Aug 16, 2016

SP 800-171 Rev. 1

DRAFT Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Draft Special Publication 800-171, Revision 1, represents a limited update to the original publication released in June 2015. In particular, this update includes:

  • A clarification of the purpose and applicability statement;
  • Minor clarifications, additions, and adjustments to selected CUI requirements;
  • Guidance on the use of system security plans (SSPs) and plans of action and milestones (POAMs) to demonstrate the implementation or planned implementation of CUI requirements by nonfederal organizations;
  • Guidance on federal agency use of submitted SSPs and POAMs as critical inputs to risk management decisions and decisions on whether or not to pursue agreements or contracts with nonfederal organizations;
  • Additional definitions and terms for the glossary; and
  • The implementation of hyperlinks to facilitate ease of use in navigating the document.

Both markup and clean copies of the draft publication are provided to facilitate a more efficient reviewing process. The feedback obtained from this public review will be incorporated into a final publication targeted for release in the Fall 2016.

Email comments to: sec-cert@nist.gov(Subject: "Comments on Draft SP 800-171 Rev. 1")
Comments due by: September 16, 2016

Draft SP 800-171 Rev. 1
Mark-up Copy of Draft SP 800-171 Rev. 1

Aug 11, 2016

NISTIR 8114

DRAFT Report on Lightweight Cryptography

NIST-approved cryptographic standards were designed to perform well using general-purpose computers. In recent years, there has been increased deployment of small computing devices that have limited resources with which to implement cryptography. When current NIST-approved algorithms can be engineered to fit into the limited resources of constrained environments, their performance may not be acceptable. For these reasons, NIST started a lightweight cryptography project that was tasked with learning more about the issues and developing a strategy for the standardization of lightweight cryptographic algorithms. This report provides an overview of the lightweight cryptography project at NIST, and describes plans for the standardization of lightweight cryptographic algorithms.

Email comments to: lightweight-crypto@nist.gov(Subject: "Comments on Draft NISTIR 8114")
Comments due by: October 31, 2016

Draft NISTIR 8114

Aug 04, 2016

SP 800-185

DRAFT SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash

NIST SP 800-185 specifies four types of SHA-3-derived functions: cSHAKE, KMAC, TupleHash, and ParallelHash, each defined for a 128- and 256-bit security level. cSHAKE is a customizable variant of the SHAKE function, as defined in FIPS 202. KMAC (for KECCAK Message Authentication Code) is a pseudorandom function and keyed hash function based on KECCAK. TupleHash is a variable-length hash function designed to hash tuples of input strings without trivial collisions. ParallelHash is a variable-length hash function that can hash very long messages in parallel.

Email comments to: SP800-185@nist.gov(Subject: "Draft SP 800-185 Comments")
Comments due by: September 30, 2016

Draft SP 800-185

Aug 01, 2016

NISTIR 8112

DRAFT Attribute Metadata

NIST invites comments on Draft NIST Internal Report (NISTIR) 8112, Attribute Metadata. This report proposes a schema intended to convey information about a subject's attribute(s) to allow for a relying party (RP) to:

  • Obtain greater understanding of how the attribute and its value were obtained, determined, and vetted;
  • Have greater confidence in applying appropriate authorization decisions to subjects external to the domain of a protected system or data;
  • Develop more granular access control policies;
  • Make more effective authorization decisions; and
  • Promote federation of attributes.

The schema can be used by relying parties to enrich access control policies, as well as during runtime evaluation of an individual's ability to access protected resources. We opted to publish this document as a NISTIR in an effort to treat it as an implementers' draft, an approach common in the development lifecycle of many private sector standards and specifications. This allows the developer and policy community, in both the public and private sectors, to apply some or all of the metadata in this NISTIR on a volunteer basis, and provide us with practical feedback gained through implementation experience. As such, we will be maintaining the public issues page beyond the initial 60-day period to continually receive input and iteratively improve the document in anticipation of a second revision.

Submitting Comments

Commenters are STRONGLY encouraged to publicly collaborate with the team and other participants via the GitHub pages for NISTIR 8112. We have posted details on how to submit comments on GitHub. Additionally, we are providing a PDF for offline reading, as well as a traditional comment matrix for those that prefer this approach. 

All comments, regardless of how they are provided to NIST, will be made public as a GitHub "issue."

Email comments to: nsticworkshop@nist.gov(Subject: "Comments Draft IR 8112")
Comments due by: September 30, 2016

Draft NISTIR 8112 (HTML on GitHub)
How to Submit Comments (GitHub)
Submitted issues (GitHub)
Draft NISTIR 8112 (PDF)
Comment Template

Jul 27, 2016

Whitepaper

DRAFT [Project Description] Mobile Application Single Sign-On: for Public Safety and First Responders

The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Mobile Application Single Sign-On: for Public Safety and First Responders.

On-demand access to public safety data is critical to ensuring that public safety and first responder (PSFR) personnel can deliver the proper care and support during an emergency. This requirement necessitates that PSFR personnel rely heavily on mobile platforms while in the field, which may be used to access sensitive information such as personally identifiable information, law enforcement sensitive information, or protected health information. The vast diversity of public safety personnel, missions, and operational environments presents unique challenges to implementing efficient and secure authentication mechanisms in order to protect access to this sensitive information.

This project seeks to demonstrate a reference design for multifactor authentication and mobile single sign-on for native and web applications, while improving interoperability between mobile platforms, applications, and identity providers irrespective of the application development platform used in their construction. Ultimately, this project and its example solution aims to help PSFR personnel efficiently and securely gain access to mission data via mobile devices and applications.

Email comments to: psfr-nccoe@nist.gov
Comments due by: September 16, 2016

Draft Project Description
Submit Comments
Project Homepage

Jul 18, 2016

SP 800-126 Rev. 3

DRAFT The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3

NIST invites comments on two draft publications on the Security Content Automation Protocol (SCAP). The first is Special Publication (SP) 800-126 Revision 3, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. The second is SP 800-126A, SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3.

SP 800-126 Revision 3 and SP 800-126A collectively define the proposed technical specification for SCAP version 1.3, which is based on enhancements and clarifications to the SCAP 1.2 specification. SP 800-126A is a new publication that allows SCAP 1.3 to take advantage of selected minor version updates of SCAP component specifications, as well as designated Open Vulnerability and Assessment Language (OVAL) platform schema versions.

The public comment period closed on August 19, 2016
Questions? Send email to : 800-126comments@nist.gov

Draft SP 800-126 Rev. 3
Comment Template

Jul 18, 2016

SP 800-126A

DRAFT SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3

NIST invites comments on two draft publications on the Security Content Automation Protocol (SCAP). The first is Special Publication (SP) 800-126 Revision 3, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. The second is SP 800-126A, SCAP 1.3 Component Specification Version Updates: An Annex to NIST Special Publication 800-126 Revision 3.

SP 800-126 Revision 3 and SP 800-126A collectively define the proposed technical specification for SCAP version 1.3, which is based on enhancements and clarifications to the SCAP 1.2 specification. SP 800-126A is a new publication that allows SCAP 1.3 to take advantage of selected minor version updates of SCAP component specifications, as well as designated Open Vulnerability and Assessment Language (OVAL) platform schema versions.

The public comment period closed on August 19, 2016
Questions? Send email to : 800-126comments@nist.gov

Draft SP 800-126A
Comment Template

Jun 23, 2016

SP 800-179

DRAFT Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist

NIST invites comments on Draft Special Publication 800-179, Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist. This publication assists IT professionals in securing Apple OS X 10.10 desktop and laptop systems within various environments. It provides detailed information about the security features of OS X 10.10 and security configuration guidelines. The publication recommends and explains tested, secure settings with the objective of simplifying the administrative burden of improving the security of OS X 10.10 systems in three types of environments: Standalone, Managed, and Specialized Security-Limited Functionality.

A template for submitting comments is available below.

The public comment period closed on August 15, 2016
Questions? Send email to : 800-179comments@nist.gov

Draft SP 800-179
Comment Template

Jun 06, 2016

SP 800-184

DRAFT Guide for Cybersecurity Event Recovery

NIST Draft Special Publication 800-184, Guide for Cybersecurity Event Recovery, is available for public comment. The purpose of this document is to support federal agencies in a technology-neutral way in improving their cyber event recovery plans, processes, and procedures. This publication provides tactical and strategic guidance regarding the planning, playbook developing, testing, and improvement of recovery planning. It also provides an example scenario that demonstrates guidance and informative metrics that may be helpful for improving resilience of the information systems.

A template for submitting comments is provided below.

The public comment period closed on July 11, 2016
Questions? Send email to : csf-recover@nist.gov

Draft SP 800-184
Comment Template

Jun 06, 2016

Whitepaper

DRAFT [Concept Paper] Identity and Access Management for Smart Home Devices

The National Cybersecurity Center of Excellence (NCCoE) is seeking comments from industry on the challenges of identification, authentication, and authorization for devices in the Internet of Things (IoT) space; specifically requirements for authentication and authorization of autonomous non-person entities (NPE) found in smart home devices. Areas of interest include the following:

  • models for the lifecycle of IoT and/or smart home devices;
  • threat vectors and attack surfaces of smart home devices throughout their lifecycle;
  • using commercially available technology, methods for the identification, authentication, and authorization of smart home devices including:
    • core requirements in addressing these three capabilities;
    • implementation challenges;
    • potential security weaknesses or gaps;
    • mechanisms for NPE-to-NPE, NPE-to-Network, and NPE-to-Cloud authentication;
    • mechanisms for binding device, APIs, and user identity with applicable authentication contexts;
    • privacy risks to individuals raised by improving smart home device identification and authentication;
    • mechanisms that enable improved identification and authentication of smart home devices while maintaining individuals' privacy;
  • models for handling encryption on constrained devices; and
  • business cases for the identification, authentication, and authorization of smart home devices for which the NCCoE could build a demonstrable solution.

Based upon community feedback on these topics, the NCCoE will consider instantiating a project to engage in building an example solution using commercially available technology.

Comments due: None--comments accepted on an ongoing basis.
Submit comments using the link below.

Draft Concept Paper
Submit Comments
Project Homepage

Jun 01, 2016

NISTIR 8136

DRAFT Mobile Application Vetting Services for Public Safety: an Informal Survey

The creation of the nation's first public safety broadband network (FirstNet) will require the vetting of mobile apps to ensure they meet public safety's cyber security requirements. It will be beneficial for the public safety community to leverage the mobile application vetting services and infrastructures that already exist. The purpose of this document is to be an informal survey of existing mobile application vetting services and the features these services provide. It also relates these features for their applicability to the public safety domain. This document is intended to aid public safety organizations when selecting mobile application vetting services for use in analyzing mobile applications.

The public comment period closed on June 30, 2016
Questions? Send email to : MobileAppSurveyDraft@nist.gov

Draft NISTIR 8136

May 09, 2016

Whitepaper

DRAFT [Project Description] Securing Non-Credit Card, Sensitive Consumer Data: Consumer Data Security for the Retail Sector

The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Securing Non-Credit Card, Sensitive Consumer Data.
 
Retailers easily gather sensitive data during typical business activities, such as date of birth, address, phone number, and email address, which can be used by various internal users and external partners to accelerate business operations and revenue. There has been an increase in the value of non-credit card, sensitive consumer data on the black market; however, there are relatively few regulations or standards specific to this topic in the consumer-facing/retail industry in the United States. As seen following high-profile data breaches in the healthcare sector, personally identifiable information (PII) is valued at up to 20 times more than credit card data, with a single credit card number sold at $1 and the average individual's PII sold at $20.
 
This project and its example solution will help secure non-credit card, sensitive consumer data through data masking and tokenization, coupled with fine-grained access control to improve the security of data transmitted and stored during commercial payment transactions, as well as data shared internally within a retail organization and externally with business partners.

The public comment period closed on June 3, 2016
Questions? Send email to : consumer-nccoe@nist.gov

Draft Project Description
Submit Comments
Project Homepage

May 09, 2016

Whitepaper

DRAFT [Project Description] Multifactor Authentication for e-Commerce: Online Authentication for the Retail Sector

The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Multifactor Authentication for e-Commerce.

As greater security control mechanisms are implemented at the point of sale, retailers in the United States may see a drastic increase in e-commerce fraud, similar to what has been widely observed in the UK and Europe following the rollout of EMV chip-and-PIN technology approximately ten years ago. Consumers, retailers, payment processors, banks, and card issuers are all impacted by the security risks of e-commerce transactions. Retailers bear the cost for fraudulent, card-not-present (CNP) transactions, motivating them to reduce fraud in order to avoid damage to their reputation and eliminate potential revenue losses, which have been estimated to be over $3 billion. Part of e-commerce fraud reduction includes an increased level of assurance in purchaser or user identity.

This project and its example solution will help reduce the risk of false online identification and authentication fraud for e-commerce transaction with multifactor authentication tied to existing web analytics and contextual risk calculation.

The public comment period closed on June 3, 2016
Questions? Send email to : consumer-nccoe@nist.gov

Draft Project Description
Submit Comments
Project Homepage

May 08, 2016

SP 800-63-3

DRAFT PRE-DRAFT: Digital Authentication Guideline (Public Preview)

NIST has initiated an effort to update Special Publication 800-63-2, Electronic Authentication Guideline. After a call for comments on SP 800-63-2 in 2015, NIST began drafting a revision of the Guideline, which is being reorganized into multiple parts:

SP 800-63-3    Digital Authentication Guideline
SP 800-63A    Enrollment and Identity Proofing Requirements
SP 800-63B    Authentication and Lifecycle Management
SP 800-63C    Federation and Assertions

SP 800-63-3 development will follow a four-phase approach:

Phase I - Initial Drafting (March-April)
Phase II - Public Preview (May-September*)
Phase III - Public Comment (October-November)
Phase IV - Document Finalization (November-December)

[*7/7/16 - The italicized dates above have been updated. The Phase II milestones link below provides some additional dates.]

With Phase I completed, the Public Preview phase (Phase II) is now in process. Stakeholders are invited to participate via the SP 800-63-3 Public Preview Site. Preliminary drafts will be posted iteratively for short-term, open comment periods.

NIST will then post the resulting drafts for public comment on this Drafts page during the Public Comment phase (Phase III), comprising a traditional, extended public comment period.

Visit the links below to learn more:

SP 800-63-3 Development: Public Preview Site (GitHub)
Phase II Milestones (4 iterations)

May 04, 2016

SP 800-160

DRAFT Systems Security Engineering Guideline: An Integrated Approach to Building Trustworthy Resilient Systems

NIST announces the release of Draft SP 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.

The United States has developed incredibly powerful and complex systems-systems that are inexorably linked to the economic and national security interests of the Nation. The complete dependence on those systems for mission and business success in both the public and private sectors, including the critical infrastructure, has left the Nation extremely vulnerable to hostile cyber-attacks and other serious threats. With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and threats to federal, state, and local governments, the military, businesses, industry, and the critical infrastructure, the need for trustworthy secure systems has never been more important.

Engineering-based approaches to solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today's systems-as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. Managing the complexity of today's systems and being able to claim that those systems are trustworthy and secure means that first and foremost, there must be a level of confidence in the feasibility and correctness-in-concept, philosophy, and design, regarding the ability of a system to function securely as intended. Failure to address the complexity issue in this manner will continue to leave the Nation susceptible to the consequences of an increasingly pervasive set of disruptions, hazards, and threats with potential for causing serious, severe, or even catastrophic consequences.

NIST Special Publication 800-160 attempts to bring greater clarity to the difficult and challenging problems associated with a systems-oriented viewpoint on realizing trustworthy secure systems-and does so through the considerations set forth in a set of standards-based systems engineering processes applied throughout the life cycle.

The public comment period closed on July 1, 2016
Questions? Send email to : sec-cert@nist.gov

Second Draft SP 800-160
Press Release

Apr 21, 2016

SP 800-150

DRAFT Guide to Cyber Threat Information Sharing

NIST requests comments on the second draft of Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing. This draft provides guidelines for establishing, participating in, and maintaining cyber threat information sharing relationships. The publication describes the benefits and challenges of sharing, the importance of building trust, the handling of sensitive information, and the automated exchange of cyber threat information. The goal of the publication is to provide guidelines that help improve cybersecurity operations and risk management activities through safe and effective information sharing practices. The guide is intended for computer security incident response teams (CSIRTs), system and network administrators, security staff, privacy officers, technical support staff, chief information security officers (CISOs), chief information officers (CIOs), computer security program managers, and other stakeholders in cyber threat information sharing activities.

The public comment period closed on May 24, 2016
Questions? Send email to : sp800-150comments@nist.gov

Second Draft SP 800-150
Comment Template

Apr 13, 2016

SP 800-90C

DRAFT Recommendation for Random Bit Generator (RBG) Constructions

NIST invites comments on the second draft of Special Publication (SP) 800-90C, Recommendation for Random Bit Generator (RBG) Constructions. This Recommendation specifies constructions for the implementation of RBGs. An RBG may be a deterministic random bit generator (DRBG) or a non-deterministic random bit generator (NRBG). The constructed RBGs consist of DRBG mechanisms, as specified in SP 800-90A, and entropy sources, as specified in SP 800-90B.

On May 2-3, 2016, NIST hosted a workshop on Random Number Generation to discuss the SP 800-90 series of documents--specifically, SP 800-90B and SP 800-90C.

The public comment period closed on June 13, 2016
Questions? Send email to : rbg_comments@nist.gov

Second Draft SP 800-90C
Comment Template

Apr 12, 2016

NISTIR 8071

DRAFT LTE Architecture Overview and Security Analysis

NIST invites comments on Draft NIST Internal Report (NISTIR) 8071, LTE Architecture Overview and Security Analysis. Cellular technology plays an increasingly large role in society as it has become the primary portal to the Internet for a large segment of the population. One of the main drivers making this change possible is the deployment of 4th generation (4G) Long Term Evolution (LTE) cellular technologies. This document serves as a guide to the fundamentals of how LTE networks operate and explores the LTE security architecture. This is followed by an analysis of the threats posed to LTE networks and supporting mitigations. This document introduces high-level LTE concepts and discusses technical LTE security mechanisms in detail. Technical readers are expected to understand fundamental networking concepts and general network security. It is intended to assist those evaluating, adopting, and operating LTE networks, specifically telecommunications engineers, system administrators, cybersecurity practitioners, and security researchers.

The public comment period closed on June 1, 2016
Questions? Send email to : nistir8071@nist.gov

Draft NISTIR 8071
Comment Template

Mar 30, 2016

SP 800-177

DRAFT Trustworthy Email

NIST requests comments on the second draft of Special Publication (SP) 800-177, Trustworthy Email. This draft is a complementary guide to NIST SP 800-45, Guidelines on Electronic Mail Security, and covers protocol security technologies to secure email transactions. This draft guide includes recommendations for the deployment of domain-based authentication protocols for email as well as end-to-end cryptographic protection for email contents. Technologies recommended in support of core Simple Mail Transfer Protocol (SMTP) and the Domain Name System (DNS) include mechanisms for authenticating a sending domain (Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain based Message Authentication, Reporting and Conformance (DMARC). Email content security is facilitated through encryption and authentication of message content using S/MIME and/or Transport Layer Security (TLS) with SMTP. This guide is written for federal agency email administrators, information security specialists and network managers, but contains general recommendations for all enterprise email administrators.

The public comment period closed on April 29, 2016
Questions? Send email to : SP800-177@nist.gov

Second Draft SP 800-177
Comment Template

Mar 14, 2016

SP 800-154

DRAFT Guide to Data-Centric System Threat Modeling

NIST requests public comments on draft Special Publication (SP) 800-154, Guide to Data-Centric System Threat Modeling. Data-centric system threat modeling is a form of risk assessment that models aspects of the attack and defense sides for selected data within a system. Draft SP 800-154 provides information on the basics of data-centric system threat modeling so that organizations can use it as part of their risk management processes instead of relying solely on conventional "best practice" recommendations.

The public comment period closed on April 15, 2016
Questions? Send email to : 800-154comments@nist.gov

Draft SP 800-154
Comment Template

Feb 23, 2016

SP 800-53 Rev. 5

DRAFT Call for Comments: Security and Privacy Controls for Federal Information Systems and Organizations

NIST Special Publication 800-53 Revision 5, Pre-Draft Call for Comments

Recognizing the importance of maintaining the relevance and currency of Special Publication (SP) 800-53, NIST will update Revision 4 to Revision 5 during calendar year 2016 beginning with this pre-draft request for comments. NIST seeks the input of SP 800-53 customers to ensure Revision 5 will continue to deliver a comprehensive security and privacy control set that addresses current threats, technologies, and environments of operation while remaining functional and usable.

To learn more, please visit the link below.

The public comment period closed on April 1, 2016
Questions? Send email to : sec-cert@nist.gov

SP 800-53 Rev. 5 (Pre-Draft Call for Comments)

Feb 18, 2016

SP 800-180

DRAFT NIST Definition of Microservices, Application Containers and System Virtual Machines

NIST requests public comments on Draft SP 800-180, NIST Definition of Microservices, Application Containers and System Virtual Machines. This document serves to provide a NIST-standard definition to application containers, microservices which reside in application containers and system virtual machines. Furthermore, this document explains the similarities and differences between a Services Oriented Architecture (SOA) and Microservices as well as the similarities and differences between System Virtual Machines and Application Containers.

The public comment period closed on March 18, 2016
Questions? Send email to : sec-cloudcomputing@nist.gov

Draft SP 800-180
Comment Template

Feb 17, 2016

NISTIR 8103

DRAFT Advanced Identity Workshop on Applying Measurement Science in the Identity Ecosystem: Summary and Next Steps

On January 12-13, 2016 the Applied Cybersecurity Division (ACD) in NIST's Information Technology Laboratory hosted the Applying Measurement Science in the Identity Ecosystem workshop to discuss the application of measurement science to digital identity management. Draft NISTIR 8103 summarizes the concepts and ideas presented at the workshop and serves as a platform to receive feedback on the major themes discussed at that event.

The public comment period closed on March 31, 2016
Questions? Send email to : NSTICworkshop@nist.gov

Draft NISTIR 8103
Comment Template

Feb 02, 2016

NISTIR 8011 Vol. 1

DRAFT Automation Support for Security Control Assessments: Overview

NIST is pleased to announce the initial public draft release of NIST Internal Report (NISTIR) 8011, Automation Support for Security Control Assessments, Volumes 1 and 2. This NISTIR represents a joint effort between NIST and the Department of Homeland Security to provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall and the guidance in NIST SPs 800-53 and 800-53A in particular.

NISTIR 8011 will ultimately consist of 13 volumes. Volume 1 introduces the general approach to automating security control assessments, 12 ISCM security capabilities, and terms and concepts common to all 12 capabilities. Volume 2 provides details specific to the hardware asset management security capability. The remaining 11 ISCM security capability volumes will provide details specific to each capability but will be organized in a very similar way to Volume 2.

The public comment period closed on March 18, 2016
Questions? Send email to : sec-cert@nist.gov

Draft NISTIR 8011 Vol. 1: Overview

Feb 02, 2016

NISTIR 8011 Vol. 2

DRAFT Automation Support for Security Control Assessments: Hardware Asset Management

NIST is pleased to announce the initial public draft release of NIST Internal Report (NISTIR) 8011, Automation Support for Security Control Assessments, Volumes 1 and 2. This NISTIR represents a joint effort between NIST and the Department of Homeland Security to provide an operational approach for automating security control assessments in order to facilitate information security continuous monitoring (ISCM), ongoing assessment, and ongoing security authorizations in a way that is consistent with the NIST Risk Management Framework overall and the guidance in NIST SPs 800-53 and 800-53A in particular.

NISTIR 8011 will ultimately consist of 13 volumes. Volume 1 introduces the general approach to automating security control assessments, 12 ISCM security capabilities, and terms and concepts common to all 12 capabilities. Volume 2 provides details specific to the hardware asset management security capability. The remaining 11 ISCM security capability volumes will provide details specific to each capability but will be organized in a very similar way to Volume 2.

The public comment period closed on March 18, 2016
Questions? Send email to : sec-cert@nist.gov

Draft NISTIR 8011 Vol. 2: Hardware Asset Management

Jan 27, 2016

SP 800-90B

DRAFT Recommendation for the Entropy Sources Used for Random Bit Generation

NIST announces the second draft of Special Publication (SP) 800-90B, Recommendation for the Entropy Sources Used for Random Bit Generation. This Recommendation specifies the design principles and requirements for the entropy sources used by Random Bit Generators, and the tests for the validation of entropy sources. These entropy sources are intended to be combined with Deterministic Random Bit Generator mechanisms that are specified in SP 800-90A to construct Random Bit Generators, as specified in SP 800-90C. NIST is planning to host a workshop on Random Number Generation to discuss the SP 800-90 series, specifically, SP 800-90B and SP 800-90C. More information about the workshop is available at: http://www.nist.gov/itl/csd/ct/rbg_workshop2016.cfm.

The specific areas where comments are solicited on SP 800-90B are:

  • Post-processing functions (Section 3.2.2): We provided a list of approved post-processing functions. Is the selection of the functions appropriate?
  • Entropy assessment (Section 3.1.5): While estimating the entropy for entropy sources using a conditioning component, the values of n and q are multiplied by the constant 0.85. Is the selection of this constant reasonable?
  • Multiple noise sources: The Recommendation only allows using multiple noise sources if the noise sources are independent. Should the use of dependent noise sources also be allowed, and if so, how can we calculate an entropy assessment in this case?
  • Health Tests: What actions should be taken when health tests raise an alarm? The minimum allowed value of a type I error for health testing is selected as 2-50. Is this selection reasonable?

The public comment period closed on May 9, 2016
Questions? Send email to : rbg_comments@nist.gov

Second Draft SP 800-90 B
Comment Template
NIST Press Release

Dec 28, 2015

SP 800-116 Rev. 1

DRAFT A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

NIST announces the release of Draft Special Publication (SP) 800-116 Revision 1, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS), and requests public comments. It provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in federal facilities. The document also recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to federal government facilities and assets.

Revision 1 updates SP 800-116 to align with FIPS 201-2. High-level changes include:

  • Addition of the OCC-AUTH authentication mechanisms introduced in FIPS 201-2.
  • In light of the deprecation of the CHUID authentication mechanism in FIPS 201-2 and its expected removal in the next revision of FIPS 201:
    • Removal of the CHUID +VIS authentication mechanism from the list of recommended authentication mechanisms.
    • Addition of a new section (5.3.1) titled "Migrating Away from the Legacy CHUID Authentication Mechanism" to aid in the transition away from the CHUID + VIS authentication mechanism.
    • In coordination with OMB, added text indicating that the use of the CHUID authentication mechanism past September 2019 requires the official that signs an Authorization to Operate (ATO) to indicate acceptance of the risks.
    • Addition of a new appendix titled "Improving Authentication Transaction Times" to aid transiting away from the weak CHUID authentication mechanism to stronger but computationally expensive cryptographic one-factor authentication (PKI-CAK).
  • Addition of a new section (5.4) titled "PIV Identifiers" and a summary table with pro and cons to describe the identifiers available on the PIV Card that can map to a PACS's access control list.
  • In coordination with the Interagency Security Committee (ISC), replaced the Department of Justice's "Vulnerability Assessment Report of Federal Facilities" document with the ISC's document titled "Risk Management Process for Federal Facilities" to aid deriving the security requirement for facilities.

The public comment period closed on March 1, 2016
Questions? Send email to : piv_comments@nist.gov

Draft SP 800-116 Rev. 1
Comment Template

Dec 17, 2015

NISTIR 8085

DRAFT Forming Common Platform Enumeration (CPE) Names from Software Identification (SWID) Tags

This report provides guidance to associate SWID Tags with the CPE specification. The publication is intended as a supplement to NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. NISTIR 8060 shows how SWID tags, as defined by the ISO/IEC 19770-2 standard, support comprehensive software asset management and cybersecurity procedures throughout a software product's deployment lifecycle.

The Common Platform Enumeration (CPE) is a standardized method of naming classes of applications, operating systems, and hardware devices that may be present on computing devices. CPE is one of 11 specifications that are part of the Security Content Automation Protocol (SCAP) Version 1.2. Because CPE names are used extensively in the SCAP and related vulnerability management community use cases (including the National Vulnerability Database, or NVD), SWID tag derived CPE names are useful to associate vulnerability reports with vulnerability reports that reference software products that may be vulnerable. NISTIR 8085 supplies a consistent, automatic procedure for forming CPE names using pertinent SWID tag attribute values.

[Note: The email used for providing public comments is the same as the email used for NISTIR 8060.]

The public comment period closed on January 8, 2016
Questions? Send email to : nistir8060-comments@nist.gov

Draft NISTIR 8085

Dec 02, 2015

SP 800-178

DRAFT A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC)

NIST requests public comments on Draft NIST Special Publication 800-178, A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services. Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) are very different attribute based access control standards with similar goals and objectives. The aim of both is to provide a standardized way for expressing and enforcing vastly diverse access control policies on various types of data services. However, the two standards differ with respect to the manner in which access control policies are specified, managed, and enforced.

This document describes XACML and NGAC, and then compares them with respect to five criteria. The goal of this publication is to help ABAC users and vendors make informed decisions when addressing future data service policy enforcement requirements.

The specific areas where comments are solicited are:

  • Accuracy in the description of the XACML and NGAC frameworks; and
  • Analysis

*The PDF of the draft was updated on December 15, 2015--see the Note to Reviewers on p. iii for details. (You may need to reload/re-save the PDF to see the changes.)

The public comment period closed on January 15, 2016
Questions? Send email to : sp800-178@nist.gov

Draft SP 800-178
Comment Template

Nov 02, 2015

SP 1800-4

DRAFT Mobile Device Security: Cloud and Hybrid Builds

Mobile devices allow employees to access information resources wherever they are, whenever they need. The constant Internet access available through a mobile device's cellular and Wi-Fi connections has the potential to make business practices more efficient and effective. As mobile technologies mature, employees increasingly want to use mobile devices to access corporate enterprise services, data, and other resources to perform work-related activities. Unfortunately, security controls have not kept pace with the security risks that mobile devices can pose.

If sensitive data is stored on a poorly secured mobile device that is lost or stolen, an attacker may be able to gain unauthorized access to that data. Even worse, a mobile device with remote access to sensitive organizational data could be leveraged by an attacker to gain access to not only that data, but also any other data that the user is allowed to access from that mobile device. The challenge lies in ensuring the confidentiality, integrity, and availability of the information that a mobile device accesses, stores, and processes. Despite the security risks posed by today's mobile devices, enterprises are under pressure to accept them due to several factors, such as anticipated cost savings and employees' demand for more convenience.

Solution

The NIST Cybersecurity Practice Guide, Mobile Device Security: Cloud and Hybrid Builds, demonstrates how commercially available technologies can meet your organization's needs to secure sensitive enterprise data accessed by and/or stored on employees' mobile devices.

In our lab at the National Cybersecurity Center of Excellence (NCCoE), we built an environment based on typical mobile devices and an enterprise email, calendaring, and contact management solution.

We demonstrate how security can be supported throughout the mobile device lifecycle. This includes how to:

  • configure a device to be trusted by the organization
  • maintain adequate separation between the organization's data and the employee's personal data stored on or accessed from the mobile device
  • handle the de-provisioning of a mobile device that should no longer have enterprise access (e.g., device lost or stolen, employee leaves the company.

The public comment period closed on January 8, 2016
Questions? Send email to : mobile-nccoe@nist.gov

Draft SP 1800-4a: Executive Summary (PDF)
Draft SP 1800-4a: Executive Summary (HTML5)
Draft SP 1800-4b:: Approach, Architecture, and Security Characteristics (PDF)
Draft SP 1800-4b: Approach, Architecture, and Security Characteristics (HTML5)
Draft SP 1800-4c: How-To Guides (PDF)
Draft SP 1800-4c: How To Guides (HTML5)
Draft SP 1800-4: Zip File includes all volumes & including supplemental files
Submit Comments
Project Homepage
NIST Press Release

Oct 26, 2015

SP 1800-5

DRAFT IT Asset Management: Financial Services

NIST's NCCoE program is excited to announce the release of the latest NIST Cybersecurity Practice Guide, "IT Asset Management" for the Financial Services sector. The document is a draft, and NIST welcomes your comments and feedback (see links below for comment form page).

What's the guide about?

Financial institutions deploy a wide array of information technology devices, systems, and applications across a wide geographic area. While these physical assets can be labeled and tracked using bar codes and databases, understanding and controlling the cybersecurity resilience of those systems and applications is a much larger challenge. Not being able to track the location and configuration of networked devices and software can leave an organization vulnerable to security threats. Additionally, many financial organizations include subsidiaries, branches, third-party partners, and contractors as well as temporary workers and guests; tracking and managing hardware and software across these groups adds another layer of complexity.

To address this cybersecurity challenge, NCCoE security engineers developed an example solution that allows an organization to centrally monitor and gain deeper insight into their entire IT asset portfolio with an automated platform. Using open source and commercially available technologies, this example solution addresses questions such as "What operating systems are our laptops running?" and "Which devices are vulnerable to the latest threat?"

The example solution gives companies the ability to track, manage, and report on information assets throughout their entire life cycle. This can ultimately increase cybersecurity resilience by enhancing the visibility of assets, identifying vulnerable assets, enabling faster response to security alerts, revealing which applications are actually being used, and reducing help desk response times.

The public comment period closed on January 8, 2016
Questions? Send email to : financial_nccoe@nist.gov

Draft SP 1800-5a: Executive Summary (PDF)
Draft SP 1800-5a: Executive Summary (HTML5)
Draft SP 1800-5b: Approach, Architecture, and Security Characteristics (PDF)
Draft SP 1800-5b: Approach, Architecture, and Security Characteristic (HTML5)
Draft SP 1800-5c: How-To Guides (PDF)
Draft SP 1800-5c: How-To Guides (HTML5)
Submit Comments
Project Homepage
NIST Press Release

Sep 29, 2015

SP 1800-3

DRAFT Attribute Based Access Control

NIST requests public comments on Draft NIST Cybersecurity Practice Guide 1800-3, Attribute Based Access Control.

Most businesses today use Role Based Access Control (RBAC) to assign access to networks and systems based on job title or defined role. But if an employee changes roles or leaves the company, an administrator must manually change access rights accordingly-perhaps within several systems. As organizations expand and contract, partner with external vendors or systems, and modernize systems, this method of managing user access becomes increasingly difficult and inefficient.

To help address this growing cybersecurity challenge and support the next generation of identity management, security engineers at the National Cybersecurity Center of Excellence (NCCoE) developed a reference design for an Attribute Based Access Control (ABAC) system. ABAC is an advanced method for managing access rights for people and systems connecting to networks and assets, offering greater efficiency, flexibility, scalability, and security. In fact, Gartner recently predicted that "by 2020, 70% of enterprises will use attribute-based access control...as the dominant mechanism to protect critical assets, up from less than 5% today."

This newly available practice guide provides IT and security engineers with critical information they can use to recreate the example solution with the same or similar technologies. Our solution is guided by NIST standards and industry best practices.

The public comment period closed on December 4, 2015
Questions? Send email to : abac-nccoe@nist.gov

Draft SP 1800-3a: Executive Summary
Draft SP 1800-3b: Approach, Architecture, and Security Characteristics
Draft SP 1800-3c: How-To Guides
All files (.zip)
Project Homepage
NIST Press Release

Aug 25, 2015

SP 1800-2

DRAFT Identity and Access Management for Electric Utilities

The NCCoE has released a draft the latest NIST Cybersecurity Practice Guide 1800-2, Identity and Access Management for Electric Utilities, and invites you to download the draft and provide feedback.

The electric power industry is upgrading older, outdated infrastructure to take advantage of emerging technologies, but this also means greater numbers of technologies, devices, and systems connecting to the grid that need protection from physical and cybersecurity attacks. Additionally, many utilities run identity and access management (IdAM) systems that are decentralized and controlled by numerous departments. Several negative outcomes can result from this: an increased risk of attack and service disruption, an inability to identify potential sources of a problem or attack, and a lack of overall traceability and accountability regarding who has access to both critical and noncritical assets.

To help the energy sector address this cybersecurity challenge, security engineeres at the National Cybersecurity Center of Excellence (NCCoE) developed an example solution that utilities can use to more securely and efficiently manage access to the networked devices and facilities upon which power generation, transmission, and distribution depend. The solution demonstrates a centralized IdAM platform that can provide a comprehensive view of all users within the enterprise across all silos, and the access rights users have been granted, using multiple commercially available products.

Electric utilities can use some or all of the guide to implement a centralized IdAM system using NIST and industry standards, including North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP). Commercial, standards-based products, like the ones we used, are easily available and interoperable with commonly used information technology infrastructure and investments.

The public comment period closed on October 23, 2015
Questions? Send email to : energy_nccoe@nist.gov

Draft SP 1800-2a: Executive Summary
Draft SP 1800-2b: Approach, Architecture, and Security Characteristics
Draft SP 1800-2c: How-To Guides
Supplemental Files (.zip)
All Files (.zip)
Project Homepage
NIST Press Release

Jul 28, 2015

SP 1800-1

DRAFT Securing Electronic Health Records on Mobile Devices

NIST announces the public comment period for Draft NIST Cybersecurity Practice Guide SP 1800-1, Securing Electronic Health Records on Mobile Devices.

The use of mobile devices in health care sometimes outpaces the privacy and security protections on those devices. Stolen personal information can have negative financial impacts, but stolen medical information cuts to the very core of personal privacy. Medical identity theft already costs billions of dollars each year, and altered medical information can put a person's health at risk through misdiagnosis, delayed treatment, or incorrect prescriptions.

Cybersecurity experts at the National Cybersecurity Center of Excellence (NCCoE) collaborated with health care industry leaders and technology vendors to develop an example solution to show health care organizations how they can secure electronic health records on mobile devices. The guide provides IT implementers and security engineers with a detailed architecture so that they can recreate the security characteristics of the example solution with the same or similar technologies. Our solution is guided by relevant standards and best practices from NIST and others, including those in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The public comment period closed on September 25, 2015
Questions? Send email to : HIT_NCCoE@nist.gov

Draft SP 1800-1a: Executive Summary
Draft SP 1800-1b: Approach, Architecture and Security Characteristics
Draft SP 1800-1c: How-To Guides
Draft SP 1800-1d: Standards and Controls Mapping
Draft SP 1800-1e: Risk Assessment and Outcomes
All files (.zip)
Project Homepage
NIST Press Release

May 28, 2015

NISTIR 8062

DRAFT Privacy Risk Management for Federal Information Systems

NIST requests comments on the draft report NISTIR 8062, Privacy Risk Management for Federal Information Systems, which describes a privacy risk management framework for federal information systems. The framework provides the basis for establishing a common vocabulary to facilitate better understanding of - and communication about - privacy risks and the effective implementation of privacy principles in federal information systems.

Background:

Expanding opportunities in cloud computing, big data, and cyber-physical systems are bringing dramatic changes to how we use information technology. While these technologies bring advancements to U.S. national and economic security and our quality of life, they also pose risks to individuals' privacy.

Privacy Risk Management for Federal Information Systems (NISTIR 8062) introduces a privacy risk management framework for anticipating and addressing risks to individuals' privacy. In particular, it focuses on three privacy engineering objectives and a privacy risk model. To develop this document, NIST conducted significant public outreach and research. We are soliciting public comments on this draft to obtain further input on the proposed privacy risk management framework, and we expect to publish a final report based on this additional feedback.

Note to Reviewers:

To facilitate public review, we have compiled a number of topics of interest to which we would like reviewers to respond. Please keep in mind that it is not necessary to respond to all topics listed below, Reviewers should also feel free to suggest other areas of revision or enhancement to the document.

  • Privacy Risk Management Framework: Does the framework provide a process that will help organizations make more informed system development decisions with respect to privacy? Does the framework seem likely to help bridge the communication gap between technical and non-technical personnel? Are there any gaps in the framework?
  • Privacy Engineering Objectives: Do these objectives seem likely to assist system designers and engineers in building information systems that are capable of supporting agencies' privacy goals and requirements? Are there properties or capabilities that systems should have that these objectives do not cover?
  • Privacy Risk Model:
    • Does the equation seem likely to be effective in helping agencies to distinguish between cybersecurity and privacy risks?
    • Can data actions be evaluated as the document proposes? Is the approach of identifying and assessing problematic data actions usable and actionable?
    • Should context be a key input to the privacy risk model? If not, why not? If so, does this model incorporate context appropriately? Would more guidance on the consideration of context be helpful?
    • The NISTIR describes the difficulty of assessing the impact of problematic data actions on individuals alone, and incorporates organizational impact into the risk assessment. Is this appropriate or should impact be assessed for individuals alone? If so, what would be the factors in such an assessment

The public comment period closed on July 31, 2015
Questions? Send email to : privacyeng@nist.gov

Draft NISTIR 8062
Comment Template

May 01, 2015

NISTIR 8058

DRAFT Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content

NIST announces the public comment release of NIST Internal Report (NIST IR 8058), Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content. SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. Over time, certain stylistic conventions regarding the authoring of SCAP 1.2 content have become best practices. They improve the quality of SCAP content in several ways, such as improving the accuracy and consistency of results, avoiding performance problems, reducing user effort, lowering content maintenance burdens, and enabling content reuse. This document has been created to capture the best practices and encourage their use by SCAP content authors and maintainers.

The public comment period closed on July 1, 2015
Questions? Send email to : NISTIR8058-comments@nist.gov

Draft NISTIR 8058

Apr 02, 2015

NISTIR 8050

DRAFT Executive Technical Workshop on Improving Cybersecurity and Consumer Privacy: Summary and Next Steps

Draft NISTIR 8050 summarizes the Executive Technical Workshop on Improving Cybersecurity and Consumer Privacy, held in collaboration with Stanford University, which brought together chief technology officers, information officers, and security executives to discuss the challenges their organizations and industries face in implementing advanced cybersecurity and privacy technologies.

The public comment period closed on July 17, 2015
Questions? Send email to : consumer-nccoe@nist.gov

Draft NISTIR 8050

Dec 16, 2014

NISTIR 7621 Rev. 1

DRAFT Small Business Information Security: the Fundamentals

NIST, as a partner with the Small Business Administration and the Federal Bureau of Investigation in an information security awareness outreach to the small business community, developed this NISTIR as a reference guideline for small businesses. This document is intended to present the fundamentals of a small business information security program in non-technical language.

The public comment period closed on February 9, 2015
Questions? Send email to : smallbizsecurity@nist.gov

Draft NISTIR 7621 Rev. 1

Oct 20, 2014

SP 800-125A

DRAFT Security Recommendations for Hypervisor Deployment

NIST announces the public comment release of NIST Special Publication 800-125A, Security Recommendations for Hypervisor Deployment. Server Virtualization (enabled by Hypervisor) is finding widespread adoption in enterprise data centers both for hosting in-house applications as well as for providing computing resources for cloud services. The hypervisor provides abstraction of all physical resources (such as CPU, Memory, Network and Storage) and thus enables multiple computing stacks (each consisting of an O/S (called Guest O/S), Middleware and a set of Application programs) to be run on a single physical host (referred to virtualized host or hypervisor host).

Since the NIST publication of SP 800-125 (Guide to Security for Full Virtualization Technologies) in January 2011, both the feature set of hypervisors as well as the tools for configuration and administration of virtualized infrastructure spawned by the hypervisor has seen considerable increase. This has generated the need to develop security recommendations for secure deployment of hypervisor platforms. This special publication defines a focused set of twenty-two security recommendations (in terms of architectural choices and configuration settings), intended to ensure secure execution of tasks performed by the hypervisor components under the umbrella of five baseline functions.

The public comment period closed on November 10, 2014.

Draft SP 800-125A

Aug 06, 2014

SP 800-85B-4

DRAFT PIV Data Model Test Guidelines

NIST has produced a revised version of NIST Special Publication (SP) 800-85B, PIV Data Model Conformance Test Guidelines. The revisions include additional tests necessary to test new features added to the PIV Data Model in SP 800-73-4 Parts 1. This document, after a review and comment period, will be published as NIST SP 800-85B-4.

NOTE: NIST has made a one-time change in the revision number of SP 800-85B (skipping revision numbers 2 and 3) so we can align the current publication revision to SP 800-73-4.

The public comment period closed on September 5, 2014
Questions? Send email to : piv_comments@nist.gov

Draft SP 800-85B-4
Comment Template

Jun 23, 2014

NISTIR 8006

DRAFT NIST Cloud Computing Forensic Science Challenges

This document summarizes the research performed by the members of the NIST Cloud Computing Forensic Science Working Group, and aggregates, categorizes and discusses the forensics challenges faced by experts when responding to incidents that have occurred in a cloud-computing ecosystem. The challenges are presented along with the associated literature that references them. The immediate goal of the document is to begin a dialogue on forensic science concerns in cloud computing ecosystems. The long-term goal of this effort is to gain a deeper understanding of those concerns (challenges) and to identify technologies and standards that can mitigate them.

The public comment period closed on August 25, 2014
Questions? Send email to : nistir8006@nist.gov

Draft NISTIR 8006
Comment Template

May 29, 2014

NISTIR 7924

DRAFT Reference Certificate Policy

NIST announces the public comment release of second draft of NIST Interagency Report (NISTIR) 7924, Reference Certificate Policy. The purpose of this document is to identify a set of security controls and practices to support the secure issuance of certificates. It was written in the form of a Certificate Policy (CP), a standard format for defining the expectations and requirements of the relying party community that will trust the certificates issued by its Certificate Authorities (CAs).

NIST released the first draft of this publication in April 2013 and received extensive public comments. This revised draft incorporates changes requested by commenters, many intended to improve the security controls identified in the document, provide additional flexibility for CAs, and clarify ambiguities in the previous release.

The public comment period closed on August 1, 2014
Questions? Send email to : nistir7924-comments@nist.gov

Second Draft NISTIR 7924
Comment Template

Mar 14, 2014

SP 800-16 Rev. 1

DRAFT A Role-Based Model for Federal Information Technology/Cybersecurity Training

NIST announces the release of Draft Special Publication (SP) 800- 16 Revision 1 (3rd public draft), A Role-Based Model For Federal Information Technology/Cyber Security Training for public comment. SP 800-16 describes information technology / cyber security role-based training for Federal Departments and Agencies and Organizations (Federal Organizations). Its primary focus is to provide a comprehensive, yet flexible, training methodology for the development of training courses or modules for personnel who have been identified as having significant information technology / cyber security responsibilities.

The public comment period closed on April 30, 2014
Questions? Send email to : sp80016-comments@nist.gov

Draft SP 800-16 Rev. 1 (3rd draft)

Mar 07, 2014

NISTIR 7981

DRAFT Mobile, PIV, and Authentication

NIST announces public comment release of NISTIR 7981, Mobile, PIV, and Authentication. NIST IR 7981 analysis and summarizes various current and near-term options for remote authentication with mobile devices that leverage both the investment in the PIV infrastructure and the unique security capabilities of mobile devices.

The public comment period closed on April 21, 2014
Questions? Send email to : piv_comments@nist.gov

Draft NISTIR 7981
Comment Template

May 05, 2013

SP 500-299

DRAFT NIST Cloud Computing Security Reference Architecture

The NIST Cloud Computing Security Working Group (NCC-SWG) issued Draft SP 500-299, NIST Cloud Computing Security Reference Architecture, in May 2013. See the NCC-SWG homepage for additional details.

NIST Cloud Computing Security Working Group homepage
Draft SP 500-299

Oct 31, 2012

SP 800-164

DRAFT Guidelines on Hardware-Rooted Security in Mobile Devices

NIST announces the public comment release of the draft NIST SP 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices . The guidelines in this document are intended to provide a common baseline of security technologies that can be implemented across a wide range of mobile devices to help secure organization-issued mobile devices as well as devices brought into an organization, such as personally-owned devices used in enterprise environments (e.g., Bring Your Own Device, BYOD). It focuses on providing three security capabilities- device integrity, isolation, and protected storage- through the use of hardware-based roots of trust.

The intended audience for this document includes mobile Operating System (OS) vendors, device manufacturers, security software vendors, carriers, application software developers and information system security professionals who are responsible for managing the mobile devices in an enterprise environment.

The public comment period closed on December 14, 2012
Questions? Send email to : 800-164comments@nist.gov

Draft SP 800-164

Jul 25, 2012

SP 800-94 Rev. 1

DRAFT Guide to Intrusion Detection and Prevention Systems (IDPS)

NIST announces the public comment release of Draft Special Publication (SP) 800-94 Revision 1, Guide to Intrusion Detection and Prevention Systems (IDPS). This publication describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: network-based, wireless, network behavior analysis (NBA), and host-based. Draft SP 800-94 Revision 1 updates the original SP 800-94, which was released in 2007.

The public comment period closed on August 31, 2012
Questions? Send email to : 800-94comments@nist.gov

Draft SP 800-94 Rev. 1

May 07, 2012

NISTIR 7848

DRAFT Specification for the Asset Summary Reporting Format 1.0

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7848, Specification for the Asset Summary Reporting Format 1.0. NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing the data exchange format of summary information relative to one or more metrics. ASR reduces the bandwidth requirement to report information about assets in the aggregate since it allows for reporting aggregates relative to metrics, as opposed to reporting data about each individual asset, which can lead to a bloated data exchange. ASR is vendor neutral and leverages widely adopted, open specifications; it is flexible, and suited for a wide variety of reporting applications.

The public comment period closed on June 6, 2012
Questions? Send email to : asr-comments@nist.gov

Draft NISTIR 7848

Jan 20, 2012

NISTIR 7800

DRAFT Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7800, Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains. This publication binds together the Continuous Monitoring workflows and capabilities described in NIST IR 7799 to specific data domains. It focuses on the Asset Management, Configuration and Vulnerability data domains. It leverages the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability scan content, and it dictates reporting results in an SCAP-compliant format. This specification describes an overview of the approach to each of the three domains, how they bind to specific communication protocols, and how those protocols interact. It then defines the specific requirements levied upon the various capabilities of the subsystems defined in NIST IR 7799 that enable each data domain.

The public comment period closed on February 17, 2012
Questions? Send email to : fe-comments@nist.gov

Draft NISTIR 7800

Jan 06, 2012

SP 800-117 Rev. 1

DRAFT Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2

NIST announces the public comment release of draft Special Publication (SP) 800-117 Revision 1, Guide to Adopting and Using the Security Content Automation Protocol (SCAP) Version 1.2. The purpose of this document is to provide an overview of SCAP version 1.2. This document discusses SCAP at a conceptual level, focusing on how organizations can use SCAP-enabled tools to enhance their security posture. It also explains to IT product and service vendors how they can adopt SCAP version 1.2 capabilities within their offerings. The intended audience for this document is individuals who have responsibilities for maintaining or verifying the security of systems in operational environments.

The public comment period closed on February 17, 2012
Questions? Send email to : 800-117comments@nist.gov

Draft SP 800-117 Rev. 1

Jan 06, 2012

NISTIR 7799

DRAFT Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications

NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7799, Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications. This publication provides the technical specifications for the continuous monitoring (CM) reference model presented in NIST IR 7756. These specifications enable multi-instance CM implementations, hierarchical tiers, multi-instance dynamic querying, sensor tasking, propagation of policy, policy monitoring, and policy compliance reporting. A major focus of the specifications is on workflows that describe the coordinated operation of all subsystems and components within the model. Another focus is on subsystem specifications that enable each subsystem to play its role within the workflows. The final focus is on interface specifications that supply communication paths between subsystems. These three sets of specifications (workflows, subsystems, and interfaces) are written to be data domain agnostic, which means that they can be used for CM regardless of the data domain that is being monitored.

The public comment period closed on February 17, 2012
Questions? Send email to : fe-comments@nist.gov

Draft NISTIR 7799

Jan 06, 2012

NISTIR 7756

DRAFT CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture

NIST announces the second public comment release of Draft NIST Interagency Report (NISTIR) 7756, CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture. This publication presents an enterprise continuous monitoring technical reference architecture that extends the framework provided by the Department of Homeland Security's CAESARS architecture. The goal is to facilitate enterprise continuous monitoring by presenting a reference architecture that enables organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness. The model design is focused on enabling organizations to realize this capability by leveraging their existing security tools and thus avoiding complicated and resource intensive custom tool integration efforts.

The public comment period closed on February 17, 2012
Questions? Send email to : fe-comments@nist.gov

Draft NISTIR 7756 (2nd public draft)

Dec 08, 2011

SP 800-155

DRAFT BIOS Integrity Measurement Guidelines

NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS is a critical security component in systems due to its unique and privileged position within the personal computer (PC) architecture. A malicious or outdated BIOS could allow or be part of a sophisticated, targeted attack on an organization -either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware). The guidelines in this document are intended to facilitate the development of products that can detect problems with the BIOS so that organizations can take appropriate remedial action to prevent or limit harm. The security controls and procedures specified in this document are oriented to desktops and laptops deployed in an enterprise environment.

The public comment period closed on January 20, 2012
Questions? Send email to : 800-155comments@nist.gov

Draft SP 800-155

Back to Top