NIST, Computer Security Division, Computer Security Resource Center
News & Events
News Archive - 2006
This page contains archived news items. These items are no longer updated and serve a historical purpose. To access news items from other years, please click on that year. If you have any questions, please contact the CSRC Webmaster.
For current news items, please visit the News section of the website.
2007 | 2006 | 2005 | 2004 | 2003 | 2002
SP 800-53, Revision 1 Annexes Released
December 29, 2006
NIST announces the release of the security control baseline annexes for Special Publication 800-53, Revision 1, Recommended Security Controls for Federal Information Systems. Annex 1 contains the baseline security controls and assurance requirements for low-impact information systems; Annex 2 contains the baseline security controls and assurance requirements for moderate-impact information systems; and Annex 3 contains the baseline security controls and assurance requirements for high-impact information systems.
Managing Enterprise Risk in Today’s World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost-Effective Information Security Programs Now Available
December 21, 2006
A white paper entitled Managing Enterprise Risk in Today’s World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost-Effective Information Security Programs, is now available for managers and information security professionals. This paper describes the NIST Risk Management Framework and the associated standards and guidelines that support a comprehensive enterprise information security program.
SP 800-53, Revision 1 Released
December 21, 2006
NIST announces the release of Special Publication 800-53, Revision 1, Recommended Security Controls for Federal Information Systems. This publication provides the first major update for the security controls selection and specification guidance since February 2005. Important changes to the Media Protection, Certification, Accreditation, and Security Assessments, and Identification and Authentication families are included in the update as well as new guidance on updating security controls and the use of external information systems.
SP 800-89 Released
December 6, 2006
NIST announces the release of Special Publication 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications. This Recommendation specifies methods for obtaining the assurances necessary for valid digital signatures: assurance of domain parameter validity, assurance of public key validity, assurance that the key pair owner actually possesses the private key, and assurance of the identity of the key pair owner.
NIST Information Security Seminar Series Announced
December 5, 2006
On January 10th, 2007 there will be a NIST Information Security Seminar Series that will be held at the Department of Commerce: Herbert C. Hoover Bldg Auditorium. Click here to view the announcement flyer.
SP 800-10 Released
November 7, 2006
NIST is proud to announce the release of Special Publication 800-100, Information Security Handbook: A Guide for Managers. This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program.
The purpose of this publication is to inform members of the information security management team [agency heads, chief information officers (CIO), senior agency information security officers (SAISO), and security managers] about various aspects of information security that they will be expected to implement and oversee in their respective organizations. This handbook summarizes and augments a number of existing National Institute of Standards and Technology (NIST) standard and guidance documents and provides additional information on related topics.
RSA Attacks Possible
October 20, 2006
An attack has been found on some implementations of RSA digital signatures using the padding scheme for RSASSA-PKCS1-v1_5 as specified in Public Key Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography Standard-2002. A statement discussing the attack is available. A similar attack could also be applied to implementations of RSA digital signatures as specified in American National Standard (ANS) X9.31. Note that this attack is not on the RSA algorithm itself, but on improper implementations of the signature verification process.
SP 800-51, Revision 1 (Final Public Draft) Released
October 20, 2006
NIST announces the release of Special Publication 800-53, Revision 1 (Final Public Draft), Recommended Security Controls for Federal Information Systems. SP 800-53, Revision 1 is available for a four-week public comment period. Comments can be sent to the FISMA Implementation Project at sec-cert@nist.gov. The comment period closes on Friday, November 17th, 2006.
Draft of the Special Publication 800-103 Released
October 6, 2006
NIST is pleased to announce the release of Draft of the Special Publication 800-103 (SP 800-103), An Ontology of Identity Credentials, Part 1: Background and Formulation. The SP 800-103 is available for a six week public comment period. This document provides the broadest possible range of identity credentials and supporting documents insofar as they pertain to identity credential issuance. Priority is given to examples of primary and secondary identity credentials issued within the United States. Part 2 of this document will provide an Extensible Markup Language (XML) schemas, as a framework for retention and exchange of identity credential information. Please send your comments to id_comments@nist.gov with "Comments on SP800-103" in the subject line. The comment period closes at 5:00 EST on Wednesday, November 15th, 2006.
Three Drafts Released
September 29, 2006
NIST announces the release of the following draft and final publications:
1. Draft SP 800-54, Border Gateway Protocol Security
2. Draft SP 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
3. Draft SP 800-98, Guidance for Securing Radio Frequency Identification (RFID) Systems
These 3 draft SPs, summaries, and dates for public comments can be found at CSRC Draft Publications page (or click document title link from above).
The 4 final publications are:
1. SP 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
2. SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
3. SP 800-92, Guide to Computer Security Log Management
4. NISTIR 7316, Assessment of Access Control Systems
SP 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist, provides advice primarily to experienced Windows XP administrators on securing Windows XP Home Edition computers for home users, such as telecommuting Federal employees. The publication explains the need to use a combination of security protections, such as antivirus software, antispyware software, a personal firewall, limited user accounts, and automatic software updates, to secure a computer against threats and maintain its security. It also emphasizes the importance of performing regular backups to ensure that user data is available after an adverse event. The publication contains step-by-step directions that can be performed by experienced administrators, and also a short set of instructions that end users can follow to implement the most essential security protections.
SP 800-84, Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, provides guidance on maintaining information technology (IT) plans, such as contingency and computer security incident response plans, in a state of readiness so that organizations can effectively respond to and manage adverse situations involving IT. Maintaining these plans includes training IT personnel to fulfill their roles and responsibilities, having plans exercised to validate policies and procedures, and having systems tested to ensure their operability. SP 800-84 assists organizations in designing, developing, conducting, and evaluating test, training, and exercise events so that they can maximize their ability to prepare for, respond to, manage, and recover from disasters that may affect their missions.
SP 800-92, Guide to Computer Security Log Management, provides detailed information on developing, implementing, and maintaining effective log management practices throughout an enterprise. It includes guidance on establishing a centralized log management infrastructure, which includes hardware, software, networks, and media. It also discusses the log management processes that should be put in place at an organization-wide level, including the definition of roles and responsibilities and the creation of feasible logging policies. Guidance is also provided on log management at the individual system level, such as configuring log generating sources, supporting logging operations, performing log data analysis, and managing long-term data storage.
NISTIR 7316, Assessment of Access Control Systems, provides organizations with background information on access control policies, models, and mechanisms to assist them in securing their computer applications. NISTIR 7316 introduces access control terminology and provides an overview of major access control policies and mechanisms. It then discusses the capabilities, limitations, and qualities of the mechanisms that are embedded for each policy. It also provides information on the broader applications of access control mechanisms for distributed systems, and it proposes possible measurements for the quality of a mechanism.
Draft SP 800-76-1 Available for Comment
September 14, 2006
NIST Draft Special Publication 800-76-1, Biometric Data Specification for Personal Identity Verification, is now available for a three week public comment period. This document is a revision for the earlier version of February 1, 2006. The changes include incorporation of the published errata document, clarification on performance testing and certification procedures, and caution regarding fingerprint minutiae generation. Additional typographical fixes and aesthetic changes have been incorporated in this document. To learn more about this Draft Publication, please visit the CSRC Drafts Publications page.
SP 800-96 Released
September 11, 2006
NIST is pleased to announce the release of NIST Special Publication 800-96, PIV Card to Reader Interoperability Guidelines. This document provides requirements for PIV card readers in the area of performance and communications characteristics to foster interoperability. Requirements for the contact and contactless card readers for both physical and logical access control systems are provided in this document. The requirements are for the PIV readers designed to read end-point cards.
Biometric Consortium Conference (BC2006) Announced
September 6, 2006
The Biometric Consortium Conference (BC2006) will be held September 19-21, 2006 at the Baltimore Convention Center (Baltimore, Maryland). BC2006 will address the important role that biometrics can play in the identification and verification of individuals in this age of heightened security and privacy by examining biometric-based solutions for homeland security (airport security, travel documents, visas, border control, prevention of ID theft) as well as the utilization of biometrics in other applications such as point of sale and large-scale enterprise network environments. BC2006 will provide a forum to address biometric research, recent technology advancements, government initiatives, adoption of biometric standards and biometrics and security.
Several Publications Released
August 31, 2006
NIST announces that the following draft Special Publications (SP) are now available for public comment: 1) SP 800-45A, Guidelines on Electronic Mail Security, 2) SP 800-94, Guide to Intrusion Detection and Prevention (IDP) Systems, 3) SP 800-95, Guide to Secure Web Services, and 4) SP 800-101, Guidelines on Cell Phone Forensics. These draft publications and requested dates for comments can be found on the CSRC Draft Publications page.
Additionally, NIST announces the final publication of NIST SP 800-88, Guidelines for Media Sanitization. It provides information on techniques to remove data from a wide variety of media types and a decision matrix to determine which technique is best. It also recommends that organizations first determine the confidentiality of the information and then decide how to dispose of the media. SP 800-88 describes the three most common methods of sanitizing media: 1) clearing using software or hardware products to overwrite storage space on the media with nonsensitive data; 2) purging magnetic media through degaussing, which is exposure to a strong magnetic field to disrupt the magnetically encoded information; and 3) destroying the media through a variety of methods ranging from shredding to melting and incineration. The publication recommends techniques for sanitizing a wide range of commonly used media using all three methods.
NIST is also pleased to announce the final release of SP 800-86, Guide to Integrating Forensic Techniques into Incident Response. The publication is intended to help organizations in handling computer security incidents and troubleshooting some information technology (IT) operational problems by providing practical guidance on performing computer and network forensics. SP 800-86 describes the processes for performing effective forensics activities in support of incident response, and it provides advice regarding different data sources, including files, operating systems, network traffic, and applications. Several scenarios involving the use of forensic techniques are also included as the basis for tabletop exercises.
Draft SP 800-69 Released
August 1, 2006
NIST is pleased to announce the release of draft Special Publication (SP) 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist. SP 800-69 provides guidance to home users, such as telecommuting Federal employees, on improving the security of their home computers that run Windows XP Home Edition. Home computers face many threats from people wanting to cause mischief and disruption, commit fraud, and perform identity theft. The publication explains the need to use a combination of security protections, such as antivirus software, antispyware software, a personal firewall, limited user accounts, and automatic software updates, to secure a computer against threats and maintain its security. It also emphasizes the importance of performing regular backups to ensure that user data is available after an adverse event such as an attack against the computer, a hardware failure, or human error. The publication contains detailed step-by-step directions for securing Windows XP Home Edition computers that can be performed by experienced Windows XP Home Edition users.
NIST requests comments on NIST SP 800-69 by August 31, 2006. Please submit comments to itsec@nist.gov with "Comments SP800-69/XPHome" in the subject line.
Draft 800-96 Released
July 28, 2006
NIST is pleased to announce the release of Draft Special Publication 800-96 (SP 800-96), PIV Card / Reader Interoperability Guidelines. The SP 800-96 is available for a two week public comment period. The document provides guidelines for interaction between any card and any reader in the PIV system. It covers contact and contactless readers for logical access as well readers for physical access. The comment period closes at 5:00 EST on Friday, August 11th, 2006. Please visit the DRAFTs Publications page to learn more about this draft.
SP 800-85B Released
July 27, 2006
NIST is pleased to announce the release of NIST SP 800-85B, PIV Data Model Conformance Test Guidelines. This document provides Derived Test Requirements and Test Assertions for testing all data on the PIV Card. The requirements and assertions cover the following PIV Specifications - SP 800-73-1, SP 800-76 and SP 800-78. In addition it also provides tests for verifying the PKI certificates on the PIV card for conformance to Certificate Profiles in FICC-SSP subcommittee document. The guidelines are to be used by the developers of software modules, PIV card issuers, and entities performing conformance tests.
SP 800-53 Available for Public Comment
July 26, 2006
NIST is pleased to announce the release of Special Publication 800-53, Revision 1 (Second Public Draft), Recommended Security Controls for Federal Information Systems. SP 800-53, Revision 1 is available for a one-month public comment period. The comment period closes on August 25, 2006. To obtain a copy of this draft document, please visit the Draft Publications page.
SP 800-78-1 Released
July 3, 2006
NIST is pleased to announce the release of Draft Special Publication 800-78-1, Cryptographic Standards and Key Sizes for Personal Identity Verification. The SP 800-78-1 is available for a 90 day public comment period. The comment period closes at 5:00 EST on October 2nd, 2006. To learn more about this draft document, please visit the Drafts Publications page.
FIPS 201-1 Change Notice 1 Released
June 26, 2006
NIST is pleased to announce the release of NIST FIPS 201-1 Change Notice 1, Personal Identity Verification (PIV) of Federal Employees and Contractors. This change notice clarifies requirements for printing Agency Card Serial Number on the back of the PIV card. Specifically, the requirement allows variable placement of Agency Card Serial Number along the outer edge of the back of the PIV Card. The change notice also provides corrections to the ASN.1 encoding of the NACI indicator.
SP 800-90 Released
June 12, 2006
NIST is proud to announce the release of Special Publication 800-90, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, specifies four DRBGs and briefly discusses entropy sources and methods for creating an RNG from an entropy source and an Approved DRBG.
Draft SP 800-100 Available for Public Comment
June 7, 2006
The Draft Special Publication 800-100, Information Security Handbook: A Guide for Managers is available for public comment at the Drafts Publications page. NIST requests public comments on the draft until August 07, 2006; comments may be sent to handbk-100@nist.gov. Check out the Drafts page for more details about this draft.
Draft SP 800-97 Available for Public Comment
June 5, 2006
NIST is pleased to announce the release of draft Special Publication (SP) 800-97, Guide to IEEE 802.11i: Robust Security Networks. SP 800-97 provides detailed information on the Institute of Electrical and Electronics Engineers (IEEE) 802.11i standard for wireless local area network (WLAN) security. IEEE 802.11i provides security enhancements over the previous 802.11 security method, Wired Equivalent Privacy (WEP), which has several well-documented security deficiencies. IEEE 802.11i introduces a range of new security features that are designed to overcome the shortcomings of WEP. This document explains these security features and provides specific recommendations to ensure the security of the WLAN operating environment. It gives extensive guidance on protecting the confidentiality and integrity of WLAN communications, authenticating users and devices using several methods, and incorporating WLAN security considerations into each phase of the WLAN life cycle. The document complements, and does not replace, NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices.
NIST requests comments on NIST SP 800-97 by July 7, 2006. Please submit comments to 800-97comments@nist.gov with "Comments SP800-97/802.11i" in the subject line.
SP 800-85B Available for Public Comment
May 25, 2006
NIST Special Publication 800-85B, PIV Data Model Conformance Test Guidelines, is now available for a four week public comment period. This document provides Derived Test Requirements and Test Assertions for testing all data on the PIV Card. The requirements and assertions cover the following PIV Specifications - SP 800-73-1, SP 800-76 and SP 800-78. In addition it also provides tests for verifying the PKI certificates on the PIV card for conformance to Certificate Profiles in FICC-SSP subcommittee document. The guidelines are to be used by the developers of software modules and entities issuing PIV cards. Please submit comments using the comment template form provided on the website. Comments should be submitted to PIV_Comments@nist.gov with "Comments on Public Draft SP 800-85B" in the subject line. The comment period closes at 5:00 EST on June 22, 2006. Go to the Drafts page for more details.
SP 800-96 Available for Public Comment
May 23, 2006
NIST is pleased to announce the release of Preliminary Draft of the Special Publication 800-96 (SP 800-96), PIV Card / Reader Interoperability Guidelines. The SP 800-96 is available for a three week public comment period. The document provides guidelines for interaction between any card and any reader in the PIV system. It covers contact and contactless readers for logical access as well readers for physical access. The comment period closes at 5:00 EST on Tuesday, June 13th, 2006. Go to the Drafts page for more details.
SP 800-81 Released
May 16, 2006
NIST is pleased to announce the release of NIST Special Publication 800-81, Secure Domain Name System (DNS) Deployment Guide. This publication seeks to assist organizations in the secure deployment of Domain Name System (DNS) services in an enterprise. It discusses the threats, security objectives, and relevant security approaches. Finally, it makes specific recommendation on securely configuring DNS and associated mechanisms. The publication can be obtained at the Special Publications page.
SP 800-80 Available for Public Comment
May 4, 2006
The initial public draft of NIST Special Publication 800-80, Guide for Developing Performance Metrics for Information Security, is now available for public comment. Visit the Drafts page to learn more about this draft document. NIST requests public comments on the draft until June 19, 2006. Comments may be sent to 800-80comments@nist.gov.
Draft SP 800-53A Available for Public Comment
April 21, 2006
The second public draft of NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems is now available for public comment at the draft publications page. The document provides a comprehensive listing of methods and procedures to assess the effectiveness of security controls in federal information systems. Assessment procedures have been developed for each security control and control enhancement in NIST Special Publication 800-53 with the rigor and intensity of assessments aligned with the impact levels in FIPS 199. NIST requests public comments on the draft until July 31, 2006. Comments may be sent to sec-cert@nist.gov.
Draft SP 800-38D Available for Public Comment
April 20, 2006
The draft Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication is available for public comment at the Draft Publications page. The document specifies the Galois/Counter Mode (GCM), an authenticated encryption mode of the Advanced Encryption Standard (AES) algorithm. GCM provides assurance of confidentiality of data using a variation of the Counter mode of operation for encryption. GCM provides assurance of authenticity of the confidential data using a universal hash function that is defined over a binary Galois (i.e., finite) field. GCM can also provide authentication assurance for additional data that is not encrypted.
NIST requests public comments on the draft until June 5, 2006; comments may be sent to EncryptionModes@nist.gov.
Draft SP 800-92 Available for Public Comment
April 18, 2006
NIST is pleased to announce a new draft document, SP 800-92, Guide to Computer Security Log Management. Many logs within an organization may contain records related to computer security events. Organizations are facing larger quantities, volumes, and varieties of computer security logs, and also need to address requirements to analyze and retain certain logs to comply with Federal legislation and regulations, including FISMA, HIPAA, the Sarbanes-Oxley Act of 2002, and the Gramm-Leach-Bliley Act. As a result, many organizations have a greater need for computer security log management--the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management assists in ensuring that computer security records are stored in sufficient detail for an appropriate period of time.
This document provides detailed information on developing, implementing, and maintaining effective log management practices throughout an enterprise. It includes guidance on establishing a centralized log management infrastructure, which includes hardware, software, networks, and media. It also discusses the log management processes that should be put in place at an organization-wide level, including the definition of roles and responsibilities, the creation of feasible logging policies, and the division of responsibilities between system-level and organization-level administrators. Guidance is also provided on log management at the individual system level, such as configuring log generating sources, supporting logging operations, performing log data analysis, and managing long-term data storage.
NIST requests comments on NIST SP 800-92 by May 18 2006. Please submit comments to 800-92comments@nist.gov with "Comments SP800-92/Log Management" in the subject line.
Cryptographic Hash Workshop Announced
April 5, 2006
NIST is holding the Second Cryptographic Hash Workshop on August 24- 25, 2006 in UCSB, Santa Barbara. Details of the workshop can be found on http://www.nist.gov/hash-function. Call for Papers Submission Deadline: May 12, 2006.
SP 800-85A Released
April 5, 2006
NIST is pleased to announce the release of NIST Special Publication 800-85A, PIV Card Application and Middleware Interface Test Guidelines (SP800-73 Compliance). This document provides Derived Test Requirements (DTR) and Test Assertions (TA) for testing the PIV Card Application and PIV Middleware interfaces for conformance to specifications in SP 800-73 (Interfaces for Personal Identity Verification). The Guidelines are to be used by the developers of software modules and testing laboratories. SP 800-85A is the first of the two documents (the other one is SP 800-85B to be released shortly) that will replace SP 800-85 released in October 2005.
SP 800-73-1 Released
March 24, 2006
NIST is pleased to announce the release of NIST Special Publication 800-73-1, Interfaces for Personal Identity Verification, 2006 Edition. Special Publication 800-73-1 specifies a PIV data model, communication interface, and application programming interface. This revision includes changes to the access control requirements for reading PIV public key certificates, storage of the biometric fingerprints in one container, incorporation of the Errata to date, and accommodation of public comments.
Workshop Announced
March 16, 2006
The National Institute of Standards and Technology (NIST) is holding a workshop to discuss Phase II of the FISMA Implementation Project and proposed requirements for credentialing organizations to conduct information security assessments of federal information systems, including those information systems operated by contractors on behalf of the federal government.
Statement Posted Regarding FIPS 180-2
March 15, 2006
NIST has posted a statement on the continued use of the hash functions specified in FIPS 180-2.
FIPS 201 Revision Approved
March 14, 2006
The National Institute of Standards and Technology (NIST) is pleased to announce the approval of a revision to Federal Information Processing Standard (FIPS) Publication 201, Standard for Personal Identity Verification of Federal Employees and Contractors. The revision makes changes to Section 2.2, PIV Identify Proofing and Registration Requirements, Section 4.3, Cryptographic Specifications, Section 5.2, PIV Identity Proofing and Registration Requirements, Section 5.3.1, PIV Card Issuance, Section 5.4.2.1 X.509 Certificate Content, and to Appendix D, PIV Object Identifiers and Certificate Extension. The revision also clarifies the identity proofing and registration process that departments and agencies must follow when issuing identity credentials. The changes are needed to make FIPS 201-1 consistent with the Memorandum for All Departments and Agencies (M-05-24), issued by the Office of Management and Budget on August 5, 2005, Implementation of Homeland Security Presidential Directive (HSPD) 12 Policy for a Common Identification Standard for Federal Employees and Contractors.
FIPS 200 Available
March 14, 2006
Federal Information Processing Standard (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, is now available. FIPS 200 is the second of two mandatory security standards required by the Federal Information Security Management Act (FISMA). FISMA requires all federal agencies to develop, document and implement agency-wide information security programs and to provide security for the information and information systems that support the operations and assets of the agency. FIPS 200 specifies minimum security requirements for federal information and information systems that are not national security systems and a risk-based process for selecting security controls from NIST Special Publication 800-53 necessary to satisfy these requirements.
SP 800-56A Available
March 13, 2006
NIST Special Publication (SP) 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, is now available. This document specifies key establishment schemes based on standards developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.42 (Agreement of Symmetric Keys Using Discrete Logarithm Cryptography) and ANS X9.63 (Key Agreement and Key Transport Using Elliptic Curve Cryptography).
Drafts FIPS 186-3 and SP 800-89 Available for Public Comment
March 13, 2006
A Federal Register Notice has been published that a draft of Federal Information Processing Standard (FIPS) 186-3, Digital Signature Standard is available for public comment. This draft Standard defines methods for digital signature generation that can be used for the protection of messages, and for the verification and validation of those digital signatures. The comment period closes on June 12, 2006. To learn more on how to review and to submit comments to Draft FIPS 186-3, please visit the Drafts page.
A draft of an accompanying document, NIST Special Publication (SP) 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications is also available for public comment. This Recommendation specifies methods for obtaining the assurances necessary for valid digital signatures. The comment period closes on April 28, 2006. To learn more on how to review and to submit comments to Draft SP 800-89, please visit the Drafts page.
Draft Sp 800-53, Revision 1 Available for Public Comment
February 28, 2006
Draft Special Publication 800-53, Revision 1, Recommended Security Controls for Federal Information Systems is now available for a one-month public comment period. The minimum security controls in SP 800-53 will be become mandatory for federal agencies and their support contractors upon final approval and publication of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. The comment period for SP 800-53, Revision 1 closes on Friday, March 31, 2006.
Changes to SP 800-73 Published
February 13, 2006
Draft Special Publication 800-73-1 Interfaces for Personal Identity Verification
NIST has received several comments that it is difficult to track the proposed changes to Special Publication 800-73. We have therefore replaced the original posting with a concise list of the proposed changes. These changes reference the current version of Special Publication 800-73. Pending public comment, NIST plans to make these changes and post an updated version 800-73-1.
SP 800-73-1 Available for Public Comment
February 8, 2006
NIST Special Publication 800-73-1, Interfaces for Personal Identity Verification, is now available for a three week public comment period. This document provides necessary changes to SP 800-73 for synchronization with biometric data requirements in SP 800-76 and to enhance the utility of the PIV card for logical access. Please submit comments using the comment template form provided on the website. Comments should be submitted to DraftFips201@nist.gov with "Comments on Public Draft SP 800-73-1" in the subject line. The comment period closes at 5:00 EST on Tuesday, February 28th, 2006.
SP 800-18 Available
February 7, 2006
The Revision to NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems is now available. The document was updated to be consistent with the NIST SP 800-53 and to provide additional guidance on information system types and system boundaries.
Draft of SP 800-88 Available
February 3, 2006
NIST's Computer Security Division has completed the initial public draft of Special Publication 800-88, Guidelines for Media Sanitization. This guide is intended to assist organizations and system owners in making practical sanitization decisions based on...
SP 800-76 Released
February 1, 2006
NIST is pleased to announce the release of NIST Special Publication 800-76, Biometric Data Specification for Personal Identity Verification. Special Publication 800-76 specifies technical acquisition and formatting requirements for the biometric credentials of Federal Information Processing Standard 201 (FIPS 201) conformant Personal Identity Verification (PIV) systems, including the PIV Card itself. Special Publication 800-76 enumerates required procedures and formats for fingerprints, fingerprint templates and facial images by appropriate instantiation of values and practices generically laid out in published biometric standards.
NISTIR 7284 Released
January 18, 2006
NIST is pleased to announce the release of NIST Interagency Report 7284, Personal Identity Verification Card Management Report, which provides an overview of card management systems, identifies generic card management requirements, and considers some technical approaches to filling the existing gaps in PIV card management. The purpose of the report is to offer higher level of consistency and testability for PIV card issuance processes, enhance ability to outsource various card management components and functions, and improve overall security for the Federal PIV framework.