Drafts Open for Comment

Comment periods are still open for the draft publications listed below. Select the publication title for more information about draft downloads, information, and instructions for submitting comments. Your thoughtful reviews and comments are greatly appreciated and help us to improve our standards and guidance.

Also see a complete list of public drafts that includes those whose comment periods have closed.

Showing 8 matching records.

In today’s cloud data centers and edge computing, attack surfaces have significantly increased, hacking has become industrialized, and most security control implementations are not coherent or consistent. The foundation of any data center or edge computing security strategy should be securing the pl...

FIPS 201-3 Workshop:  A public virtual workshop will be held on December 9, 2020 to present Draft FIPS 201-3. Please visit the Draft FIPS 201-3 event page for agenda and registration details. For all other inquiries, please email piv_comments@nist.gov.   This Standard defines common credentials an...

Draft NISTIR 8259C describes a process, usable by any organization, that starts with the core baselines provided in NISTIRs 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop...

Draft NISTIR 8259D provides a worked example result of applying the NISTIR 8259C process, focused on the federal government customer space, where the requirements of the FISMA process and the SP 800-53 security and privacy controls catalog are the essential guidance. NISTIR 8259D provides a device-c...

This draft includes background and recommendations to help federal agencies consider how an IoT device they plan to acquire can integrate into a federal information system. IoT devices and their support for security controls are presented in the context of organizational and system risk management....

Draft NISTIR 8259B complements the NISTIR 8259A device cybersecurity core baseline by detailing additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties. This non-technical baseline collects and makes explicit supporting capabilities like do...

This report provides a more in-depth discussion of the concepts introduced in the NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). It specifically highlights that cybersecurity risk management (CSRM) is an integral part of ERM—both taking its direction from ERM and inform...

Organizations frequently share information through various information exchange channels based on mission and business needs. In order to protect the confidentiality, integrity, and availability of exchanged information commensurate with risk, the information being exchanged requires protection at t...