Feb. 8, 2016
DRAFT Derived PIV Application and Data Model Test Guidelines
Draft SP 800-166 contains the derived test requirements and test assertions for testing the Derived PIV Application and associated Derived PIV data objects. The tests verify the conformance of these artifacts to the technical specifications of SP 800-157. SP 800-157 specifies standards-based, secure, reliable, interoperable Public Key Infrastructure (PKI)-based identity credentials. Draft SP 800-166 is targeted at vendors of Derived PIV Applications, issuers of Derived PIV Credentials, and entities that will conduct conformance tests on these applications and credentials.
The public comment period closes on: March 14, 2016.
Send comments to email@example.com with “Comments on Draft SP 800-166” in the subject line.
Feb. 5, 2016
DRAFT Best Practices for Privileged User PIV Authentication
This draft white paper is a best practices guide. The paper is in response to the Cybersecurity Strategy and Implementation Plan (CSIP), published by the Office of Management and Budget (OMB) on October 30, 2015, requiring Federal agencies to use Personal Identity Verification (PIV) credentials for authenticating privileged users. The paper outlines the risks of password-based single-factor authentication, explains the need for multi-factor PIV-based user and provides best practices for agencies to implementing PIV authentication for privileged users.
The public comment period closes on: March 4, 2016.
Send comments to firstname.lastname@example.org with “Comments on PIV Credential for privileged use” in the subject line.
First link below is for the Whitepaper "Best Practices for Privileged User PIV Authentication".
Second link below is for the comment template for this Whitepaper. Comment Template
Feb. 3, 2016
NIST IR 8105
DRAFT Report on Post-Quantum Cryptography
NIST requests public comments on NISTIR 8105, Report on Post-Quantum Cryptography. In recent years, there has been a substantial amount of research on quantum computers – machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. This Internal Report shares the National Institute of Standards and Technology (NIST)’s current understanding about the status of quantum computing and post-quantum cryptography, and outlines NIST’s initial plan to move forward in this space. The report also recognizes the challenge of moving to new cryptographic infrastructures and therefore emphasizes the need for agencies to focus on crypto agility.
The public comment period will close on: March 9, 2016.
Send comments and/or questions to NISTIR8105email@example.com with “Comments NISTIR 8105” in the subject line.
Feb. 2, 2016
NIST IR 8011
DRAFT Automation Support for Security Control Assessments
Volume 1: Overview
Volume 2: Hardware Asset Management
The National Institute of Standards and Technology (NIST) is pleased to announce the initial public draft release of NIST Internal Report (NISTIR) 8011, Automation Support for Security Control Assessments, Volumes 1 and 2. This NISTIR represents a joint effort between NIST and the Department of Homeland Security to provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall and the guidance in NIST SPs 800-53 and 800-53A in particular.
NISTIR 8011 will ultimately consist of 13 volumes. Volume 1 introduces the general approach to automating security control assessments, 12 ISCM security capabilities, and terms and concepts common to all 12 capabilities. Volume 2 provides details specific to the hardware asset management security capability. The remaining 11 ISCM security capability volumes will provide details specific to each capability but will be organized in a very similar way to Volume 2.
Public comment period is open through March 18, 2016. Please submit public comments to firstname.lastname@example.org. Comments are accepted in any desired format.
Jan. 27, 2016
SP 800-90 B
DRAFT Draft SP 800-90 Series: Random Bit Generators
Recommendation for the Entropy Sources Used for Random Bit Generation
NIST announces the second draft of Special Publication (SP) 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation. This Recommendation specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of entropy sources. These entropy sources are intended to be combined with Deterministic Random Bit Generator mechanisms that are specified in SP 800-90A to construct Random Bit Generators, as specified in SP 800-90C. NIST is planning to host a workshop on Random Number Generation to discuss the SP 800-90 series, specifically, SP 800-90B and SP 800-90C. More information about the workshop is available at: http://www.nist.gov/itl/csd/ct/rbg_workshop2016.cfm.
The specific areas where comments are solicited on SP 800-90B are:
- Post-processing functions (Section 3.2.2): We provided a list of approved post-processing functions. Is the selection of the functions appropriate?
- Entropy assessment (Section 3.1.5): While estimating the entropy for entropy sources using a conditioning component, the values of n and q are multiplied by the constant 0.85. Is the selection of this constant reasonable?
- Multiple noise sources: The Recommendation only allows using multiple noise sources if the noise sources are independent. Should the use of dependent noise sources also be allowed, and if so, how can we calculate an entropy assessment in this case?
- Health Tests: What actions should be taken when health tests raise an alarm? The minimum allowed value of a type I error for health testing is selected as 2-50. Is this selection reasonable?
NIST requests comments on the revised (second) Draft SP 800-90B by 5:00PM EST on May 9, 2016. Please submit comments on Draft SP 800-90B using the comments template form (Excel Spreadsheet – see link below) to email@example.com with “Comments on Draft SP 800-90B” in the subject line.
Dec. 29, 2015
DRAFT Representation of PIV Chain-of-Trust for Import and Export
NIST announces that Draft Special Publication (SP) 800-156, Representation of PIV Chain-of-Trust for Import and Export, is now available for public comment. This document provides the data representation of a chain-of-trust record for the exchange of records between issuers. The exchanged record can be used by an agency to personalize a PIV Card for a transferred employee, or by a service provider to personalize a PIV Card on behave of client federal agencies. The data representation is based on a common XML schema to facilitate interoperable information sharing and data exchange. The document also provides support for data integrity through digital signatures and confidentiality through encryption of chain-of-trust data in transit and at rest.
The comment period for this draft document closed on: January 28, 2016. Email questions to: firstname.lastname@example.org with "Questions on Draft SP 156” in the subject line.
Dec. 28, 2015
SP 800-116 Rev. 1
DRAFT A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
NIST announces the release of Draft Special Publication (SP) 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), and requests public comments. It provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in federal facilities. The document also recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to federal government facilities and assets.
Revision 1 updates SP 800-116 to align with FIPS 201-2. High-level changes include:
• Addition of the OCC-AUTH authentication mechanisms introduced in FIPS 201-2.
• In light of the deprecation of the CHUID authentication mechanism in FIPS 201-2 and its expected removal in the next revision of FIPS 201:
o Removal of the CHUID +VIS authentication mechanism from the list of recommended authentication mechanisms.
o Addition of a new section (5.3.1) titled “Migrating Away from the Legacy CHUID Authentication Mechanism” to aid in the transition away from the CHUID + VIS authentication mechanism.
o In coordination with OMB, added text indicating that the use of the CHUID authentication mechanism past September 2019 requires the official that signs an Authorization to Operate (ATO) to indicate acceptance of the risks.
o Addition of a new appendix titled “Improving Authentication Transaction Times” to aid transiting away from the weak CHUID authentication mechanism to stronger but computationally expensive cryptographic one-factor authentication (PKI-CAK).
• Addition of a new section (5.4) titled “PIV Identifiers” and a summary table with pro and cons to describe the identifiers available on the PIV Card that can map to a PACS’s access control list.
• In coordination with the Interagency Security Committee (ISC), replaced the Department of Justice’s “Vulnerability Assessment Report of Federal Facilities” document with the ISC’s document titled “Risk Management Process for Federal Facilities” to aid deriving the security requirement for facilities.
The public comment period closed on February 1, 2016.
Dec. 17, 2015
NIST IR 8085
DRAFT Forming Common Platform Enumeration (CPE) Names from Software Identification (SWID) Tags
This report provides guidance to associate SWID Tags with the CPE specification. The publication is intended as a supplement to NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. NISTIR 8060 shows how SWID tags, as defined by the ISO/IEC 19770-2 standard, support comprehensive software asset management and cybersecurity procedures throughout a software product's deployment lifecycle.
The Common Platform Enumeration (CPE) is a standardized method of naming classes of applications, operating systems, and hardware devices that may be present on computing devices. CPE is one of 11 specifications that are part of the Security Content Automation Protocol (SCAP) Version 1.2. Because CPE names are used extensively in the SCAP and related vulnerability management community use cases (including the National Vulnerability Database, or NVD), SWID tag derived CPE names are useful to associate vulnerability reports with vulnerability reports that reference software products that may be vulnerable. NISTIR 8085 supplies a consistent, automatic procedure for forming CPE names using pertinent SWID tag attribute values.
The public comment period closed on: January 8, 2016.
Send questions to email@example.com with “Comments NISTIR 8085” in the subject line. Note: The email used for providing public comments is the same as the email used for NISTIR 8060.
Dec. 17, 2015
NIST IR 8060
DRAFT (Fourth & Final Draft) Guidelines for the Creation of Interoperable Software Identification (SWID) Tags
This report provides an overview of the capabilities and usage of Software Identification (SWID) tags as part of a comprehensive software life cycle. As defined by the ISO/IEC 19770-2 standard, SWID tags support numerous applications for software asset management (SAM) and information security management. This publication introduces SWID tags in an operational context, provides guidance for the creation of interoperable SWID tags, and highlights key usage scenarios for which SWID tags are applicable. The application of this guidance supports reliable, standardized software inventory and discovery methods that help organizations achieve cybersecurity and SAM objectives. Application of SWID tags also supports automation for accurate and timely SAM reporting.
This document represents a final discussion draft of this report. The authors have conducted a number of iterations of this report to further develop the concepts and guidelines contained herein based on public feedback. This is the final iteration of public review before finalizing this initial revision of the report. For this final draft, reviewers should focus their reviews on the overall report. Detailed review of all the guidelines in Sections 5 and 6 is also requested to ensure that the guidelines appropriately balance the needs of tag providers and consumers.
The public comment period closed on: January 8, 2016.
Email questions to: firstname.lastname@example.org.
Dec. 2, 2015
DRAFT A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)
NIST requests public comments on Draft NIST Special Publication 800-178, A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services. Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) are very different attribute based access control standards with similar goals and objectives. The aim of both is to provide a standardized way for expressing and enforcing vastly diverse access control policies on various types of data services. However, the two standards differ with respect to the manner in which access control policies are specified, managed, and enforced.
This document describes XACML and NGAC, and then compares them with respect to five criteria. The goal of this publication is to help ABAC users and vendors make informed decisions when addressing future data service policy enforcement requirements.
The specific areas where comments are solicited are:
• Accuracy in the description of the XACML and NGAC frameworks; and
*The PDF of the draft was updated on December 15, 2015--see the Note to Reviewers on p. iii for details. (You may need to reload/re-save the PDF to see the changes.)
Comment period closed on: January 15, 2016.
Email questions to: email@example.com
Nov. 19, 2015
NIST IR 8080
DRAFT Usability and Security Considerations for Public Safety Mobile Authentication
In cooperation with the Public Safety Communications Research (PSCR) Program, NIST announces the release of NIST Interagency Report (NISTIR) 8080, Usability and Security Considerations for Public Safety Mobile Authentication. There is a need for cybersecurity capabilities and features to protect the Nationwide Public Safety Broadband Network (NPSBN), however, these capabilities should not compromise the ability of first responders to complete their missions. This report describes the constraints presented by the personal protective equipment, specialized gear, unique operating environments, and how such constraints may interact with public safety. The overarching goal of this work is analyzing mobile authentication technologies to explore which may be more appropriate and usable for first responders.
The comment period closed on: December 28, 2015.
Email questions to: firstname.lastname@example.org
Nov. 5, 2015
DRAFT Mobile Device Security: Cloud & Hybrid Builds
Mobile devices allow employees to access information resources wherever they are, whenever they need. The constant Internet access available through a mobile device’s cellular and Wi-Fi connections has the potential to make business practices more efficient and effective. As mobile technologies mature, employees increasingly want to use mobile devices to access corporate enterprise services, data, and other resources to perform work-related activities. Unfortunately, security controls have not kept pace with the security risks that mobile devices can pose.
If sensitive data is stored on a poorly secured mobile device that is lost or stolen, an attacker may be able to gain unauthorized access to that data. Even worse, a mobile device with remote access to sensitive organizational data could be leveraged by an attacker to gain access to not only that data, but also any other data that the user is allowed to access from that mobile device. The challenge lies in ensuring the confidentiality, integrity, and availability of the information that a mobile device accesses, stores, and processes. Despite the security risks posed by today’s mobile devices, enterprises are under pressure to accept them due to several factors, such as anticipated cost savings and employees’ demand for more convenience.
The NIST Cybersecurity Practice Guide “Mobile Device Security: Cloud & Hybrid Builds” demonstrates how commercially available technologies can meet your organization’s needs to secure sensitive enterprise data accessed by and/or stored on employees’ mobile devices.
In our lab at the NCCoE, part of the National Institute of Standards and Technology (NIST), we built an environment based on typical mobile devices and an enterprise email, calendaring, and contact management solution.
We demonstrate how security can be supported throughout the mobile device lifecycle. This includes how to:
• configure a device to be trusted by the organization
• maintain adequate separation between the organization’s data and the employee’s personal data stored on or accessed from the mobile device
• handle the de-provisioning of a mobile device that should no longer have enterprise access (e.g., device lost or stolen, employee leaves the company.
If you have questions or would like to work on additional mobile device security projects, email the project team at email@example.com.
The comment period closed on: January 8, 2016.
Oct. 29, 2015
DRAFT IT Asset Management
NIST's NCCoE program is excited to announce the release of the latest NIST Cybersecurity Practice Guide, "IT Asset Management" for the Financial Services sector. The document is a draft, and NIST welcomes your comments and feedback (see links below for comment form page).
What's the guide about?
Financial institutions deploy a wide array of information technology devices, systems, and applications across a wide geographic area. While these physical assets can be labeled and tracked using bar codes and databases, understanding and controlling the cybersecurity resilience of those systems and applications is a much larger challenge. Not being able to track the location and configuration of networked devices and software can leave an organization vulnerable to security threats. Additionally, many financial organizations include subsidiaries, branches, third-party partners, and contractors as well as temporary workers and guests; tracking and managing hardware and software across these groups adds another layer of complexity.
To address this cybersecurity challenge, NCCoE security engineers developed an example solution that allows an organization to centrally monitor and gain deeper insight into their entire IT asset portfolio with an automated platform. Using open source and commercially available technologies, this example solution addresses questions such as "What operating systems are our laptops running?" and "Which devices are vulnerable to the latest threat?"
The example solution gives companies the ability to track, manage, and report on information assets throughout their entire life cycle. This can ultimately increase cybersecurity resilience by enhancing the visibility of assets, identifying vulnerable assets, enabling faster response to security alerts, revealing which applications are actually being used, and reducing help desk response times.
The comment period closed on: January 8, 2016.
Sep. 29, 2015
SP 800-125 B
DRAFT Secure Virtual Network Configuration for Virtual Machine (VM) Protection
NIST requests public comments on Draft Special Publication 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection. VMs constitute the primary resource to be protected in a virtualized infrastructure, since they are the compute engines on which business/mission critical applications of the enterprise are run. Further, since VMs are end-nodes of a virtual network, the configuration of virtual network forms an important element in the security of VMs and their hosted applications. The virtual network configuration areas considered for VM protection in this document are – Network Segmentation, Network Path Redundancy, Firewall Deployment Architecture and VM Traffic Monitoring. The configuration options in each of these areas are analyzed for their advantages and disadvantages and security recommendations are provided.
The specific areas where comments are solicited are:
• Advantages and Disadvantages of the various configuration options in the four virtual network configuration areas.
• The Security Recommendations
Note: The public comment period closed on October 23, 2015.
Questions? Send email to: firstname.lastname@example.org.
Sep. 29, 2015
DRAFT Attribute Based Access Control
NIST requests public comments on Draft NIST Cybersecurity Practice Guide 1800-3, Attribute Based Access Control.
Most businesses today use Role Based Access Control (RBAC) to assign access to networks and systems based on job title or defined role. But if an employee changes roles or leaves the company, an administrator must manually change access rights accordingly—perhaps within several systems. As organizations expand and contract, partner with external vendors or systems, and modernize systems, this method of managing user access becomes increasingly difficult and inefficient.
To help address this growing cybersecurity challenge and support the next generation of identity management, security engineers at the National Cybersecurity Center of Excellence developed a reference design for an Attribute Based Access Control (ABAC) system. ABAC is an advanced method for managing access rights for people and systems connecting to networks and assets, offering greater efficiency, flexibility, scalability, and security. In fact, Gartner recently predicted that “by 2020, 70% of enterprises will use attribute-based access control…as the dominant mechanism to protect critical assets, up from less than 5% today.”
This newly available practice guide provides IT and security engineers with critical information they can use to recreate the example solution with the same or similar technologies. Our solution is guided by NIST standards and industry best practices.
Read the NIST press release.
The public comment period closed on December 4, 2015.
Sep. 28, 2015
DRAFT Trustworthy Email
NIST requests comments on Special Publication (SP) 800-177, Trustworthy Email. This draft is a complementary guide to NIST SP 800-45 Guidelines on Electronic Mail Security and covers protocol security technologies to secure email transactions. This draft guide includes recommendations for the deployment of domain-based authentication protocols for email as well as end-to-end cryptographic protection for email contents. Technologies recommended in support of core Simple Mail Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for authenticating a sending domain (Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain based Message Authentication, Reporting and Conformance (DMARC). Email content security is facilitated through encryption and authentication of message content using S/MIME and/or Transport Layer Security (TLS) with SMTP. This guide is written for the enterprise email administrator, information security specialists and network managers.
The public comment period closed on November 30, 2015.
Aug. 25, 2015
DRAFT Identity and Access Management for Electric Utilities
The NCCoE has released a draft the latest NIST Cybersecurity Practice Guide 1800-2, Identity and Access Management for Electric Utilities, and invites you to download the draft and provide feedback.
The electric power industry is upgrading older, outdated infrastructure to take advantage of emerging technologies, but this also means greater numbers of technologies, devices, and systems connecting to the grid that need protection from physical and cybersecurity attacks. Additionally, many utilities run identity and access management (IdAM) systems that are decentralized and controlled by numerous departments. Several negative outcomes can result from this: an increased risk of attack and service disruption, an inability to identify potential sources of a problem or attack, and a lack of overall traceability and accountability regarding who has access to both critical and noncritical assets.
To help the energy sector address this cybersecurity challenge, security engineeres at the National Cybersecurity Center of Excellence (NCCoE) developed an example solution that utilities can use to more securely and efficiently manage access to the networked devices and facilities upon which power generation, transmission, and distribution depend. The solution demonstrates a centralized IdAM platform that can provide a comprehensive view of all users within the enterprise across all silos, and the access rights users have been granted, using multiple commercially available products.
Electric utilities can use some or all of the guide to implement a centralized IdAM system using NIST and industry standards, including North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP). Commercial, standards-based products, like the ones we used, are easily available and interoperable with commonly used information technology infrastructure and investments.
Read the press release from NIST.
Comment period is now closed.
Email comments to: email@example.com.
July 28, 2015
DRAFT Securing Electronic Health Records on Mobile Devices
NIST announces the public comment period for Draft NIST Cybersecurity Practice Guide SP 1800-1, Securing Electronic Health Records on Mobile Devices.
The use of mobile devices in health care sometimes outpaces the privacy and security protections on those devices. Stolen personal information can have negative financial impacts, but stolen medical information cuts to the very core of personal privacy. Medical identity theft already costs billions of dollars each year, and altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment, or incorrect prescriptions.
Cybersecurity experts at the National Cybersecurity Center of Excellence (NCCoE) collaborated with health care industry leaders and technology vendors to develop an example solution to show health care organizations how they can secure electronic health records on mobile devices. The guide provides IT implementers and security engineers with a detailed architecture so that they can recreate the security characteristics of the example solution with the same or similar technologies. Our solution is guided by relevant standards and best practices from NIST and others, including those in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Comment period is now closed.
Comments will be made public after review and can be submitted anonymously. Submit comments online or via email to HIT_NCCoE@nist.gov.
Jun. 8, 2015
SP 800-85 A-4
DRAFT PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)
NIST announces that Draft Special Publication (SP) 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance), is now available for public comment. This document provides derived test requirements and test assertions for testing PIV Middleware and PIV Card Applications for conformance to specifications in SP 800-73-4, Interfaces for Personal Identity Verification. The document has been updated to include additional tests necessary to test the new features added to the PIV Data Model and card interface as well as to the PIV Middleware in SP 800-73-4 Parts 1, 2, and 3.
• Tests for retrieving newly added optional PIV data objects such as the Biometric Information Templates Group Template data object, the Pairing Code Reference Data Container and the Secure Messaging Certificate Signer data object,
• Tests for populating these newly added data objects in the PIV Card Application,
• Tests to verify the on-card biometric comparison mechanism,
• Tests to verify the correct behavior of secure messaging and the virtual contact interface and,
• Tests to verify that the PIV Card Application enforces PIN length and format requirements.
The public comment period closed July 10, 2015.
May 28, 2015
NIST IR 8062
DRAFT Privacy Risk Management for Federal Information Systems
NIST requests comments on the draft report NISTIR 8062, Privacy Risk Management for Federal Information Systems, which describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems.
Please send comments to firstname.lastname@example.org. (Please Note: The deadline for submitting comments on NISTIR 8062 has been extended to July 31, 2015).
Expanding opportunities in cloud computing, big data, and cyber-physical systems are bringing dramatic changes to how we use information technology. While these technologies bring advancements to U.S. national and economic security and our quality of life, they also pose risks to individuals’ privacy.
Privacy Risk Management for Federal Information Systems (NISTIR 8062) introduces a privacy risk management framework for anticipating and addressing risks to individuals’ privacy. In particular, it focuses on three privacy engineering objectives and a privacy risk model. To develop this document, NIST conducted significant public outreach and research. We are soliciting public comments on this draft to obtain further input on the proposed privacy risk management framework, and we expect to publish a final report based on this additional feedback.
Note to Reviewers:
To facilitate public review, we have compiled a number of topics of interest to which we would like reviewers to respond. Please keep in mind that it is not necessary to respond to all topics listed below, Reviewers should also feel free to suggest other areas of revision or enhancement to the document.
• Privacy Risk Management Framework: Does the framework provide a process that will help organizations make more informed system development decisions with respect to privacy? Does the framework seem likely to help bridge the communication gap between technical and non-technical personnel? Are there any gaps in the framework?
• Privacy Engineering Objectives: Do these objectives seem likely to assist system designers and engineers in building information systems that are capable of supporting agencies’ privacy goals and requirements? Are there properties or capabilities that systems should have that these objectives do not cover?
• Privacy Risk Model:
o Does the equation seem likely to be effective in helping agencies to distinguish between cybersecurity and privacy risks?
o Can data actions be evaluated as the document proposes? Is the approach of identifying and assessing problematic data actions usable and actionable?
o Should context be a key input to the privacy risk model? If not, why not? If so, does this model incorporate context appropriately? Would more guidance on the consideration of context be helpful?
o The NISTIR describes the difficulty of assessing the impact of problematic data actions on individuals alone, and incorporates organizational impact into the risk assessment. Is this appropriate or should impact be assessed for individuals alone? If so, what would be the factors in such an assessment
May 1, 2015
NIST IR 8058
DRAFT Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content
NIST announces the public comment release of NIST Internal Report (NIST IR 8058), Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content. The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. Over time, certain stylistic conventions regarding the authoring of SCAP 1.2 content have become best practices. They improve the quality of SCAP content in several ways, such as improving the accuracy and consistency of results, avoiding performance problems, reducing user effort, lowering content maintenance burdens, and enabling content reuse. This document has been created to capture the best practices and encourage their use by SCAP content authors and maintainers.
The public comment period closed July 1, 2015.
Apr. 2, 2015
NIST IR 8050
DRAFT Executive Technical Workshop on Improving Cybersecurity and Consumer Privacy: Summary and Next Steps
Draft NISTIR 8050 summarizes the Executive Technical Workshop on Improving Cybersecurity and Consumer Privacy, held in collaboration with Stanford University, which brought together chief technology officers, information officers, and security executives to discuss the challenges their organizations and industries face in implementing advanced cybersecurity and privacy technologies.
The comment period closed on July 17, 2015.
Jan. 23, 2015
NIST IR 7977
DRAFT NIST Cryptographic Standards and Guidelines Development Process (Second Draft)
NIST requests comments on a revised (second) draft on NIST Interagency Report (NISTIR) 7977, Cryptographic Standards and Guidelines Development Process. This revised document describes the principles, processes and procedures behind our cryptographic standards development efforts.
The public comment period closed March 27, 2015.
Dec. 16, 2014
NIST IR 7621 Rev.1
DRAFT Small Business Information Security: The Fundamentals
NIST, as a partner with the Small Business Administration and the Federal Bureau of Investigation in an information security awareness outreach to the small business community, developed this NISTIR as a reference guideline for small businesses. This document is intended to present the fundamentals of a small business information security program in non-technical language.
The public comment period closed February 9, 2015.
Oct. 28, 2014
DRAFT Guide to Cyber Threat Information Sharing
NIST announces the public comment release of Draft Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing. The purpose of this publication is to assist organizations in establishing, participating in, and maintaining information sharing relationships throughout the incident response life cycle. The publication explores the benefits and challenges of coordination and sharing, presents the strengths and weaknesses of various information sharing architectures, clarifies the importance of trust, and introduces specific data handling considerations. The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices, examining the value of standard data formats and transport protocols to foster greater interoperability, and providing guidance on the planning, implementation, and maintenance of information sharing programs.
The public comment period closed November 28, 2014.
Oct. 20, 2014
SP 800-125 A
DRAFT Security Recommendations for Hypervisor Deployment
NIST announces the public comment release of NIST Special Publication 800-125A, Security Recommendations for Hypervisor Deployment. Server Virtualization (enabled by Hypervisor) is finding widespread adoption in enterprise data centers both for hosting in-house applications as well as for providing computing resources for cloud services. The hypervisor provides abstraction of all physical resources (such as CPU, Memory, Network and Storage) and thus enables multiple computing stacks (each consisting of an O/S (called Guest O/S), Middleware and a set of Application programs) to be run on a single physical host (referred to virtualized host or hypervisor host).
Since the NIST publication of SP 800-125 (Guide to Security for Full Virtualization Technologies) in January 2011, both the feature set of hypervisors as well as the tools for configuration and administration of virtualized infrastructure spawned by the hypervisor has seen considerable increase. This has generated the need to develop security recommendations for secure deployment of hypervisor platforms. This special publication defines a focused set of twenty-two security recommendations (in terms of architectural choices and configuration settings), intended to ensure secure execution of tasks performed by the hypervisor components under the umbrella of five baseline functions.
The public comment period closed November 10, 2014.
Aug. 6, 2014
SP 800-85 B-4
DRAFT PIV Data Model Conformance Test Guidelines
NIST produced a revised version of NIST Special Publication SP 800-85B PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test new features added to the PIV Data Model in SP 800-73-4 Parts 1. This document, after a review and comment period, will be published as NIST SP 800-85B-4.
The public comment period closed September 5, 2014.
Please note that NIST has made a one-time change in the revision number of SP 800-85B (skipping revision numbers 2 and 3) so we can align the current publication revision to SP 800-73-4.
Jun. 23, 2014
NIST IR 8006
DRAFT NIST Cloud Computing Forensic Science Challenges
This document summarizes the research performed by the members of the NIST Cloud Computing Forensic Science Working Group, and aggregates, categorizes and discusses the forensics challenges faced by experts when responding to incidents that have occurred in a cloud-computing ecosystem. The challenges are presented along with the associated literature that references them. The immediate goal of the document is to begin a dialogue on forensic science concerns in cloud computing ecosystems. The long-term goal of this effort is to gain a deeper understanding of those concerns (challenges) and to identify technologies and standards that can mitigate them.
The public comment period closed on August 25, 2014.
May 29, 2014
NIST IR 7924
DRAFT Reference Certificate Policy (Second Draft)
NIST announces the public comment release of second draft of Interagency Report 7924, Reference Certificate Policy. The purpose of this document is to identify a set of security controls and practices to support the secure issuance of certificates. It was written in the form of a Certificate Policy (CP), a standard format for defining the expectations and requirements of the relying party community that will trust the certificates issued by its Certificate Authorities (CAs).
NIST released the first draft of this publication in April 2013 and received extensive public comments. This revised draft incorporates changes requested by commenters, many intended to improve the security controls identified in the document, provide additional flexibility for CAs, and clarify ambiguities in the previous release.
The public comment period closed on August 1, 2014.
May 12, 2014
DRAFT Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems
NIST requests comments on the initial public draft of Special Publication (SP) 800-160, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems. The new security guidelines recommend steps to help develop a more defensible and survivable information technology (IT) infrastructure—including the component products, systems, and services that compose the infrastructure. A formal announcement of the publication is planned on May 13, 2014 at the College of Science and Engineering, Technology Leadership Institute, University of Minnesota.
The public comment period closed on July 11, 2014.
Mar. 14, 2014
SP 800-16 Rev. 1-3rd-draft
DRAFT A Role-Based Model for Federal Information Technology / Cyber Security Training (3rd public draft)
NIST announces the release of Draft Special Publication (SP) 800- 16 Revision 1 (3rd public draft), A Role-Based Model For Federal Information Technology/Cyber Security Training for public comment. SP 800-16 describes information technology / cyber security role-based training for Federal Departments and Agencies and Organizations (Federal Organizations). Its primary focus is to provide a comprehensive, yet flexible, training methodology for the development of training courses or modules for personnel who have been identified as having significant information technology / cyber security responsibilities.
Please submit comments to email@example.com with “Comments on SP 800-16 Rev 1 (3rd draft)” in the subject line.
The public comment period closed on April 30, 2014.
Mar. 7, 2014
NIST IR 7981
DRAFT Mobile, PIV, and Authentication
NIST announces public comment release of NIST IR 7981, Mobile, PIV, and Authentication. NIST IR 7981 analysis and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.
There is a comment template provided for submitting comments for this draft NISTIR - see link below. Comments on this publication may be submitted to firstname.lastname@example.org.
The public comment period closed on April 21, 2014.
Sep. 9, 2013
SP 800-90 C
DRAFT Draft SP 800-90 Series: Random Bit Generators
800-90 C: Recommendation for Random Bit Generator (RBG) Constructions
In light of recent reports, NIST is reopening the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C.
NIST is interested in public review and comment to ensure that the recommendations are accurate and provide the strongest cryptographic recommendations possible.
The public comment period closed on November 6, 2013.
In addition, the Computer Security Division has released a supplemental ITL Security Bulletin titled "NIST Opens Draft Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, For Review and Comment (Supplemental ITL Bulletin for September 2013)" to support the draft revision effort.
July 8, 2013
SP 800-38 G
DRAFT Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
NIST is pleased to announce that Draft NIST Special Publication 800-38G, Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption, is available for public comment. Format-preserving encryption (FPE) has emerged as a useful cryptographic tool, whose applications include financial-information security, data sanitization, and transparent encryption of fields in legacy databases.
Three methods are specified in this publication: FF1, FF2, and FF3. Each is a format-preserving, Feistel-based mode of operation of the AES block cipher. FF1 was submitted to NIST by Bellare, Rogaway and Spies under the name FFX[Radix]; FF2 was submitted to NIST by Vance under the name VAES3; and FF3 is the main component of the BPS mechanism that was submitted to NIST by Brier, Peyrin, and Stern. The submission documents are available at http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html.
The public comment period closed on September 3, 2013.
DRAFT NIST Cloud Computing Security Reference Architecture
The NIST Cloud Computing Security Working Group (NCC-SWG) issued Draft SP 500-299, NIST Cloud Computing Security Reference Architecture in May 2013, and the comment period is now closed. See the NCC-SWG homepage for additional details.NIST Cloud Computing Security Working Group homepage
Oct. 31, 2012
DRAFT Guidelines on Hardware-Rooted Security in Mobile Devices
NIST announces the public comment release of the draft NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices . The guidelines in this document are intended to provide a common baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own Device, BYOD). It focuses on providing three security capabilities- device integrity, isolation, and protected storage- through the use of hardware-based roots of trust.
The intended audience for this document includes mobile Operating System (OS) vendors, device manufacturers, security software vendors, carriers, application software developers and information system security professionals who are responsible for managing the mobile devices in an enterprise environment.
The public comment period closed on December 14, 2012.
July 25, 2012
SP 800-94 Rev. 1
DRAFT Guide to Intrusion Detection and Prevention Systems (IDPS)
NIST announces the public comment release of Draft Special Publication 800-94 (SP) Revision 1, Guide to Intrusion Detection and Prevention Systems (IDPS). This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network behavior analysis (NBA), and host-based. Draft SP 800-94 Revision 1 updates the original SP 800-94, which was released in 2007.
The public comment period closed on August 31, 2012.
May 7, 2012
NIST IR 7848
DRAFT Specification for the Asset Summary Reporting Format 1.0
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7848, Specification for the Asset Summary Reporting Format 1.0. NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing the data exchange format of summary information relative to one or more metrics. ASR reduces the bandwidth requirement to report information about assets in the aggregate since it allows for reporting aggregates relative to metrics, as opposed to reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and leverages widely adopted, open specifications; it is flexible, and suited for a wide variety of reporting applications.
The public comment period closed on June 6, 2012.
Jan. 20, 2012
NIST IR 7800
DRAFT Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7800, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains. This publication binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.
The public comment period closed on February 17, 2012.
Jan. 6, 2012
SP 800-117 Rev. 1
DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2
NIST announces the public comment release of draft Special Publication (SP) 800-117 Revision 1, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2. The purpose of this document is to provide an overview of the Security Content Automation Protocol (SCAP) version 1.2. This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP version 1.2 capabilities within their offerings. The intended audience for this document is individuals who have responsibilities for maintaining or verifying the security of systems in operational environments.
The public comment period closed on February 17, 2012.
Jan. 6, 2012
NIST IR 7799
DRAFT Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7799, Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications. This publication provides the technical specifications for the continuous monitoring (CM) reference model presented in NIST IR 7756. These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain agnostic, which means that they can be used for CM regardless of the data domain that is being monitored.
The public comment period closed on February 17, 2012.
Jan. 6, 2012
NIST IR 7756
DRAFT CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture
NIST announces the second public comment release of Draft NIST Interagency Report (NISTIR) 7756, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture. This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security’s CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.
The public comment period closed on February 17, 2012.
Dec. 8, 2011
DRAFT BIOS Integrity Measurement Guidelines
NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization —either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.
The public comment period closed on January 20, 2012.
Dec. 6, 2011
NIST IR 7831
DRAFT Common Remediation Enumeration (CRE) Version 1.0
NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7831, Common Remediation Enumeration Version 1.0. NISTIR 7831 defines the Common Remediation Enumeration (CRE) specification. CRE is part of an emerging suite of enterprise remediation specifications that enable automation and enhanced correlation of enterprise remediation activities. Each CRE entry represents a unique remediation activity and is assigned a globally unique CRE identifier (CRE-ID). This specification describes the core concepts of CRE and the technical components of a CRE entry, outlines how CRE entries are created, and defines the technical requirements for constructing CRE entries.
The public comment period closed on January 20, 2012.
Feb. 10, 2011
NIST IR 7670
DRAFT Proposed Open Specifications for an Enterprise Remediation Automation Framework
NIST announces the public comment release of the draft NIST Interagency Report (NISTIR) 7670, Proposed Open Specifications for an Enterprise Remediation Automation Framework. This report examines technical use cases for enterprise remediation, identifies high-level requirements for these use cases, and proposes a set of emerging specifications that satisfy those requirements.
The public comment period closed on March 11, 2011.
Mar. 10, 2010
NIST IR 7669
DRAFT Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements
Draft NIST Interagency Report (IR) 7669, Open Vulnerability Assessment Language (OVAL) Validation Program Derived Test Requirements, describes the requirements that must be met by products to achieve OVAL Validation. Validation is awarded based on a defined set of OVAL capabilities by independent laboratories that have been accredited for OVAL testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7669 has been written primarily for accredited laboratories and for vendors interested in receiving OVAL validation for their products.
The public comment period closed on April 9, 2010.
July 14, 2009
SP 800-65 Rev. 1
DRAFT Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC)
NIST announces that Draft Special Publication (SP) 800-65 Revision 1, Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC), has been released for public comment. SP 800-65 is intended to help organizations in integrating information security into their CPIC processes by providing guidance on selecting, managing, and evaluating information security investments and accounting for information security in all IT investments.
The public comment period closed on August 14, 2009.
Apr. 21, 2009
DRAFT Guide to Enterprise Password Management
NIST announces that Draft Special Publication (SP) 800-118, Guide to Enterprise Password Management, has been released for public comment. SP 800-118 is intended to help organizations understand and mitigate common threats against their character-based passwords. The guide focuses on topics such as defining password policy requirements and selecting centralized and local password management solutions.
The public comment period closed on May 29, 2009.
Oct. 6, 2006
DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation
NIST is pleased to announce the release of Draft of the Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. The SP 800-103 is available for a six week public comment period. This document provides the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide an Extensible Markup Language (XML) schemas, as a framework for retention and exchange of identity credential information.
The public comment period closed on November 15, 2006.