
News Archive - 2003

This page contains archived news items. These items are no longer updated and serve a historical purpose. To access news items from other years, please click on that year. If you have any questions, please contact the CSRC Webmaster.

For current news items, please visit the News section of the website.



Draft of 800-60 Available
December 19, 2003
NIST has completed the first draft of NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. The purpose of the draft guideline is to assist Federal government agencies in identifying information types and information systems and assigning impact levels for confidentiality, integrity, and availability. Impact levels are based on the security categorization definitions in FIPS 199, pre-publication. The draft Special Publication 800-60 is posted in two volumes. Volume I provides guidelines for identifying impact levels by type and suggests impact levels for administrative and support information common to multiple agencies. Volume II includes rationale for information type and impact level recommendations and examples of recommendations for agency-specific mission-related information. A goal of this document is to independently define the impact level, that is, to determine the impact level without considering countermeasures or controls. (This is one area that we are continuing to address. Comments and suggested approaches will be welcomed.) NIST requests comments on the draft by February 20, 2004. Comments should be addressed to 800-60_comments@nist.gov. A government-only Workshop on the draft will be held at NIST on 26 and 27 February 2004. Please e-mail elaine.frye@nist.gov for Workshop details and registration information.
Draft NISTIR 7056 Completed
December 19, 2003
NIST has completed a draft NIST IR 7056, Card Technology Development and Gap Analysis Interagency Report. This draft reports NIST activities in response to the GAO report, dated January 2003 “Progress in Promoting Adoption of Smart Card Technology” (GAO-03-144 report). The NIST IR includes the proceedings of the 8-9 July 2003 Storage and Processor Card-Based Technologies Workshop and reports the results of subsequent requirements and capabilities survey activities. NIST requests comments on the draft interagency report by January 30, 2004. Comment period is now CLOSED.
New Members on Information Security and Privacy Advisory Board
December 15, 2003
INFORMATION SECURITY AND PRIVACY ADVISORY BOARD: NEW MEMBERS
The Director of NIST recently appointed three new members to the Information Security and Privacy Advisory Board to fill existing vacancies. The new members are: Mr. Bruce A. Brody, Associate Deputy Assistant Secretary for Cyber and Information Security at the U.S. Department of Veterans Affairs; Ms. Rebecca C. Leng, Deputy Assistant Inspector General for Information Technology and Computer Security with the U.S. Department of Transportation; and Dr. Howard A. Schmidt, Vice President and Chief Information Security Officer with eBay. A copy of their bios is available from the Board's membership site http://csrc.nist.gov/ispab/membership.html.
Symposium Announced
December 9, 2003
The National Institute of Standards and Technology (NIST) and General Services Administration (GSA) are co-sponsoring the symposium entitled "Knowledge Based Authentication: Is it Quantifiable" on February 9-10, 2004 in Gaithersburg, Maryland.
 
Knowledge Based Authentication (KBA) is a useful tool to remotely authenticate individuals who conduct business electronically with Federal agencies or businesses infrequently. However, the complexity and interdependencies of KBA solutions used to establish a remote user identity are difficult to quantify. This symposium will explore KBA through panel discussions of user requirements, KBA system models, and metrics to quantify information sources, questions for challenges, analysis and scoring of responses, and standards. Complete information on the 1½ day symposium can be found at http://csrc.nist.gov/kba.
Proposed Change Notice for FIPS 180-2
December 1, 2003
NIST is proposing a change notice for FIPS 180-2, the Secure Hash Standard that will specify an additional hash function, SHA-224, that is based on SHA-256. NIST requests comments for the change notice by January 16, 2004. Comments should be addressed to ebarker@nist.gov.
Spam Technology Workshop Announced
November 25, 2003
Today NIST announced plans to hold a spam technology workshop on February 17, 2004 to examine technical topics related to spam, including filtering at the Internet/network and client sides (e.g., how to detect spam and how to reduce it), input from standards bodies on relevant current activities, Internet service providers' current and future plans to deal with spam, and technical issues regarding the efficacy of proposals to create "do not spam" lists. NIST is also interested in hearing about research challenges to developing and measuring improvements in spam control and reduction technology.
Symposium to be Held on Voting Systems
November 13, 2003
Building Trust and Confidence in Voting Systems Symposium
As part of its responsibilities under the Help America Vote Act of 2002 (HAVA), the Commerce Department's National Institute of Standards and Technology (NIST) will hold a symposium on building trust and confidence in voting systems at the agency's Gaithersburg, Md., headquarters on Dec. 10-11, 2003. The two-day event will bring together a host of people with an interest in election technology, including federal, state and local election officials; university researchers; independent testing laboratories; election law experts; hardware and software vendors; and others concerned about or involved with the latest developments in voting systems. Topics to be covered include specification, testability, security, usability and accessibility of voting systems. Information on the Building Trust and Confidence in Voting Systems symposium can be found at http://vote.nist.gov.
Draft of SP 800-53 Available
October 31, 2003
NIST has completed the first draft of NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. This draft guideline provides a recommended set of controls for low and moderate impact systems (based upon the security categorization definitions in FIPS 199, pre-publication). This guideline, when completed, will stand as NIST interim guidance until 2005, which is the statutory deadline to publish minimum standards for all non-national security systems.
Five Publications Released
October 10, 2003
NIST is pleased to announce the release of five special publications (SP): SP 800-35, Guide to Information Technology Security Services; SP 800-36, Guide to Selecting Information Security Products; SP 800-42, Guideline on Network Security Testing; SP 800-50, Building an Information Technology Security Awareness and Training Program; and SP 800-64, Security Considerations in the Information System Development Life Cycle. To view or to download these five publications, please visit http://csrc.nist.gov/publications/nistpubs/
Chief of NIST's Computer Security Division Testifies
September 17, 2003
The Chief of NIST's Computer Security Division, Ed Roback, testified today before the House Congressional Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. The Subcommittee held a hearing on "Exploring Common Criteria: Can it Ensure that the Federal Government Gets Needed Security in Software."
FIPS 199 Available
September 17, 2003
NIST has completed the final draft of FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems. To view or to download the pre-publication final draft of FIPS Publication 199, please visit http://csrc.nist.gov/publications/drafts.html.
Draft SP 800-61 Available for Public Comment
September 15, 2003
NIST has completed a draft of NIST Special Publication 800-61, Computer Security Incident Handling Guide. This publication seeks to help both established and newly formed incident response teams respond effectively and efficiently to a variety of incidents. More specifically, this document discusses the following items: 1) organizing a computer security incident response capability, 2) establishing incident response policies and procedures, 3) structuring an incident response team, and 4) handling incidents from initial preparation through the post-incident lessons learned phase. Finally, it discusses handling a range of incidents, such as denial of service, malicious code, unauthorized access, inappropriate usage, and multiple component incidents. NIST welcomes public comments on the draft until October 15, 2003. Comments may be sent to IncidentHandlingPub800-61@nist.gov. To view or to download the draft of NIST Special Publication 800-61, please visit http://csrc.nist.gov/publications/drafts.html
Two NIST Interagency Reports (NISTIR) Released
September 12, 2003
Two NIST Interagency Reports (NISTIR) have been released today.
 
The first, NISTIR 7030 "Picture Password: A Visual Login Technique for Mobile Devices" describes a general-purpose mechanism for authenticating a user to a PDA or other mobile device using image selection. Image selection is a simple and natural way for users to authenticate, which has advantages over passwords and other knowledge-based authentication mechanisms, particularly on handheld devices.
 
The second, NISTIR 7046 "A Framework for Multi-mode Authentication: Overview and Implementation Guide", describes a general Multi-mode Authentication Framework (MAF) for applying organizational security policies to mobile devices. Policies are organized into distinct policy contexts known as echelons, among which a user may transition. The approach is aimed at helping users easily comply with their organization's security policy, yet be able to exercise a significant amount of flexibility and discretion.
 
To view or to download these two NISTIRs, please visit http://csrc.nist.gov/publications/nistir/
Training Classes Announced
September 11, 2003
Occasionally, NIST will host IT security training classes at a severely reduced cost. On September 24-26, we are hosting an MIS Training Institute class, "Securing and Auditing Virtual Office Networks." The class, which is at NIST in Gaithersburg, Maryland, will address issues we are dealing with right now, such as dial-up access, small office/home high speed Internet service, virtual private networks, mobile computing, and wireless technology. The registration fee for the three-day course is $435.00.
Deputy Under Secretary of Commerce for Technology Testifies
September 9, 2003
Deputy Under Secretary of Commerce for Technology, Benjamin H. Wu, testified before the House Congressional Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. The hearing was entitled "Advancements in Smart Card and Biometric Technology." Mr. Wu's testimony focused on NIST's efforts to promote smart card security and interoperability.
Draft SP 800-38C Available for Public Comment
September 4, 2003
In the draft Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: the CCM Mode for Authentication and Confidentiality, the CCM mode of the Advanced Encryption Standard (AES) algorithm is specified for the protection of sensitive, unclassified data. The CCM algorithm combines the counter (CTR) mode for confidentiality with the cipher block chaining-message authentication code (CBC-MAC) technique for authentication. Further information on the development of block cipher modes of operation is available at the modes home page http://nist.gov/modes/. NIST welcomes public comments on the draft until October 20, 2003; comments may be sent to EncryptionModes@nist.gov.
Information Requested for New Website
August 27, 2003
(posted Sept. 2) NIST is requesting that public and private sector organizations, on a voluntary basis, submit their information security practices for inclusion on CSRC's new Public / Private Security Practices (PPSP) website. The PPSP site will complement the existing CSRC Federal Agency Security Practices (FASP) site. The broader sharing of such practices can help enhance the overall performance of information security programs and reduce costs from duplication of effort.
SP 800-59 Released
August 13, 2003
The final version of NIST Special Publication 800-59, "Guideline for Identifying an Information System as a National Security System" is now available. The document provides guidance on how to determine whether an information system meets the new legislative definition for "national security systems" (FISMA, Title III, Public Law 107-347).
SP 800-55 Released
August 12, 2003
The final version of NIST Special Publication 800-55, "Security Metrics Guide for Information Technology (IT) Systems" is now available. The document provides guidance on how to establish a metrics program to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related IT security data.
FIPS Can No Longer Be Waived
August 7, 2003
With the passage of the Federal Information Security Management Act of 2002, there is no longer a statutory provision to allow for agencies to waive mandatory Federal Information Processing Standards.
NISTIR 6887-2003 Edition Available
August 5, 2003
The newly released NIST Interagency Report 6887-2003 Edition, Government Smart Card Interoperability Specification (v2.1), is now available. GSC-ISv2.1 has expanded the government smart card architecture defined in GSC-ISv2.0 with the addition of an interface for contactless cards. GSC-ISv2.1 provides a common contactless card interface and establishes the foundation for achieving interoperability for both contact and contactless cards. A copy of NISTIR 6887-2003 can be found at http://smartcard.nist.gov.

Security Checklists to be Developed
August 1, 2003
The Cyber Security Research and Development Act of 2002 tasks NIST to develop security checklists containing settings for IT products used within the Federal Government. To meet this challenging requirement, NIST proposes to solicit IT vendors, consortia, industry and government organizations, and others in the public and private sector to produce additional checklists and associated guidance material for NIST. These materials would then be made available for display and downloading from CSRC. On September 25-26, 2003, NIST will hold a workshop to identify current and planned Federal government checklist activities and related needs, existing and planned voluntary efforts for building security checklists, and current industry capabilities for the development of checklists and the associated templates that describe sets of security configurations for IT products widely used in the United States Government (USG).


Workshops Accepting Comments
July 25, 2003
Card Technology Workshop Presentations: On July 8 and 9, 2003, the ITL Computer Security Division hosted a workshop on multi-technology card issues. The workshop was organized to identify current and planned Federal government activities, requirements, and issues for multi-technology cards. Specifically, it examined general technical and business issues, existing voluntary industry consensus standards, gap areas in standards coverage, and industry capabilities in the field of ISO/IEC 7810-compliant storage and processor card technologies. Copies of the presentation slides are available at http://csrc.nist.gov/card-technology/. The workshop was the initial step in a requirements definition effort. Follow-on activities will include 1) publication of proceedings of the workshop, 2) identification of the gaps in standards coverage, and 3) identification of the multi-technology composition issues. We invite comments on the workshop or the follow-on topics. Please send comments to nist_workshop@bah.com.
Highlights, Proceedings and Notes Available from Workshops
July 23, 2003
Highlights, Proceedings and Notes are now available from the June 4th and 30th, 2003, IT Security Capital Investment Planning (CPIC) Workshops.
Proposed E-Authentication Policy Available for Public Comment
July 11, 2003
The General Services Administration, in coordination with OMB, has published a proposed E-Authentication policy for public comment. GSA is requiring that agencies implement the E-Authentication Policy, which establishes four assurance levels to create a Governmentwide standard framework for determining what is required to access a particular Government transaction online. Comments are being accepted through August 11.
Nominations Needed for Advisory Board
July 2, 2003
NIST is seeking nominations of qualified individuals to serve on the Information Security and Privacy Advisory Board. The Board (formerly called the Computer System Security and Privacy Advisory Board) advises the Director of NIST, Secretary of Commerce, and Director of OMB.
Second Draft of SP 800-37 Available for Public Comment
June 30, 2003
The second public draft of NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, has been completed and is available for public comment. This document is one of a series of security standards and guidelines being developed by NIST's Computer Security Division in response to the Federal Information Security Management Act of 2002. For additional information, please visit the NIST Security Certification and Accreditation Project web site.
Workshop Information Updated
June 27, 2003
(UPDATED information - workshop web pages & registration link provided) On July 8 and 9, 2003, NIST will host a workshop to identify current and planned Federal government activities and related needs, general issues, existing voluntary industry consensus standards, gap areas in standards coverage, and industry capabilities in the field of storage and processor card technologies. It is anticipated that the workshop will support development of a standards roadmap, and a guideline on storage and processor card technologies to include multitechnology composition issues. The goal of this initial workshop is to develop and exchange information on the standards for and capabilities of multitechnology storage and processor cards. The workshop will be open to the public. The registration fee will be approximately $275 per person. The detailed agenda and supporting documentation for the workshop is now available.
Workshop Announced
June 8, 2003
The Second IT Security Capital Investment Planning Workshop will take place on June 30, 2003. It is a repeat of the workshop that was held on June 4th. Due to demand, this second workshop has been scheduled. This workshop will focus on effectively integrating security into the capital planning process. It will also provide participants with information on how to best develop a comprehensive business case in support of IT security acquisitions and investments.
National Cyber Security Division (NCSD) Created
June 6, 2003
The Department of Homeland Security has created the National Cyber Security Division (NCSD) under the Department's Information Analysis and Infrastructure Protection Directorate. The NCSD will provide for 24 x 7 functions, including conducting cyberspace analysis, issuing alerts and warnings, improving information sharing, responding to major incidents, and aiding in national-level recovery efforts.
OMAC Variation of the XCBC Algorithm Available for Public Comment
June 6, 2003
The National Institute of Standards and Technology (NIST) has been developing a block cipher mode of operation for message authentication. From the authentication modes that were submitted to NIST for consideration, NIST initially selected the RMAC algorithm and specified it in the draft NIST Special Publication 800-38B. In response to public comments on the draft, NIST posted a consultation paper that proposed a revision of the draft that would focus on the EMAC construction that underlies RMAC. In response to further public input, NIST has decided to replace RMAC and EMAC altogether with the OMAC variation of the XCBC algorithm.
 
The technical characteristics of RMAC, EMAC, and XCBC are summarized in the consultation paper; the rationale for the current decision is explained in a supplemental paper. These two papers, and other information on the modes development effort, are available through the modes home page, http://www.nist.gov/modes/.
 
NIST welcomes public comments on the OMAC variation of the XCBC algorithm in advance of the formal public comment period that will follow posting of the revised draft. Comments may be submitted to EncryptionModes@nist.gov by July 3, 2003.
Draft SP 800-59 Available
June 3, 2003
NIST's draft of the "Guideline for Identifying an Information System as a National Security System" (Draft Special Publication 800-59) is now available. The document provides guidelines for identifying an information system as a national security system consistent with applicable requirements for national security systems as specified in Title III to Public Law 107-347, the Federal Information Security Management Act of 2002 (FISMA).
OMB Releases Report on Federal Government Information Security Reform
May 16, 2003
The Office of Management and Budget has issued its FY-2002 Report to Congress on Federal Government Information Security Reform. The report describes agency IT security activities and results during FY 2002, as required under the Government Information Security Reform Act (GISRA).
FIPS 199 Available for Public Comments
May 16, 2003
In a notice in today's Federal Register, NIST is requesting comments on the draft of Federal Information Processing Standard 199, Standards for Security Categorization of Federal Information and Information Systems. The draft was developed in response to tasking to NIST under the Federal Information Security Management Act of 2002. [This is TITLE III of the E-Government Act of 2002]. Comments are due to NIST within 90 days to fips.comments@nist.gov.
Director of NIST Testifies
May 14, 2003
The Director of NIST, Dr. Arden Bement, testified today before the House Science Committee on implementation of the Cyber Security Research and Development Act. His testimony is available here.
Workshop Announced
May 7, 2003
The IT Security Capital Investment Planning Workshop will take place on June 4, 2003. This workshop will focus on effectively integrating security into the capital planning process. It will also provide participants with information on how to best develop a comprehensive business case in support of IT security acquisitions and investments.
Workshop Announced
April 21, 2003
(UPDATED information - workshop web pages & registration link provided) On July 8 and 9, 2003, NIST will host a workshop to identify current and planned Federal government activities and related needs, general issues, existing voluntary industry consensus standards, gap areas in standards coverage, and industry capabilities in the field of storage and processor card technologies. It is anticipated that the workshop will support development of a standards roadmap, and a guideline on storage and processor card technologies to include multitechnology composition issues. The goal of this initial workshop is to develop and exchange information on the standards for and capabilities of multitechnology storage and processor cards. The workshop will be open to the public. The registration fee will be approximately $275 per person. The detailed draft agenda and supporting documentation for the workshop will be posted at the NIST CSRC web site by May 9, 2003.
Consulting Paper for Draft SP 800-38B Released
April 8, 2003
In response to the public comments on the draft NIST Special Publication 800-38B, a consultation paper summarizes the technical issues underlying the selection of a block cipher based MAC and proposes to refocus the RMAC specification in the draft to its underlying EMAC construction. A link to the consultation paper is available at http://csrc.nist.gov/CryptoToolkit/modes/, under the heading "NIST Recommendation for Modes." Further comments on the draft SP 800-38B and the consultation paper may be submitted to EncryptionModes@nist.gov until May 5, 2003. Comment period is NOW CLOSED.
Second Draft of SP 800-50 Available for Public Comment
April 4, 2003
The second draft of Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, is now available for public comment. The publication provides detailed guidance on designing, developing, implementing, and maintaining an awareness and training program within an agency's IT security program. NIST welcomes your comments and suggestions on this document. Please provide them directly to Mark Wilson (sp800-50@nist.gov) by May 2, 2003. Comment period is NOW CLOSED.
White House Releases National Strategy to Secure Cyberspace
February 14, 2003
The White House has released the National Strategy to Secure Cyberspace. The purpose of the Strategy is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact.