Search Results

Showing 88 matching records.

Draft: Summary: NIST plans to update NIST IR 7621 Rev. 1, Small Business Information Security: The Fundamentals and is issuing this Pre-Draft Call for Comments to solicit feedback. The public is invited to provide input by 12 p.m. ET on May 16, 2024. Details: Since NIST IR 7621 Revision 1 was publish...

ir7621-comments@nist.gov
Comments due by: 03/18/2024

Draft: Quick-start guides are supplemental resources for the NIST Cybersecurity Framework (CSF) 2.0. See more information on CSF 2.0 quick-start guides. NIST seeks comments on this initial public draft by May 3, 2024. Submit comments to cyberframework@nist.gov.

cyberframework@nist.gov
Comments due by: 02/26/2024

Draft: Quick-start guides are supplemental resources for the NIST Cybersecurity Framework (CSF) 2.0. See more information on CSF 2.0 quick-start guides. NIST seeks comments on this initial public draft by May 3, 2024. Submit comments to cyberframework@nist.gov.

cyberframework@nist.gov
Comments due by: 02/26/2024

Draft: Since the NIST Cybersecurity Framework (CSF) was first released in 2014, the CSF has been used by communities with shared interests in cybersecurity risk management. These communities developed what are now called “Community Profiles” to outline shared interests, goals, and outcomes within a specifi...

framework-profiles@nist.gov
Comments due by: 02/26/2024

Draft: Quick-start guides are supplemental resources for the NIST Cybersecurity Framework (CSF) 2.0. See more information on CSF 2.0 quick-start guides. NIST seeks comments on this initial public draft by May 3, 2024. Submit comments to cyberframework@nist.gov.

cyberframework@nist.gov
Comments due by: 02/26/2024

Draft: Summary: NIST seeks to update and improve the guidance in Special Publication (SP) 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. Specifically, NIST seeks feedback on the document’s current use, proposed updates in the initial working draft and informati...

sec-cert@nist.gov
Comments due by: 01/31/2024

Draft: NoSQL (i.e., “not only SQL” or “non-SQL”) database systems and data stores often outperform traditional relational database management systems (RDBMSs) in various aspects, such as data analysis efficiency, system performance, ease of deployment, flexibility/scalability of data management, and users’...

ir8504-comments@nist.gov
Comments due by: 01/30/2024

Draft: The Addressing Visibility Challenges with TLS 1.3 project builds on the NCCoE's earlier work, TLS Server Certificate Management, which showed organizations how to centrally monitor and manage their TLS certificates. We are now focusing on protocol enhancements such as TLS 1.3 which have helped...

Draft: The initial public drafts (ipd) of NIST Special Publication (SP) 800-55, Measurement Guide for Information Security, Volume 1 – Identifying and Selecting Measures and Volume 2 – Developing an Information Security Measurement Program are available for comment after extensive research, developmen...

cyber-measures@list.nist.gov
Comments due by: 01/17/2024

Draft: The initial public drafts (ipd) of NIST Special Publication (SP) 800-55, Measurement Guide for Information Security, Volume 1 – Identifying and Selecting Measures and Volume 2 – Developing an Information Security Measurement Program are available for comment after extensive research, developmen...

cyber-measures@list.nist.gov
Comments due by: 01/17/2024

Draft: Summary: NIST plans to update Special Publication (SP) 800-100, Information Security Handbook: A Guide for Managers, and is issuing this Pre-Draft Call for Comments to solicit feedback from users. The public is invited to provide input by February 23, 2024. Details: Since SP 800-100 was published i...

sp800-100-comments@nist.gov
Comments due by: 01/09/2024

Draft: The National Cybersecurity Center of Excellence (NCCoE) has published for comment the Preliminary Draft of Volumes B and C for NIST SP 1800-38A, Migration to Post-Quantum Cryptography. The public comment period for this draft is open through February 20, 2024. NIST SP 1800-38B, Quantum Readiness...

Draft: NIST SP 800-79r3 ipd, Guidelines for the Authorization of PIV Card and Derived PIV Credential Issuers, expands the set of issuer controls to include new and updated requirements from FIPS 201-3, its supporting updated publications (e.g., SP 800-157r1, SP 800-76r2, etc.) and newly-issued OMB Memorand...

piv_comments@nist.gov
Comments due by: 12/13/2023

Draft: This publication is about differential privacy, a privacy-enhancing technology that quantifies privacy risk to individuals when their information appears in a dataset. In response to President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence...

privacyeng@nist.gov
Comments due by: 12/11/2023

Draft: Data classification is the process an organization uses to characterize its data assets using persistent labels so those assets can be managed properly. Data classification is vital for protecting an organization’s data at scale because it enables application of cybersecurity and privacy protection...

data-nccoe@nist.gov
Comments due by: 11/15/2023

Draft: This initial public draft is being released along with NIST SP 800-171r3 fpd (final public draft). In addition to reflecting the security requirements in NIST SP 800-171r3 fpd, the following significant changes have been made: Restructured the assessment procedure syntax to align with NIST SP 80...

800-171comments@list.nist.gov
Comments due by: 11/09/2023

Draft: This update to NIST SP 800-171 represents over one year of data collection, technical analyses, customer interaction, redesign, and development of the security requirements and supporting information for the protection of Controlled Unclassified Information (CUI). Many trade-offs have been made to e...

800-171comments@list.nist.gov
Comments due by: 11/09/2023

Draft: The NIST National Cybersecurity Center of Excellence (NCCoE) has released the second preliminary drafts of volumes B, C, and E of NIST SP 1800-36, Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management. The comment period is open through December 15, 2023. About the...

iot-onboarding@nist.gov
Comments due by: 10/31/2023

Draft: Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. It facilitates log usage and analysis for many purposes, including identifying and investigating cybersecurity incidents, finding operational issues, and ensuring that records are stored for th...

log-mgmt@nist.gov
Comments due by: 10/11/2023

Draft: In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) Credentials – including the credentials on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently...

piv_comments@nist.gov
Comments due by: 09/27/2023

Draft: In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) Credentials – including the credentials on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently...

piv_comments@nist.gov
Comments due by: 09/27/2023

Draft: In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) Credentials – including the credentials on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently...

piv_comments@nist.gov
Comments due by: 09/27/2023

Draft: In January 2022, NIST revised Federal Information Processing Standard (FIPS) 201, which establishes standards for the use of Personal Identity Verification (PIV) Credentials – including the credentials on PIV Cards. NIST Special Publication (SP) 800-73-5: Parts 1–3 and SP 800-78-5 have subsequently...

piv_comments@nist.gov
Comments due by: 09/27/2023

Draft: The Zero Trust Architecture (ZTA) team at NIST's National Cybersecurity Center of Excellence (NCCoE) has released the second version of volume E of a preliminary draft practice guide titled Implementing a Zero Trust Architecture and is seeking the public's comments on the contents. This guide s...

nccoe-zta-coi@list.nist.gov
Comments due by: 09/12/2023

Draft: To support implementation of the research cybersecurity effort detailed in Section 10229 of the CHIPS and Science Act, NIST is leading an initiative to disseminate and make publicly available resources to help qualifying institutions of higher education identify, assess, manage, and...

cyber4R&D@nist.gov
Comments due by: 08/31/2023

Draft: Cybersecurity awareness and training resources, methodologies, and requirements have evolved since NIST SP 800-50 was introduced in 2003. New guidance from the National Defense Authorization Act (NDAA) for FY2021 and the Cybersecurity Enhancement Act of 2014 have informed this revision. In addition,...

Draft: NIST requests comments on three draft Federal Information Processing Standards (FIPS): FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard; FIPS 204, Module-Lattice-Based Digital Signature Standard; FIPS 205, Stateless Hash-Based Digital Signature Standard. These proposed st...

fips-203-comments@nist.gov
Comments due by: 08/24/2023

Draft: NIST requests comments on three draft Federal Information Processing Standards (FIPS): FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard; FIPS 204, Module-Lattice-Based Digital Signature Standard; FIPS 205, Stateless Hash-Based Digital Signature Standard. These proposed st...

fips-205-comments@nist.gov
Comments due by: 08/24/2023

Draft: NIST requests comments on three draft Federal Information Processing Standards (FIPS): FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard; FIPS 204, Module-Lattice-Based Digital Signature Standard; FIPS 205, Stateless Hash-Based Digital Signature Standard. These proposed st...

fips-204-comments@nist.gov
Comments due by: 08/24/2023

Draft: The Zero Trust Architecture (ZTA) team at NIST's National Cybersecurity Center of Excellence (NCCoE) has published the third version of volume D of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture” and is seeking the public's comments on its contents. This guide summa...

nccoe-zta-coi@list.nist.gov
Comments due by: 08/22/2023

Draft: The Cybersecurity Framework (CSF) Profile for Genomic Data provides voluntary guidance to help organizations manage, reduce, and communicate cybersecurity and privacy risks for systems, networks, and assets that process genomic data. This publication is a follow-on effort to NIST Internal Report (IR...

genomic_cybersecurity_nccoe@nist.gov
Comments due by: 06/15/2023

Draft: Since the beginning of the Cryptographic Module Validation Program (CMVP), demands for the latest technology, cryptographic module fixes, and patch releases have outpaced NIST’s validation model. Today, NIST is working to reduce the length of the validation cycle, while maintaining and improving ass...

Draft: The Addressing Visibility Challenges with TLS 1.3 project builds on the NCCoE's earlier work, TLS Server Certificate Management, which showed organizations how to centrally monitor and manage their TLS certificates. We are now focusing on protocol enhancements such as TLS 1.3 which have helped...

Draft: Most applications on the internet are run by centralized service providers that are a single point of failure: if the provider crashes or is malicious, users may lose access to the application, or it may return erroneous or inconsistent results. Consensus algorithms and state machine replication ena...

Draft: The National Cybersecurity Center of Excellence (NCCoE) has published for comment Preliminary Draft NIST SP 1800-39A, Implementing Data Classification Practices. About the Project: Organizations are managing an increasing volume of data while maintaining compliance with policies for protectin...

Draft: NIST IR 8459 is currently being prepared for final publication. The report reviews the NIST Special Publication 800-38 series, including the limitations of the block cipher modes specified in those recommendations. Although NIST is not requesting formal public comments, NIST IR 8459 is intend...

Draft: NISTIR 8320D is the latest in a series of reports on hardware-enabled security techniques and technologies. Organizations employ a growing volume of machine identities, often numbering in the thousands or millions per organization. Machine identities, such as secret cryptographic keys, can be used...

Draft: This document addresses the need to support a cloud system’s forensic readiness, which is the ability to quickly and effectively collect digital evidence with minimal investigation costs. The document presents a reference architecture to help users understand the forensic challenges that might exis...

Draft: NIST requests public comments on NIST IR 8214C ipd (initial public draft), NIST First Call for Multi-Party Threshold Schemes, for primitives organized into two categories: Cat1: selected NIST-specified primitives; Cat2: other primitives not specified by NIST. The report specifies the various cat...

nistir-8214C-comments@nist.gov
Comments due by: 01/25/2023

Draft: Summary: This publication complements FIPS 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors. The draft guidelines in SP 800-157r1 detail the issuance and maintenance of authenticators used a...

Draft: Summary: This publication complements FIPS 201-3, which defines the requirements and characteristics of government-wide interoperable identity credentials used by federal employees and contractors. The draft guidelines in SP 800-217 provide technical requirements on the use of federated PIV ide...

Draft: NIST requests comments on the draft fourth revision to the four-volume suite of Special Publication 800-63, Digital Identity Guidelines. This publication presents the process and technical requirements for meeting the digital identity management assurance levels specified in each volume. They also p...

Draft: NIST requests comments on the draft fourth revision to the four-volume suite of Special Publication 800-63, Digital Identity Guidelines. This publication presents the process and technical requirements for meeting the digital identity management assurance levels specified in each volume. They also p...

Draft: NIST requests comments on the draft fourth revision to the four-volume suite of Special Publication 800-63, Digital Identity Guidelines. This publication presents the process and technical requirements for meeting the digital identity management assurance levels specified in each volume. They also p...

dig-comments@nist.gov
Comments due by: 12/16/2022

Draft: NIST requests comments on the draft fourth revision to the four-volume suite of Special Publication 800-63, Digital Identity Guidelines. This publication presents the process and technical requirements for meeting the digital identity management assurance levels specified in each volume. They also p...

Draft: The NIST SP 800-90 series of documents supports the generation of high-quality random bits for cryptographic and non-cryptographic use. SP 800-90A specifies several deterministic random bit generator (DRBG) mechanisms based on cryptographic algorithms. SP 800-90B provides guidance for the developmen...

Draft: This report considers signature schemes that are compatible with the verification phase of the Edwards Curve Digital Signature Algorithm (EdDSA) specified in Draft Federal Information Processing Standards (FIPS) publication 186-5. The report analyzes threshold schemes, where the private signing key...

Draft: NIST’s National Cybersecurity Center of Excellence (NCCoE) has published portions of a preliminary draft practice guide, “5G Cybersecurity,” and is seeking the public's comments on the contents. Our proposed solution contains approaches that organizations can use to better secure 5G networks through...

Draft: The initial public draft of NIST IR 8320C presents an approach for overcoming security challenges associated with creating, managing, and protecting machine identities, such as cryptographic keys, throughout their lifecycle. NOTE: A call for patent claims is included on page iii of th...

Draft: The National Cybersecurity Center of Excellence (NCCoE) has prepared Draft NISTIR 8349 for public comment. Securing a network is a complex task made more challenging when Internet of Things (IoT) devices are connected to it. NISTIR 8349 demonstrates how to use device characterization techniques and...

Draft: Publication of this project description begins a process to further identify project requirements, scope, and hardware and software components for use in a laboratory demonstration environment. The National Cybersecurity Center of Excellence (NCCoE) will solicit participation from industry to devel...

Draft: Combinatorial coverage measures have been defined and applied to a wide range of problems, including fault location and evaluating the adequacy of test inputs and input space models. More recently, methods applying coverage measures have been used in applications of artificial intelligence and machi...

Draft: The NIST Special Publication (SP) 800-140x series supports Federal Information Processing Standards (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules, and its associated validation testing program, the Cryptographic Module Validation Program (CMVP). The series specifies modif...

Draft: Structural coverage criteria are widely used tools in software engineering, useful for measuring aspects of test execution thoroughness. However, in many cases, structural coverage may not be applicable, either because source code is not available, or because processing is based on neural networks o...

Draft: Identity as a service (IDaaS) is when a company offers identity, credential, and access management (ICAM) services to customers through a software-as-a-service (SaaS) cloud-service model. Public safety organizations (PSOs) could potentially reduce costs and adopt new standards and authenticators mor...

Draft: NIST Special Publication 800-63-3 defines identity federation as “a process that allows the conveyance of identity and authentication information across a set of networked systems.” Identity federation technologies can help public safety organizations (PSOs) to share information with each other more...

Draft: Many public safety organizations (PSOs) are adopting mobile devices, such as smartphones and tablets, to provide first responders with immediate access to the sensitive information they need from any location. However, authentication requirements meant to safeguard that information, like entering a...

Draft: The purpose of this draft paper is to start a conversation about what it means to have confidence in the cybersecurity of IoT devices used by individuals and organizations and the various ways of gaining that confidence. This paper describes the landscape of confidence mechanisms that are currently...

Draft: Digital twin technology is an emerging area of research and standardization. Because of this, there may be a lack of clarity as to what is new with digital twins and what promise this technology holds. This report provides a detailed definition of digital twins, the motivation and vision for their u...

nistir-8356-comments@nist.gov
Comments due by: 04/16/2021

Draft: To help secure our elections, NIST has released Draft NISTIR 8310, Cybersecurity Framework Election Infrastructure Profile. This Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to election infrastructure. The Profile is meant to supplem...

NISTIR-8310-comments@nist.gov
Comments due by: 03/29/2021

Draft: This draft document is the result of an effort to define authentication by examining mechanisms used to prove position or membership; analyzing existing methods, tools, and techniques; and developing an abstract representation of authentication features and services. Basic mechanisms used to accompl...

Draft: Privacy-enhancing cryptography (PEC) refers to cryptography used to enhance privacy, beyond the traditional sense of data confidentiality. For example, it enables sophisticated interactions that obtain a useful output of the combined information of multiple entities, although without them sharing th...

Draft: Draft NISTIR 8259C describes a process, usable by any organization, that starts with the core baselines provided in NISTIRs 8259A and 8259B and explains how to integrate those baselines with organization- or application-specific requirements (e.g., industry standards, regulatory guidance) to develop...

Draft: The National Cybersecurity Center of Excellence (NCCoE) at NIST is actively engaged in helping organizations address the challenge of ransomware and other data integrity events through the Data Integrity projects. These projects help organizations implement technical capabilities that address data i...

Draft: Summary: NIST requests review and comments on Special Publication (SP) 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. This document presents recommendations for safeguarding the technologies used for telework and remote access. The public...

Draft: This paper provides background information on trusted IoT device network-layer onboarding and lifecycle management. It defines a taxonomy of onboarding characteristics that will enable stakeholders to have a common language to describe and express their onboarding capabilities and fully capture the...

Draft: The National Cybersecurity Center of Excellence (NCCoE) at NIST is announcing the release of a draft project description on Improving Cybersecurity of Managed Service Providers. Many small and medium sized businesses use managed service providers (MSPs) to manage their organiza...

Draft: In 2017, more than eight billion IoT devices were in use worldwide and the current estimate is that more than 20 billion IoT devices will be in use by 2020, according to various market research organizations. Since many IoT devices are accessible via the internet, malicious actors can exploit...

Draft: The National Cybersecurity Center of Excellence (NCCoE) is seeking comments on a draft Project Description. The NCCoE is proposing a project to explore continuous monitoring capabilities that can effectively, efficiently and automatically detect when a malicious actor—be it an authorized...

Draft: This short paper introduces an approach to producing explanations or justifications of decisions made in some artificial intelligence and machine learning (AI/ML) systems, using methods derived from those for fault location in combinatorial testing. We show that validation and explainability issues...

Draft: Draft NISTIR 8213 provides a reference for implementing interoperable randomness beacons. The document defines terminology and notation, a format for pulses, a protocol for beacon operations, hash-chaining and skiplists of pulses, and the beacon interface calls. It also provides directions for...

Draft: In this revision of SP 800-38G, the specifications of the two encryption methods, called FF1 and FF3-1, are updated in order to address potential vulnerabilities when the domain size is too small. Instructions for providing comments are included at the bottom of this notice. Details: Special Public...

Draft: The National Cybersecurity Center of Excellence (NCCoE) at NIST is proposing a project to protect building management systems’ IoT sensor networks. Our findings may be applicable to other industry sectors and are listed for consideration for inclusion as future NCCoE use cases. We will exp...

Draft: This draft white paper identifies seventeen technical trust-related issues that may negatively impact the adoption of IoT products and services. The paper offers recommendations for mitigating or reducing the effects of these concerns while also suggesting additional areas of research regarding the...

Draft: Draft NIST Special Publication (SP) 800-71, Recommendations for Key Establishment Using Symmetric Block Ciphers, addresses key establishment techniques that use symmetric key cryptography algorithms to protect symmetric keying material. The objective is to provide recommendations for reducing exposu...

Draft: The national need for a common lexicon to describe and organize the cybersecurity workforce and requisite knowledge, skills, and abilities (KSAs) led to the creation of the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework). The NICE Framework d...

Draft: Privileged Account Management (PAM) is a domain within Identity and Access Management (IdAM) focusing on monitoring and controlling the use of privileged accounts. Privileged accounts include local and domain administrative accounts, emergency accounts, application management, and service accounts....

Draft: NIST invites comments on Draft NISTIR 8139, Identifying Uniformity with Entropy and Divergence. Entropy models are frequently utilized in tests identifying either qualities of randomness or randomness uniformity of formal and/or observed distributions. The NIST Special Publications SP 800-22...

Draft: [10/11/16 - The comment period has been extended to 11/10 (from 10/12).] The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Authentication for Law Enforcement Vehicle Systems. Law enforcement vehicles often serve as mobile offices for off...

Draft: The Mobile Threat Catalogue outlines a catalogue of threats to mobile devices and associated mobile infrastructure to support development and implementation of mobile security capabilities, best practices, and security solutions to better protect enterprise information technology (IT). Threats are d...

Draft: The National Cybersecurity Center of Excellence (NCCoE) has posted a draft Project Description on the topic of Securing Non-Credit Card, Sensitive Consumer Data. Retailers easily gather sensitive data during typical business activities, such as date of birth, address, phone number, and email...

Draft: NIST requests public comments on draft Special Publication (SP) 800-154, Guide to Data-Centric System Threat Modeling. Data-centric system threat modeling is a form of risk assessment that models aspects of the attack and defense sides for selected data within a system. Draft SP 800-154 provides inf...

Draft: NIST requests public comments on Draft SP 800-180, NIST Definition of Microservices, Application Containers and System Virtual Machines. This document serves to provide a NIST-standard definition to application containers, microservices which reside in application containers and system virtual machi...

Draft: This report provides guidance to associate SWID Tags with the CPE specification. The publication is intended as a supplement to NIST Internal Report (NISTIR) 8060, Guidelines for the Creation of Interoperable Software Identification (SWID) Tags. NISTIR 8060 shows how SWID tags, as defined by the ISO...

Draft: NIST announces the public comment release of NIST Internal Report (NIST IR 8058), Security Content Automation Protocol (SCAP) Version 1.2 Content Style Guide: Best Practices for Creating and Maintaining SCAP 1.2 Content. SCAP is a suite of specifications that standardize the format and nomenclature...

Draft: NIST announces the release of Draft Special Publication (SP) 800-16 Revision 1 (3rd public draft), A Role-Based Model For Federal Information Technology/Cyber Security Training for public comment. SP 800-16 describes information technology / cyber security role-based training for Federal Departments...

Draft: NIST announces the public comment release of Draft NIST Interagency Report (NISTIR) 7848, Specification for the Asset Summary Reporting Format 1.0. NISTIR 7848 defines the Asset Summary Reporting (ASR) format version 1.0, a data model for expressing the data exchange format of summary information re...

Draft: NIST announces the public comment release of NIST Special Publication 800-155, BIOS Integrity Measurement Guidelines. This document outlines the security components and security guidelines needed to establish a secure Basic Input/Output System (BIOS) integrity measurement and reporting chain. BIOS i...
