining the value of standard data formats and transport protocols to foster greater interoperability, and providing guidance on the planning, implementation, and maintenance of information sharing programs.
Please send your comments to firstname.lastname@example.org by November 28, 2014 using the following template (See 2nd link below).
Oct. 20, 2014
SP 800-125 A
DRAFT Security Recommendations for Hypervisor Deployment
NIST announces the public comment release of NIST Special Publication 800-125A, Security Recommendations for Hypervisor Deployment. Server Virtualization (enabled by Hypervisor) is finding widespread adoption in enterprise data centers both for hosting in-house applications as well as for providing computing resources for cloud services. The hypervisor provides abstraction of all physical resources (such as CPU, Memory, Network and Storage) and thus enables multiple computing stacks (each consisting of an O/S (called Guest O/S), Middleware and a set of Application programs) to be run on a single physical host (referred to virtualized host or hypervisor host).
Since the NIST publication of SP 800-125 (Guide to Security for Full Virtualization Technologies) in January 2011, both the feature set of hypervisors as well as the tools for configuration and administration of virtualized infrastructure spawned by the hypervisor has seen considerable increase. This has generated the need to develop security recommendations for secure deployment of hypervisor platforms. This special publication defines a focused set of twenty-two security recommendations (in terms of architectural choices and configuration settings), intended to ensure secure execution of tasks performed by the hypervisor components under the umbrella of five baseline functions.
The public comment period closes on Monday, November 10, 2014. Please send comments to email@example.com
Sept. 10, 2014
NIST IR 8023
DRAFT Risk Management for Replication Devices
NIST announces the release of Draft NIST IR 8023, Risk Management for Replication Devices. For the purposes of this NISTIR, replication devices (RDs) include copiers, printers, three-dimensional (3D) printers, scanners, 3D scanners, and multifunction machines when used as a copier, printer, or scanner.
RDs are found throughout most organizations and are components included in many information systems. NISTIR 8023 provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on RDs. Appropriate countermeasures in the context of the System Development Life Cycle are suggested. A security risk assessment template in table and flowchart format is also provided to help organizations determine the risk associated with replication devices.
As always, we look forward to your feedback during the public comment period.
Please send comments to firstname.lastname@example.org with "Comments - Draft NISTIR 8023” in subject line. Comments will be accepted through October 17, 2014.
August 28, 2014
SP 800-53 Rev. 4 Appendix H
DRAFT Appendix H: Security and Privacy Controls for Federal Information Systems and Organizations
NIST announces the release of Draft Special Publication 800-53, Revision 4, Appendix H, International Information Security Standards, Security Control Mappings for ISO/IEC 27001: 2013. This update to Appendix H was initiated due to the 2013 revision to ISO/IEC 27001, which occurred after the final publication of SP 800-53, Revision 4. In addition to considering the new content in ISO/IEC 27001 for the mapping tables, new mapping criteria were employed in conducting the mapping analysis. The new criteria are intended to produce more accurate results—that is, to successfully meet the mapping criteria, the implementation of the mapped controls should result in an equivalent information security posture. While mapping exercises may by their very nature, include a degree of subjectivity, the new criteria attempts to minimize that subjectivity to the greatest extent possible.
Please send comments to email@example.com with "Comments Draft SP 800-53, Appendix H” in subject line. Comments will be accepted through September 26, 2014.
Aug. 22, 2014
DRAFT Guide to Application Whitelisting
NIST announces the public comment release of Draft Special Publication (SP) 800-167, Guide to Application Whitelisting. The purpose of this publication is to assist organizations in understanding the basics of application whitelisting (also known as application control) by examining the basics of application whitelisting and explaining the planning and implementation for application whitelisting technologies throughout the security deployment lifecycle.
Please send your comments to firstname.lastname@example.org by September 26, 2014 using the following template (See 2nd link below).
Aug. 21, 2014
NIST IR 7966
DRAFT Security of Automated Access Management Using Secure Shell (SSH)
NIST announces the public comment release of Draft Interagency Report (IR) 7966, Security of Automated Access Management Using Secure Shell (SSH). The purpose of this document is to assist organizations in understanding the basics of Secure Shell (SSH) and SSH automated access management in an enterprise, focusing on the management of SSH access tokens. It discusses the basics of access management and automated access management and it examines the basics of SSH version 2.0. It describes the primary categories of vulnerabilities in SSH user key management and recommends possible mitigations for each category of vulnerability then it lists recommended practices for management. It explains risk mitigation for SSH access tokens. and it concludes with solution planning and deployment.
Please send your comments to NISTIR7966email@example.com by September 26, 2014 using the following template (see 2nd link below).
Aug 19, 2014
DRAFT Technical Considerations for Vetting 3rd Party Mobile Applications
NIST announces that Draft Special Publication 800-163, Technical Considerations for Vetting 3rd Party Mobile Applications, is now available for public comment. The purpose of this document is to provide guidance for vetting 3rd party software applications (apps) for mobile devices. Mobile app vetting is intended to assess a mobile app’s operational characteristics of secure behavior and reliability (including performance) so that organizations can determine if the app is acceptable for use in their expected environment. This document provides key technical software assurance considerations for organizations as they adopt mobile app vetting processes.
NIST requests comments on Draft Special Publication 800-163 by 5:00pm EDT on September 18, 2014. Please submit comments using the SP 800-163 comment template (see link below for Excel spreadsheet) to firstname.lastname@example.org with "Comments on Draft SP 800-163" in the subject line.
Aug. 6, 2014
SP 800-85 B-4
DRAFT PIV Data Model Conformance Test Guidelines
NIST produced a revised version of NIST Special Publication SP 800-85B PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test new features added to the PIV Data Model in SP 800-73-4 Parts 1. This document, after a review and comment period, will be published as NIST SP 800-85B-4. Federal agencies and private organizations including test laboratories as well as individuals are invited to review the draft Guidelines and submit comments to NIST by sending them to email@example.com with "Comments on Public Draft SP 800-85B-4" in the subject line.
Comments should be submitted using the comment template (Excel spreadsheet) - see second link below. The comment period closes at 5:00 EST (US and Canada) on September 5, 2014. All comments will be analyzed, consolidated, and used in revising the draft Guidelines before final publication.
Please note that NIST has made a one-time change in the revision number of SP 800-85B (skipping revision numbers 2 and 3) so we can align the current publication revision to SP 800-73-4.
July 31, 2014
SP 800-53 A Rev.4
DRAFT Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
NIST announces the release of Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Initial Public Draft). SP 800-53A is a Joint Task Force publication and a companion guideline to SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations.
This update to SP 800-53A contains significant changes to the 2010 version of the publication in both content and format. The changes have been driven by four fundamental needs of federal agencies:
• The need for new or updated assessment procedures for the security controls and privacy controls defined in NIST SP 800-53, Revision 4;
• The need for a more granular breakdown of assessment objectives to support continuous monitoring and ongoing authorization programs;
• The need for a more structured format and syntax for assessment procedures to support the use of automated tools for assessment and monitoring activities; and
• The need to support assessments of security capabilities and privacy capabilities and root cause analysis of failure modes for individual security or privacy controls or groups of controls.
By addressing the above needs, organizations will have the flexibility to: (i) define specific parts of security controls and privacy controls requiring greater scrutiny; (ii) more effectively tailor the scope and level of effort required for assessments; (iii) assign assessment and monitoring frequencies on a more targeted basis; and (iv) take advantage of potential new opportunities to conduct assessments of security or privacy capabilities including analysis of control dependencies.
There have also been some significant improvements in the current security assessment procedures based on feedback from federal agencies reflecting lessons learned during the conduct of actual assessments as part of the Risk Management Framework (RMF) process. The improvements include, for example, clarification of terminology, expansion of the number of potential assessment methods and assessment objects on a per-control basis, and a simpler decomposition of assessment objects to align more closely with control statements.
In addition to the above, privacy terminology has been integrated into SP 800-53A in a manner that is complementary to and supportive of the privacy controls defined in SP 800-53, Appendix J. While security and privacy disciplines are distinct programmatic entities, there are also important dependencies between those entities—highlighting the need for the programs to complement one another to ensure the security and privacy goals and objectives of organizations are satisfied. As with any transformation, there will be changes in this publication and other supporting publications as the privacy integration moves forward and is completed. Privacy assessment procedures are not included in this draft. The privacy assessment procedures that will eventually populate Appendix J in this publication are currently under development by a joint interagency working group established by the Best Practices Subcommittee of the CIO Council Privacy Committee. The new assessment procedures, when completed, will be separately vetted through the traditional public review process employed by NIST and integrated into this publication at the appropriate time.
The changes to the current security assessment procedures in SP 800-53A and the future privacy assessment procedures, should result in significant improvements in the efficiency and cost-effectiveness of control assessments for federal agencies. Efficient and cost-effective assessments are essential in order to provide senior leaders with the necessary information to understand the security and privacy posture of their organizations and to be able to make credible, risk-based information security and privacy decisions.
Please note that NIST has made a one-time change in the revision number of SP 800-53A (skipping revision numbers 2 and 3) so we can align the current publication revision to SP 800-53.
Please send comments to firstname.lastname@example.org with "Comments Draft SP 800-53Arev4 in subject line. Comments will be accepted through September 26, 2014.
July 29, 2014
NIST IR 8018
DRAFT Public Safety Mobile Application Security Requirements Workshop Summary
On February 25, 2014, the Association of Public-Safety Communications Officials (APCO) International, in cooperation with FirstNet and the Department of Commerce held a half-day workshop titled “Public Safety Mobile Application Security Requirements” attended by public safety practitioners, mobile application developers, industry experts, and government officials. In this first-of-its-kind workshop, attendees contributed their experience and knowledge to provide input in identifying security requirements for public safety mobile applications. NISTIR 8018 describes the workshop and captures the input that was received from the workshop attendees.
The public comment period is from July 29, 2014 through September 13, 2014. Please send comments to: email@example.com
July 15, 2014
NIST IR 8014
DRAFT Considerations for Identity Management in Public Safety Mobile Networks
In cooperation with the Public Safety Communications Research (PSCR) Program, NIST announces the release of NIST Interagency Report (NISTIR) 8014, Considerations for Identity Management in Public Safety Mobile Networks. This document analyzes approaches to identity management for public safety networks in an effort to assist individuals developing technical and policy requirements for public safety use. These considerations are scoped into the context of their applicability to public safety communications networks with a particular focus on the nationwide public safety broadband network (NPSBN) based on the Long Term Evolution (LTE) family of standards. A short background on identity management is provided alongside a review of applicable federal and industry guidance. Considerations are provided for identity proofing, selecting tokens, and the authentication process.
The public comment period closed on August 22, 2014.
Jun. 23, 2014
NIST IR 8006
DRAFT NIST Cloud Computing Forensic Science Challenges
This document summarizes the research performed by the members of the NIST Cloud Computing Forensic Science Working Group, and aggregates, categorizes and discusses the forensics challenges faced by experts when responding to incidents that have occurred in a cloud-computing ecosystem. The challenges are presented along with the associated literature that references them. The immediate goal of the document is to begin a dialogue on forensic science concerns in cloud computing ecosystems. The long-term goal of this effort is to gain a deeper understanding of those concerns (challenges) and to identify technologies and standards that can mitigate them.
PLEASE NOTE: NIST Computer Security Division has extended the public review period of the recently posted Draft NISTIR 8006, NIST Cloud Forensic Science Challenges. Comments on the document will be accepted until August 25, 2014
The public comment period closed on August 25, 2014.
Jun. 3, 2014
DRAFT Supply Chain Risk Management Practices for Federal Information Systems and Organizations (Second Draft)
This document provides guidance to federal departments and agencies on identifying, assessing, and mitigating Information and Communications Technology (ICT) supply chain risks at all levels in their organizations. It integrates ICT supply chain risk management (SCRM) into federal agency enterprise risk management activities by applying a multi-tiered SCRM-specific approach, including supply chain risk assessments and supply chain risk mitigation activities and guidance.
The public comment period closed on July 18, 2014.
Jun 2, 2014
SP 800-79 2
DRAFT Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)
NIST announces that Draft Special Publication 800-79-2, Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI), is now available for public comment. This document has been updated to align with the release of FIPS 201-2, published in September 2013. The major changes for this revision of SP 800-79 include additions and updates to issuer controls in response to new or changed requirements in FIPS 201-2. These are:
• Inclusion of issuer controls for Derived PIV Credentials Issuers (DPCI),
• Addition of issuer controls for issuing PIV Cards under the grace period and for issuing PIV Cards to individuals under pseudonymous identity,
• Addition of issuer controls for the PIV Card’s visual topography,
• Updated issuer controls to detail controls for post-issuance updates of PIV Cards,
• Updated references to the more recent credentialing guidance issued by OPM,
• Addition of issuer controls with respect to the optional chain-of-trust records maintained by a PIV Card issuer, and.
• Modified process to include an independent review prior to authorization of issuer.
The public comment period closed on June 30, 2014.
May 29, 2014
NIST IR 7924
DRAFT Reference Certificate Policy (Second Draft)
NIST announces the public comment release of second draft of Interagency Report 7924, Reference Certificate Policy. The purpose of this document is to identify a set of security controls and practices to support the secure issuance of certificates. It was written in the form of a Certificate Policy (CP), a standard format for defining the expectations and requirements of the relying party community that will trust the certificates issued by its Certificate Authorities (CAs).
NIST released the first draft of this publication in April 2013 and received extensive public comments. This revised draft incorporates changes requested by commenters, many intended to improve the security controls identified in the document, provide additional flexibility for CAs, and clarify ambiguities in the previous release.
The public comment period closed on August 1, 2014.
May 28, 2014
DRAFT SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
NIST published a Federal Register Notice, FRN 2014-12336, on May 28, 2014 to announce the publication of Draft FIPS 202, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, and Draft Revision of the Applicability Clause of FIPS 180-4, Secure Hash Standard, and request for comments. A 90-day public comment period is provided.
The public comment period closed on August 26, 2014.
May 19, 2014
DRAFT Cryptographic Algorithms and Key Sizes for Personal Identity Verification
NIST announces that Revised Draft Special Publication 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, is now available for public comment. The document has been modified to remove information about algorithms and key sizes that can no longer be used because their "Time Period for Use" is in the past. Revised Draft SP 800-78-4 also reflects changes to align with updates in Revised Draft SP 800-73-4. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-78-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see last link for this draft below titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-78-4".
The public comment period closed on June 16, 2014.
May 19, 2014
DRAFT Interfaces for Personal Identity Verification (3 Parts)
Part 1- PIV Card Application Namespace, Data Model and Representation
Part 2- PIV Card Application Card Command Interface
Part 3- PIV Client Application Programming Interface
NIST announces that Revised Draft Special Publication 800-73-4, Interfaces for Personal Identity Verification, is now available for public comment. This document has been updated to reflect the disposition of comments that were received on the first draft of SP 800-73-4, which was published on May 13, 2013. The complete set of comments and dispositions is provided below (see last link for this draft below titled "Comments Received & Disposition from May 2013 draft to Revised Draft SP 800-73-4".
High level changes include:
• A new data object has been created from which the value of the pairing code may be read, and additional clarifying information about the use of the pairing code has been provided.
• In collaboration with the FICAM FIPS 201 Test Program (in response to comment # GSA-3), reduced some of the PIV Card options where possible, including deprecating:
• rarely used data elements Buffer Length, DUNS and Organization Identifier in the CHUID data object
• legacy data element MSCUID in all X.509 Certificate data objects and
• legacy data elements Extended Application CardURL and Security Object Buffer in the Card Capability Container
• Removed the two new optional data elements from the Discovery Object and created new data objects to store this new information.
• Modified the key-establishment protocol to add additional details and to address security issues that were raised in the public comments and in “A Cryptographic Analysis of OPACITY.”
NIST also requests comments on the pairing code, which is part of the new Virtual Contact Interface (VCI) of the PIV Card. Its purpose is to prevent skimming of cardholder data in wireless environment by an unauthorized wireless reader in the vicinity of the cardholder and to ensure that ‘cardholder consent’ for the release of cardholder data is enabled. The pairing code is part of the Virtual Contact Interface that provides for communication and enables wireless transactions between the PIV Card and NFC-enabled devices for authentication, signing or encryption. . NIST assesses that the pairing code concept is the optimum method available to provide mitigation against a skimming threat.
NIST has received some comments objecting to the use of a pairing code to protect data against skimming in wireless environment and strongly recommending that this be removed. NIST is interested in receiving feedback on whether the new skimming protection measure shall be included on all PIV Cards that implement the VCI, or if it departments and agencies that issue the cards shall have the ability to disable this security control if there are specific use cases that conflict with pairing code function and alternate mitigating controls are available and identified.
(Endnote: Until now, signing and encryption functionalities have been restricted to the PIV Card’s contact interface and thus skimming has not been an issue)
The public comment period closed on June 16, 2014.
May 14, 2014
SP 800-82 Rev.2
DRAFT Guide to Industrial Control Systems (ICS) Security
NIST announces the release of Special Publication 800-82, Revision 2, Guide to Industrial Control System (ICS) Security. Special Publication 800-82 provides guidance on how to improve the security in Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing unique performance, reliability, and safety requirements. Special Publication 800-82: (i) provides an overview of ICS and typical system topologies; (ii) identifies typical threats to organizational missions and business functions supported by ICS; (iii) describes typical vulnerabilities in ICS; and (iv) provides recommended security controls (i.e., safeguards and countermeasures) to respond to the associated risks.
This document is the second revision to NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. Updates in this revision include:
• Updates to ICS threats and vulnerabilities.
• Updates to ICS risk management, recommended practices and architectures,
• Updates to current activities in ICS security,
• Updates to security capabilities and tools for ICS,
• Additional alignment with other ICS security standards and guidelines,
• New tailoring guidance for NIST SP 800-53, Revision 4 security controls including the introduction of overlays,
• An ICS overlay for NIST SP 800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High impact ICS.
The public comment period closed on July 18, 2014.
May 12, 2014
DRAFT Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems
NIST requests comments on the initial public draft of Special Publication (SP) 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. The new security guidelines recommend steps to help develop a more defensible and survivable information technology (IT) infrastructure—including the component products, systems, and services that compose the infrastructure. A formal announcement of the publication is planned on May 13, 2014 at the College of Science and Engineering, Technology Leadership Institute, University of Minnesota.
The public comment period closed on July 11, 2014.
May 5, 2014
SP 800-57 Part 3-Rev.1
DRAFT Recommendation for Key Management: Part 3 - Application-Specific Key Management Guidance
NIST would like to request comments on a Draft Revision of SP 800-57 Part 3, Recommendation for Key Management: Application-Specific Key Management Guidance.
This revision updates cryptographic requirements for the protocols and applications in the document so that the current required security strengths, as specified in SP 800-131A, can be achieved. This revision also adds security-related updates from the protocols addressed in the original version of the document, and a new section for Secure Shell (SSH).
The public comment period closed on July 5, 2014.
Mar. 14, 2014
SP 800-16 Rev. 1 (3rd draft)
DRAFT A Role-Based Model for Federal Information Technology / Cyber Security Training (3rd public draft)
NIST announces the release of Draft Special Publication (SP) 800- 16 Revision 1 (3rd public draft), A Role-Based Model For Federal Information Technology/Cyber Security Training for public comment. SP 800-16 describes information technology / cyber security role-based training for Federal Departments and Agencies and Organizations (Federal Organizations). Its primary focus is to provide a comprehensive, yet flexible, training methodology for the development of training courses or modules for personnel who have been identified as having significant information technology / cyber security responsibilities.
Please submit comments to firstname.lastname@example.org with “Comments on SP 800-16 Rev 1 (3rd draft)” in the subject line.
The public comment period closed on April 30, 2014.
Mar 7, 2014
DRAFT Guidelines for Derived Personal Identity Verification (PIV) Credentials
NIST announces that Draft Special Publication (SP) 800-157, Guidelines for Derived Personal Identity Verification (PIV) Credentials, is now available for public comments. Draft SP 800-157 defines a technical specification for implementing and deploying Derived PIV Credentials to mobile devices, such as smart phones and tablets. The goal of the Derived PIV Credential is to provide PIV-enabled authentication services from mobile devices to authenticate to remote systems.
There is a comment template provided for submitting comments for this draft SP - see link below. Comments on this publication may be submitted to email@example.com.
The public comment period closed on April 21, 2014.
Mar. 7, 2014
NIST IR 7981
DRAFT Mobile, PIV, and Authentication
NIST announces public comment release of NIST IR 7981, Mobile, PIV, and Authentication. NIST IR 7981 analysis and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.
There is a comment template provided for submitting comments for this draft NISTIR - see link below. Comments on this publication may be submitted to firstname.lastname@example.org.
The public comment period closed on April 21, 2014.
Feb. 18, 2014
NIST IR 7977
DRAFT NIST Cryptographic Standards and Guidelines Development Process
NIST requests comments on Draft NIST Interagency Report 7977, NIST Cryptographic Standards and Guidelines Development Process. This document describes the principles, processes and procedures behind our cryptographic standards development efforts. Comment period is now closed (April 18, 2014).
In November 2013, NIST initiated a review of its cryptographic standards development process in response to public concerns about the security of NIST cryptographic standards and guidelines.
To enable this review, we have compiled information about the principles, processes and procedures that drive our cryptographic standards development efforts to help the public understand how we develop our standards. This information is being published in draft NIST IR 7977, NIST Cryptographic Standards and Guidelines Development Process. We are soliciting public comments on this draft NIST IR to obtain feedback on the mechanisms we use to engage experts in industry, academia and government to develop these standards.
We will review all public comments, post them on the CSRC website, and publish a revised NIST IR based on the feedback we receive. This revised publication will serve as basis for our future standards development efforts.
The revised NIST IR 7977 will also serve as the basis for a review of our existing body of cryptographic work. We will examine the procedures used to develop each of our cryptographic standards or guidelines to ensure they were developed in accordance with the principles outlined in NIST IR 7977. If any current guidance does not meet the high standards set out in this process, we will address these issues as quickly as possible, taking into consideration the process used to develop the guidance and a technical review of the affected cryptographic algorithms or schemes.
Note to Reviewers:
As part of your review of NIST IR 7977, we request comments on the following topics:
• Are there other principles that we should use to drive our standards development efforts?
• What are the most effective processes identified in the draft for engaging the cryptographic community for providing the necessary inclusivity and transparency to develop strong, trustworthy standards? Are there other processes we should consider?
• Do these processes include appropriate mechanisms to ensure proposed standards are thoroughly reviewed and interested parties’ views are heard? Are there other mechanisms that should be included in our process?
• What are other communication channels that NIST should consider to effectively communicate with its stakeholders?
Jan 7, 2014
DRAFT A Profile for U. S. Federal Cryptographic Key Management Systems (CKMS)
NIST requests comments on the Draft of Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems. SP 800-152 contains requirements for the design, implementation, procurement, installation, configuration, management, operation, and use of a CKMS by U. S. Federal organizations. The Profile is based on SP 800-130, A Framework for Designing Cryptographic Key Management Systems (CKMS).
The public comment period closed on March 5, 2014.
Dec 13, 2013
NIST IR 7863
DRAFT Cardholder Authentication for the PIV Digital Signature Key
NIST is pleased to announce Draft NIST Interagency Report 7863, Cardholder Authentication for the PIV Digital Signature Key, is available for public comment. NISTIR 7863 provides clarification for the requirement in FIPS 201-2 that a PIV cardholder perform an explicit user action prior to each use of the digital signature key stored on the card.
The public comment period closed on January 17, 2014.
Sep. 9, 2013
SP 800-90 Arev1-B-C
DRAFT Draft SP 800-90 Series: Random Bit Generators
800-90 A Rev. 1: Recommendation for Random Number Generation Using Deterministic Random Bit Generators
800-90 B: Recommendation for the Entropy Sources Used for Random Bit Generation
800-90 C: Recommendation for Random Bit Generator (RBG) Constructions
In light of recent reports, NIST is reopening the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C.
NIST is interested in public review and comment to ensure that the recommendations are accurate and provide the strongest cryptographic recommendations possible.
The public comment period closed on November 6, 2013.
In addition, the Computer Security Division has released a supplemental ITL Security Bulletin titled "NIST Opens Draft Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, For Review and Comment (Supplemental ITL Bulletin for September 2013)" to support the draft revision effort.
July 8, 2013
SP 800-38 G
DRAFT Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
NIST is pleased to announce that Draft NIST Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, is available for public comment. Format-preserving encryption (FPE) has emerged as a useful cryptographic tool, whose applications include financial-information security, data sanitization, and transparent encryption of fields in legacy databases.
Three methods are specified in this publication: FF1, FF2, and FF3. Each is a format-preserving, Feistel-based mode of operation of the AES block cipher. FF1 was submitted to NIST by Bellare, Rogaway and Spies under the name FFX[Radix]; FF2 was submitted to NIST by Vance under the name VAES3; and FF3 is the main component of the BPS mechanism that was submitted to NIST by Brier, Peyrin, and Stern. The submission documents are available at http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html.
The public comment period closed on September 3, 2013.
Dec. 21, 2012
NIST IR 7904
DRAFT Trusted Geolocation in the Cloud: Proof of Concept Implementation
NIST announces the public comment release of Draft Interagency Report (IR) 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation. This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof of concept implementation that was designed to address those challenges. The publication provides sufficient details about the proof of concept implementation so that organizations can reproduce it if desired. The publication is intended to be a blueprint or template that can be used by the general security community to validate and implement the described proof of concept implementation.
The public comment period closed on January 31, 2013.
Oct. 31, 2012
DRAFT Guidelines on Hardware-Rooted Security in Mobile Devices
NIST announces the public comment release of the draft NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices . The guidelines in this document are intended to provide a common baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own Device, BYOD). It focuses on providing three security capabilities- device integrity, isolation, and protected storage- through the use of hardware-based roots of trust.
The intended audience for this document includes mobile Operating System (OS) vendors, device manufacturers, security software vendors, carriers, application software developers and information system security professionals who are responsible for managing the mobile devices in an enterprise environment.
The public comment period closed on December 14, 2012.
Sep. 6, 2012
SP 800-88 Rev. 1
DRAFT Guidelines for Media Sanitization
NIST announces the release of Draft Special Publication 800-88 Revision 1, Guidelines for Media Sanitization for public review and comment. SP 800-88 discussed methods, techniques and best practices for the sanitization of target data on different media types and risk based approaches organizations can apply to establish and maintain a media sanitization program.
The public comment period closed on November 30, 2012.
July 25, 2012
SP 800-94 Rev. 1
DRAFT Guide to Intrusion Detection and Prevention Systems (IDPS)
NIST announces the public comment release of Draft Special Publication 800-94 (SP) Revision 1, Guide to Intrusion Detection and Prevention Systems (IDPS). This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network behavior analysis (NBA), and host-based. Draft SP 800-94 Revision 1 updates the original SP 800-94, which was released in 2007.
The public comment period closed on August 31, 2012.
Jul. 10, 2012
NIST IR 7823
DRAFT Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework. Draft NISTIR 7823 proposes an example test framework and conformance test requirements for the firmware upgradeability process for the Advanced Metering Infrastructure (AMI) Smart Meters. The voluntary conformance test requirements in the Draft NISTIR 7823 are derived from the National Electrical Manufacturers Association (NEMA) Requirements for Smart Meter Upgradeability standard, which defines requirements for Smart Meter firmware upgradeability in the context of an AMI system for industry stakeholders such as regulators, utilities, and vendors. Draft NISTIR 7823 identifies test procedures that the vendors and testers can voluntarily use to demonstrate a system’s conformance with the NEMA standard.
The public comment period closed on August 9, 2012.
May 7, 2012
NIST IR 7848
DRAFT Specification for the Asset Summary Reporting Format 1.0
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7848, Specification for the Asset Summary Reporting Format 1.0. NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing the data exchange format of summary information relative to one or more metrics. ASR reduces the bandwidth requirement to report information about assets in the aggregate since it allows for reporting aggregates relative to metrics, as opposed to reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and leverages widely adopted, open specifications; it is flexible, and suited for a wide variety of reporting applications.
The public comment period closed on June 6, 2012.
Jan. 20, 2012
NIST IR 7800
DRAFT Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7800, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains. This publication binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.
The public comment period closed on February 17, 2012.
Jan. 6, 2012
SP 800-117 Rev. 1
DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2
NIST announces the public comment release of draft Special Publication (SP) 800-117 Revision 1, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2. The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP) version 1.2. This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP version 1.2 capabilities within their offerings. The intended audience for this document is individuals who have responsibilities for maintaining or verifying the security of systems in operational environments.
The public comment period closed on February 17, 2012.
Jan. 6, 2012
NIST IR 7799
DRAFT Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7799, Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications. This publication provides the technical specifications for the continuous monitoring (CM) reference model presented in NIST IR 7756. These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain agnostic, which means that they can be used for CM regardless of the data domain that is being monitored.
The public comment period closed on February 17, 2012.
Jan. 6, 2012
NIST IR 7756
DRAFT CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture
NIST announces the second public comment release of Draft NIST Interagency Report (NISTIR) 7756, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture. This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security’s CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.
The public comment period closed on February 17, 2012.
Dec. 8, 2011
DRAFT BIOS Integrity Measurement Guidelines
NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization —either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.
The public comment period closed on January 20, 2012.
Dec. 6, 2011
NIST IR 7831
DRAFT Common Remediation Enumeration (CRE) Version 1.0
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7831, Common Remediation Enumeration Version 1.0. NISTIR 7831 defines the Common Remediation Enumeration (CRE) specification. CRE is part of an emerging suite of enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities. Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier (CRE-ID). This specification describes the core concepts of CRE and the technical components of a CRE entry, outlines how CRE entries are created, and defines the technical requirements for constructing CRE entries.
The public comment period closed on January 20, 2012.
Feb. 10, 2011
NIST IR 7670
DRAFT Proposed Open Specifications for an Enterprise Remediation Automation Framework
NIST announces the public comment release of the draft NIST Interagency Report (NISTIR) 7670, Proposed Open Specifications for an Enterprise Remediation Automation Framework. This report examines technical use cases for enterprise remediation, identifies high-level requirements for these use cases, and proposes a set of emerging specifications that satisfy those requirements.
The public comment period closed on March 11, 2011.
Mar. 10, 2010
NIST IR 7669
DRAFT Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements
Draft NIST Interagency Report (IR) 7669, Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements, describes the requirements that must be met by products to achieve OVAL Validation. Validation is awarded based on a defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7669 has been written primarily for accredited laboratories and for vendors interested in receiving OVAL validation for their products.
The public comment period closed on April 9, 2010.
Dec. 11, 2009
DRAFT Security Requirements for Cryptographic Modules (Revised Draft)
The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing.
The public comment period closed on March 11, 2010.
NOTE: Additional information regarding the FIPS 140-3 draft development can be found here on CSRC. Also, a complete set of all comments received in response to the July 2007 FIPS 140-3 draft and NIST’s responses to these commentsare available.
July 14, 2009
SP 800-65 Rev. 1
DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)
NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.
The public comment period closed on August 14, 2009.
Apr. 21, 2009
DRAFT Guide to Enterprise Password Management
NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
The public comment period closed on May 29, 2009.
Oct. 6, 2006
DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation
NIST is pleased to announce the release of Draft of the Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. The SP 800-103 is available for a six week public comment period. This document provides the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide an Extensible Markup Language (XML) schemas, as a framework for retention and exchange of identity credential information.
The public comment period closed on November 15, 2006.