Publications

September 10, 2008

SP 800-116

DRAFT (second) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)

The National Institute of Standards and Technology (NIST) is pleased to announce a 2nd draft publication SP 800-116, A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. This draft provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in Federal facilities. Major changes in this draft include selection of outcome-based PIV authentication mechanisms and addition of PACS conformance best practice guideline. Federal agencies and private organizations as well as individuals are invited to review the 2nd draft document and submit comments using the comment template form provided on the website.

Comments should be submitted to PIV_comments@nist.gov with "Comments on Public 2nd Draft SP 800-116" in the subject line. The comment period closes at 5:00 EST (US and Canada) on September 24, 2008.

SP800-116-2nd-draft-v2.pdf (750 KB)
Comments_SP800-116.xls

August 19, 2008

SP 800-37 Rev. 1

DRAFT Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach

NIST, in cooperation with the Office of the Director of National Intelligence (ODNI), the Department of Defense (DOD), and the Committee on National Security Systems (CNSS), announces the completion of an interagency project to develop a common process to authorize federal information systems for operation. The initial public draft of NIST Special Publication 800-37, Revision 1, Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach, is now available for a six-week public comment period. The publication contains the proposed new security authorization process for the federal government (currently commonly referred to as certification and accreditation, or C&A). The new process is consistent with the requirements of the Federal Information Security Management Act (FISMA) and the Office of Management and Budget (OMB) Circular A-130, Appendix III, promotes the concept of near real-time risk management based on continuous monitoring of federal information systems, and more closely couples information security requirements to the Federal Enterprise Architecture (FEA) and System Development Life Cycle (SDLC). The historic nature of the partnership among the Civil, Defense, and Intelligence Communities and the rapid convergence of information security standards and guidelines for the federal government will have a significant impact on the federal government's ability to protect its information systems and networks. The convergence of security standards and guidelines is forging ahead with the development of a series of new CNSS policies and instructions that closely parallel the NIST security standards and guidelines developed in response to FISMA. The CNSS policies and instructions which address the specific areas of security categorization, security control specification, security control assessment, risk management, and security authorization, coupled with the current NIST publications will provide a more unified information security framework for the federal government and its contracting base. The unified approach to information security is brought together in part by the update to NIST Special Publication 800-37, Revision 1, which provides a common security authorization process and references the NIST and CNSS publications for the national security and non national security communities, respectively. The convergence activities mentioned above along with tighter integration of security requirements into the FEA and SDLC processes will promote more consistent and cost-effective information security and trusted information sharing across the federal government. Comments on the IPD of SP 800-37, Revision 1 should be provided by September 30, 2008 and forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to: sec-cert@nist.gov .

SP800-37-rev1-IPD.pdf (836 KB)

Aug. 13, 2008

NIST IR-7511

DRAFT Security Content Automation Protocol (SCAP) Validation Program Test Requirements

Draft NIST Interagency Report (IR) 7511, Security Content Automation Protocol (SCAP) Validation Program Test Requirements, Version 1.1 is now available for public comment. This report describes the requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7511 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.
 
NIST requests comments on Draft NISTIR 7511 by September 15, 2008. Please submit comments to IR7511comments@nist.gov with "Comments IR 7511" in the subject line.

Draft-NISTIR-7511.pdf (330 KB)

Jul 31, 2008

SP 800-106

DRAFT Randomized Hashing Digital Signatures (2nd draft)

NIST announces the release of the 2nd draft Special Publication 800-106, Randomized Hashing for Digital Signatures. This Recommendation provides a technique to randomize messages that are input to a cryptographic hash function during the generation of digital signatures. Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-106" in the subject line. The comment period closes on September 5th, 2008.

2nd-Draft_SP800-106_July2008.pdf (167 kB)

July 25, 2008

SP 800-68 Rev. 1

DRAFT Guide to Securing Microsoft Windows XP Systems for IT Professionals

Draft SP 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals, is being released for public comment. It seeks to assist IT professionals in securing Windows XP Professional systems running Service Pack 2 or 3. The guide provides detailed information about the security features of Windows XP and security configuration guidelines. SP 800-68 Revision 1 updates the original version of SP 800-68, which was released in 2005. NIST requests comments on draft SP 800-68 Revision 1 by August 29, 2008. Please submit comments to 800-68comments@nist.gov with "Comments SP 800-68" in the subject line.

The beta NIST Windows Security Baseline Database is being released for public comment. The database contains information on security setting baselines for Microsoft Windows XP, Windows Vista, Internet Explorer 7 (IE7), and Windows Firewall that are specified in NIST security templates and in the Federal Desktop Core Configuration (FDCC) Major Version 1.0. The database allows interested parties to view security settings by baseline or by policy (e.g., FDCC), as well as to compare baselines to each other. The information in the database is intended to supplement Draft SP 800-68 Revision 1, Guide to Securing Microsoft Windows XP Systems for IT Professionals. NIST requests comments on the beta Windows Security Baseline Database by August 29, 2008. Please submit comments to 800-68comments@nist.gov with "Comments Security Database" in the subject line.

download_WinXP.html

July 9, 2008

SP 800-121

DRAFT Guide to Bluetooth Security

Draft SP 800-121, Guide to Bluetooth Security, describes the security capabilities of Bluetooth technologies and gives recommendations to organizations employing Bluetooth technologies on securing them effectively. Much of SP 800-121 was originally included in draft NIST SP 800-48 Revision 1, Wireless Network Security for IEEE 802.11a/b/g and Bluetooth, but based on public comments, the Bluetooth material has been removed from SP 800-48 and placed in its own publication. NIST requests comments on draft SP 800-121 by August 22, 2008. Please submit comments to 800-121comments@nist.gov with "Comments SP 800-121" in the subject line.

Draft-SP800-121.pdf (3,887 KB)
Draft-SP800-121_pdf.zip (1,580 KB)

July 9, 2008

SP 800-107

DRAFT Recommendation for Applications Using Approved Hash Algorithms

NIST announces the release of the 2nd draft Special Publication 800-107, Recommendation for Applications Using Approved Hash Algorithms. This document provides security guidelines for achieving the required or desired security strengths when using cryptographic applications that employ the approved cryptographic hash functions specified in Federal Information Processing Standard (FIPS) 180-3, such as digital signature applications, Keyed-hash Message Authentication Codes (HMACs) and Hash-based Key Derivation Functions (HKDFs). Please submit comments to quynh.dang@nist.gov with "Comments on Draft 800-107" in the subject line. The comment period closes on October 9, 2008.

draft-SP800-107-July2008.pdf (174 KB)

July 9, 2008

SP 800-41 Rev. 1

DRAFT Guidelines on Firewalls and Firewall Policy

Draft SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy, provides recommendations on developing firewall policies and on selecting, configuring, testing, deploying, and managing firewalls. The publication covers a number of firewall technologies, including packet filtering, stateful inspection, application-proxy gateways, host-based, and personal firewalls. SP 800-41 Revision 1 updates the original publication, which was released in 2002. NIST requests comments on draft SP 800-41 Revision 1 by August 15, 2008. Please submit comments to 800-41comments@nist.gov with "Comments SP 800-41" in the subject line.

Draft-SP800-41rev1.pdf (495 KB)

July 7, 2008

SP 800-124

DRAFT Guidelines on Cell Phone and PDA Security

Draft SP 800-124, Guidelines on Cell Phone and PDA Security, is available for public comment. It provides an overview of cell phone and personal digital assistant (PDA) devices in use today and offers insights for making informed information technology security decisions regarding their treatment. SP 800-124 gives details about the threats, technology risks, and safeguards for these devices. NIST requests comments on draft SP 800-124 by August 8, 2008. Please submit comments to 800-124comments@nist.gov with "Comments SP 800-124" in the subject line.

Draft-SP800-124.pdf (301 KB)

May 30, 2008

NIST IR-7502

DRAFT The Common Configuration Scoring System (CCSS)

Draft NIST Interagency Report (IR) 7502, The Common Configuration Scoring System (CCSS), is now available for public comment. This document proposes a specification for CCSS, a set of standardized measures for the characteristics and impacts of software security configuration issues. NISTIR 7502 also provides several examples of how CCSS measures and scores would be determined for a diverse set of configuration issues. Once CCSS is finalized, CCSS data can assist organizations in making sound decisions as to how configuration issues should be addressed and can provide data to be used in quantitative assessments of host security.

NIST requests comments on Draft NISTIR 7502 by July 3, 2008. Please submit comments to IR7502comments@nist.gov with "Comments IR 7502" in the subject line.

Draft-NISTIR-7502.pdf

May 1, 2008

SP 800-108

DRAFT Recommendation for Key Derivation Using Pseudorandom Functions

NIST announces the release of draft Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions. This Recommendation specifies techniques for key derivation from a secret key using pseudorandom functions (PRF). Please submit comments to draft-SP800-108-comment@nist.gov with "Comments on SP800-108" in the subject line. The comment period closes on June 28, 2008.

Draft_SP-800-108_April-2008.pdf (166 KB)

May 1, 2008

SP 800-66 Rev 1

DRAFT An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

NIST announces the release of the public draft of Special Publication 800-66 Revision 1, An Introductory Resource Guide to Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (Draft). This Special Publication (SP), which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to help educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule, direct readers to helpful information in other NIST publications on individual topics the HIPAA Security Rule addresses, and aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.

Comments on Draft SP 800-66 Revision 1 will be accepted through June 13, 2008. Comments should be submitted via email to 800-66comments@nist.gov , or forwarded to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft Special Publication 800-66 Rev. 1, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, MD. 20899-8930.

Draft_SP800-66-Rev1.pdf (725 KB)

April 3, 2008

SP 800-39

DRAFT Managing Risk from Information Systems: An Organizational Perspective

NIST announces the release of the second public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a structured, yet flexible approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of organizations. Comments will be accepted through April 30, 2008. EComments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to: sec-cert@nist.gov .

SP800-39-spd-sz.pdf (634 KB)

March 14, 2008

SP 800-64 Rev. 2

DRAFT Security Considerations in the System Development Life Cycle

The purpose of this draft revision is to assist federal government agencies in integrating essential information technology (IT) security steps into their established IT system development life cycle (SDLC). This should result in more cost effective, risk appropriate security control identification, development and testing.
 
Comments on Draft SP 800-64 Revision 2 will be accepted through April 28, 2008. Comments should be submitted via email to 800-64comments@nist.gov , or forwarded to Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft Special Publication 800-64 Rev. 2, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, MD. 20899-8930.

draft-SP800-64-Revision2.pdf (900 KB)

Mar. 7, 2008

SP 800-73 -2

DRAFT Interfaces for Personal Identity Verification (4 parts):
1- End-Point PIV Card Application Namespace, Data Model and Representation
2- End-Point PIV Card Application Interface
3- End-Point PIV Client Application Programming Interface
4- The PIV Transitional Data Model and Interfaces

NIST has posted a second draft of SP 800-73-2 for public comments. This draft incorporates some comments and suggestions that were received after the first public comment period had closed (see 3). The changes since the first draft include: 1) relaxation of the Global PIN security status limitations, 2) incorporation of an optional Global and PIV PIN discovery object, 3) addition of a discovery object for the PIV card application, 4) elimination of the previously proposed optional U-CHUID data object, and 5) resolutions of the first draft public comments. Please submit comments using the comment template form provided on the website. Comments should be submitted to PIV_comments@nist.gov with "Comments on 2nd Public Draft SP 800-73-2" in the subject line. The comment period closes at 5:00 EST (US and Canada) on April 18th 2008. (NOTE: the due date has been extended from April 4 to the 18th.)

2nddraft_SP800-73-2_part1_DataModel-032008.pdf (459 kB)
2nddraft_SP800-73-2_part2_EndPointPIVCardApplicationCardCommandInterface-032008.pdf (282 KB)
2nddraft_SP800-73-2_part3_EndpointClientAPI-032008.pdf (177 KB)
2nddraft_SP800-73-2_part4_TransitionalSpec-032008.pdf (172 KB)
Comments-form-on-NIST_SP800-73-2.xls (26 KB)
2nddraft-SP800-73-2.zip (694 KB)
TrackChanges_Part1_SP800-73-2.pdf (322 KB)
TrackChanges_Part2_SP800-73-2.pdf (214 KB)
TrackChanges_Part3_SP800-73-2.pdf (148 KB)

Feb 26, 2008

SP 800-63 -1

DRAFT Electronic Authentication Guidelines

Draft SP 800-63 Revision 1: E-Authentication Guideline is available for public comment. It supplements OMB guidance, by providing technical guidelines for the design of electronic systems for the remote authentication of citizens by government agencies. The revision represents an expansion and reorganization of the original document, broadening the discussion of technologies available to agencies, and giving a more detailed discussion of assertion technologies. Changes intended to clarify the pre-existing requirements are also included in the revision. Comments will be accepted until April 10, 2008. Comments should be forwarded via email to eauth-comments@nist.gov

Draft_SP-800-63-1_2008Feb20.pdf (726 KB)

Dec 28, 2007

FIPS-186 -3 Appendices

DRAFT RSA Strong Primes - Digital Signature Standard (DSS)

NIST requests comments on revised text for FIPS 186-3 related to the generation of RSA key pairs. Please provide comments by February 1, 2008 to ebarker@nist.gov.

fips186-3_Strong-Prime-Sections_Dec2007.pdf

Nov 13, 2007

SP 800-115

DRAFT Technical Guide to Information Security Testing

Draft SP 800-115, Technical Guide to Information Security Testing, is available for public comment. It seeks to assist organizations in planning and conducting technical information security testing, analyzing findings, and developing mitigation strategies. The publication provides practical recommendations for designing, implementing, and maintaining technical information security testing processes and procedures. SP 800-115 provides an overview of key elements of security testing, with an emphasis on technical testing techniques, the benefits and limitations of each technique, and recommendations for their use. Draft SP 800-115 is intended to replace SP 800-42, Guideline on Network Security Testing, which was released in 2003. NIST requests comments on Draft SP 800-115 by January 4, 2008. Please submit comments to 800-115comments@nist.gov with "Comments SP 800-115" in the subject line.

Draft-SP800-115.pdf (694 KB)
Draft-SP800-115_pdf.zip (468 KB)

Sep 29, 2007

NIST IR-7328

DRAFT Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems

NIST announces the release of draft NIST Interagency Report 7328, Security Assessment Provider Requirements and Customer Responsibilities: Building a Security Assessment Credentialing Program for Federal Information Systems. This report provides an initial set of requirements security assessment providers should satisfy to demonstrate capability to conduct information system security control assessments in accordance with NIST standards and guidelines. This report also identifies some customer’s responsibilities in providing an effective and cooperative environment in which security assessments can take place, and in adequately preparing for security assessments. The purpose of this report is to facilitate community dialogue and obtain feedback for defining a minimum set of requirements that customers believe important for security assessment providers to demonstrate competence for a credentialing program. Based on comments received NIST will update and republish this report and use it as reference in further development of a credentialing program for security assessment providers. Security assessments involve the comprehensive assessment of the management, operational, and technical security controls in federal information systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Comments will be accepted through November 30, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to sec-cert-p2@nist.gov

NISTIR_7328-ipdraft.pdf (327 KB)

Sep 28, 2007

SP 800-110

DRAFT Information System Security Reference Data Model

NIST is pleased to announce the release of NIST Draft Special Publication 800-110, Information System Security Reference Data Model. The Information System Security Reference Data Model and its associated XML taxonomy and schema are intended to: •Serve as a guideline for software tool developers and federal agencies that wish to develop an automated process for managing an information security program; and •Enable greater interoperability between information system security tools, resulting in more practical and cost-effective information security program management. Comments on draft 800-110 will be accepted through October 31, 2007. Comments should be submitted via email to 800-110comments@nist.gov, or forwarded to the Chief, Computer Security Division, Information Technology Laboratory, Attn: Comments on Draft Special Publication 800-110, NIST, 100 Bureau Dr., Stop 8930, Gaithersburg, Md. 20899-8930

Draft-SP800-110.pdf (247 KB)

Sep 28, 2007

SP 800-82

DRAFT Guide to Industrial Control Systems (ICS) Security

The second public draft of SP 800-82 is available for public comment. It provides guidance on how to secure ICS, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. SP 800-82 provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This publication is an update to the first public draft, which was released in 2006. NIST requests comments on NIST SP 800-82 by November 30, 2007. Please submit comments to 800-82comments@nist.gov with "Comments SP 800-82" in the subject line.

2nd-Draft-SP800-82-clean.pdf (2,245 KB)
2nd-Draft-SP800-82-markup.pdf (2,001 KB)
2nd-Draft-SP800-82-clean.pdf.zip (1,739 KB)
2nd-Draft-SP800-82-markup.pdf.zip (1,701 KB)

Jul 13, 2007

FIPS-140 -3

DRAFT Security Requirements for Cryptographic Modules

Draft FIPS 140-3 is the proposed revision of FIPS 140-2. The draft specifies five security levels instead of the four found in FIPS 140-2; has a separate section for software security; requires mitigation of non-invasive attacks when validating at higher security levels; introduces the concept of public security parameters; allows the deference of certain self-tests until specific conditions are met; and strengthens the requirements on user authentication and integrity testing. Please submit electronic comments to: FIPS140-3@nist.gov, with "Comments on Draft 140-3" in the subject line. ADDRESSES: Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Allen Roginsky, 100 Bureau Drive--Stop 8930. DATES: Comments must be received on or before October 11, 2007.

fips1403Draft.pdf (1,280 kB)

Jun 12, 2007

FIPS-180 -3

DRAFT Secure Hash Standard (SHS)

Draft FIPS 180-3 is the proposed revision of FIPS 180-2. The draft specifies five secure hash algorithms (SHAs) called SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 which are used to condense input messages to fixed-length messages, called message digests. These algorithms produce 160, 256, 384, and 512-bit message digests, respectively. The security strengths of these hash algorithms are specified in NIST Special Publications (SP) 800-57, Recommendation for Key Management. And, recommendation for using these hash algorithms will be discussed in draft NIST SP 800-107, Recommendation for Using Approved Hash Algorithms. Draft NIST Special Publication 800-107 will be available in the near future. Please submit comments to Proposed180-3@nist.gov with "Comments on Draft 180-3" in the subject line. The comment period closes on September 10, 2007.

draft_fips-180-3_June-08-2007.pdf (190 kB)

Oct 6, 2006

SP 800-103

DRAFT An Ontology of Identity Credentials, Part I: Background and Formulation

NIST is pleased to announce the release of Draft of the Special Publication 800-103, An Ontology of Identity Credentials, Part 1: Background and Formulation. The SP 800-103 is available for a six week public comment period. This document provides the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide an Extensible Markup Language (XML) schemas, as a framework for retention and exchange of identity credential information. Please send your comments to id_comments@nist.gov with "Comments on SP800-103" in the subject line. The comment period closes at 5:00 EST on Wednesday, November 15th, 2006. Comment period is NOW closed.

sp800-103-draft.pdf (699 kB)
draft-sp800-103.zip (558 kB)

May 4, 2006

SP 800-80

DRAFT Guide for Developing Performance Metrics for Information Security

NIST's Computer Security Division has completed the initial public draft of Special Publication 800-80, Guide for Developing Performance Metrics for Information Security. This guide is intended to assist organizations in developing metrics for an information security program. The methodology links information security program performance to agency performance. It leverages agency-level strategic planning processes and uses security controls from NIST SP 800-53, Recommended Security Controls for Federal Information Systems, to characterize security performance. To facilitate the development and implementation of information security performance metrics, the guide provides templates, including at least one candidate metric for each of the security control families described in NIST SP 800-53. Comment period is NOW closed.

draft-sp800-80-ipd.pdf (762 kB)

Mar 13, 2006

FIPS-186 -3

DRAFT Digital Signature Standard (DSS)

Draft FIPS 186-3 is the proposed revision of FIPS 186-2. The draft defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures. Three techniques are allowed: DSA, RSA and ECDSA. This draft includes requirements for obtaining the assurances necessary for valid digital signatures. Methods for obtaining these assurances are provided in Draft NIST Special Publication 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications. (see write-up for draft SP 800-89 below) Please submit comments to Elaine Barker at NIST with "Comments on Draft 186-3" in the subject line. The comment period closes on June 12, 2006 - Comment period is NOW closed.

See note above dated December 28, 2007 regarding RSA Strong Primes.

Draft-FIPS-186-3%20_March2006.pdf (474 kB)