Drafts Open for Comment

Many of NIST's cybersecurity and privacy publications are posted as drafts for public comment. Comment periods are still open for the following publications. Select the publication title to access downloads, related content, and instructions for submitting comments. Your thoughtful reviews and comments are greatly appreciated and help us to improve our standards and guidance.

Also see a complete list of public drafts that includes those whose comment periods have closed.

In the digital age, the accurate identification of individuals is paramount to ensuring security, privacy, and trust in online interactions. Whether it's for accessing medical records, applying for benefits, or engaging in other high-stakes transactions, the need to confirm the identity and...

This document presents a comprehensive framework designed to enhance traceability across manufacturing supply chains, focusing on improving product provenance, pedigree, and supply chain transparency. The Meta-Framework introduces key concepts such as trusted data repositories, ecosystems, and...

Verifying the security properties of access control policies is a complex and critical task. The policies and their implementation often do not explicitly express their underlying semantics, which may be implicitly embedded in the logic flows of policy rules, especially when policies are combined....

The Cryptographic Module Validation Program (CMVP) validates third-party assertions that cryptographic module implementations satisfy the requirements of Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules. The NIST National...

NIST provides cryptographic key management guidance for defining and implementing appropriate key-management procedures, using algorithms that adequately protect sensitive information, and planning for possible changes in the use of cryptography because of algorithm breaks or the availability of...

Supply chain risk assessments start with due diligence. Acquirers who make procurement decisions need to be informed about potential supplier risks before those decisions are executed. Consequently, many acquisition operating procedures strongly recommend or even require an assessment of a...

This report studies the cryptographic random number generation standards and guidelines written by Germany’s Federal Office for Information Security (BSI) and NIST, namely AIS 20/31 and the NIST Special Publication (SP) 800-90 series. It compares these publications, focusing on the similarities and...