Drafts Open for Comment

Many of NIST's cybersecurity and privacy publications are posted as drafts for public comment. Comment periods are still open for the following publications. Select the publication title to access downloads, related content, and instructions for submitting comments. Your thoughtful reviews and comments are greatly appreciated and help us to improve our standards and guidance.

Also see a complete list of public drafts that includes those whose comment periods have closed.

Showing 9 matching records.

This initial public draft provides guidance on how to improve the security of Operational Technology (OT) systems while addressing their unique performance, reliability, and safety requirements. OT encompasses a broad range of programmable systems or devices that interact with the physical enviro...

The Zero Trust Architecture (ZTA) team at NIST's National Cybersecurity Center of Excellence (NCCoE) has published volume A of a preliminary draft practice guide titled "Implementing a Zero Trust Architecture" and is seeking the public's comments on its contents. This guide summarizes how the NCCoE...

This final public draft offers significant content and design changes that include a renewed emphasis on the importance of systems engineering and viewing systems security engineering as a critical subdiscipline necessary to achieving trustworthy secure systems. This perspective treats security as a...

This draft introduces four significant changes to NIST SP 800-140B: defines a more detailed structure and organization for the Security Policy; captures Security Policy requirements that are defined outside of ISO/IEC 19790 and ISO/IEC 24759; builds the Security Policy document as a combinat...

Traditional business impact analyses (BIAs) have been successfully used for business continuity and disaster recovery (BC/DR) by triaging damaged infrastructure recovery actions that are primarily based on the duration and cost of system outages (i.e., availability compromise). However, BIA analyses...

What Is This Guide About? Technologies today rely on complex, globally distributed and interconnected supply chain ecosystems to provide reusable solutions. Organizations are increasingly at risk of cyber supply chain compromise, whether intentional or unintentional. Managing cyber supply chain r...

Calculating the severity of information technology vulnerabilities is important for prioritizing vulnerability remediation and helping to understand the risk of a vulnerability. The Common Vulnerability Scoring System (CVSS) is a widely used approach to evaluating properties that lead to a successfu...

NIST's Cybersecurity for the Internet of Things (IoT) program has released two new draft documents for public comment: A Discussion Essay titled Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity. This discussion paper presents some grounding for risk identif...

The national and economic security of the United States (US) is dependent upon the reliable functioning of the nation’s critical infrastructure. Positioning, Navigation, and Timing (PNT) services are widely deployed throughout this infrastructure. In a government-wide effort to mitigate the potentia...